opuppet/module-sshd
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

merged with riseup

Browse source 
git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2263 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
This commit is contained in:
mh 2008-09-29 22:37:26 +00:00
parent e3ce449ff4
commit 9ce186f5c3
7 changed files with 666 additions and 150 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

130
manifests/init.pp
View file

@ -1,6 +1,7 @@
# #
# ssh module # ssh module
# #
# Copyright 2008, micah@riseup.net
# Copyright 2008, admin(at)immerda.ch # Copyright 2008, admin(at)immerda.ch
# Copyright 2008, Puzzle ITC GmbH # Copyright 2008, Puzzle ITC GmbH
# Marcel Härry haerry+puppet(at)puzzle.ch # Marcel Härry haerry+puppet(at)puzzle.ch
@ -16,10 +17,23 @@
# #
# sshd-config: # sshd-config:
# #
# The configuration of the sshd is rather strict and # The configuration of the sshd is rather strict and might not fit all
# might not fit all needs. However there are a bunch # needs. However there are a bunch of variables, which you might
# of variables, which you might consider to configure. # consider configuring.
# Checkout the following: #
# To set any of the following, simply set them as variables in your manifests
# before the class is included, for example:
#
# $sshd_listen_address = ['10.0.0.1 192.168.0.1']
# $sshd_use_pam = yes
# include sshd::debian
#
# The following is a list of the currently available variables:
#
# sshd_listen_address: specify the addresses sshd should listen on
# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
# addresses, or leave it unset to listen on all
# Default: empty -> results in listening on 0.0.0.0
# #
# sshd_allowed_users: list of usernames separated by spaces. # sshd_allowed_users: list of usernames separated by spaces.
# set this for example to "foobar root" # set this for example to "foobar root"
@ -38,11 +52,54 @@
# sshd_password_authentication: If you want to enable password authentication or not # sshd_password_authentication: If you want to enable password authentication or not
# Valid values: yes or no # Valid values: yes or no
# Default: no # Default: no
#
# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
# When disabled, s/key passowords are disabled
# Valid values: yes or no
# Default: no
# #
# sshd_tcp_forwarding: If you want to enable TcpForwarding
# Valid Values: yes or no
# Default: no
#
# sshd_x11_forwarding: If you want to enable x11 forwarding # sshd_x11_forwarding: If you want to enable x11 forwarding
# Valid Values: yes or no # Valid Values: yes or no
# Default: no # Default: no
# #
# sshd_agent_forwarding: If you want to allow ssh-agent forwarding
# Valid Values: yes or no
# Default: no
#
# sshd_pubkey_authentication: If you want to enable public key authentication
# Valid Values: yes or no
# Default: yes
#
# sshd_rsa_authentication: If you want to enable RSA Authentication
# Valid Values: yes or no
# Default: no
#
# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
# Valid Values: yes or no
# Default: no
#
# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
# Valid Values: yes or no
# Default: no
#
# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
# Valid Values: yes or no
# Default: yes
#
# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords
# Valid Values: yes or no
# Default: no
#
# sshd_port: If you want to specify a different port than the default 22
# Default: 22
#
# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
# Default: AuthorizedKeysFile %h/.ssh/authorized_keys
#
class sshd { class sshd {
include sshd::client include sshd::client
@ -60,7 +117,11 @@ class sshd {
class sshd::base { class sshd::base {
# prepare variables to use in templates # prepare variables to use in templates
$real_sshd_listen_address = $sshd_listen_address ? {
'' => [ '0.0.0.0', '::' ],
default => $sshd_listen_address
}
$real_sshd_allowed_users = $sshd_allowed_users ? { $real_sshd_allowed_users = $sshd_allowed_users ? {
'' => '', '' => '',
default => $sshd_allowed_users default => $sshd_allowed_users
@ -77,17 +138,68 @@ class sshd::base {
'' => 'no', '' => 'no',
default => $sshd_password_authentication default => $sshd_password_authentication
} }
$real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
'' => 'no',
default => $sshd_tcp_forwarding
}
$real_sshd_x11_forwarding = $sshd_x11_forwarding ? { $real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
'' => 'no', '' => 'no',
default => $sshd_x11_forwarding default => $sshd_x11_forwarding
} }
$real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
'' => 'no',
default => $sshd_agent_forwarding
}
$real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
'' => 'no',
default => $sshd_challenge_response_authentication
}
$real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
'' => 'yes',
default => $sshd_pubkey_authentication
}
$real_sshd_rsa_authentication = $sshd_rsa_authentication ? {
'' => 'no',
default => $sshd_rsa_authentication
}
$real_sshd_strict_modes = $sshd_strict_modes ? {
'' => 'yes',
default => $sshd_strict_modes
}
$real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
'' => 'yes',
default => $sshd_ignore_rhosts
}
$real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
'' => 'no',
default => $sshd_rhosts_rsa_authentication
}
$real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
'' => 'no',
default => $sshd_hostbased_authentication
}
$real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
'' => 'no',
default => $sshd_permit_empty_passwords
}
$real_sshd_port = $sshd_port ? {
'' => 22,
default => $sshd_port
}
$real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? {
'' => "%h/.ssh/authorized_keys",
default => $sshd_authorized_keys_file
}
file { 'sshd_config': file { 'sshd_config':
path => '/etc/ssh/sshd_config', path => '/etc/ssh/sshd_config',
owner => root, owner => root,
group => 0, group => 0,
mode => 600, mode => 600,
content => template("sshd/sshd_config/${operatingsystem}_normal.erb"), content => $lsbdistcodename ? {
'' => template("sshd/sshd_config/${operatingsystem}.erb"),
default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
},
notify => Service[sshd], notify => Service[sshd],
} }
# Now add the key, if we've got one # Now add the key, if we've got one
@ -127,6 +239,10 @@ class sshd::gentoo inherits sshd::linux {
} }
class sshd::debian inherits sshd::linux { class sshd::debian inherits sshd::linux {
# the templates for Debian need lsbdistcodename
include assert_lsbdistcodename
Package[openssh]{ Package[openssh]{
name => 'openssh-server', name => 'openssh-server',
} }

