add sshd_ignore_rhosts option, default set to yes
parent
ba8d788f89
commit
9edd2705d4
5 changed files with 28 additions and 3 deletions
|
@ -121,6 +121,10 @@ class sshd::base {
|
|||
'' => 'yes',
|
||||
default => $sshd_strict_modes
|
||||
}
|
||||
$real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
|
||||
'' => 'yes',
|
||||
default => $sshd_ignore_rhosts
|
||||
}
|
||||
|
||||
file { 'sshd_config':
|
||||
path => '/etc/ssh/sshd_config',
|
||||
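Review bot: The new `$real_sshd_ignore_rhosts` selector carries no comment saying which values `$sshd_ignore_rhosts` accepts, and it passes any non-empty string through unchanged. I would add a line above it such as `# sshd_ignore_rhosts: 'yes' (default when unset) or 'no'; controls IgnoreRhosts in sshd_config`. If the module validates its other options, this one should be limited to those two values so that a typo cannot reach the rendered config. The body of `sshd::base` starts and ends outside this hunk, so any option documentation elsewhere in the class is not visible here.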
|
|
|
@ -70,8 +70,13 @@ PubkeyAuthentication no
|
|||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
#IgnoreRhosts yes
|
||||
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
IgnoreRhosts yes
|
||||
<%- else %>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
||||
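Review bot: The `IgnoreRhosts` conditional tests `real_sshd_pubkey_authentication`, not the `real_sshd_ignore_rhosts` value that this commit computes in `sshd::base`, so as far as the visible hunks show the new option never reaches the rendered file. The effect is security-relevant: a host with public-key authentication disabled gets `IgnoreRhosts no`, which lets sshd read per-user `~/.rhosts` and `~/.shosts`, even when `sshd_ignore_rhosts` is left at its `yes` default. The condition should read `<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>`. The same condition is repeated in the other three template sections (the hunks at -55,8, -73,8 and -67,8), and each needs the same one-line change.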
|
|
|
@ -55,8 +55,14 @@ PubkeyAuthentication no
|
|||
|
||||
# rhosts authentication should not be used
|
||||
#RhostsAuthentication no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
IgnoreRhosts yes
|
||||
<%- else %>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
|
|
|
@ -73,8 +73,13 @@ PubkeyAuthentication no
|
|||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
#IgnoreRhosts yes
|
||||
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
IgnoreRhosts yes
|
||||
<%- else %>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
||||
|
|
|
@ -67,8 +67,13 @@ PubkeyAuthentication no
|
|||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
#IgnoreRhosts yes
|
||||
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
|
||||
IgnoreRhosts yes
|
||||
<%- else %>
|
||||
IgnoreRhosts no
|
||||
<% end -%>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
|
||||
|
|