From 7224e085a3c362de66364748ea3117e16f03fbcb Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Wed, 19 Jan 2011 16:41:18 -0500 Subject: [PATCH 01/12] Fix inclusion for default os When the os of a client is not one of those that use a specialized class, (e.g. FreeBSD) the inclusion is currently broken: it tries to include sshd::default which does not exist. Change this to include sshd::base instead. Signed-off-by: Gabriel Filion --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 90b7c64..f37a051 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -251,7 +251,7 @@ class sshd { '': { $sshd_ensure_version = "present" } } - include sshd::client + include sshd::client case $operatingsystem { gentoo: { include sshd::gentoo } @@ -259,7 +259,7 @@ class sshd { centos: { include sshd::centos } openbsd: { include sshd::openbsd } debian,ubuntu: { include sshd::debian } - default: { include sshd::default } + default: { include sshd::base } } if $use_nagios { From 35768ed1e839ffa4c23d7a9ce06e8b34cec0228f Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Wed, 19 Jan 2011 17:13:39 -0500 Subject: [PATCH 02/12] Add an sshd_config template for FreeBSD Since there is no "catch-all" default configuration file for sshd, we need to add for each OS. Add a template for FreeBSD so that sshd can be configured on this OS. Signed-off-by: Gabriel Filion --- templates/sshd_config/FreeBSD.erb | 220 ++++++++++++++++++++++++++++++ 1 file changed, 220 insertions(+) create mode 100644 templates/sshd_config/FreeBSD.erb diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb new file mode 100644 index 0000000..1d3de07 --- /dev/null +++ b/templates/sshd_config/FreeBSD.erb @@ -0,0 +1,220 @@ +# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $ +# $FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.2.2.1 2010/06/14 02:09:06 kensmith Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +# Note that some of FreeBSD's defaults differ from OpenBSD's, and +# FreeBSD has a few additional options. + +#VersionAddendum FreeBSD-20100308 + +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + +#AddressFamily any +<% for address in sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> + +# The default requires explicit activation of protocol 1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: + +LoginGraceTime 600 +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +#MaxAuthTries 6 +#MaxSessions 10 + +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# similar for protocol version 2 +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# Change to yes to enable built-in password authentication. +<%- if sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable PAM authentication +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'no' to disable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +#GatewayPorts no +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> + +X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# override default of no subsystems +<%- if sshd_sftp_subsystem.to_s.empty? then %> +Subsystem sftp /usr/libexec/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server + +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> +<%- end -%> + +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> + From 5bb61c2761210cff97b95c315fcc93c9c87e1c71 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Wed, 19 Jan 2011 20:45:59 -0500 Subject: [PATCH 03/12] Fix ssh_authorized_key When one uses the $name to define the user that should receive an SSH key, setting $user to a negative value, ssh_authorized_key currently creates the authorized_keys file under /home/.ssh/authorized_keys Fix this by changing ${user} to ${real_user} in the key's path. Signed-off-by: Gabriel Filion --- manifests/ssh_authorized_key.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index bf188d8..575b654 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -22,7 +22,7 @@ define sshd::ssh_authorized_key( undef,'': { case $real_user { 'root': { $real_target = '/root/.ssh/authorized_keys' } - default: { $real_target = "/home/${user}/.ssh/authorized_keys" } + default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" } } } default: { From 5dd814871a25ee2ba3ecb4e4a880c368212631b9 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Thu, 20 Jan 2011 02:25:32 -0500 Subject: [PATCH 04/12] ssh_authorized_key: use $name for user by default Currently ssh_authorized_key has some logic about $user being false or '', but it sets its value to default to 'root'. So, in order to use the name as the user's name, one has to clear the user parameter, which is totally redundant. Since it is sometimes useful to publish multiple keys for a user, the $user parameter is useful. To make using ssh_authorized_key for one-key normal users simpler, make $user default to being empty (which will use $name as the user name). 