86
templates/sshd_config/CentOS_normal.erb → templates/sshd_config/CentOS.erb
View file

@ -10,13 +10,19 @@
# possible, but leave them commented. Uncommented options change a # possible, but leave them commented. Uncommented options change a
# default value. # default value.
#Port 22 <%- unless real_sshd_port.to_s.empty? then %>
Port <%= real_sshd_port %>
<%- else %>
Port 22
<%- end %>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in real_sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
#AddressFamily any
#Protocol 2,1 #Protocol 2,1
Protocol 2 Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1 # HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key #HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2 # HostKeys for protocol version 2
@ -41,22 +47,57 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
<%- else %> <%- else %>
PermitRootLogin without-password PermitRootLogin without-password
<%- end %> <%- end %>
#StrictModes yes
<%- if real_sshd_strict_modes.to_s == 'yes' then %>
StrictModes yes
<%- else %>
StrictModes no
<%- end %>
#MaxAuthTries 6 #MaxAuthTries 6
#RSAAuthentication yes <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
#PubkeyAuthentication yes RSAAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys <%- else %>
RSAAuthentication no
<%- end %>
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
PubkeyAuthentication yes
<%- else %>
PubkeyAuthentication no
<%- end %>
<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
<%- else %>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no <%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
RhostsRSAAuthentication yes
<%- else %>
RhostsRSAAuthentication no
<% end -%>
# similar for protocol version 2 # similar for protocol version 2
#HostbasedAuthentication no <%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
HostbasedAuthentication yes
<%- else %>
HostbasedAuthentication no
<% end -%>
# Change to yes if you don't trust ~/.ssh/known_hosts for # Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication # RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no #IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files # Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes <%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
IgnoreRhosts yes
<%- else %>
IgnoreRhosts no
<% end -%>
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
<%- if real_sshd_password_authentication.to_s == 'yes' then %> <%- if real_sshd_password_authentication.to_s == 'yes' then %>
@ -64,11 +105,20 @@ PasswordAuthentication yes
<%- else %> <%- else %>
PasswordAuthentication no PasswordAuthentication no
<%- end %> <%- end %>
#PermitEmptyPasswords no
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
ChallengeResponseAuthentication yes
<%- else %>
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
<%- end %>
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@ -101,7 +151,13 @@ UsePAM no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
AllowTcpForwarding yes
<%- else %>
AllowTcpForwarding no
<%- end %>
#GatewayPorts no #GatewayPorts no
#X11Forwarding no #X11Forwarding no
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> <%- if real_sshd_x11_forwarding.to_s == 'yes' then %>

