diff options
| author | Micah Anderson <micah@riseup.net> | 2008-09-27 16:42:08 -0400 |
|---|---|---|
| committer | Micah Anderson <micah@riseup.net> | 2008-09-27 16:42:08 -0400 |
| commit | 57eb2df0371c53988244094e07b1b30486529d0d (patch) | |
| tree | 50c56d4b69e95357b0891753cd514cd79c99521d /templates/sshd_config/OpenBSD.erb | |
| parent | 0c7bc1b107f1f2b3e8e6ad045351d55390e1365b (diff) | |
| download | puppet-sshd-57eb2df0371c53988244094e07b1b30486529d0d.tar.gz puppet-sshd-57eb2df0371c53988244094e07b1b30486529d0d.tar.bz2 | |
Change the template naming:
1. remove the _normal suffix, as it is not used
2. add a selector to look for the variable $lsbdistcodename being set and use that in selecting a template
this is useful to create a Debian_Etch.erb and a Debian_Lenny.erb which can have different values. For example
the Debian Etch version of openssh does not have the AllowAgentForwarding option, and if it is included, ssh will
fail to start
Diffstat (limited to 'templates/sshd_config/OpenBSD.erb')
| -rw-r--r-- | templates/sshd_config/OpenBSD.erb | 172 |
1 files changed, 172 insertions, 0 deletions
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb new file mode 100644 index 0000000..32f6780 --- /dev/null +++ b/templates/sshd_config/OpenBSD.erb @@ -0,0 +1,172 @@ +# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +#Protocol 2,1 +#AddressFamily any + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 768 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +<%- unless real_sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= real_sshd_permit_root_login %> +<%- else %> +PermitRootLogin without-password +<%- end %> + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + +#MaxAuthTries 6 + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then %> +PasswordAuthentication yes +<%- else %> +PasswordAuthentication no +<%- end %> + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + +#GatewayPorts no +<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +X11Forwarding yes +<%- else %> +X11Forwarding no +<%- end %> +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no + +# no default banner path +#Banner /some/path + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +<%- unless real_sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= real_sshd_allowed_users %> +<%- end %> + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server |