'root' can always be specified either via the name or by the $user paramter. Signed-off-by: Gabriel Filion --- manifests/ssh_authorized_key.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index 575b654..40649b0 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -3,7 +3,7 @@ define sshd::ssh_authorized_key( $ensure = 'present', $type = 'ssh-dss', $key = 'absent', - $user = 'root', + $user = '', $target = undef, $options = 'absent' ){ From 3662c5a2a5db912109f82970691f762df285ac92 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Sun, 30 Jan 2011 21:24:00 -0500 Subject: [PATCH 05/12] Finish fixing ChallengeResponseAuthentication This value was hardcoded in both the Debian lenny and etch templates. The lenny template was fixed with commit 167cf532711ac88 but the etch template was left out. Fix the etch template so that the ChallengeResponseAuthentication instruction is not overridden. Signed-off-by: Gabriel Filion --- templates/sshd_config/Debian_etch.erb | 2 -- 1 file changed, 2 deletions(-) diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 746a447..a9a9f59 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -167,8 +167,6 @@ AllowTcpForwarding yes AllowTcpForwarding no <%- end -%> -ChallengeResponseAuthentication no - <%- unless sshd_allowed_users.to_s.empty? then -%> AllowUsers <%= sshd_allowed_users -%> <%- end -%> From abb8566742f1a78d7b588adf3f31f5759aa2cadd Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Sun, 30 Jan 2011 21:28:36 -0500 Subject: [PATCH 06/12] Add sshd_config template for Debian sid Debian's unstable branch currently has no template for sshd_config, and thus cannot use the sshd class. Add a template for Debian sid. Signed-off-by: Gabriel Filion --- templates/sshd_config/Debian_sid.erb | 186 +++++++++++++++++++++++++++ 1 file changed, 186 insertions(+) create mode 100644 templates/sshd_config/Debian_sid.erb diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb new file mode 100644 index 0000000..13895b7 --- /dev/null +++ b/templates/sshd_config/Debian_sid.erb @@ -0,0 +1,186 @@ +# Package generated configuration file +# See the sshd_config(5) manpage for details + +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + +# What ports, IPs and protocols we listen for +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> +# similar for protocol version 2 +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# Change to no to disable tunnelled clear text passwords +<%- if sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# Kerberos options +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +<%- if sshd_sftp_subsystem.to_s.empty? then %> +Subsystem sftp /usr/lib/openssh/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +#HostbasedUsesNameFromPacketOnly yes + +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> + From 5654d69add11c3eb15fc061949af2e406cf5b500 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Mon, 27 Dec 2010 18:24:43 -0500 Subject: [PATCH 07/12] Enable support for Ubuntu The sshd class currently has a mechanism to make resources for Ubuntu similar to the ones for Debian, but the sshd::client class doesn't. Also, There are no templates for sshd_config on Ubuntu so provide for them. Since Ubuntu releases almost all use ssh versions that are as recent as the Debian squeeze one, and the default sshd_config file is usually the same as on Debian, add a default (Ubuntu.erb) template so that it fits all Ubuntu releases. Signed-off-by: Gabriel Filion --- manifests/client.pp | 2 +- templates/sshd_config/Ubuntu.erb | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 120000 templates/sshd_config/Ubuntu.erb diff --git a/manifests/client.pp b/manifests/client.pp index b650244..31785e9 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -2,7 +2,7 @@ class sshd::client { case $operatingsystem { - debian: { include sshd::client::debian } + debian,ubuntu: { include sshd::client::debian } default: { case $kernel { linux: { include sshd::client::linux } diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb new file mode 120000 index 0000000..11b0acc --- /dev/null +++ b/templates/sshd_config/Ubuntu.erb @@ -0,0 +1 @@ +Debian_squeeze.erb \ No