163
templates/sshd_config/Debian_etch.erb Normal file
View file

@ -0,0 +1,163 @@
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
<%- unless real_sshd_port.to_s.empty? then -%>
Port <%= real_sshd_port -%>
<%- else -%>
Port 22
<%- end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in real_sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
#PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= real_sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
# For this to work you will also need host keys in /etc/ssh_known_hosts
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
# similar for protocol version 2
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
# To disable tunneled clear text passwords, change to no here!
<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11DisplayOffset 10
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
#Subsystem sftp /usr/lib/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if real_sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
<%- end -%>
HostbasedUsesNameFromPacketOnly yes
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
ChallengeResponseAuthentication no
<%- unless real_sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= real_sshd_allowed_users -%>
<%- end -%>

169
templates/sshd_config/Debian_lenny.erb Normal file
View file

@ -0,0 +1,169 @@
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
<%- unless real_sshd_port.to_s.empty? then -%>
Port <%= real_sshd_port -%>
<%- else -%>
Port 22
<%- end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in real_sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
#PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= real_sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
# For this to work you will also need host keys in /etc/ssh_known_hosts
<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
# similar for protocol version 2
<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
# To disable tunneled clear text passwords, change to no here!
<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11DisplayOffset 10
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
#Subsystem sftp /usr/lib/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if real_sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
<%- end -%>
HostbasedUsesNameFromPacketOnly yes
<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%>
AllowAgentForwarding yes
<%- else -%>
AllowAgentForwarding no
<%- end -%>
ChallengeResponseAuthentication no
<%- unless real_sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= real_sshd_allowed_users -%>
<%- end -%>

102
templates/sshd_config/Debian_normal.erb
View file

@ -1,102 +0,0 @@
# Package generated configuration file
# See the sshd(8) manpage for defails
# What ports, IPs and protocols we listen for
# Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
#PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
<%- unless real_sshd_permit_root_login.to_s.empty? then %>
PermitRootLogin <%= real_sshd_permit_root_login %>
<%- else %>
PermitRootLogin without-password
<%- end %>
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# To disable tunneled clear text passwords, change to no here!
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
PasswordAuthentication yes
<%- else %>
PasswordAuthentication no
<%- end %>
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
X11Forwarding yes
<%- else %>
X11Forwarding no
<%- end %>
X11DisplayOffset 10
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
#Subsystem sftp /usr/lib/sftp-server
<%- if real_sshd_use_pam.to_s == 'yes' then %>
UsePAM yes
<%- else %>
UsePAM no
<%- end %>
HostbasedUsesNameFromPacketOnly yes
AllowTcpForwarding yes
ChallengeResponseAuthentication no
<%- unless real_sshd_allowed_users.to_s.empty? then %>
AllowUsers <%= real_sshd_allowed_users %>
<%- end %>

83
templates/sshd_config/Gentoo_normal.erb → templates/sshd_config/Gentoo.erb
View file

