merged with riseup
git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2263 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
parent
e3ce449ff4
commit
9ce186f5c3
7 changed files with 666 additions and 150 deletions
@ -1,6 +1,7 @@
|
||||||
#
|
#
|
||||||
# ssh module
|
# ssh module
|
||||||
#
|
#
|
||||||
|
# Copyright 2008, micah@riseup.net
|
||||||
# Copyright 2008, admin(at)immerda.ch
|
# Copyright 2008, admin(at)immerda.ch
|
||||||
# Copyright 2008, Puzzle ITC GmbH
|
# Copyright 2008, Puzzle ITC GmbH
|
||||||
# Marcel Härry haerry+puppet(at)puzzle.ch
|
# Marcel Härry haerry+puppet(at)puzzle.ch
|
||||||
|
@ -16,10 +17,23 @@
|
||||||
#
|
#
|
||||||
# sshd-config:
|
# sshd-config:
|
||||||
#
|
#
|
||||||
# The configuration of the sshd is rather strict and
|
# The configuration of the sshd is rather strict and might not fit all
|
||||||
# might not fit all needs. However there are a bunch
|
# needs. However there are a bunch of variables, which you might
|
||||||
# of variables, which you might consider to configure.
|
# consider configuring.
|
||||||
# Checkout the following:
|
#
|
||||||
|
# To set any of the following, simply set them as variables in your manifests
|
||||||
|
# before the class is included, for example:
|
||||||
|
#
|
||||||
|
# $sshd_listen_address = ['10.0.0.1 192.168.0.1']
|
||||||
|
# $sshd_use_pam = yes
|
||||||
|
# include sshd::debian
|
||||||
|
#
|
||||||
|
# The following is a list of the currently available variables:
|
||||||
|
#
|
||||||
|
# sshd_listen_address: specify the addresses sshd should listen on
|
||||||
|
# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
|
||||||
|
# addresses, or leave it unset to listen on all
|
||||||
|
# Default: empty -> results in listening on 0.0.0.0
|
||||||
#
|
#
|
||||||
# sshd_allowed_users: list of usernames separated by spaces.
|
# sshd_allowed_users: list of usernames separated by spaces.
|
||||||
# set this for example to "foobar root"
|
# set this for example to "foobar root"
|
||||||
|
@ -39,10 +53,53 @@
|
||||||
# Valid values: yes or no
|
# Valid values: yes or no
|
||||||
# Default: no
|
# Default: no
|
||||||
#
|
#
|
||||||
|
# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
|
||||||
|
# When disabled, s/key passowords are disabled
|
||||||
|
# Valid values: yes or no
|
||||||
|
# Default: no
|
||||||
|
#
|
||||||
|
# sshd_tcp_forwarding: If you want to enable TcpForwarding
|
||||||
|
# Valid Values: yes or no
|
||||||
|
# Default: no
|
||||||
|
#
|
||||||
# sshd_x11_forwarding: If you want to enable x11 forwarding
|
# sshd_x11_forwarding: If you want to enable x11 forwarding
|
||||||
# Valid Values: yes or no
|
# Valid Values: yes or no
|
||||||
# Default: no
|
# Default: no
|
||||||
#
|
#
|
||||||
|
# sshd_agent_forwarding: If you want to allow ssh-agent forwarding
|
||||||
|
# Valid Values: yes or no
|
||||||
|
# Default: no
|
||||||
|
#
|
||||||
|
# sshd_pubkey_authentication: If you want to enable public key authentication
|
||||||
|
# Valid Values: yes or no
|
||||||
|
# Default: yes
|
||||||
|
#
|
||||||
|
# sshd_rsa_authentication: If you want to enable RSA Authentication
|
||||||
|
# Valid Values: yes or no
|
||||||
|
# Default: no
|
||||||
|
#
|
||||||
|
# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
|
||||||
|
# Valid Values: yes or no
|
||||||
|
# Default: no
|
||||||
|
#
|
||||||
|
# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
|
||||||
|
# Valid Values: yes or no
|
||||||
|
# Default: no
|
||||||
|
#
|
||||||
|
# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
|
||||||
|
# Valid Values: yes or no
|
||||||
|
# Default: yes
|
||||||
|
#
|
||||||
|
# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords
|
||||||
|
# Valid Values: yes or no
|
||||||
|
# Default: no
|
||||||
|
#
|
||||||
|
# sshd_port: If you want to specify a different port than the default 22
|
||||||
|
# Default: 22
|
||||||
|
#
|
||||||
|
# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
|
||||||
|
# Default: AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||||
|
#
|
||||||
|
|
||||||
class sshd {
|
class sshd {
|
||||||
include sshd::client
|
include sshd::client
|
||||||
|
@ -61,6 +118,10 @@ class sshd {
|
||||||
|
|
||||||
class sshd::base {
|
class sshd::base {
|
||||||
# prepare variables to use in templates
|
# prepare variables to use in templates
|
||||||
|
$real_sshd_listen_address = $sshd_listen_address ? {
|
||||||
|
'' => [ '0.0.0.0', '::' ],
|
||||||
|
default => $sshd_listen_address
|
||||||
|
}
|
||||||
$real_sshd_allowed_users = $sshd_allowed_users ? {
|
$real_sshd_allowed_users = $sshd_allowed_users ? {
|
||||||
'' => '',
|
'' => '',
|
||||||
default => $sshd_allowed_users
|
default => $sshd_allowed_users
|
||||||
|
@ -77,17 +138,68 @@ class sshd::base {
|
||||||
'' => 'no',
|
'' => 'no',
|
||||||
default => $sshd_password_authentication
|
default => $sshd_password_authentication
|
||||||
}
|
}
|
||||||
|
$real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
|
||||||
|
'' => 'no',
|
||||||
|
default => $sshd_tcp_forwarding
|
||||||
|
}
|
||||||
$real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
|
$real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
|
||||||
'' => 'no',
|
'' => 'no',
|
||||||
default => $sshd_x11_forwarding
|
default => $sshd_x11_forwarding
|
||||||
}
|
}
|
||||||
|
$real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
|
||||||
|
'' => 'no',
|
||||||
|
default => $sshd_agent_forwarding
|
||||||
|
}
|
||||||
|
$real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
|
||||||
|
'' => 'no',
|
||||||
|
default => $sshd_challenge_response_authentication
|
||||||
|
}
|
||||||
|
$real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
|
||||||
|
'' => 'yes',
|
||||||
|
default => $sshd_pubkey_authentication
|
||||||
|
}
|
||||||
|
$real_sshd_rsa_authentication = $sshd_rsa_authentication ? {
|
||||||
|
'' => 'no',
|
||||||
|
default => $sshd_rsa_authentication
|
||||||
|
}
|
||||||
|
$real_sshd_strict_modes = $sshd_strict_modes ? {
|
||||||
|
'' => 'yes',
|
||||||
|
default => $sshd_strict_modes
|
||||||
|
}
|
||||||
|
$real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
|
||||||
|
'' => 'yes',
|
||||||
|
default => $sshd_ignore_rhosts
|
||||||
|
}
|
||||||
|
$real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
|
||||||
|
'' => 'no',
|
||||||
|
default => $sshd_rhosts_rsa_authentication
|
||||||
|
}
|
||||||
|
$real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
|
||||||
|
'' => 'no',
|
||||||
|
default => $sshd_hostbased_authentication
|
||||||
|
}
|
||||||
|
$real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
|
||||||
|
'' => 'no',
|
||||||
|
default => $sshd_permit_empty_passwords
|
||||||
|
}
|
||||||
|
$real_sshd_port = $sshd_port ? {
|
||||||
|
'' => 22,
|
||||||
|
default => $sshd_port
|
||||||
|
}
|
||||||
|
$real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? {
|
||||||
|
'' => "%h/.ssh/authorized_keys",
|
||||||
|
default => $sshd_authorized_keys_file
|
||||||
|
}
|
||||||
|
|
||||||
file { 'sshd_config':
|
file { 'sshd_config':
|
||||||
path => '/etc/ssh/sshd_config',
|
path => '/etc/ssh/sshd_config',
|
||||||
owner => root,
|
owner => root,
|
||||||
group => 0,
|
group => 0,
|
||||||
mode => 600,
|
mode => 600,
|
||||||
content => template("sshd/sshd_config/${operatingsystem}_normal.erb"),
|
content => $lsbdistcodename ? {
|
||||||
|
'' => template("sshd/sshd_config/${operatingsystem}.erb"),
|
||||||
|
default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
|
||||||
|
},
|
||||||
notify => Service[sshd],
|
notify => Service[sshd],
|
||||||
}
|
}
|
||||||
# Now add the key, if we've got one
|
# Now add the key, if we've got one
|
||||||
|
@ -127,6 +239,10 @@ class sshd::gentoo inherits sshd::linux {
|
||||||
}
|
}
|
||||||
|
|
||||||
class sshd::debian inherits sshd::linux {
|
class sshd::debian inherits sshd::linux {
|
||||||
|
|
||||||
|
# the templates for Debian need lsbdistcodename
|
||||||
|
include assert_lsbdistcodename
|
||||||
|
|
||||||
Package[openssh]{
|
Package[openssh]{
|
||||||
name => 'openssh-server',
|
name => 'openssh-server',
|
||||||
}
|
}
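Review bot: `$real_sshd_ignore_rhosts` (the selector placed before `$real_sshd_rhosts_rsa_authentication` in sshd::base) is a new tunable, but the variable list in the header comment has no `sshd_ignore_rhosts` entry, so nobody reading the documented list will find it; add after the sshd_hostbased_authentication entry: `# sshd_ignore_rhosts: If you want sshd to ignore the user's ~/.rhosts and ~/.shosts files`, `# Valid Values: yes or no`, `# Default: yes`. The header example `$sshd_listen_address = ['10.0.0.1 192.168.0.1']` (repeated under the sshd_listen_address entry) packs two addresses into one array element, while the templates emit one `ListenAddress` directive per element, so this example renders a single `ListenAddress 10.0.0.1 192.168.0.1` line rather than the one-address-per-directive form sshd_config(5) describes — write it as `['10.0.0.1', '192.168.0.1']`. The new `'' => [ '0.0.0.0', '::' ]` default binds IPv6 as well, so the doc line `# Default: empty -> results in listening on 0.0.0.0` should mention `::` too.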
|
||||||
|
|
|
@ -10,13 +10,19 @@
|
||||||
# possible, but leave them commented. Uncommented options change a
|
# possible, but leave them commented. Uncommented options change a
|
||||||
# default value.
|
# default value.
|
||||||
|
|
||||||
#Port 22
|
<%- unless real_sshd_port.to_s.empty? then %>
|
||||||
|
Port <%= real_sshd_port %>
|
||||||
|
<%- else %>
|
||||||
|
Port 22
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
|
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||||
|
<% for address in real_sshd_listen_address -%>
|
||||||
|
ListenAddress <%= address %>
|
||||||
|
<% end -%>
|
||||||
|
#AddressFamily any
|
||||||
#Protocol 2,1
|
#Protocol 2,1
|
||||||
Protocol 2
|
Protocol 2
|
||||||
#AddressFamily any
|
|
||||||
#ListenAddress 0.0.0.0
|
|
||||||
#ListenAddress ::
|
|
||||||
|
|
||||||
# HostKey for protocol version 1
|
# HostKey for protocol version 1
|
||||||
#HostKey /etc/ssh/ssh_host_key
|
#HostKey /etc/ssh/ssh_host_key
|
||||||
# HostKeys for protocol version 2
|
# HostKeys for protocol version 2
|
||||||
|
@ -41,22 +47,57 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
|
||||||
<%- else %>
|
<%- else %>
|
||||||
PermitRootLogin without-password
|
PermitRootLogin without-password
|
||||||
<%- end %>
|
<%- end %>
|
||||||
#StrictModes yes
|
|
||||||
|
<%- if real_sshd_strict_modes.to_s == 'yes' then %>
|
||||||
|
StrictModes yes
|
||||||
|
<%- else %>
|
||||||
|
StrictModes no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
#MaxAuthTries 6
|
#MaxAuthTries 6
|
||||||
|
|
||||||
#RSAAuthentication yes
|
<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
|
||||||
#PubkeyAuthentication yes
|
RSAAuthentication yes
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys
|
<%- else %>
|
||||||
|
RSAAuthentication no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
|
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||||
|
PubkeyAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
PubkeyAuthentication no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
|
<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
|
||||||
|
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
|
||||||
|
<%- else %>
|
||||||
|
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
#RhostsRSAAuthentication no
|
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||||
|
RhostsRSAAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
RhostsRSAAuthentication no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# similar for protocol version 2
|
# similar for protocol version 2
|
||||||
#HostbasedAuthentication no
|
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||||
|
HostbasedAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
HostbasedAuthentication no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||||
#IgnoreUserKnownHosts no
|
#IgnoreUserKnownHosts no
|
||||||
|
|
||||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||||
#IgnoreRhosts yes
|
<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||||
|
IgnoreRhosts yes
|
||||||
|
<%- else %>
|
||||||
|
IgnoreRhosts no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
||||||
|
@ -64,11 +105,20 @@ PasswordAuthentication yes
|
||||||
<%- else %>
|
<%- else %>
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
||||||
<%- end %>
|
<%- end %>
|
||||||
#PermitEmptyPasswords no
|
|
||||||
|
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||||
|
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||||
|
PermitEmptyPasswords yes
|
||||||
|
<% else -%>
|
||||||
|
PermitEmptyPasswords no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
# Change to no to disable s/key passwords
|
||||||
#ChallengeResponseAuthentication yes
|
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||||
|
ChallengeResponseAuthentication yes
|
||||||
|
<%- else %>
|
||||||
ChallengeResponseAuthentication no
|
ChallengeResponseAuthentication no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
# Kerberos options
|
# Kerberos options
|
||||||
#KerberosAuthentication no
|
#KerberosAuthentication no
|
||||||
|
@ -101,7 +151,13 @@ UsePAM no
|
||||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
AcceptEnv LC_IDENTIFICATION LC_ALL
|
AcceptEnv LC_IDENTIFICATION LC_ALL
|
||||||
#AllowTcpForwarding yes
|
|
||||||
|
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||||
|
AllowTcpForwarding yes
|
||||||
|
<%- else %>
|
||||||
|
AllowTcpForwarding no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
#GatewayPorts no
|
#GatewayPorts no
|
||||||
#X11Forwarding no
|
#X11Forwarding no
|
||||||
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
|
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
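Review bot: The new `ListenAddress` loop `<% for address in real_sshd_listen_address -%>` assumes the variable arrives as an Array; the selector default in sshd::base is one, but a manifest that sets `$sshd_listen_address = '10.0.0.1'` hands the template a plain String, and `for ... in` over a String is not portable (it iterates lines on Ruby 1.8 and, String having lost `each` in 1.9, presumably raises there), so the catalog would either emit an odd directive or fail to compile. Normalise inside the template instead: `<% for address in [real_sshd_listen_address].flatten -%>`. The same loop is in the new Debian_etch.erb and Debian_lenny.erb templates and in the last template section of this commit. Separately, the trim markers are mixed within single blocks — `<%- else %>` followed by `<% end -%>` in the RhostsRSAAuthentication, HostbasedAuthentication and IgnoreRhosts blocks — which leaves stray blank lines in the rendered sshd_config; using `<%- ... -%>` consistently keeps the output regular. The X11Forwarding block the hunk ends in continues outside it.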
|
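--- /dev/null
+++ b/templates/sshd_config/Debian_etch.erb
@@ -0,0 +1,163 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+<%- unless real_sshd_port.to_s.empty? then -%>
+Port <%= real_sshd_port -%>
+<%- else -%>
+Port 22
+<%- end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# ...but breaks Pam auth via kbdint, so we have to turn it off
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user (off due to PrivSep)
+#PAMAuthenticationViaKbdInt no
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= real_sshd_permit_root_login -%>
+<%- else -%>
+PermitRootLogin without-password
+<%- end -%>
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+StrictModes yes
+<%- else -%>
+StrictModes no
+<%- end -%>
+
+<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+RSAAuthentication yes
+<%- else -%>
+RSAAuthentication no
+<%- end -%>
+
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+PubkeyAuthentication yes
+<%- else -%>
+PubkeyAuthentication no
+<%- end -%>
+
+<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- else -%>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<%- end -%>
+
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+RhostsRSAAuthentication yes
+<%- else -%>
+RhostsRSAAuthentication no
+<% end -%>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+IgnoreRhosts yes
+<%- else -%>
+IgnoreRhosts no
+<% end -%>
+
+# similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+HostbasedAuthentication yes
+<%- else -%>
+HostbasedAuthentication no
+<% end -%>
+
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
+
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+ChallengeResponseAuthentication yes
+<%- else -%>
+ChallengeResponseAuthentication no
+<%- end -%>
+
+# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+PasswordAuthentication yes
+<%- else -%>
+PasswordAuthentication no
+<%- end -%>
+
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+X11Forwarding yes
+<%- else -%>
+X11Forwarding no
+<%- end -%>
+X11DisplayOffset 10
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+
+#Subsystem sftp /usr/lib/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+UsePAM yes
+<%- else -%>
+UsePAM no
+<%- end -%>
+
+HostbasedUsesNameFromPacketOnly yes
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+AllowTcpForwarding yes
+<%- else -%>
+AllowTcpForwarding no
+<%- end -%>
+
+ChallengeResponseAuthentication no
+
+<%- unless real_sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= real_sshd_allowed_users -%>
+<%- end -%>
+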
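Review bot: `ChallengeResponseAuthentication no` is emitted unconditionally near the end of the file, after the block that already sets the directive from `real_sshd_challenge_response_authentication`; sshd_config(5) uses the first value obtained for a keyword, so the trailing line is dead, but a reader sees a hard-coded `no` and will not expect `sshd_challenge_response_authentication = yes` to be honoured — drop the trailing line (Debian_lenny.erb carries the same leftover). Three value lines close with `-%>` — `Port <%= real_sshd_port -%>`, `PermitRootLogin <%= real_sshd_permit_root_login -%>` and `AllowUsers <%= real_sshd_allowed_users -%>` — and the trailing trim eats the directive's own newline, so each is only terminated by the blank template line that happens to follow its `<%- end -%>`; removing that blank would glue the directive to the next one, so use a plain `%>` on value lines (same in Debian_lenny.erb). `sshd_agent_forwarding` has no effect in this template while the lenny one emits `AllowAgentForwarding`; if that is deliberate because etch's OpenSSH lacks the keyword, the variable's entry in init.pp should say so.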
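--- /dev/null
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -0,0 +1,169 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+<%- unless real_sshd_port.to_s.empty? then -%>
+Port <%= real_sshd_port -%>
+<%- else -%>
+Port 22
+<%- end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# ...but breaks Pam auth via kbdint, so we have to turn it off
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user (off due to PrivSep)
+#PAMAuthenticationViaKbdInt no
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= real_sshd_permit_root_login -%>
+<%- else -%>
+PermitRootLogin without-password
+<%- end -%>
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+StrictModes yes
+<%- else -%>
+StrictModes no
+<%- end -%>
+
+<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+RSAAuthentication yes
+<%- else -%>
+RSAAuthentication no
+<%- end -%>
+
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+PubkeyAuthentication yes
+<%- else -%>
+PubkeyAuthentication no
+<%- end -%>
+
+<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- else -%>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<%- end -%>
+
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+RhostsRSAAuthentication yes
+<%- else -%>
+RhostsRSAAuthentication no
+<% end -%>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+IgnoreRhosts yes
+<%- else -%>
+IgnoreRhosts no
+<% end -%>
+
+# similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+HostbasedAuthentication yes
+<%- else -%>
+HostbasedAuthentication no
+<% end -%>
+
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
+
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+ChallengeResponseAuthentication yes
+<%- else -%>
+ChallengeResponseAuthentication no
+<%- end -%>
+
+# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+PasswordAuthentication yes
+<%- else -%>
+PasswordAuthentication no
+<%- end -%>
+
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+X11Forwarding yes
+<%- else -%>
+X11Forwarding no
+<%- end -%>
+X11DisplayOffset 10
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+
+#Subsystem sftp /usr/lib/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+UsePAM yes
+<%- else -%>
+UsePAM no
+<%- end -%>
+
+HostbasedUsesNameFromPacketOnly yes
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+AllowTcpForwarding yes
+<%- else -%>
+AllowTcpForwarding no
+<%- end -%>
+
+<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%>
+AllowAgentForwarding yes
+<%- else -%>
+AllowAgentForwarding no
+<%- end -%>
+
+ChallengeResponseAuthentication no
+
+<%- unless real_sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= real_sshd_allowed_users -%>
+<%- end -%>
+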
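Review bot: `HostbasedUsesNameFromPacketOnly yes` stays hard-coded while `HostbasedAuthentication` becomes switchable through `sshd_hostbased_authentication`; once that variable is set to yes, this line tells sshd to use the host name the client supplies rather than one obtained by reverse lookup of the connection when matching entries in ~/.shosts and /etc/hosts.equiv, which weakens the host identification that host-based authentication rests on. Either expose it as a tunable defaulting to no, or at least document the interaction in the `sshd_hostbased_authentication` entry in init.pp, e.g. `# Note: the templates set HostbasedUsesNameFromPacketOnly yes, so the client-supplied host name is used when matching .shosts/hosts.equiv`. The same line is in Debian_etch.erb and was already in the template this commit deletes.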
|
@ -1,102 +0,0 @@
|
||||||
# Package generated configuration file
|
|
||||||
# See the sshd(8) manpage for defails
|
|
||||||
|
|
||||||
# What ports, IPs and protocols we listen for
|
|
||||||
# Port 22
|
|
||||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
|
||||||
#ListenAddress ::
|
|
||||||
#ListenAddress 0.0.0.0
|
|
||||||
Protocol 2
|
|
||||||
# HostKeys for protocol version 2
|
|
||||||
HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
HostKey /etc/ssh/ssh_host_dsa_key
|
|
||||||
#Privilege Separation is turned on for security
|
|
||||||
UsePrivilegeSeparation yes
|
|
||||||
|
|
||||||
# ...but breaks Pam auth via kbdint, so we have to turn it off
|
|
||||||
# Use PAM authentication via keyboard-interactive so PAM modules can
|
|
||||||
# properly interface with the user (off due to PrivSep)
|
|
||||||
#PAMAuthenticationViaKbdInt no
|
|
||||||
# Lifetime and size of ephemeral version 1 server key
|
|
||||||
KeyRegenerationInterval 3600
|
|
||||||
ServerKeyBits 768
|
|
||||||
|
|
||||||
# Logging
|
|
||||||
SyslogFacility AUTH
|
|
||||||
LogLevel INFO
|
|
||||||
|
|
||||||
# Authentication:
|
|
||||||
LoginGraceTime 600
|
|
||||||
<%- unless real_sshd_permit_root_login.to_s.empty? then %>
|
|
||||||
PermitRootLogin <%= real_sshd_permit_root_login %>
|
|
||||||
<%- else %>
|
|
||||||
PermitRootLogin without-password
|
|
||||||
<%- end %>
|
|
||||||
StrictModes yes
|
|
||||||
|
|
||||||
RSAAuthentication yes
|
|
||||||
PubkeyAuthentication yes
|
|
||||||
#AuthorizedKeysFile %h/.ssh/authorized_keys
|
|
||||||
|
|
||||||
# rhosts authentication should not be used
|
|
||||||
#RhostsAuthentication no
|
|
||||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
|
||||||
IgnoreRhosts yes
|
|
||||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
|
||||||
RhostsRSAAuthentication no
|
|
||||||
# similar for protocol version 2
|
|
||||||
HostbasedAuthentication no
|
|
||||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
|
||||||
#IgnoreUserKnownHosts yes
|
|
||||||
|
|
||||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
|
||||||
PermitEmptyPasswords no
|
|
||||||
|
|
||||||
# Uncomment to disable s/key passwords
|
|
||||||
#ChallengeResponseAuthentication no
|
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
|
||||||
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
|
||||||
PasswordAuthentication yes
|
|
||||||
<%- else %>
|
|
||||||
PasswordAuthentication no
|
|
||||||
<%- end %>
|
|
||||||
|
|
||||||
# To change Kerberos options
|
|
||||||
#KerberosAuthentication no
|
|
||||||
#KerberosOrLocalPasswd yes
|
|
||||||
#AFSTokenPassing no
|
|
||||||
#KerberosTicketCleanup no
|
|
||||||
|
|
||||||
# Kerberos TGT Passing does only work with the AFS kaserver
|
|
||||||
#KerberosTgtPassing yes
|
|
||||||
|
|
||||||
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
|
|
||||||
X11Forwarding yes
|
|
||||||
<%- else %>
|
|
||||||
X11Forwarding no
|
|
||||||
<%- end %>
|
|
||||||
X11DisplayOffset 10
|
|
||||||
KeepAlive yes
|
|
||||||
#UseLogin no
|
|
||||||
|
|
||||||
#MaxStartups 10:30:60
|
|
||||||
#Banner /etc/issue.net
|
|
||||||
#ReverseMappingCheck yes
|
|
||||||
|
|
||||||
#Subsystem sftp /usr/lib/sftp-server
|
|
||||||
|
|
||||||
<%- if real_sshd_use_pam.to_s == 'yes' then %>
|
|
||||||
UsePAM yes
|
|
||||||
<%- else %>
|
|
||||||
UsePAM no
|
|
||||||
<%- end %>
|
|
||||||
|
|
||||||
HostbasedUsesNameFromPacketOnly yes
|
|
||||||
AllowTcpForwarding yes
|
|
||||||
|
|
||||||
ChallengeResponseAuthentication no
|
|
||||||
|
|
||||||
<%- unless real_sshd_allowed_users.to_s.empty? then %>
|
|
||||||
AllowUsers <%= real_sshd_allowed_users %>
|
|
||||||
<%- end %>
|
|
|
@ -10,10 +10,17 @@
|
||||||
# possible, but leave them commented. Uncommented options change a
|
# possible, but leave them commented. Uncommented options change a
|
||||||
# default value.
|
# default value.
|
||||||
|
|
||||||
#Port 22
|
<%- unless real_sshd_port.to_s.empty? then %>
|
||||||
|
Port <%= real_sshd_port %>
|
||||||
|
<%- else %>
|
||||||
|
Port 22
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
|
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||||
|
<% for address in real_sshd_listen_address -%>
|
||||||
|
ListenAddress <%= address %>
|
||||||
|
<% end -%>
|
||||||
#AddressFamily any
|
#AddressFamily any
|
||||||
#ListenAddress 0.0.0.0
|
|
||||||
#ListenAddress ::
|
|
||||||
|
|
||||||
# Disable legacy (protocol version 1) support in the server for new
|
# Disable legacy (protocol version 1) support in the server for new
|
||||||
# installations. In future the default will change to require explicit
|
# installations. In future the default will change to require explicit
|
||||||
|
@ -39,7 +46,13 @@ Protocol 2
|
||||||
|
|
||||||
#LoginGraceTime 2m
|
#LoginGraceTime 2m
|
||||||
PermitRootLogin without-password
|
PermitRootLogin without-password
|
||||||
#StrictModes yes
|
|
||||||
|
<%- if real_sshd_strict_modes.to_s == 'yes' then %>
|
||||||
|
StrictModes yes
|
||||||
|
<%- else %>
|
||||||
|
StrictModes no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
<%- unless real_sshd_permit_root_login.to_s.empty? then %>
|
<%- unless real_sshd_permit_root_login.to_s.empty? then %>
|
||||||
PermitRootLogin <%= real_sshd_permit_root_login %>
|
PermitRootLogin <%= real_sshd_permit_root_login %>
|
||||||
<%- else %>
|
<%- else %>
|
||||||
|
@ -47,19 +60,48 @@ PermitRootLogin without-password
|
||||||
<%- end %>
|
<%- end %>
|
||||||
#MaxAuthTries 6
|
#MaxAuthTries 6
|
||||||
|
|
||||||
#RSAAuthentication yes
|
<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
|
||||||
#PubkeyAuthentication yes
|
RSAAuthentication yes
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys
|
<%- else %>
|
||||||
|
RSAAuthentication no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
|
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||||
|
PubkeyAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
PubkeyAuthentication no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
|
<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
|
||||||
|
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
|
||||||
|
<%- else %>
|
||||||
|
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
#RhostsRSAAuthentication no
|
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||||
|
RhostsRSAAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
RhostsRSAAuthentication no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# similar for protocol version 2
|
# similar for protocol version 2
|
||||||
#HostbasedAuthentication no
|
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||||
|
HostbasedAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
HostbasedAuthentication no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||||
#IgnoreUserKnownHosts no
|
#IgnoreUserKnownHosts no
|
||||||
|
|
||||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||||
#IgnoreRhosts yes
|
<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||||
|
IgnoreRhosts yes
|
||||||
|
<%- else %>
|
||||||
|
IgnoreRhosts no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
||||||
|
@ -67,10 +109,20 @@ PasswordAuthentication yes
|
||||||
<%- else %>
|
<%- else %>
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
||||||
<%- end %>
|
<%- end %>
|
||||||
#PermitEmptyPasswords no
|
|
||||||
|
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||||
|
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||||
|
PermitEmptyPasswords yes
|
||||||
|
<% else -%>
|
||||||
|
PermitEmptyPasswords no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
# Change to no to disable s/key passwords
|
||||||
#ChallengeResponseAuthentication yes
|
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||||
|
ChallengeResponseAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
# Kerberos options
|
# Kerberos options
|
||||||
#KerberosAuthentication no
|
#KerberosAuthentication no
|
||||||
|
@ -99,7 +151,12 @@ UsePAM yes
|
||||||
UsePAM no
|
UsePAM no
|
||||||
<%- end %>
|
<%- end %>
|
||||||
|
|
||||||
#AllowTcpForwarding yes
|
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||||
|
AllowTcpForwarding yes
|
||||||
|
<%- else %>
|
||||||
|
AllowTcpForwarding no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
#GatewayPorts no
|
#GatewayPorts no
|
||||||
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
|
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
|
||||||
X11Forwarding yes
|
X11Forwarding yes
|
|
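Review bot: The new StrictModes, IgnoreRhosts and PubkeyAuthentication blocks in the `@ -39,7 +46,13 @@` and `@ -47,19 +60,48 @@` hunks emit `no` whenever the variable is anything but the literal `yes`, so an unset or empty `real_sshd_*` value silently inverts OpenSSH's shipped defaults (all three default to `yes`), and `StrictModes no` in particular makes sshd stop checking ownership and permissions of the user's home directory and authorized_keys file before accepting a login; the same blocks are added in the next file's `@ -37,22 +44,57 @@` hunk. Unless the manifest side guarantees these variables default to `yes`, which is not visible here, the safer form keys the weaker setting on an explicit opt-out, e.g. `<%- if real_sshd_strict_modes.to_s == 'no' then %>StrictModes no<%- else %>StrictModes yes<%- end %>`, and likewise for IgnoreRhosts and PubkeyAuthentication. Separately, in the `@ -39,7 +46,13 @@` hunk the pre-existing unconditional `PermitRootLogin without-password` context line precedes the templated `PermitRootLogin <%= real_sshd_permit_root_login %>`; sshd uses the first value it reads for a keyword, so the templated setting appears to be dead unless an ERB conditional above the hunk wraps that bare line. Dropping the bare line, or moving the conditional block above it, would make the variable take effect.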
@ -8,11 +8,18 @@
|
||||||
# possible, but leave them commented. Uncommented options change a
|
# possible, but leave them commented. Uncommented options change a
|
||||||
# default value.
|
# default value.
|
||||||
|
|
||||||
#Port 22
|
<%- unless real_sshd_port.to_s.empty? then %>
|
||||||
|
Port <%= real_sshd_port %>
|
||||||
|
<%- else %>
|
||||||
|
Port 22
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
|
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||||
|
<% for address in real_sshd_listen_address -%>
|
||||||
|
ListenAddress <%= address %>
|
||||||
|
<% end -%>
|
||||||
#Protocol 2,1
|
#Protocol 2,1
|
||||||
#AddressFamily any
|
#AddressFamily any
|
||||||
#ListenAddress 0.0.0.0
|
|
||||||
#ListenAddress ::
|
|
||||||
|
|
||||||
# HostKey for protocol version 1
|
# HostKey for protocol version 1
|
||||||
#HostKey /etc/ssh/ssh_host_key
|
#HostKey /etc/ssh/ssh_host_key
|
||||||
|
@ -37,22 +44,57 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
|
||||||
<%- else %>
|
<%- else %>
|
||||||
PermitRootLogin without-password
|
PermitRootLogin without-password
|
||||||
<%- end %>
|
<%- end %>
|
||||||
#StrictModes yes
|
|
||||||
|
<%- if real_sshd_strict_modes.to_s == 'yes' then %>
|
||||||
|
StrictModes yes
|
||||||
|
<%- else %>
|
||||||
|
StrictModes no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
#MaxAuthTries 6
|
#MaxAuthTries 6
|
||||||
|
|
||||||
#RSAAuthentication yes
|
<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
|
||||||
#PubkeyAuthentication yes
|
RSAAuthentication yes
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys
|
<%- else %>
|
||||||
|
RSAAuthentication no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
|
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||||
|
PubkeyAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
PubkeyAuthentication no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
|
<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
|
||||||
|
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
|
||||||
|
<%- else %>
|
||||||
|
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
#RhostsRSAAuthentication no
|
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
|
||||||
|
RhostsRSAAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
RhostsRSAAuthentication no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# similar for protocol version 2
|
# similar for protocol version 2
|
||||||
#HostbasedAuthentication no
|
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
|
||||||
|
HostbasedAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
HostbasedAuthentication no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||||
#IgnoreUserKnownHosts no
|
#IgnoreUserKnownHosts no
|
||||||
|
|
||||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||||
#IgnoreRhosts yes
|
<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
|
||||||
|
IgnoreRhosts yes
|
||||||
|
<%- else %>
|
||||||
|
IgnoreRhosts no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
||||||
|
@ -60,10 +102,20 @@ PasswordAuthentication yes
|
||||||
<%- else %>
|
<%- else %>
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
||||||
<%- end %>
|
<%- end %>
|
||||||
#PermitEmptyPasswords no
|
|
||||||
|
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||||
|
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
|
||||||
|
PermitEmptyPasswords yes
|
||||||
|
<% else -%>
|
||||||
|
PermitEmptyPasswords no
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
# Change to no to disable s/key passwords
|
||||||
#ChallengeResponseAuthentication yes
|
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
|
||||||
|
ChallengeResponseAuthentication yes
|
||||||
|
<%- else %>
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
# Kerberos options
|
# Kerberos options
|
||||||
#KerberosAuthentication no
|
#KerberosAuthentication no
|
||||||
|
@ -75,7 +127,12 @@ PasswordAuthentication no
|
||||||
#GSSAPIAuthentication no
|
#GSSAPIAuthentication no
|
||||||
#GSSAPICleanupCredentials yes
|
#GSSAPICleanupCredentials yes
|
||||||
|
|
||||||
#AllowTcpForwarding yes
|
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
|
||||||
|
AllowTcpForwarding yes
|
||||||
|
<%- else %>
|
||||||
|
AllowTcpForwarding no
|
||||||
|
<%- end %>
|
||||||
|
|
||||||
#GatewayPorts no
|
#GatewayPorts no
|
||||||
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
|
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
|
||||||
X11Forwarding yes
|
X11Forwarding yes
|
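Review bot: The `<% for address in real_sshd_listen_address -%>` loop in the `@ -8,11 +8,18 @@` hunk renders each element verbatim as one `ListenAddress` directive, so a value supplied as a space-separated string or as a one-element array holding several addresses produces a single line with more than one address, which sshd rejects as trailing garbage and then refuses to start; a plain string would also be iterated as a Ruby String, whose `for`/`each` behaviour differs between Ruby versions. Either validate on the manifest side that the variable is an array of single addresses, or normalise here with `<% for address in [real_sshd_listen_address].flatten.join(' ').split -%>` so both shapes render one directive per address. The same loop is added in the previous file's `@ -10,10 +10,17 @@` hunk. As a style point, the RhostsRSAAuthentication, HostbasedAuthentication, IgnoreRhosts and PermitEmptyPasswords blocks close with `<% end -%>` / `<% else -%>` while the neighbouring blocks use `<%- end %>` / `<%- else %>`; the two trim forms strip different whitespace, so the rendered sshd_config gets uneven blank lines and is noisier to diff, and one form should be used throughout.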