author | Micah Anderson <micah@riseup.net> | 2008-09-26 17:55:02 -0400 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2008-09-26 17:55:02 -0400 |
commit | 0b180227270cf5d1a5e2176142c2a129940f523a (patch) | |
tree | ab355003385280d8a226e0a6b05a885232aaa110 | |
parent | 58fef5f8092b937caa2a11648f3937e17f718d81 (diff) | |
add sshd_allow_tcp_forwarding variable, with the default changed to no (note this is opposite of
what the existing template had enabled for Debian, but this is a better setting)
-rw-r--r-- | manifests/init.pp | 9 | ||||
-rw-r--r-- | templates/sshd_config/CentOS_normal.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/Debian_normal.erb | 6 | ||||
-rw-r--r-- | templates/sshd_config/Gentoo_normal.erb | 7 | ||||
-rw-r--r-- | templates/sshd_config/OpenBSD_normal.erb | 7 |
5 files changed, 34 insertions, 3 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 5ba3e22..af716cd 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,6 +1,7 @@
 #
 # ssh module
 #
+# Copyright 2008, micah@riseup.net
 # Copyright 2008, admin(at)immerda.ch
 # Copyright 2008, Puzzle ITC GmbH
 # Marcel Härry haerry+puppet(at)puzzle.ch
@@ -44,6 +45,10 @@
 # Valid values: yes or no
 # Default: no
 #
+# sshd_tcp_forwarding: If you want to enable TcpForwarding
+# Valid Values: yes or no
+# Default: no
+#
 # sshd_x11_forwarding: If you want to enable x11 forwarding
 # Valid Values: yes or no
 # Default: no
@@ -110,6 +115,10 @@ class sshd::base {
 '' => 'no',
 default => $sshd_password_authentication
 }
+ $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
+ '' => 'no',
+ default => $sshd_tcp_forwarding
+ }
 $real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
 '' => 'no',
 default => $sshd_x11_forwarding
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index 92ba92e..a0ec786 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -140,7 +140,13 @@ UsePAM no
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 AcceptEnv LC_IDENTIFICATION LC_ALL
-#AllowTcpForwarding yes
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+AllowTcpForwarding yes
+<%- else %>
+AllowTcpForwarding no
+<%- end %>
+
 #GatewayPorts no
 #X11Forwarding no
 <%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index 92cb7b0..f6a2a81 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
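Review bot: In the `sshd::base` hunk of manifests/init.pp, the new selector passes any non-empty `$sshd_tcp_forwarding` straight through, and the templates in this commit compare it with the exact string 'yes', so a value such as `Yes` or `true` is rendered as `AllowTcpForwarding no` without any warning. That fails closed, which is the safer direction, but the parameter comment added in the second hunk of the same file should say so, for example `# Any value other than the exact string 'yes' is rendered as AllowTcpForwarding no`. The code and the comment use `sshd_tcp_forwarding`, which differs from the name in the commit description, so the comment is the place users will learn the name to set. The body of `sshd::base` starts and ends outside the hunk.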
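Review bot: The block added in templates/sshd_config/CentOS_normal.erb makes `AllowTcpForwarding no` the default without saying what it does and does not protect. sshd_config(5) notes that disabling TCP forwarding does not improve security unless users are also denied shell access, because an account with a shell can run its own forwarder. A one-line comment above the block would keep operators from over-relying on the setting, e.g. `# Only restricts accounts without shell access; see sshd_config(5)`. The same applies to the Debian, Gentoo and OpenBSD template hunks. `#GatewayPorts no` stays commented out beside the block, so the built-in GatewayPorts default still governs remote forwards whenever the variable is set to yes.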
@@ -138,7 +138,13 @@ UsePAM no <%- end %> HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + <%- if real_sshd_agent_forwarding.to_s == 'yes' then %> AllowAgentForwarding yes <%- else %> diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index a9f9916..ca6b90a 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -139,7 +139,12 @@ UsePAM yes UsePAM no <%- end %> -#AllowTcpForwarding yes +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + #GatewayPorts no <%- if real_sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index dd6bb69..96d8bbd 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -116,7 +116,12 @@ ChallengeResponseAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -#AllowTcpForwarding yes +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + #GatewayPorts no <%- if real_sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes |
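Review bot: In templates/sshd_config/Debian_normal.erb the context line `AllowTcpForwarding yes` was unconditional before this hunk, so Debian nodes that leave `sshd_tcp_forwarding` unset flip from yes to no on their next run, and the parameter documentation added in manifests/init.pp does not mention it. I would add a line there such as `# Note: Debian nodes previously had TCP forwarding enabled unconditionally`, so the change is visible to people who read the module rather than the commit log. Where the installed sshd supports it, `sshd -T` on a Debian node shows the effective `allowtcpforwarding` value after rollout. Whether the module reloads sshd when the template changes is not visible in this diff.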