aboutsummaryrefslogtreecommitdiff
path: root/templates/sshd_config
diff options
context:
space:
mode:
authorMicah Anderson <micah@riseup.net>2008-09-27 16:42:08 -0400
committerMicah Anderson <micah@riseup.net>2008-09-27 16:42:08 -0400
commit57eb2df0371c53988244094e07b1b30486529d0d (patch)
tree50c56d4b69e95357b0891753cd514cd79c99521d /templates/sshd_config
parent0c7bc1b107f1f2b3e8e6ad045351d55390e1365b (diff)
downloadpuppet-sshd-57eb2df0371c53988244094e07b1b30486529d0d.tar.gz
puppet-sshd-57eb2df0371c53988244094e07b1b30486529d0d.tar.bz2
Change the template naming:
1. remove the _normal suffix, as it is not used 2. add a selector to look for the variable $lsbdistcodename being set and use that in selecting a template this is useful to create a Debian_Etch.erb and a Debian_Lenny.erb which can have different values. For example the Debian Etch version of openssh does not have the AllowAgentForwarding option, and if it is included, ssh will fail to start
Diffstat (limited to 'templates/sshd_config')
-rw-r--r--templates/sshd_config/CentOS.erb (renamed from templates/sshd_config/CentOS_normal.erb)0
-rw-r--r--templates/sshd_config/Debian_Etch.erb163
-rw-r--r--templates/sshd_config/Debian_Lenny.erb (renamed from templates/sshd_config/Debian_normal.erb)0
-rw-r--r--templates/sshd_config/Gentoo.erb (renamed from templates/sshd_config/Gentoo_normal.erb)0
-rw-r--r--templates/sshd_config/OpenBSD.erb (renamed from templates/sshd_config/OpenBSD_normal.erb)0
5 files changed, 163 insertions, 0 deletions
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS.erb
index 6a16d77..6a16d77 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS.erb
diff --git a/templates/sshd_config/Debian_Etch.erb b/templates/sshd_config/Debian_Etch.erb
new file mode 100644
index 0000000..09be201
--- /dev/null
+++ b/templates/sshd_config/Debian_Etch.erb
@@ -0,0 +1,163 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+<%- unless real_sshd_port.to_s.empty? then -%>
+Port <%= real_sshd_port -%>
+<%- else -%>
+Port 22
+<%- end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# ...but breaks Pam auth via kbdint, so we have to turn it off
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user (off due to PrivSep)
+#PAMAuthenticationViaKbdInt no
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= real_sshd_permit_root_login -%>
+<%- else -%>
+PermitRootLogin without-password
+<%- end -%>
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+StrictModes yes
+<%- else -%>
+StrictModes no
+<%- end -%>
+
+<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+RSAAuthentication yes
+<%- else -%>
+RSAAuthentication no
+<%- end -%>
+
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+PubkeyAuthentication yes
+<%- else -%>
+PubkeyAuthentication no
+<%- end -%>
+
+<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- else -%>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<%- end -%>
+
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+RhostsRSAAuthentication yes
+<%- else -%>
+RhostsRSAAuthentication no
+<% end -%>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+IgnoreRhosts yes
+<%- else -%>
+IgnoreRhosts no
+<% end -%>
+
+# similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+HostbasedAuthentication yes
+<%- else -%>
+HostbasedAuthentication no
+<% end -%>
+
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
+
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+ChallengeResponseAuthentication yes
+<%- else -%>
+ChallengeResponseAuthentication no
+<%- end -%>
+
+# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+PasswordAuthentication yes
+<%- else -%>
+PasswordAuthentication no
+<%- end -%>
+
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+X11Forwarding yes
+<%- else -%>
+X11Forwarding no
+<%- end -%>
+X11DisplayOffset 10
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+
+#Subsystem sftp /usr/lib/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+UsePAM yes
+<%- else -%>
+UsePAM no
+<%- end -%>
+
+HostbasedUsesNameFromPacketOnly yes
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+AllowTcpForwarding yes
+<%- else -%>
+AllowTcpForwarding no
+<%- end -%>
+
+ChallengeResponseAuthentication no
+
+<%- unless real_sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= real_sshd_allowed_users -%>
+<%- end -%>
+
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_Lenny.erb
index bb39736..bb39736 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_Lenny.erb
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo.erb
index 1b9b98e..1b9b98e 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo.erb
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD.erb
index 32f6780..32f6780 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD.erb