newline at end of file From c99ff17b1fc6769cc1323a7857a1234dc408dc9b Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 21 Feb 2011 18:29:25 +0100 Subject: [PATCH 08/12] Resync Debian sid template with the Squeeze's one. Currently, the only difference is LoginGraceTime, that defaults to 600 in sid. --- templates/sshd_config/Debian_sid.erb | 50 +++++++++++++++++++--------- 1 file changed, 34 insertions(+), 16 deletions(-) diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 13895b7..acb79e3 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -1,19 +1,19 @@ +# This file is managed by Puppet, all local modifications will be overwritten +# # Package generated configuration file -# See the sshd_config(5) manpage for details +# See the sshd(8) manpage for details <%- unless sshd_head_additional_options.to_s.empty? then %> <%= sshd_head_additional_options %> <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to @@ -85,7 +85,6 @@ HostbasedAuthentication yes <%- else -%> HostbasedAuthentication no <% end -%> - # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes @@ -104,7 +103,7 @@ ChallengeResponseAuthentication yes ChallengeResponseAuthentication no <%- end -%> -# Change to no to disable tunnelled clear text passwords +# To disable tunneled clear text passwords, change to no here! <%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes <%- else -%> @@ -112,14 +111,33 @@ PasswordAuthentication no <%- end -%> # Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes +<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> +KerberosAuthentication yes +<%- else -%> +KerberosAuthentication no +<%- end -%> +<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> +KerberosOrLocalPasswd yes +<%- else -%> +KerberosOrLocalPasswd no +<%- end -%> +<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> +KerberosTicketCleanup yes +<%- else -%> +KerberosTicketCleanup no +<%- end -%> # GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPIAuthentication yes +<%- else -%> +GSSAPIAuthentication no +<%- end -%> +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPICleanupCredentials yes +<%- else -%> +GSSAPICleanupCredentials yes +<%- end -%> <%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes @@ -130,6 +148,7 @@ X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes + #UseLogin no #MaxStartups 10:30:60 @@ -159,7 +178,7 @@ UsePAM yes UsePAM no <%- end -%> -#HostbasedUsesNameFromPacketOnly yes +HostbasedUsesNameFromPacketOnly yes <%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes @@ -183,4 +202,3 @@ AllowGroups <%= sshd_allowed_groups %> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - From ac240412cccef97e213526d21e2b69a2566258d4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 21 Feb 2011 12:45:49 -0500 Subject: [PATCH 09/12] remove HostbasedUsesNameFromPacketOnly yes from Debian sshd_config templates. This is not set in the Debian templates by default, and the default is actually no, not yes. If someone wishes to make a configuration variable they can, otherwise head/tail_additional options can be used --- templates/sshd_config/Debian_etch.erb | 2 -- templates/sshd_config/Debian_lenny.erb | 2 -- templates/sshd_config/Debian_sid.erb | 2 -- templates/sshd_config/Debian_squeeze.erb | 2 -- 4 files changed, 8 deletions(-) diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index e71316d..c90a5fe 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -157,8 +157,6 @@ UsePAM yes UsePAM no <%- end -%> -HostbasedUsesNameFromPacketOnly yes - <%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 4648a22..14e32bf 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -160,8 +160,6 @@ UsePAM yes UsePAM no <%- end -%> -HostbasedUsesNameFromPacketOnly yes - <%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index acb79e3..6dc9333 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -178,8 +178,6 @@ UsePAM yes UsePAM no <%- end -%> -HostbasedUsesNameFromPacketOnly yes - <%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 79fef15..cf50ddb 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -178,8 +178,6 @@ UsePAM yes UsePAM no <%- end -%> -HostbasedUsesNameFromPacketOnly yes - <%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> From 95bf6e032bda5c2799d44b5fb6aa6c46c109d0d8 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Mon, 21 Feb 2011 15:18:14 -0500 Subject: [PATCH 10/12] FreeBSD: Use variables for the Kerberos options Signed-off-by: Gabriel Filion --- templates/sshd_config/FreeBSD.erb | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 1d3de07..4e4329a 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -130,14 +130,33 @@ ChallengeResponseAuthentication no <%- end -%> # Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no +<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> +KerberosAuthentication yes +<%- else -%> +KerberosAuthentication no +<%- end -%> +<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> +KerberosOrLocalPasswd yes +<%- else -%> +KerberosOrLocalPasswd no +<%- end -%> +<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> +KerberosTicketCleanup yes +<%- else -%> +KerberosTicketCleanup no +<%- end -%> # GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPIAuthentication yes +<%- else -%> +GSSAPIAuthentication no +<%- end -%> +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPICleanupCredentials yes +<%- else -%> +GSSAPICleanupCredentials yes +<%- end -%> # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will From 34863e959fcd05dd325a658561f14580d49b6764 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sun, 6 Mar 2011 09:10:44 +0100 Subject: [PATCH 11/12] New opt-in support to only use strong SSL ciphers and MACs. The new configuration variable is $sshd_hardened_ssl. Settings were stolen from https://github.com/ioerror/duraconf.git. --- README | 4 ++++ manifests/init.pp | 3 +++ templates/sshd_config/CentOS.erb | 5 +++++ templates/sshd_config/Debian_etch.erb | 5 +++++ templates/sshd_config/Debian_lenny.erb | 5 +++++ templates/sshd_config/Debian_sid.erb | 5 +++++ templates/sshd_config/Debian_squeeze.erb | 5 +++++ templates/sshd_config/Gentoo.erb | 4 ++++ templates/sshd_config/OpenBSD.erb | 5 +++++ 9 files changed, 41 insertions(+) diff --git a/README b/README index fa4214d..9cf253f 100644 --- a/README +++ b/README @@ -170,6 +170,10 @@ The following is a list of the currently available variables: (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile %h/.ssh/authorized_keys + $sshd_hardened_ssl + Use only strong SSL ciphers and MAC. + Values: no or yes; Default: no. + $sshd_sftp_subsystem Set a different sftp-subystem than the default one. Might be interesting for sftponly usage. Default: empty -> no change of the default diff --git a/manifests/init.pp b/manifests/init.pp index 991fbba..cc5f10e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -77,6 +77,9 @@ class sshd { case $sshd_authorized_keys_file { '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } } + case $sshd_hardened_ssl { + '': { $sshd_hardened_ssl = 'no' } + } case $sshd_sftp_subsystem { '': { $sshd_sftp_subsystem = '' } } diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 544effe..859759a 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -204,6 +204,11 @@ AllowUsers <%= sshd_allowed_users %> AllowGroups <%= sshd_allowed_groups %> <%- end -%> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index c90a5fe..23559fc 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -172,6 +172,11 @@ AllowGroups <%= sshd_allowed_groups %> PrintMotd no +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 14e32bf..65befdc 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -181,6 +181,11 @@ AllowGroups <%= sshd_allowed_groups %> PrintMotd no +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 6dc9333..0213342 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index cf50ddb..dfebcc3 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 768d3f5..f9f5b23 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -208,6 +208,10 @@ AllowUsers <%= sshd_allowed_users %> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 51662d3..7a20cd9 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -184,6 +184,11 @@ AllowGroups <%= sshd_allowed_groups %> # AllowTcpForwarding no # ForceCommand cvs server +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> From 005baf59c5a73583507c7e73d7b56f9029ac978a Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 20 Jun 2011 20:21:16 +0200 Subject: [PATCH 12/12] Add sshd_config template for Debian Wheezy. Currently, this is a symlink to the Debian sid's one, which I've recently resync'd. Once Wheezy is frozen, we'll want to fork its own template. --- templates/sshd_config/Debian_wheezy.erb | 1 + 1 file changed, 1 insertion(+) create mode 120000 templates/sshd_config/Debian_wheezy.erb diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb new file mode 120000 index 0000000..3faae05 --- /dev/null +++ b/templates/sshd_config/Debian_wheezy.erb @@ -0,0 +1 @@ +Debian_sid.erb \ No newline at end of file