new options, cleaned up real_ hack

git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2527 d66ca3ae-40d7-4aa7-90d4-87d79ca94279

1 files changed, 34 insertions, 22 deletions

diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index bb39736..8d68808 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -2,14 +2,14 @@
 # See the sshd(8) manpage for details
 
 # What ports, IPs and protocols we listen for
-<%- unless real_sshd_port.to_s.empty? then -%>
-Port <%= real_sshd_port -%>
+<%- unless sshd_port.to_s.empty? then -%>
+Port <%= sshd_port -%>
 <%- else -%>
 Port 22
 <%- end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
 ListenAddress <%= address %>
 <% end -%>
 Protocol 2
@@ -33,52 +33,52 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 600
-<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= real_sshd_permit_root_login -%>
+<%- unless sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= sshd_permit_root_login -%>
 <%- else -%>
 PermitRootLogin without-password
 <%- end -%>
 
-<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+<%- if sshd_strict_modes.to_s == 'yes' then -%>
 StrictModes yes
 <%- else -%>
 StrictModes no
 <%- end -%>
 
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
 RSAAuthentication yes
 <%- else -%>
 RSAAuthentication no
 <%- end -%>
 
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
 PubkeyAuthentication yes
 <%- else -%>
 PubkeyAuthentication no
 <%- end -%>
 
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
 <%- else -%>
 AuthorizedKeysFile %h/.ssh/authorized_keys
 <%- end -%>
 
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
 RhostsRSAAuthentication yes
 <%- else -%>
 RhostsRSAAuthentication no
 <% end -%>
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
 IgnoreRhosts yes
 <%- else -%>
 IgnoreRhosts no
 <% end -%>
 
 # similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
 HostbasedAuthentication yes
 <%- else -%>
 HostbasedAuthentication no
@@ -88,21 +88,21 @@ HostbasedAuthentication no
 #IgnoreUserKnownHosts yes
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
 PermitEmptyPasswords yes
 <% else -%>
 PermitEmptyPasswords no
 <% end -%>
 
 # Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
 ChallengeResponseAuthentication yes
 <%- else -%>
 ChallengeResponseAuthentication no
 <%- end -%>
 
 # To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+<%- if sshd_password_authentication.to_s == 'yes' then -%>
 PasswordAuthentication yes
 <%- else -%>
 PasswordAuthentication no
@@ -117,7 +117,7 @@ PasswordAuthentication no
 # Kerberos TGT Passing does only work with the AFS kaserver
 #KerberosTgtPassing yes
 
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
 X11Forwarding yes
 <%- else -%>
 X11Forwarding no
@@ -130,7 +130,11 @@ KeepAlive yes
 #Banner /etc/issue.net
 #ReverseMappingCheck yes
 
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
 #Subsystem	sftp	/usr/lib/sftp-server
+<%- else %>
+Subsystem      sftp    <%= sshd_sftp_subsystem %>
+<%- end %>
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
@@ -141,7 +145,7 @@ KeepAlive yes
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+<%- if sshd_use_pam.to_s == 'yes' then -%>
 UsePAM yes
 <%- else -%>
 UsePAM no
@@ -149,13 +153,13 @@ UsePAM no
 
 HostbasedUsesNameFromPacketOnly yes
 
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
 AllowTcpForwarding yes
 <%- else -%>
 AllowTcpForwarding no
 <%- end -%>
 
-<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%>
+<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
 AllowAgentForwarding yes
 <%- else -%>
 AllowAgentForwarding no
@@ -163,7 +167,15 @@ AllowAgentForwarding no
 
 ChallengeResponseAuthentication no
 
-<%- unless real_sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= real_sshd_allowed_users -%>
+<%- unless sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= sshd_allowed_users -%>
 <%- end -%>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
+<%- end %>
+
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>