added sshd_challenge_response_authentication variable, with the default value set to no

2008-09-26 17:05:49 -04:00 · 2008-09-26 17:05:49 -04:00 · 51c18b6b8f
commit 51c18b6b8f
parent d6f9d64d9b
5 changed files with 29 additions and 5 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -38,6 +38,11 @@
 # sshd_password_authentication: If you want to enable password authentication or not
 #                               Valid values: yes or no
 #                               Default: no
+#				
+# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
+# 				When disabled, s/key passowords are disabled
+# 				Valid values: yes or no
+#				Default: no
 # 
 # sshd_x11_forwarding:          If you want to enable x11 forwarding 
 #                               Valid Values: yes or no
@ -88,6 +93,10 @@ class sshd::base {
    	'' => 'no',
 	default => $sshd_agent_forwarding
    }
+    $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
+        '' => 'no',
+	default => $sshd_challenge_response_authentication
+    }

    file { 'sshd_config':
        path => '/etc/ssh/sshd_config',
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@ -67,8 +67,11 @@ PasswordAuthentication no
 #PermitEmptyPasswords no

 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
 ChallengeResponseAuthentication no
+<%- end %>

 # Kerberos options
 #KerberosAuthentication no
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@ -52,8 +52,12 @@ HostbasedAuthentication no
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords no

-# Uncomment to disable s/key passwords 
-#ChallengeResponseAuthentication no
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>

 # To disable tunneled clear text passwords, change to no here!
 <%- if real_sshd_password_authentication.to_s == 'yes' then %>
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@ -70,7 +70,11 @@ PasswordAuthentication no
 #PermitEmptyPasswords no

 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>

 # Kerberos options
 #KerberosAuthentication no
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@ -63,7 +63,11 @@ PasswordAuthentication no
 #PermitEmptyPasswords no

 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>

 # Kerberos options
 #KerberosAuthentication no