authorMicah Anderson <micah@riseup.net>2008-09-26 17:51:12 -0400
committerMicah Anderson <micah@riseup.net>2008-09-26 17:51:12 -0400
commit58fef5f8092b937caa2a11648f3937e17f718d81 (patch)
tree09318f6b69ee24632a71e2c2368f7f83a1fded4f
parentd2b60a477aceec818c79bae901cfb7068e85985e (diff)
add variable sshd_permit_empty_passwords, with the default set to no
-rw-r--r--manifests/init.pp9
-rw-r--r--templates/sshd_config/CentOS_normal.erb8
-rw-r--r--templates/sshd_config/Debian_normal.erb4
-rw-r--r--templates/sshd_config/Gentoo_normal.erb8
-rw-r--r--templates/sshd_config/OpenBSD_normal.erb8
5 files changed, 34 insertions, 3 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 02f2e42..5ba3e22 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -71,6 +71,11 @@
# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
# Valid Values: yes or no
# Default: yes
+#
+# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords
+# Valid Values: yes or no
+# Default: no
+
class sshd {
include sshd::client
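Review bot: The new header comment for `sshd_permit_empty_passwords` has a grammar slip ("If you want enable") and does not say what the setting exposes. I would word it as `# sshd_permit_empty_passwords: Set to yes to let sshd accept logins to accounts with an empty password when password authentication is on (NOT RECOMMENDED)`. The templates in this commit already carry the NOT RECOMMENDED remark. Repeating it here puts the caveat where an operator actually chooses the value.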
@@ -141,6 +146,10 @@ class sshd::base {
'' => 'no',
default => $sshd_hostbased_authentication
}
+ $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
+ '' => 'no',
+ default => $sshd_permit_empty_passwords
+ }
file { 'sshd_config':
path => '/etc/ssh/sshd_config',
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index a784842..92ba92e 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -94,7 +94,13 @@ PasswordAuthentication yes
<%- else %>
PasswordAuthentication no
<%- end %>
-#PermitEmptyPasswords no
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_empty_passwords.to_s == 'yes' then %>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
# Change to no to disable s/key passwords
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
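Review bot: The added condition reads `real_sshd_empty_passwords`, but the manifest hunk in this commit defines `$real_sshd_permit_empty_passwords`, so the template tests a name that nothing visible here sets. Depending on how the Puppet version in use treats an unknown template variable, this presumably either fails template evaluation or always renders `PermitEmptyPasswords no`; either way the new option cannot take effect. The line should be `<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>`, and the same line needs the same fix in the Debian, Gentoo and OpenBSD template hunks. As a style point, the new `<% else -%>` and `<% end -%>` tags use different trim markers from the `<%- else %>` and `<%- end %>` context lines just above; matching them would keep the rendered whitespace consistent.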
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index cf24953..92cb7b0 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -78,7 +78,11 @@ HostbasedAuthentication no
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_empty_passwords.to_s == 'yes' then %>
+PermitEmptyPasswords yes
+<% else -%>
PermitEmptyPasswords no
+<% end -%>
# Change to no to disable s/key passwords
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index 57a80a1..a9f9916 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -97,7 +97,13 @@ PasswordAuthentication yes
<%- else %>
PasswordAuthentication no
<%- end %>
-#PermitEmptyPasswords no
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_empty_passwords.to_s == 'yes' then %>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
# Change to no to disable s/key passwords
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index 1de6a55..dd6bb69 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -91,7 +91,13 @@ PasswordAuthentication yes
<%- else %>
PasswordAuthentication no
<%- end %>
-#PermitEmptyPasswords no
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_empty_passwords.to_s == 'yes' then %>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
# Change to no to disable s/key passwords
<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>