new options, cleaned up real_ hack
git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2527 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
parent
68b72b545b
commit
96bbe0adb8
6 changed files with 231 additions and 159 deletions
@ -41,6 +41,15 @@
|
|||
# might login.
|
||||
# Default: empty -> no restriction is set
|
||||
#
|
||||
# sshd_allowed_groups list of groups separated by spaces.
|
||||
# set this for example to "wheel sftponly"
|
||||
# to ensure that only users in the groups
|
||||
# wheel and sftponly might login.
|
||||
# Default: empty -> no restriction is set
|
||||
# Note: This is set after sshd_allowed_users,
|
||||
# take care of the behaviour if you use
|
||||
# these 2 options together.
|
||||
#
|
||||
# sshd_use_pam: if you want to use pam or not for authenticaton
|
||||
# Values: no or yes.
|
||||
# Default: no
|
||||
|
@ -100,6 +109,14 @@
|
|||
# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
|
||||
# Default: AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
#
|
||||
# sshd_sftp_subsystem: Set a different sftp-subystem than the default one.
|
||||
# Might be interesting for sftponly usage
|
||||
# Default: empty -> no change of the default
|
||||
#
|
||||
# sshd_additional_options: Set this to any additional sshd_options which aren't listed above.
|
||||
# As well this option might be usefull to define complexer Match Blocks
|
||||
# This string is going to be included, like it is defined. So take care!
|
||||
# Default: empty -> not added.
|
||||
|
||||
class sshd {
|
||||
include sshd::client
|
||||
|
@ -118,77 +135,68 @@ class sshd {
|
|||
|
||||
class sshd::base {
|
||||
# prepare variables to use in templates
|
||||
$real_sshd_listen_address = $sshd_listen_address ? {
|
||||
'' => [ '0.0.0.0', '::' ],
|
||||
default => $sshd_listen_address
|
||||
case $sshd_listen_address {
|
||||
'': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
|
||||
}
|
||||
$real_sshd_allowed_users = $sshd_allowed_users ? {
|
||||
'' => '',
|
||||
default => $sshd_allowed_users
|
||||
case $sshd_allowed_users {
|
||||
'': { $sshd_allowed_users = '' }
|
||||
}
|
||||
$real_sshd_use_pam = $sshd_use_pam ? {
|
||||
'' => 'no',
|
||||
default => $sshd_use_pam
|
||||
case $sshd_allowed_groups {
|
||||
'': { $sshd_allowed_groups = '' }
|
||||
}
|
||||
$real_sshd_permit_root_login = $sshd_permit_root_login ? {
|
||||
'' => 'without-password',
|
||||
default => $sshd_permit_root_login
|
||||
case $sshd_use_pam {
|
||||
'': { $sshd_use_pam = 'no' }
|
||||
}
|
||||
$real_sshd_password_authentication = $sshd_password_authentication ? {
|
||||
'' => 'no',
|
||||
default => $sshd_password_authentication
|
||||
case $sshd_permit_root_login {
|
||||
'': { $sshd_permit_root_login = 'without-password' }
|
||||
}
|
||||
$real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
|
||||
'' => 'no',
|
||||
default => $sshd_tcp_forwarding
|
||||
case $sshd_password_authentication {
|
||||
'': { $sshd_password_authentication = 'no' }
|
||||
}
|
||||
$real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
|
||||
'' => 'no',
|
||||
default => $sshd_x11_forwarding
|
||||
case $sshd_tcp_forwarding {
|
||||
'': { $sshd_tcp_forwarding = 'no' }
|
||||
}
|
||||
$real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
|
||||
'' => 'no',
|
||||
default => $sshd_agent_forwarding
|
||||
case $sshd_x11_forwarding {
|
||||
'': { $sshd_x11_forwarding = 'no' }
|
||||
}
|
||||
$real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
|
||||
'' => 'no',
|
||||
default => $sshd_challenge_response_authentication
|
||||
case $sshd_agent_forwarding {
|
||||
'': { $sshd_agent_forwarding = 'no' }
|
||||
}
|
||||
$real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
|
||||
'' => 'yes',
|
||||
default => $sshd_pubkey_authentication
|
||||
case $sshd_challenge_response_authentication {
|
||||
'': { $sshd_challenge_response_authentication = 'no' }
|
||||
}
|
||||
$real_sshd_rsa_authentication = $sshd_rsa_authentication ? {
|
||||
'' => 'no',
|
||||
default => $sshd_rsa_authentication
|
||||
case $sshd_pubkey_authentication {
|
||||
'': { $sshd_pubkey_authentication = 'yes' }
|
||||
}
|
||||
$real_sshd_strict_modes = $sshd_strict_modes ? {
|
||||
'' => 'yes',
|
||||
default => $sshd_strict_modes
|
||||
case $sshd_rsa_authentication {
|
||||
'': { $sshd_rsa_authentication = 'no' }
|
||||
}
|
||||
$real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
|
||||
'' => 'yes',
|
||||
default => $sshd_ignore_rhosts
|
||||
case $sshd_strict_modes {
|
||||
'': { $sshd_strict_modes = 'yes' }
|
||||
}
|
||||
$real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
|
||||
'' => 'no',
|
||||
default => $sshd_rhosts_rsa_authentication
|
||||
case $sshd_ignore_rhosts {
|
||||
'': { $sshd_ignore_rhosts = 'yes' }
|
||||
}
|
||||
$real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
|
||||
'' => 'no',
|
||||
default => $sshd_hostbased_authentication
|
||||
case $sshd_rhosts_rsa_authentication {
|
||||
'': { $sshd_rhosts_rsa_authentication = 'no' }
|
||||
}
|
||||
$real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
|
||||
'' => 'no',
|
||||
default => $sshd_permit_empty_passwords
|
||||
case $sshd_hostbased_authentication {
|
||||
'': { $sshd_hostbased_authentication = 'no' }
|
||||
}
|
||||
$real_sshd_port = $sshd_port ? {
|
||||
'' => 22,
|
||||
default => $sshd_port
|
||||
case $sshd_permit_empty_passwords {
|
||||
'': { $sshd_permit_empty_passwords = 'no' }
|
||||
}
|
||||
$real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? {
|
||||
'' => "%h/.ssh/authorized_keys",
|
||||
default => $sshd_authorized_keys_file
|
||||
case $sshd_port {
|
||||
'': { $sshd_port = 22 }
|
||||
}
|
||||
case $sshd_authorized_keys_file {
|
||||
'': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
|
||||
}
|
||||
case $sshd_sftp_subsystem {
|
||||
'': { $sshd_sftp_subsystem = '' }
|
||||
}
|
||||
case $sshd_additional_options {
|
||||
'': { $sshd_additional_options = '' }
|
||||
}
|
||||
|
||||
file { 'sshd_config':
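Review bot: `$sshd_permit_root_login` is only defaulted when empty (`'': { $sshd_permit_root_login = 'without-password' }`) and is otherwise copied into every template verbatim, so a typo or a stray `yes` reaches `PermitRootLogin` unchecked; the same holds for `$sshd_sftp_subsystem` and `$sshd_additional_options`, which the templates emit as-is. The yes/no options need no guard because the templates render anything other than `yes` as `no`, so the root-login value is the one worth restricting to a closed list with `fail()`. The `'': { $sshd_allowed_users = '' }` style cases (also for `sshd_allowed_groups`, `sshd_sftp_subsystem`, `sshd_additional_options`) change nothing but presumably exist so the variable is defined in class scope before the templates call `.to_s` on it; a comment such as `# no-op default: define the variable in this scope for the templates` would keep a later cleanup from deleting them. `class sshd::base` continues outside the hunk (the `file { 'sshd_config':` resource begins on its last line).
```puppet
case $sshd_permit_root_login {
  '': { $sshd_permit_root_login = 'without-password' }
  'yes','no','without-password','forced-commands-only': {}
  default: { fail("sshd_permit_root_login: unsupported value '${sshd_permit_root_login}'") }
}
# … unchanged: remaining case defaults and the sshd_config file resource …
```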
@ -10,14 +10,14 @@
|
|||
# possible, but leave them commented. Uncommented options change a
|
||||
# default value.
|
||||
|
||||
<%- unless real_sshd_port.to_s.empty? then %>
|
||||
Port <%= real_sshd_port %>
|
||||
<%- unless sshd_port.to_s.empty? then %>
|
||||
Port <%= sshd_port %>
|
||||
<%- else %>
|
||||
Port 22
|
||||
<%- end %>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in real_sshd_listen_address -%>
|
||||
<% for address in sshd_listen_address -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
#AddressFamily any
|
||||
|
@ -42,13 +42,13 @@ SyslogFacility AUTHPRIV
|
|||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
<%- unless real_sshd_permit_root_login.to_s.empty? then %>
|
||||
PermitRootLogin <%= real_sshd_permit_root_login %>
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then %>
|
||||
PermitRootLogin <%= sshd_permit_root_login %>
|
||||
<%- else %>
|
||||
PermitRootLogin without-password
|
||||
<%- end %>
|
||||
|
||||
<%- if real_sshd_strict_modes.to_s == 'yes' then %>
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then %>
|
||||
StrictModes yes
|
||||
<%- else %>
|
||||
StrictModes no
|
||||
|
@ -56,33 +56,33 @@ StrictModes no
|
|||
|
||||
#MaxAuthTries 6
|
||||
|
||||
<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then %>
|
||||
RSAAuthentication yes
|
||||
<%- else %>
|
||||
RSAAuthentication no
|
||||
<%- end %>
|
||||
|
||||
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
PubkeyAuthentication yes
|
||||
<%- else %>
|
||||
PubkeyAuthentication no
|
||||
<%- end %>
|
||||
|
||||
<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
|
||||
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then %>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else %>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end %>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else %>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
HostbasedAuthentication yes
|
||||
<%- else %>
|
||||
HostbasedAuthentication no
|
||||
|
@ -93,28 +93,28 @@ HostbasedAuthentication no
|
|||
#IgnoreUserKnownHosts no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||
IgnoreRhosts yes
|
||||
<%- else %>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then %>
|
||||
PasswordAuthentication yes
|
||||
<%- else %>
|
||||
PasswordAuthentication no
|
||||
<%- end %>
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else %>
|
||||
ChallengeResponseAuthentication no
|
||||
|
@ -141,7 +141,7 @@ GSSAPICleanupCredentials yes
|
|||
# session checks to run without PAM authentication, then enable this but set
|
||||
# ChallengeResponseAuthentication=no
|
||||
#UsePAM no
|
||||
<%- if real_sshd_use_pam.to_s == 'yes' then %>
|
||||
<%- if sshd_use_pam.to_s == 'yes' then %>
|
||||
UsePAM yes
|
||||
<%- else %>
|
||||
UsePAM no
|
||||
|
@ -152,7 +152,7 @@ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
AcceptEnv LC_IDENTIFICATION LC_ALL
|
||||
|
||||
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||
AllowTcpForwarding yes
|
||||
<%- else %>
|
||||
AllowTcpForwarding no
|
||||
|
@ -160,7 +160,7 @@ AllowTcpForwarding no
|
|||
|
||||
#GatewayPorts no
|
||||
#X11Forwarding no
|
||||
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then %>
|
||||
X11Forwarding yes
|
||||
<%- else %>
|
||||
X11Forwarding no
|
||||
|
@ -186,7 +186,21 @@ X11Forwarding no
|
|||
#Banner /some/path
|
||||
|
||||
# override default of no subsystems
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/libexec/openssh/sftp-server
|
||||
<%- unless real_sshd_allowed_users.to_s.empty? then %>
|
||||
AllowUsers <%= real_sshd_allowed_users %>
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
|
||||
<%- unless sshd_allowed_users.to_s.empty? then %>
|
||||
AllowUsers <%= sshd_allowed_users %>
|
||||
<%- end %>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
|
||||
<%- unless sshd_additional_options.to_s.empty? then %>
|
||||
<%= sshd_additional_options %>
|
||||
<%- end %>
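Review bot: The closing `<%= sshd_additional_options %>` stanza is written verbatim and the option is documented as the place for `Match` blocks; since sshd applies every directive that follows a `Match` line only to matching connections, anything a later edit appends below this stanza would silently be scoped away, which is why `AllowUsers`/`AllowGroups` correctly sit above it. The template should say so where the stanza lands, e.g. `# Keep this last: a Match block in sshd_additional_options scopes every directive below it`. The same trailing stanza is added to the three following template sections and wants the same comment there.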
@ -2,14 +2,14 @@
|
|||
# See the sshd(8) manpage for details
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
<%- unless real_sshd_port.to_s.empty? then -%>
|
||||
Port <%= real_sshd_port -%>
|
||||
<%- unless sshd_port.to_s.empty? then -%>
|
||||
Port <%= sshd_port -%>
|
||||
<%- else -%>
|
||||
Port 22
|
||||
<%- end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in real_sshd_listen_address -%>
|
||||
<% for address in sshd_listen_address -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
Protocol 2
|
||||
|
@ -33,52 +33,52 @@ LogLevel INFO
|
|||
|
||||
# Authentication:
|
||||
LoginGraceTime 600
|
||||
<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= real_sshd_permit_root_login -%>
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= sshd_permit_root_login -%>
|
||||
<%- else -%>
|
||||
PermitRootLogin without-password
|
||||
<%- end -%>
|
||||
|
||||
<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then -%>
|
||||
StrictModes yes
|
||||
<%- else -%>
|
||||
StrictModes no
|
||||
<%- end -%>
|
||||
|
||||
<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
RSAAuthentication yes
|
||||
<%- else -%>
|
||||
RSAAuthentication no
|
||||
<%- end -%>
|
||||
|
||||
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
PubkeyAuthentication yes
|
||||
<%- else -%>
|
||||
PubkeyAuthentication no
|
||||
<%- end -%>
|
||||
|
||||
<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else -%>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end -%>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else -%>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
|
||||
IgnoreRhosts yes
|
||||
<%- else -%>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
HostbasedAuthentication yes
|
||||
<%- else -%>
|
||||
HostbasedAuthentication no
|
||||
|
@ -88,21 +88,21 @@ HostbasedAuthentication no
|
|||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else -%>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end -%>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then -%>
|
||||
PasswordAuthentication yes
|
||||
<%- else -%>
|
||||
PasswordAuthentication no
|
||||
|
@ -117,7 +117,7 @@ PasswordAuthentication no
|
|||
# Kerberos TGT Passing does only work with the AFS kaserver
|
||||
#KerberosTgtPassing yes
|
||||
|
||||
<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
X11Forwarding yes
|
||||
<%- else -%>
|
||||
X11Forwarding no
|
||||
|
@ -130,7 +130,11 @@ KeepAlive yes
|
|||
#Banner /etc/issue.net
|
||||
#ReverseMappingCheck yes
|
||||
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
#Subsystem sftp /usr/lib/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
|
@ -141,7 +145,7 @@ KeepAlive yes
|
|||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
<%- if real_sshd_use_pam.to_s == 'yes' then -%>
|
||||
<%- if sshd_use_pam.to_s == 'yes' then -%>
|
||||
UsePAM yes
|
||||
<%- else -%>
|
||||
UsePAM no
|
||||
|
@ -149,7 +153,7 @@ UsePAM no
|
|||
|
||||
HostbasedUsesNameFromPacketOnly yes
|
||||
|
||||
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
AllowTcpForwarding yes
|
||||
<%- else -%>
|
||||
AllowTcpForwarding no
|
||||
|
@ -157,7 +161,16 @@ AllowTcpForwarding no
|
|||
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
<%- unless real_sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= real_sshd_allowed_users -%>
|
||||
<%- unless sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= sshd_allowed_users -%>
|
||||
<%- end -%>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
|
||||
<%- unless sshd_additional_options.to_s.empty? then %>
|
||||
<%= sshd_additional_options %>
|
||||
<%- end %>
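Review bot: When `sshd_sftp_subsystem` is empty this template writes `#Subsystem sftp /usr/lib/sftp-server` commented out (hunk starting at `#Banner /etc/issue.net`), whereas the previous template section writes an active `Subsystem sftp /usr/libexec/openssh/sftp-server`, so on this platform sftp stays disabled unless the new option is set. That may be deliberate for this distribution, but nothing in the template records it; if it is intended, a comment such as `# sftp is off by default here; set sshd_sftp_subsystem to enable it` next to the branch would stop it being "fixed" later, and if it is not, the path should be uncommented to match the other templates. The next file section carries the identical commented-out branch.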
@ -2,14 +2,14 @@
|
|||
# See the sshd(8) manpage for details
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
<%- unless real_sshd_port.to_s.empty? then -%>
|
||||
Port <%= real_sshd_port -%>
|
||||
<%- unless sshd_port.to_s.empty? then -%>
|
||||
Port <%= sshd_port -%>
|
||||
<%- else -%>
|
||||
Port 22
|
||||
<%- end -%>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in real_sshd_listen_address -%>
|
||||
<% for address in sshd_listen_address -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
Protocol 2
|
||||
|
@ -33,52 +33,52 @@ LogLevel INFO
|
|||
|
||||
# Authentication:
|
||||
LoginGraceTime 600
|
||||
<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= real_sshd_permit_root_login -%>
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then -%>
|
||||
PermitRootLogin <%= sshd_permit_root_login -%>
|
||||
<%- else -%>
|
||||
PermitRootLogin without-password
|
||||
<%- end -%>
|
||||
|
||||
<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then -%>
|
||||
StrictModes yes
|
||||
<%- else -%>
|
||||
StrictModes no
|
||||
<%- end -%>
|
||||
|
||||
<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
|
||||
RSAAuthentication yes
|
||||
<%- else -%>
|
||||
RSAAuthentication no
|
||||
<%- end -%>
|
||||
|
||||
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
|
||||
PubkeyAuthentication yes
|
||||
<%- else -%>
|
||||
PubkeyAuthentication no
|
||||
<%- end -%>
|
||||
|
||||
<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else -%>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end -%>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else -%>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
|
||||
IgnoreRhosts yes
|
||||
<%- else -%>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
|
||||
HostbasedAuthentication yes
|
||||
<%- else -%>
|
||||
HostbasedAuthentication no
|
||||
|
@ -88,21 +88,21 @@ HostbasedAuthentication no
|
|||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else -%>
|
||||
ChallengeResponseAuthentication no
|
||||
<%- end -%>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then -%>
|
||||
PasswordAuthentication yes
|
||||
<%- else -%>
|
||||
PasswordAuthentication no
|
||||
|
@ -117,7 +117,7 @@ PasswordAuthentication no
|
|||
# Kerberos TGT Passing does only work with the AFS kaserver
|
||||
#KerberosTgtPassing yes
|
||||
|
||||
<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
|
||||
X11Forwarding yes
|
||||
<%- else -%>
|
||||
X11Forwarding no
|
||||
|
@ -130,7 +130,11 @@ KeepAlive yes
|
|||
#Banner /etc/issue.net
|
||||
#ReverseMappingCheck yes
|
||||
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
#Subsystem sftp /usr/lib/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
|
@ -141,7 +145,7 @@ KeepAlive yes
|
|||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
<%- if real_sshd_use_pam.to_s == 'yes' then -%>
|
||||
<%- if sshd_use_pam.to_s == 'yes' then -%>
|
||||
UsePAM yes
|
||||
<%- else -%>
|
||||
UsePAM no
|
||||
|
@ -149,13 +153,13 @@ UsePAM no
|
|||
|
||||
HostbasedUsesNameFromPacketOnly yes
|
||||
|
||||
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
|
||||
AllowTcpForwarding yes
|
||||
<%- else -%>
|
||||
AllowTcpForwarding no
|
||||
<%- end -%>
|
||||
|
||||
<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%>
|
||||
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
|
||||
AllowAgentForwarding yes
|
||||
<%- else -%>
|
||||
AllowAgentForwarding no
|
||||
|
@ -163,7 +167,15 @@ AllowAgentForwarding no
|
|||
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
<%- unless real_sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= real_sshd_allowed_users -%>
|
||||
<%- unless sshd_allowed_users.to_s.empty? then -%>
|
||||
AllowUsers <%= sshd_allowed_users -%>
|
||||
<%- end -%>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
|
||||
<%- unless sshd_additional_options.to_s.empty? then %>
|
||||
<%= sshd_additional_options %>
|
||||
<%- end %>
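Review bot: The `AllowAgentForwarding` block rendered from `sshd_agent_forwarding` appears only in this template, while the manifest defaults the variable for every platform; none of the other template hunks in this commit emit the directive, so on those platforms the option is accepted and silently ignored unless they set it somewhere outside the hunks shown. Either add the same `AllowAgentForwarding` stanza to the other templates or record the limitation in the manifest's option comment, e.g. `# Note: only the <platform> template currently emits AllowAgentForwarding`. Rendering `no` for any value other than exactly `yes` is the right fail-closed default.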
@ -10,14 +10,14 @@
|
|||
# possible, but leave them commented. Uncommented options change a
|
||||
# default value.
|
||||
|
||||
<%- unless real_sshd_port.to_s.empty? then %>
|
||||
Port <%= real_sshd_port %>
|
||||
<%- unless sshd_port.to_s.empty? then %>
|
||||
Port <%= sshd_port %>
|
||||
<%- else %>
|
||||
Port 22
|
||||
<%- end %>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in real_sshd_listen_address -%>
|
||||
<% for address in sshd_listen_address -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
#AddressFamily any
|
||||
|
@ -47,46 +47,46 @@ Protocol 2
|
|||
#LoginGraceTime 2m
|
||||
PermitRootLogin without-password
|
||||
|
||||
<%- if real_sshd_strict_modes.to_s == 'yes' then %>
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then %>
|
||||
StrictModes yes
|
||||
<%- else %>
|
||||
StrictModes no
|
||||
<%- end %>
|
||||
|
||||
<%- unless real_sshd_permit_root_login.to_s.empty? then %>
|
||||
PermitRootLogin <%= real_sshd_permit_root_login %>
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then %>
|
||||
PermitRootLogin <%= sshd_permit_root_login %>
|
||||
<%- else %>
|
||||
PermitRootLogin without-password
|
||||
<%- end %>
|
||||
#MaxAuthTries 6
|
||||
|
||||
<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then %>
|
||||
RSAAuthentication yes
|
||||
<%- else %>
|
||||
RSAAuthentication no
|
||||
<%- end %>
|
||||
|
||||
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
PubkeyAuthentication yes
|
||||
<%- else %>
|
||||
PubkeyAuthentication no
|
||||
<%- end %>
|
||||
|
||||
<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
|
||||
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then %>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else %>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end %>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else %>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
HostbasedAuthentication yes
|
||||
<%- else %>
|
||||
HostbasedAuthentication no
|
||||
|
@ -97,28 +97,28 @@ HostbasedAuthentication no
|
|||
#IgnoreUserKnownHosts no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||
IgnoreRhosts yes
|
||||
<%- else %>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then %>
|
||||
PasswordAuthentication yes
|
||||
<%- else %>
|
||||
PasswordAuthentication no
|
||||
<%- end %>
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else %>
|
||||
ChallengeResponseAuthentication no
|
||||
|
@ -145,20 +145,20 @@ ChallengeResponseAuthentication no
|
|||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
<%- if real_sshd_use_pam.to_s == 'yes' then %>
|
||||
<%- if sshd_use_pam.to_s == 'yes' then %>
|
||||
UsePAM yes
|
||||
<%- else %>
|
||||
UsePAM no
|
||||
<%- end %>
|
||||
|
||||
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||
AllowTcpForwarding yes
|
||||
<%- else %>
|
||||
AllowTcpForwarding no
|
||||
<%- end %>
|
||||
|
||||
#GatewayPorts no
|
||||
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then %>
|
||||
X11Forwarding yes
|
||||
<%- else %>
|
||||
X11Forwarding no
|
||||
|
@ -183,7 +183,11 @@ X11Forwarding no
|
|||
#Banner /some/path
|
||||
|
||||
# override default of no subsystems
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/lib/misc/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
|
@ -191,6 +195,16 @@ Subsystem sftp /usr/lib/misc/sftp-server
|
|||
# AllowTcpForwarding no
|
||||
# ForceCommand cvs server
|
||||
|
||||
<%- unless real_sshd_allowed_users.to_s.empty? then %>
|
||||
AllowUsers <%= real_sshd_allowed_users %>
|
||||
<%- unless sshd_allowed_users.to_s.empty? then %>
|
||||
AllowUsers <%= sshd_allowed_users %>
|
||||
<%- end %>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
|
||||
<%- unless sshd_additional_options.to_s.empty? then %>
|
||||
<%= sshd_additional_options %>
|
||||
<%- end %>
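Review bot: In this template `PermitRootLogin without-password` is still hard-coded right after the `#LoginGraceTime 2m` context line, a few lines above the renamed `<%- unless sshd_permit_root_login.to_s.empty? then %>` block; sshd uses the first value it reads for a keyword, so `$sshd_permit_root_login` has no effect on this platform and an operator who sets it to `no` still gets `without-password`. The fixed line predates this commit, but the rename keeps the templated block dead; delete the hard-coded `PermitRootLogin without-password` line so the templated one is the only occurrence.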
@ -8,14 +8,14 @@
|
|||
# possible, but leave them commented. Uncommented options change a
|
||||
# default value.
|
||||
|
||||
<%- unless real_sshd_port.to_s.empty? then %>
|
||||
Port <%= real_sshd_port %>
|
||||
<%- unless sshd_port.to_s.empty? then %>
|
||||
Port <%= sshd_port %>
|
||||
<%- else %>
|
||||
Port 22
|
||||
<%- end %>
|
||||
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
<% for address in real_sshd_listen_address -%>
|
||||
<% for address in sshd_listen_address -%>
|
||||
ListenAddress <%= address %>
|
||||
<% end -%>
|
||||
#Protocol 2,1
|
||||
|
@ -39,13 +39,13 @@ ListenAddress <%= address %>
|
|||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
<%- unless real_sshd_permit_root_login.to_s.empty? then %>
|
||||
PermitRootLogin <%= real_sshd_permit_root_login %>
|
||||
<%- unless sshd_permit_root_login.to_s.empty? then %>
|
||||
PermitRootLogin <%= sshd_permit_root_login %>
|
||||
<%- else %>
|
||||
PermitRootLogin without-password
|
||||
<%- end %>
|
||||
|
||||
<%- if real_sshd_strict_modes.to_s == 'yes' then %>
|
||||
<%- if sshd_strict_modes.to_s == 'yes' then %>
|
||||
StrictModes yes
|
||||
<%- else %>
|
||||
StrictModes no
|
||||
|
@ -53,33 +53,33 @@ StrictModes no
|
|||
|
||||
#MaxAuthTries 6
|
||||
|
||||
<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_rsa_authentication.to_s == 'yes' then %>
|
||||
RSAAuthentication yes
|
||||
<%- else %>
|
||||
RSAAuthentication no
|
||||
<%- end %>
|
||||
|
||||
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
PubkeyAuthentication yes
|
||||
<%- else %>
|
||||
PubkeyAuthentication no
|
||||
<%- end %>
|
||||
|
||||
<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
|
||||
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
|
||||
<%- unless sshd_authorized_keys_file.to_s.empty? then %>
|
||||
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
|
||||
<%- else %>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<%- end %>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||
RhostsRSAAuthentication yes
|
||||
<%- else %>
|
||||
RhostsRSAAuthentication no
|
||||
<% end -%>
|
||||
|
||||
# similar for protocol version 2
|
||||
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||
HostbasedAuthentication yes
|
||||
<%- else %>
|
||||
HostbasedAuthentication no
|
||||
|
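Review bot: With the empty-value fallbacks in this hunk, an unset `sshd_pubkey_authentication` renders `PubkeyAuthentication no`, and the later hunk renders `PasswordAuthentication no` for an unset `sshd_password_authentication`; if neither variable is given a default in the manifest (not visible here) the rendered config disables both methods and locks every user out. A short comment above the PubkeyAuthentication block stating that an empty value disables the method would make that explicit, e.g. `# empty/unset renders "no" — set at least one authentication method to "yes"`. As a point of style, the RhostsRSAAuthentication block closes with `<% end -%>` while every other block here uses `<%- end %>`; the two trim whitespace differently, so the rendered file gets uneven blank lines.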
@ -90,28 +90,28 @@ HostbasedAuthentication no
|
|||
#IgnoreUserKnownHosts no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||
<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||
IgnoreRhosts yes
|
||||
<%- else %>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_password_authentication.to_s == 'yes' then %>
|
||||
PasswordAuthentication yes
|
||||
<%- else %>
|
||||
PasswordAuthentication no
|
||||
<%- end %>
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||
<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||
PermitEmptyPasswords yes
|
||||
<% else -%>
|
||||
PermitEmptyPasswords no
|
||||
<% end -%>
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||
<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||
ChallengeResponseAuthentication yes
|
||||
<%- else %>
|
||||
ChallengeResponseAuthentication no
|
||||
|
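Review bot: The PermitEmptyPasswords block mixes `<% else -%>` and `<% end -%>` with the `<%- … %>` form used by its neighbours; since `-%>` strips the trailing newline and `<%-` strips leading whitespace, the rendered sshd_config gets inconsistent blank lines around this option. Using `<%- else %>` and `<%- end %>` here, as in the PasswordAuthentication block just above, keeps the output uniform. The IgnoreRhosts empty-value fallback was raised on the `@ -39,13 +39,13 @@` hunk.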
@ -127,14 +127,14 @@ ChallengeResponseAuthentication no
|
|||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
||||
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||
<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||
AllowTcpForwarding yes
|
||||
<%- else %>
|
||||
AllowTcpForwarding no
|
||||
<%- end %>
|
||||
|
||||
#GatewayPorts no
|
||||
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
|
||||
<%- if sshd_x11_forwarding.to_s == 'yes' then %>
|
||||
X11Forwarding yes
|
||||
<%- else %>
|
||||
X11Forwarding no
|
||||
|
@ -159,10 +159,17 @@ X11Forwarding no
|
|||
#Banner /some/path
|
||||
|
||||
# override default of no subsystems
|
||||
<%- if sshd_sftp_subsystem.to_s.empty? then %>
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
<%- else %>
|
||||
Subsystem sftp <%= sshd_sftp_subsystem %>
|
||||
<%- end %>
|
||||
|
||||
<%- unless real_sshd_allowed_users.to_s.empty? then %>
|
||||
AllowUsers <%= real_sshd_allowed_users %>
|
||||
<%- unless sshd_allowed_users.to_s.empty? then %>
|
||||
AllowUsers <%= sshd_allowed_users %>
|
||||
<%- end %>
|
||||
<%- unless sshd_allowed_groups.to_s.empty? then %>
|
||||
AllowGroups <%= sshd_allowed_groups %>
|
||||
<%- end %>
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
|
@ -170,3 +177,7 @@ AllowUsers <%= real_sshd_allowed_users %>
|
|||
# X11Forwarding no
|
||||
# AllowTcpForwarding no
|
||||
# ForceCommand cvs server
|
||||
|
||||
<%- unless sshd_additional_options.to_s.empty? then %>
|
||||
<%= sshd_additional_options %>
|
||||
<%- end %>
|
||||
|
|