opuppet/module-sshd
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

add Debian Squeeze sshd template. Enabled kerberos and gssapi options, using the defaults when not specified

Browse source
This commit is contained in:
Micah Anderson 2010-12-14 13:22:43 -05:00
parent 6b660a56a7
commit 72e24df3b6
2 changed files with 257 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
manifests/init.pp
View file

@ -76,7 +76,36 @@
# sshd_password_authentication: If you want to enable password authentication or not
# Valid values: yes or no
# Default: no
#
#
# sshd_kerberos_authentication: If you want the password that is provided by the user to be
# validated through the Kerberos KDC. To use this option the
# server needs a Kerberos servtab which allows the verification of
# the KDC's identity.
# Valid values: yes or no
# Default: no
#
# sshd_kerberos_getafstoken: If AFS is active and user has a Kerberos 5 TGT, attempt to
# acquire an AFS token before accessing the user's home directory.
# Valid values: yes or no
# Default: no
#
# sshd_kerberos_orlocalpasswd: If password authentication through Kerberos fails, then the password
# will be validated via any additional local mechanism.
# Valid values: yes or no
# Default: yes
#
# sshd_kerberos_ticketcleanup: Destroy the user's ticket cache file on logout?
# Valid values: yes or no
# Default: yes
#
# sshd_gssapi_authentication: Authenticate users based on GSSAPI?
# Valid values: yes or no
# Default: no
#
# sshd_gssapi_cleanupcredentials: Destroy user's credential cache on logout?
# Valid values: yes or no
# Default: yes
#
# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
# When disabled, s/key passowords are disabled
# Valid values: yes or no
@ -160,6 +189,24 @@ class sshd {
case $sshd_password_authentication {
'': { $sshd_password_authentication = 'no' }
}
case $sshd_kerberos_authentication {
'': { $sshd_kerberos_authentication = 'no' }
}
case $sshd_kerberos_getafstoken {
'': { $sshd_kerberos_getafstoken = 'no' }
}
case $sshd_kerberos_orlocalpasswd {
'': { $sshd_kerberos_orlocalpasswd = 'yes' }
}
case $sshd_kerberos_ticketcleanup {
'': { $sshd_kerberos_ticketcleanup = 'yes' }
}
case $sshd_gssapi_authentication {
'': { $sshd_gssapi_authentication = 'no' }
}
case $sshd_gssapi_cleanupcredentials {
'': { $sshd_gssapi_cleanupcredentials = 'yes' }
}
case $sshd_tcp_forwarding {
'': { $sshd_tcp_forwarding = 'no' }
}

209
templates/sshd_config/Debian_squeeze.erb Normal file
View file

@ -0,0 +1,209 @@
# This file is managed by Puppet, all local modifications will be overwritten
#
# Package generated configuration file
# See the sshd(8) manpage for details
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
# What ports, IPs and protocols we listen for
<%- unless sshd_port.to_s.empty? then -%>
<%- if sshd_port.to_s == 'off' then -%>
#Port -- disabled by puppet
<% else -%>
Port <%= sshd_port -%>
<% end -%>
<%- else -%>
Port 22
<%- end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
# For this to work you will also need host keys in /etc/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
# Kerberos options
<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
KerberosAuthentication yes
<%- else -%>
KerberosAuthentication no
<%- end -%>
<%- if sshd_kerberos_getafstoken.to_s == 'yes' then -%>
KerberosGetAFSToken yes
<%- else -%>
KerberosGetAFSToken no
<%- end -%>
<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
KerberosOrLocalPasswd yes
<%- else -%>
KerberosOrLocalPasswd no
<%- end -%>
<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
KerberosTicketCleanup yes
<%- else -%>
KerberosTicketCleanup no
<%- end -%>
# GSSAPI options
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPIAuthentication yes
<%- else -%>
GSSAPIAuthentication no
<%- end -%>
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPICleanupCredentials yes
<%- else -%>
GSSAPICleanupCredentials yes
<%- end -%>
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/lib/openssh/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
<%- end -%>
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
AllowAgentForwarding yes
<%- else -%>
AllowAgentForwarding no
<%- end -%>
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%>
<%- end -%>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>