Graphe des révisions

21 commits

Auteur SHA1 Message Date
Micah Anderson
fd82841c1f Change 'hardened_ssl' paramter to simply 'hardened', this makes more
sense in general
2015-05-04 15:42:26 -04:00
Micah Anderson
d78749fd8f Add a $hostkey_type variable that allows you to set which hostkey
types you want to support in your sshd_config.

We use the ssh_version fact to determine the default hostkey types.
Only enable rsa and ed25519 for ssh versions greater or equal
to 6.5, otherwise enable rsa and dsa.

Some distributions, such as debian, also enable ecdsa as a hostkey
type, but this is a known bad NIST curve, so we do not enable that
by default (thus deviating from the stock sshd config)
2014-11-21 21:20:29 -05:00
mh
5b86606d59 correct variable naming 2012-06-18 17:43:48 -03:00
mh
2204eb01f6 new style for 2.7 2012-06-05 18:23:03 -03:00
Silvio Rhatto
0e9e1b6f2c Adding PrintMotd parameter to all templates and setting per-distro default value 2011-07-21 11:01:33 -03:00
Silvio Rhatto
57d8883d48 Removing sshd_use_strong_ciphers parameter as sshd_hardened_ssl does the job 2011-07-13 18:41:59 -03:00
Silvio Rhatto
99928cd61e Merge branch 'master' of git://labs.riseup.net/shared-sshd 2011-07-13 18:39:18 -03:00
intrigeri
34863e959f New opt-in support to only use strong SSL ciphers and MACs.
The new configuration variable is $sshd_hardened_ssl.
Settings were stolen from https://github.com/ioerror/duraconf.git.
2011-06-21 00:27:55 +02:00
Silvio Rhatto
75105d66d8 Adding sshd_use_strong_ciphers to all sshd_config templates 2011-02-23 14:40:02 -03:00
Silvio Rhatto
9ac4697eb5 Changing parameter name sshd_perfect_forward_secrecy to sshd_use_strong_ciphers as sshd already does PFS 2011-02-23 14:25:18 -03:00
Micah Anderson
ac240412cc remove HostbasedUsesNameFromPacketOnly yes from Debian sshd_config templates. This is not set in the Debian templates by default, and the default is actually no, not yes. If someone wishes to make a configuration variable they can, otherwise head/tail_additional options can be used 2011-02-21 12:45:49 -05:00
Silvio Rhatto
474b23271d Merge branch 'master' of git://labs.riseup.net/shared-sshd
Conflicts:
	templates/sshd_config/Debian_squeeze.erb
2011-02-19 18:08:02 -02:00
intrigeri
2f7903bcc4 Merge remote branch 'shared/master'
Conflicts:
	templates/sshd_config/Debian_squeeze.erb

I always picked the shared repository version when conflicts arose.
The only exception to this rule was:
I kept my branch's "HostbasedUsesNameFromPacketOnly yes" in order
to be consistent with existing Etch and Lenny templates.
This is not the default Debian setting, but I would find it weird if a host
had this setting changed by Puppet after upgrading to Squeeze.
The right way to proceed would probably be to make this configurable.
2011-02-14 17:17:31 +01:00
Silvio Rhatto
ac30247bf9 Perfect forward secrecy config at squeeze template 2011-02-13 18:42:36 -02:00
Micah Anderson
2188f46db7 fix debian squeeze sshd_config template to add a missing newline 2010-12-20 14:18:30 -05:00
Micah Anderson
0ec0562257 remote KerberosGetAFSToken, its actually not a functional configuration option, even though it is listed in the man page, and commented out in the default config file. I filed a bug with debian (#607238) 2010-12-15 20:38:07 -05:00
Micah Anderson
72e24df3b6 add Debian Squeeze sshd template. Enabled kerberos and gssapi options, using the defaults when not specified 2010-12-14 13:22:43 -05:00
intrigeri
8cb562f87c Syntax fix. 2010-10-16 22:32:25 +02:00
intrigeri
a643172a79 New option sshd_ports that obsoletes sshd_port.
Backward compatibility is preserved.
2010-10-16 16:05:00 +02:00
intrigeri
23efb583bf Cleanup templates: sshd_port is guaranteed by init.pp not to be empty. 2010-10-16 16:01:24 +02:00
intrigeri
b9a8b7b3df Add template for Debian Squeeze. 2010-10-03 19:56:48 +02:00