opuppet/module-sshd
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
module-sshd/templates/sshd_config/FreeBSD.erb
Micah Anderson d78749fd8f Add a $hostkey_type variable that allows you to set which hostkey 
types you want to support in your sshd_config.

We use the ssh_version fact to determine the default hostkey types.
Only enable rsa and ed25519 for ssh versions greater or equal
to 6.5, otherwise enable rsa and dsa.

Some distributions, such as debian, also enable ecdsa as a hostkey
type, but this is a known bad NIST curve, so we do not enable that
by default (thus deviating from the stock sshd config)
2014-11-21 21:20:29 -05:00

162 lines
5.1 KiB
Text
Raw Blame History

# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.2.2.1 2010/06/14 02:09:06 kensmith Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
#VersionAddendum FreeBSD-20100308
<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
<%= s %>
<% end -%>
# What ports, IPs and protocols we listen for
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<% end -%>
#AddressFamily any
<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
# The default requires explicit activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
<% end -%>
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
#MaxAuthTries 6
#MaxSessions 10
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Change to yes to enable built-in password authentication.
PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable PAM authentication
ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# Kerberos options
KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %>
KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
# GSSAPI options
GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
#GatewayPorts no
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd <%= sshd_print_motd %>
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %>
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
AllowUsers <%= s %>
<% end -%>
<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
AllowGroups <%= s %>
<%- end -%>
<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
Reference in a new issue View git blame Copy permalink