@ -10,10 +10,17 @@
# possible, but leave them commented. Uncommented options change a # possible, but leave them commented. Uncommented options change a
# default value. # default value.
#Port 22 <%- unless real_sshd_port.to_s.empty? then %>
Port <%= real_sshd_port %>
<%- else %>
Port 22
<%- end %>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in real_sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new # Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit # installations. In future the default will change to require explicit
@ -39,7 +46,13 @@ Protocol 2
#LoginGraceTime 2m #LoginGraceTime 2m
PermitRootLogin without-password PermitRootLogin without-password
#StrictModes yes
<%- if real_sshd_strict_modes.to_s == 'yes' then %>
StrictModes yes
<%- else %>
StrictModes no
<%- end %>
<%- unless real_sshd_permit_root_login.to_s.empty? then %> <%- unless real_sshd_permit_root_login.to_s.empty? then %>
PermitRootLogin <%= real_sshd_permit_root_login %> PermitRootLogin <%= real_sshd_permit_root_login %>
<%- else %> <%- else %>
@ -47,19 +60,48 @@ PermitRootLogin without-password
<%- end %> <%- end %>
#MaxAuthTries 6 #MaxAuthTries 6
#RSAAuthentication yes <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
#PubkeyAuthentication yes RSAAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys <%- else %>
RSAAuthentication no
<%- end %>
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
PubkeyAuthentication yes
<%- else %>
PubkeyAuthentication no
<%- end %>
<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
<%- else %>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no <%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
RhostsRSAAuthentication yes
<%- else %>
RhostsRSAAuthentication no
<% end -%>
# similar for protocol version 2 # similar for protocol version 2
#HostbasedAuthentication no <%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
HostbasedAuthentication yes
<%- else %>
HostbasedAuthentication no
<% end -%>
# Change to yes if you don't trust ~/.ssh/known_hosts for # Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication # RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no #IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files # Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes <%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
IgnoreRhosts yes
<%- else %>
IgnoreRhosts no
<% end -%>
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
<%- if real_sshd_password_authentication.to_s == 'yes' then %> <%- if real_sshd_password_authentication.to_s == 'yes' then %>
@ -67,10 +109,20 @@ PasswordAuthentication yes
<%- else %> <%- else %>
PasswordAuthentication no PasswordAuthentication no
<%- end %> <%- end %>
#PermitEmptyPasswords no
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
ChallengeResponseAuthentication yes
<%- else %>
ChallengeResponseAuthentication no
<%- end %>
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@ -99,7 +151,12 @@ UsePAM yes
UsePAM no UsePAM no
<%- end %> <%- end %>
#AllowTcpForwarding yes <%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
AllowTcpForwarding yes
<%- else %>
AllowTcpForwarding no
<%- end %>
#GatewayPorts no #GatewayPorts no
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> <%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
X11Forwarding yes X11Forwarding yes

83
templates/sshd_config/OpenBSD_normal.erb → templates/sshd_config/OpenBSD.erb
View file

@ -8,11 +8,18 @@
# possible, but leave them commented. Uncommented options change a # possible, but leave them commented. Uncommented options change a
# default value. # default value.
#Port 22 <%- unless real_sshd_port.to_s.empty? then %>
Port <%= real_sshd_port %>
<%- else %>
Port 22
<%- end %>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in real_sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
#Protocol 2,1 #Protocol 2,1
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1 # HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key #HostKey /etc/ssh/ssh_host_key
@ -37,22 +44,57 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
<%- else %> <%- else %>
PermitRootLogin without-password PermitRootLogin without-password
<%- end %> <%- end %>
#StrictModes yes
<%- if real_sshd_strict_modes.to_s == 'yes' then %>
StrictModes yes
<%- else %>
StrictModes no
<%- end %>
#MaxAuthTries 6 #MaxAuthTries 6
#RSAAuthentication yes <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
#PubkeyAuthentication yes RSAAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys <%- else %>
RSAAuthentication no
<%- end %>
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
PubkeyAuthentication yes
<%- else %>
PubkeyAuthentication no
<%- end %>
<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
<%- else %>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no <%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
RhostsRSAAuthentication yes
<%- else %>
RhostsRSAAuthentication no
<% end -%>
# similar for protocol version 2 # similar for protocol version 2
#HostbasedAuthentication no <%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
HostbasedAuthentication yes
<%- else %>
HostbasedAuthentication no
<% end -%>
# Change to yes if you don't trust ~/.ssh/known_hosts for # Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication # RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no #IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files # Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes <%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
IgnoreRhosts yes
<%- else %>
IgnoreRhosts no
<% end -%>
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
<%- if real_sshd_password_authentication.to_s == 'yes' then %> <%- if real_sshd_password_authentication.to_s == 'yes' then %>
@ -60,10 +102,20 @@ PasswordAuthentication yes
<%- else %> <%- else %>
PasswordAuthentication no PasswordAuthentication no
<%- end %> <%- end %>
#PermitEmptyPasswords no
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
ChallengeResponseAuthentication yes
<%- else %>
ChallengeResponseAuthentication no
<%- end %>
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@ -75,7 +127,12 @@ PasswordAuthentication no
#GSSAPIAuthentication no #GSSAPIAuthentication no
#GSSAPICleanupCredentials yes #GSSAPICleanupCredentials yes
#AllowTcpForwarding yes <%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
AllowTcpForwarding yes
<%- else %>
AllowTcpForwarding no
<%- end %>
#GatewayPorts no #GatewayPorts no
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> <%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
X11Forwarding yes X11Forwarding yes