authorMicah Anderson <micah@riseup.net>2008-09-26 17:55:02 -0400
committerMicah Anderson <micah@riseup.net>2008-09-26 17:55:02 -0400
commit0b180227270cf5d1a5e2176142c2a129940f523a (patch)
treeab355003385280d8a226e0a6b05a885232aaa110
parent58fef5f8092b937caa2a11648f3937e17f718d81 (diff)
add sshd_allow_tcp_forwarding variable, with the default changed to no (note this is opposite of
what the existing template had enabled for Debian, but this is a better setting)
-rw-r--r--manifests/init.pp9
-rw-r--r--templates/sshd_config/CentOS_normal.erb8
-rw-r--r--templates/sshd_config/Debian_normal.erb6
-rw-r--r--templates/sshd_config/Gentoo_normal.erb7
-rw-r--r--templates/sshd_config/OpenBSD_normal.erb7
5 files changed, 34 insertions, 3 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 5ba3e22..af716cd 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,6 +1,7 @@
#
# ssh module
#
+# Copyright 2008, micah@riseup.net
# Copyright 2008, admin(at)immerda.ch
# Copyright 2008, Puzzle ITC GmbH
# Marcel Härry haerry+puppet(at)puzzle.ch
@@ -44,6 +45,10 @@
# Valid values: yes or no
# Default: no
#
+# sshd_tcp_forwarding: If you want to enable TcpForwarding
+# Valid Values: yes or no
+# Default: no
+#
# sshd_x11_forwarding: If you want to enable x11 forwarding
# Valid Values: yes or no
# Default: no
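Review bot: The added header comment calls the directive `TcpForwarding`, but the keyword the templates write is `AllowTcpForwarding`, and the commit message names the variable `sshd_allow_tcp_forwarding` while the code uses `sshd_tcp_forwarding`; this comment is where an admin will look, so it should carry the exact names. I would word it as `# sshd_tcp_forwarding: Sets AllowTcpForwarding (SSH port forwarding)`. It is also worth one more comment line repeating the caveat from sshd_config(5), that turning TCP forwarding off does not improve security for accounts that still have shell access, since those users can run their own forwarders.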
@@ -110,6 +115,10 @@ class sshd::base {
'' => 'no',
default => $sshd_password_authentication
}
+ $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
+ '' => 'no',
+ default => $sshd_tcp_forwarding
+ }
$real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
'' => 'no',
default => $sshd_x11_forwarding
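Review bot: The `default` arm of the new selector passes `$sshd_tcp_forwarding` through unchecked, and the templates in this commit compare it against the exact string 'yes', so a value such as 'Yes' or 'true' renders `AllowTcpForwarding no` without any message. That fails closed, which is the safe direction, but an operator who meant to enable forwarding gets no signal. A comment above the selector such as `# only the literal 'yes' enables forwarding; every other value renders 'no'` would document it; rejecting unknown values at compile time would be stricter. The body of `sshd::base` starts and ends outside this hunk, so any validation done elsewhere is not visible here.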
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index 92ba92e..a0ec786 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -140,7 +140,13 @@ UsePAM no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
-#AllowTcpForwarding yes
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+AllowTcpForwarding yes
+<%- else %>
+AllowTcpForwarding no
+<%- end %>
+
#GatewayPorts no
#X11Forwarding no
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
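Review bot: Replacing the commented `#AllowTcpForwarding yes` with an explicit `AllowTcpForwarding no` by default changes behaviour on this platform too, not only on Debian as the commit message says, because with the line commented out sshd falls back to its built-in default of yes. The same applies to the Gentoo and OpenBSD hunks. Hosts whose users depend on `ssh -L`/`-R`/`-D` tunnels will lose them on the next Puppet run unless `$sshd_tcp_forwarding = 'yes'` is set. The template deserves a comment above the block, for example `# AllowTcpForwarding is managed by $sshd_tcp_forwarding (module default: no; sshd's own default is yes)`.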
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index 92cb7b0..f6a2a81 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -138,7 +138,13 @@ UsePAM no
<%- end %>
HostbasedUsesNameFromPacketOnly yes
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
AllowTcpForwarding yes
+<%- else %>
+AllowTcpForwarding no
+<%- end %>
+
<%- if real_sshd_agent_forwarding.to_s == 'yes' then %>
AllowAgentForwarding yes
<%- else %>
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index a9f9916..ca6b90a 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -139,7 +139,12 @@ UsePAM yes
UsePAM no
<%- end %>
-#AllowTcpForwarding yes
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+AllowTcpForwarding yes
+<%- else %>
+AllowTcpForwarding no
+<%- end %>
+
#GatewayPorts no
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
X11Forwarding yes
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index dd6bb69..96d8bbd 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -116,7 +116,12 @@ ChallengeResponseAuthentication no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-#AllowTcpForwarding yes
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+AllowTcpForwarding yes
+<%- else %>
+AllowTcpForwarding no
+<%- end %>
+
#GatewayPorts no
<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
X11Forwarding yes