diff --git a/manifests/init.pp b/manifests/init.pp index 55a2714..bcad768 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,7 +13,7 @@ # the Free Software Foundation. # # Deploy authorized_keys file with the define -# sshd::deploy_auth_key +# sshd::ssh_authorized_key # # sshd-config: # @@ -40,6 +40,15 @@ # to ensure that only user foobar and root # might login. # Default: empty -> no restriction is set +# +# sshd_allowed_groups list of groups separated by spaces. +# set this for example to "wheel sftponly" +# to ensure that only users in the groups +# wheel and sftponly might login. +# Default: empty -> no restriction is set +# Note: This is set after sshd_allowed_users, +# take care of the behaviour if you use +# these 2 options together. # # sshd_use_pam: if you want to use pam or not for authenticaton # Values: no or yes. @@ -100,6 +109,14 @@ # sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u) # Default: AuthorizedKeysFile %h/.ssh/authorized_keys # +# sshd_sftp_subsystem: Set a different sftp-subystem than the default one. +# Might be interesting for sftponly usage +# Default: empty -> no change of the default +# +# sshd_additional_options: Set this to any additional sshd_options which aren't listed above. +# As well this option might be usefull to define complexer Match Blocks +# This string is going to be included, like it is defined. So take care! +# Default: empty -> not added. class sshd { include sshd::client 
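Review bot: The new `sshd_allowed_groups` paragraph says "This is set after sshd_allowed_users, take care of the behaviour" but never states what the behaviour is: sshd enforces every Allow/Deny directive that is present, so when both options are set a user must match AllowUsers and AllowGroups, and the order of the two lines in sshd_config does not change that. Suggest replacing the three `# Note:` lines with `# Note: when both sshd_allowed_users and sshd_allowed_groups are set, a login must match both lists; the order of the two directives is irrelevant.` The `sshd_additional_options` paragraph should likewise say that the string is written into sshd_config without validation and that one malformed directive makes sshd reject the whole file, since "So take care!" does not tell the reader what can go wrong. Minor wording in the added lines: "subystem", "usefull" and "complexer".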
@@ -118,77 +135,68 @@ class sshd { class sshd::base { # prepare variables to use in templates - $real_sshd_listen_address = $sshd_listen_address ? { - '' => [ '0.0.0.0', '::' ], - default => $sshd_listen_address + case $sshd_listen_address { + '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } } - $real_sshd_allowed_users = $sshd_allowed_users ? { - '' => '', - default => $sshd_allowed_users + case $sshd_allowed_users { + '': { $sshd_allowed_users = '' } } - $real_sshd_use_pam = $sshd_use_pam ? { - '' => 'no', - default => $sshd_use_pam + case $sshd_allowed_groups { + '': { $sshd_allowed_groups = '' } } - $real_sshd_permit_root_login = $sshd_permit_root_login ? { - '' => 'without-password', - default => $sshd_permit_root_login + case $sshd_use_pam { + '': { $sshd_use_pam = 'no' } } - $real_sshd_password_authentication = $sshd_password_authentication ? { - '' => 'no', - default => $sshd_password_authentication + case $sshd_permit_root_login { + '': { $sshd_permit_root_login = 'without-password' } } - $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? { - '' => 'no', - default => $sshd_tcp_forwarding + case $sshd_password_authentication { + '': { $sshd_password_authentication = 'no' } } - $real_sshd_x11_forwarding = $sshd_x11_forwarding ? { - '' => 'no', - default => $sshd_x11_forwarding + case $sshd_tcp_forwarding { + '': { $sshd_tcp_forwarding = 'no' } } - $real_sshd_agent_forwarding = $sshd_agent_forwarding ? { - '' => 'no', - default => $sshd_agent_forwarding + case $sshd_x11_forwarding { + '': { $sshd_x11_forwarding = 'no' } } - $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? { - '' => 'no', - default => $sshd_challenge_response_authentication + case $sshd_agent_forwarding { + '': { $sshd_agent_forwarding = 'no' } } - $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? 
{ - '' => 'yes', - default => $sshd_pubkey_authentication + case $sshd_challenge_response_authentication { + '': { $sshd_challenge_response_authentication = 'no' } } - $real_sshd_rsa_authentication = $sshd_rsa_authentication ? { - '' => 'no', - default => $sshd_rsa_authentication + case $sshd_pubkey_authentication { + '': { $sshd_pubkey_authentication = 'yes' } } - $real_sshd_strict_modes = $sshd_strict_modes ? { - '' => 'yes', - default => $sshd_strict_modes + case $sshd_rsa_authentication { + '': { $sshd_rsa_authentication = 'no' } } - $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? { - '' => 'yes', - default => $sshd_ignore_rhosts + case $sshd_strict_modes { + '': { $sshd_strict_modes = 'yes' } } - $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? { - '' => 'no', - default => $sshd_rhosts_rsa_authentication + case $sshd_ignore_rhosts { + '': { $sshd_ignore_rhosts = 'yes' } } - $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? { - '' => 'no', - default => $sshd_hostbased_authentication + case $sshd_rhosts_rsa_authentication { + '': { $sshd_rhosts_rsa_authentication = 'no' } } - $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? { - '' => 'no', - default => $sshd_permit_empty_passwords + case $sshd_hostbased_authentication { + '': { $sshd_hostbased_authentication = 'no' } } - $real_sshd_port = $sshd_port ? { - '' => 22, - default => $sshd_port + case $sshd_permit_empty_passwords { + '': { $sshd_permit_empty_passwords = 'no' } } - $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? { - '' => "%h/.ssh/authorized_keys", - default => $sshd_authorized_keys_file + case $sshd_port { + '': { $sshd_port = 22 } + } + case $sshd_authorized_keys_file { + '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } + } + case $sshd_sftp_subsystem { + '': { $sshd_sftp_subsystem = '' } + } + case $sshd_additional_options { + '': { $sshd_additional_options = '' } } file { 'sshd_config': 
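Review bot: The new `case … { '': { … } }` blocks in sshd::base only substitute a default for the empty string and pass every other value through unchecked, which matters most for the settings the templates interpolate verbatim instead of comparing against 'yes' — `PermitRootLogin`, `Port`, `AuthorizedKeysFile`, `Subsystem sftp`, `AllowUsers`/`AllowGroups` and the raw `sshd_additional_options`. A typo such as `$sshd_permit_root_login = 'true'` renders an sshd_config that sshd refuses to load, and if the `file { 'sshd_config':` resource that starts at the end of this hunk (its body is outside the hunk) restarts the service, the host is left without a working sshd. Validating the enumerated options inside the same case statement keeps the defaulting behaviour and fails the catalog compile instead; the same shape fits `sshd_port`. The reassignment of `$sshd_*` inside the class also relies on the template reading the class-scope copy when a default was applied and the top-scope value otherwise, which presumably depends on dynamic variable lookup, so a comment above the first case would help: `# An empty value is replaced by a class-local default; a non-empty value is left at top scope and found there by the template.`
```puppet
  case $sshd_permit_root_login {
    '': { $sshd_permit_root_login = 'without-password' }
    'yes', 'no', 'without-password', 'forced-commands-only': {}
    default: { fail("sshd_permit_root_login: unsupported value '${sshd_permit_root_login}'") }
  }
  # … unchanged: remaining case blocks …
```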
@@ -293,43 +301,3 @@ define sshd::ssh_authorized_key( } } } - -# deprecated! -define sshd::deploy_auth_key( - $source = 'present', - $user = 'root', - $target_dir = '/root/.ssh/', - $group = 0 ) { - - notice("this way of deploying authorized keys is deprecated. use the native ssh_authorized_key instead") - - $real_target = $target_dir ? { - '' => "/home/$user/.ssh/", - default => $target_dir, - } - - file {$real_target: - ensure => directory, - owner => $user, - group => $group, - mode => 700, - } - - case $source { - 'present': { $keysource = $name } - default: { $keysource = $source } - } - - file {"authorized_keys_${user}": - path => "$real_target/authorized_keys", - owner => $user, - group => $group, - mode => 600, - source => [ "puppet://$server/files/sshd/authorized_keys/${keysource}", - "puppet://$server/files/sshd/authorized_keys/${fqdn}", - "puppet://$server/files/sshd/authorized_keys/default", - "puppet://$server/sshd/authorized_keys/${name}", - "puppet://$server/sshd/authorized_keys/${fqdn}", - "puppet://$server/sshd/authorized_keys/default" ], - } -} diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 6a16d77..27880cb 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -10,14 +10,14 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless real_sshd_port.to_s.empty? then %> -Port <%= real_sshd_port %> +<%- unless sshd_port.to_s.empty? then %> +Port <%= sshd_port %> <%- else %> Port 22 <%- end %> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> #AddressFamily any 
@@ -42,13 +42,13 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> +<%- unless sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> -<%- if real_sshd_strict_modes.to_s == 'yes' then %> +<%- if sshd_strict_modes.to_s == 'yes' then %> StrictModes yes <%- else %> StrictModes no @@ -56,33 +56,33 @@ StrictModes no #MaxAuthTries 6 -<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rsa_authentication.to_s == 'yes' then %> RSAAuthentication yes <%- else %> RSAAuthentication no <%- end %> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +<%- if sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> PubkeyAuthentication no <%- end %> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else %> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> RhostsRSAAuthentication yes <%- else %> RhostsRSAAuthentication no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +<%- if sshd_hostbased_authentication.to_s == 'yes' then %> HostbasedAuthentication yes <%- else %> HostbasedAuthentication no 
@@ -93,28 +93,28 @@ HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +<%- if sshd_ignore_rhosts.to_s == 'yes' then %> IgnoreRhosts yes <%- else %> IgnoreRhosts no <% end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> +<%- if sshd_password_authentication.to_s == 'yes' then %> PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> ChallengeResponseAuthentication yes <%- else %> ChallengeResponseAuthentication no @@ -141,7 +141,7 @@ GSSAPICleanupCredentials yes # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no -<%- if real_sshd_use_pam.to_s == 'yes' then %> +<%- if sshd_use_pam.to_s == 'yes' then %> UsePAM yes <%- else %> UsePAM no @@ -152,7 +152,7 @@ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +<%- if sshd_tcp_forwarding.to_s == 'yes' then %> AllowTcpForwarding yes <%- else %> AllowTcpForwarding no @@ -160,7 +160,7 @@ AllowTcpForwarding no #GatewayPorts no #X11Forwarding no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +<%- if sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes <%- else %> X11Forwarding no 
@@ -186,7 +186,21 @@ X11Forwarding no #Banner /some/path # override default of no subsystems +<%- if sshd_sftp_subsystem.to_s.empty? then %> Subsystem sftp /usr/libexec/openssh/sftp-server -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> <%- end %> + +<%- unless sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= sshd_allowed_users %> +<%- end %> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> +<%- end %> + diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 09be201..28aa52c 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -2,14 +2,14 @@ # See the sshd(8) manpage for details # What ports, IPs and protocols we listen for -<%- unless real_sshd_port.to_s.empty? then -%> -Port <%= real_sshd_port -%> +<%- unless sshd_port.to_s.empty? then -%> +Port <%= sshd_port -%> <%- else -%> Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> Protocol 2 
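Review bot: The `<%= sshd_additional_options %>` block is written verbatim as the last thing in the template, and that position is load-bearing: the option is documented as the place for Match blocks, so any directive a later edit appends below it would silently land inside a user-supplied Match block instead of applying globally. Nothing in the template records this, so suggest a comment directly above the new `unless` guard, e.g. `# keep sshd_additional_options last: a Match block inside it applies to everything below it`. The same block with the same missing comment is added to Debian_etch.erb, Debian_lenny.erb, Gentoo.erb and OpenBSD.erb in this commit. The new `AllowGroups` line next to `AllowUsers` would also benefit from a one-line reminder that sshd enforces both lists when both are present, since the init.pp documentation only says to "take care".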
@@ -33,52 +33,52 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> <%- else -%> PermitRootLogin without-password <%- end -%> -<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +<%- if sshd_strict_modes.to_s == 'yes' then -%> StrictModes yes <%- else -%> StrictModes no <%- end -%> -<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> RSAAuthentication yes <%- else -%> RSAAuthentication no <%- end -%> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> PubkeyAuthentication yes <%- else -%> PubkeyAuthentication no <%- end -%> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else -%> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end -%> # For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> RhostsRSAAuthentication yes <%- else -%> RhostsRSAAuthentication no <% end -%> # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> IgnoreRhosts yes <%- else -%> IgnoreRhosts no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> HostbasedAuthentication yes <%- else -%> HostbasedAuthentication no 
@@ -88,21 +88,21 @@ HostbasedAuthentication no #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> ChallengeResponseAuthentication yes <%- else -%> ChallengeResponseAuthentication no <%- end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +<%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes <%- else -%> PasswordAuthentication no @@ -117,7 +117,7 @@ PasswordAuthentication no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes <%- else -%> X11Forwarding no @@ -130,7 +130,11 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes +<%- if sshd_sftp_subsystem.to_s.empty? then %> #Subsystem sftp /usr/lib/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -141,7 +145,7 @@ KeepAlive yes # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then -%> +<%- if sshd_use_pam.to_s == 'yes' then -%> UsePAM yes <%- else -%> UsePAM no 
@@ -149,7 +153,7 @@ UsePAM no HostbasedUsesNameFromPacketOnly yes -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> AllowTcpForwarding no @@ -157,7 +161,16 @@ AllowTcpForwarding no ChallengeResponseAuthentication no -<%- unless real_sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= real_sshd_allowed_users -%> +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> <%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> +<%- end %> + diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index bb39736..8d68808 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -2,14 +2,14 @@ # See the sshd(8) manpage for details # What ports, IPs and protocols we listen for -<%- unless real_sshd_port.to_s.empty? then -%> -Port <%= real_sshd_port -%> +<%- unless sshd_port.to_s.empty? then -%> +Port <%= sshd_port -%> <%- else -%> Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> Protocol 2 
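Review bot: In Debian_etch.erb the new `<%- unless sshd_allowed_groups.to_s.empty? then %>` / `<%- end %>` pair and the `sshd_additional_options` block close their control tags with `%>`, while the rest of this template — including the `AllowUsers` block directly above — uses `-%>` to drop the trailing newline. The rendered sshd_config therefore gains stray blank lines wherever a guard is false; harmless to sshd, but it makes rendered output differ between hosts for no reason and breaks the file's own convention. Suggest `<%- unless sshd_allowed_groups.to_s.empty? then -%>` and `<%- end -%>` (same for the additional-options guard); Debian_lenny.erb has the same mismatch in its corresponding hunk.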
@@ -33,52 +33,52 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> <%- else -%> PermitRootLogin without-password <%- end -%> -<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +<%- if sshd_strict_modes.to_s == 'yes' then -%> StrictModes yes <%- else -%> StrictModes no <%- end -%> -<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> RSAAuthentication yes <%- else -%> RSAAuthentication no <%- end -%> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> PubkeyAuthentication yes <%- else -%> PubkeyAuthentication no <%- end -%> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else -%> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end -%> # For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> RhostsRSAAuthentication yes <%- else -%> RhostsRSAAuthentication no <% end -%> # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> IgnoreRhosts yes <%- else -%> IgnoreRhosts no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> HostbasedAuthentication yes <%- else -%> HostbasedAuthentication no 
@@ -88,21 +88,21 @@ HostbasedAuthentication no #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> ChallengeResponseAuthentication yes <%- else -%> ChallengeResponseAuthentication no <%- end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +<%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes <%- else -%> PasswordAuthentication no @@ -117,7 +117,7 @@ PasswordAuthentication no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes <%- else -%> X11Forwarding no @@ -130,7 +130,11 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes +<%- if sshd_sftp_subsystem.to_s.empty? then %> #Subsystem sftp /usr/lib/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -141,7 +145,7 @@ KeepAlive yes # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then -%> +<%- if sshd_use_pam.to_s == 'yes' then -%> UsePAM yes <%- else -%> UsePAM no 
@@ -149,13 +153,13 @@ UsePAM no HostbasedUsesNameFromPacketOnly yes -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> AllowTcpForwarding no <%- end -%> -<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%> +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> AllowAgentForwarding yes <%- else -%> AllowAgentForwarding no @@ -163,7 +167,15 @@ AllowAgentForwarding no ChallengeResponseAuthentication no -<%- unless real_sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= real_sshd_allowed_users -%> +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> <%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> +<%- end %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 1b9b98e..77ed378 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -10,14 +10,14 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless real_sshd_port.to_s.empty? then %> -Port <%= real_sshd_port %> +<%- unless sshd_port.to_s.empty? then %> +Port <%= sshd_port %> <%- else %> Port 22 <%- end %> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> #AddressFamily any 
@@ -47,46 +47,46 @@ Protocol 2 #LoginGraceTime 2m PermitRootLogin without-password -<%- if real_sshd_strict_modes.to_s == 'yes' then %> +<%- if sshd_strict_modes.to_s == 'yes' then %> StrictModes yes <%- else %> StrictModes no <%- end %> -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> +<%- unless sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> #MaxAuthTries 6 -<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rsa_authentication.to_s == 'yes' then %> RSAAuthentication yes <%- else %> RSAAuthentication no <%- end %> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +<%- if sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> PubkeyAuthentication no <%- end %> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else %> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> RhostsRSAAuthentication yes <%- else %> RhostsRSAAuthentication no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +<%- if sshd_hostbased_authentication.to_s == 'yes' then %> HostbasedAuthentication yes <%- else %> HostbasedAuthentication no 
@@ -97,28 +97,28 @@ HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +<%- if sshd_ignore_rhosts.to_s == 'yes' then %> IgnoreRhosts yes <%- else %> IgnoreRhosts no <% end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> +<%- if sshd_password_authentication.to_s == 'yes' then %> PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> ChallengeResponseAuthentication yes <%- else %> ChallengeResponseAuthentication no @@ -145,20 +145,20 @@ ChallengeResponseAuthentication no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then %> +<%- if sshd_use_pam.to_s == 'yes' then %> UsePAM yes <%- else %> UsePAM no <%- end %> -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +<%- if sshd_tcp_forwarding.to_s == 'yes' then %> AllowTcpForwarding yes <%- else %> AllowTcpForwarding no <%- end %> #GatewayPorts no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +<%- if sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes <%- else %> X11Forwarding no 
@@ -183,7 +183,11 @@ X11Forwarding no #Banner /some/path # override default of no subsystems +<%- if sshd_sftp_subsystem.to_s.empty? then %> Subsystem sftp /usr/lib/misc/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -191,6 +195,16 @@ Subsystem sftp /usr/lib/misc/sftp-server # AllowTcpForwarding no # ForceCommand cvs server -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> +<%- unless sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= sshd_allowed_users %> <%- end %> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> +<%- end %> + + diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 32f6780..a6e0763 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,14 +8,14 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless real_sshd_port.to_s.empty? then %> -Port <%= real_sshd_port %> +<%- unless sshd_port.to_s.empty? then %> +Port <%= sshd_port %> <%- else %> Port 22 <%- end %> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> #Protocol 2,1 
@@ -39,13 +39,13 @@ ListenAddress <%= address %> # Authentication: #LoginGraceTime 2m -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> +<%- unless sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> -<%- if real_sshd_strict_modes.to_s == 'yes' then %> +<%- if sshd_strict_modes.to_s == 'yes' then %> StrictModes yes <%- else %> StrictModes no @@ -53,33 +53,33 @@ StrictModes no #MaxAuthTries 6 -<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rsa_authentication.to_s == 'yes' then %> RSAAuthentication yes <%- else %> RSAAuthentication no <%- end %> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +<%- if sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> PubkeyAuthentication no <%- end %> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else %> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> RhostsRSAAuthentication yes <%- else %> RhostsRSAAuthentication no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +<%- if sshd_hostbased_authentication.to_s == 'yes' then %> HostbasedAuthentication yes <%- else %> HostbasedAuthentication no 
@@ -90,28 +90,28 @@ HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +<%- if sshd_ignore_rhosts.to_s == 'yes' then %> IgnoreRhosts yes <%- else %> IgnoreRhosts no <% end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> +<%- if sshd_password_authentication.to_s == 'yes' then %> PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> ChallengeResponseAuthentication yes <%- else %> ChallengeResponseAuthentication no @@ -127,14 +127,14 @@ ChallengeResponseAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +<%- if sshd_tcp_forwarding.to_s == 'yes' then %> AllowTcpForwarding yes <%- else %> AllowTcpForwarding no <%- end %> #GatewayPorts no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +<%- if sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes <%- else %> X11Forwarding no 
@@ -159,10 +159,17 @@ X11Forwarding no #Banner /some/path # override default of no subsystems +<%- if sshd_sftp_subsystem.to_s.empty? then %> Subsystem sftp /usr/libexec/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> +<%- unless sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= sshd_allowed_users %> +<%- end %> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> <%- end %> # Example of overriding settings on a per-user basis @@ -170,3 +177,7 @@ AllowUsers <%= real_sshd_allowed_users %> # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> +<%- end %>