add the sshd_strict_modes variable, with the default set to yes

2008-09-26 17:28:05 -04:00 · 2008-09-26 17:28:05 -04:00 · ba8d788f89
commit ba8d788f89
parent 0a0236b107
5 changed files with 35 additions and 4 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -56,9 +56,13 @@
 # 				Valid Values: yes or no
 #				Default: yes
 #
-# sshd_rsa_authentication:	If you wat to enable RSA Authentication
+# sshd_rsa_authentication:	If you want to enable RSA Authentication
 # 				Valid Values: yes or no
 #				Default: no
+#				
+# sshd_strict_modes:		If you want to set StrictModes (check file modes/ownership before accepting login)
+# 				Valid Values: yes or no
+#				Default: yes

 class sshd {
    include sshd::client 
@ -113,6 +117,10 @@ class sshd::base {
    	'' => 'no',
 	default => $sshd_rsa_authentication
    }
+    $real_sshd_strict_modes = $sshd_strict_modes ? {
+    	'' => 'yes',
+	default => $sshd_strict_modes
+    }

    file { 'sshd_config':
        path => '/etc/ssh/sshd_config',
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@ -41,7 +41,13 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
-#StrictModes yes
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
 #MaxAuthTries 6

 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@ -32,7 +32,12 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
 StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>

 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
 RSAAuthentication yes
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@ -39,7 +39,13 @@ Protocol 2

 #LoginGraceTime 2m
 PermitRootLogin without-password
-#StrictModes yes
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
 <%- unless real_sshd_permit_root_login.to_s.empty? then %>
 PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@ -37,7 +37,13 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
-#StrictModes yes
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
 #MaxAuthTries 6

 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>