diff options
author | mh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279> | 2008-09-29 22:37:26 +0000 |
---|---|---|
committer | mh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279> | 2008-09-29 22:37:26 +0000 |
commit | 9ce186f5c31c4339d9a92aa73f6c895cc676a633 (patch) | |
tree | 6e98479704927635113057ad5699de5ac522e392 /templates | |
parent | e3ce449ff48f8245f7358cd98b59a86d8ddbf9bf (diff) | |
download | puppet-sshd-9ce186f5c31c4339d9a92aa73f6c895cc676a633.tar.gz puppet-sshd-9ce186f5c31c4339d9a92aa73f6c895cc676a633.tar.bz2 |
merged with riseup
git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2263 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
Diffstat (limited to 'templates')
-rw-r--r-- | templates/sshd_config/CentOS.erb (renamed from templates/sshd_config/CentOS_normal.erb) | 86 | ||||
-rw-r--r-- | templates/sshd_config/Debian_etch.erb | 163 | ||||
-rw-r--r-- | templates/sshd_config/Debian_lenny.erb | 169 | ||||
-rw-r--r-- | templates/sshd_config/Debian_normal.erb | 102 | ||||
-rw-r--r-- | templates/sshd_config/Gentoo.erb (renamed from templates/sshd_config/Gentoo_normal.erb) | 83 | ||||
-rw-r--r-- | templates/sshd_config/OpenBSD.erb (renamed from templates/sshd_config/OpenBSD_normal.erb) | 83 |
6 files changed, 543 insertions, 143 deletions
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS.erb index a14120f..6a16d77 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS.erb @@ -10,13 +10,19 @@ # possible, but leave them commented. Uncommented options change a # default value. -#Port 22 +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +#AddressFamily any #Protocol 2,1 Protocol 2 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 @@ -41,22 +47,57 @@ PermitRootLogin <%= real_sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> -#StrictModes yes + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + #MaxAuthTries 6 -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + # similar for protocol version 2 -#HostbasedAuthentication no +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no + # Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> # To disable tunneled clear text passwords, change to no here! <%- if real_sshd_password_authentication.to_s == 'yes' then %> @@ -64,11 +105,20 @@ PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> -#PermitEmptyPasswords no + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> ChallengeResponseAuthentication no +<%- end %> # Kerberos options #KerberosAuthentication no @@ -101,7 +151,13 @@ UsePAM no AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL -#AllowTcpForwarding yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + #GatewayPorts no #X11Forwarding no <%- if real_sshd_x11_forwarding.to_s == 'yes' then %> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb new file mode 100644 index 0000000..09be201 --- /dev/null +++ b/templates/sshd_config/Debian_etch.erb @@ -0,0 +1,163 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +# What ports, IPs and protocols we listen for +<%- unless real_sshd_port.to_s.empty? then -%> +Port <%= real_sshd_port -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless real_sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless real_sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= real_sshd_allowed_users -%> +<%- end -%> + diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb new file mode 100644 index 0000000..bb39736 --- /dev/null +++ b/templates/sshd_config/Debian_lenny.erb @@ -0,0 +1,169 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +# What ports, IPs and protocols we listen for +<%- unless real_sshd_port.to_s.empty? then -%> +Port <%= real_sshd_port -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless real_sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless real_sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= real_sshd_allowed_users -%> +<%- end -%> + diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb deleted file mode 100644 index 70c1a34..0000000 --- a/templates/sshd_config/Debian_normal.erb +++ /dev/null @@ -1,102 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for defails - -# What ports, IPs and protocols we listen for -# Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> -<%- else %> -PermitRootLogin without-password -<%- end %> -StrictModes yes - -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys - -# rhosts authentication should not be used -#RhostsAuthentication no -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -# similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no - -# Uncomment to disable s/key passwords -#ChallengeResponseAuthentication no - -# To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> -PasswordAuthentication yes -<%- else %> -PasswordAuthentication no -<%- end %> - -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> -X11Forwarding yes -<%- else %> -X11Forwarding no -<%- end %> -X11DisplayOffset 10 -KeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes - -#Subsystem sftp /usr/lib/sftp-server - -<%- if real_sshd_use_pam.to_s == 'yes' then %> -UsePAM yes -<%- else %> -UsePAM no -<%- end %> - -HostbasedUsesNameFromPacketOnly yes -AllowTcpForwarding yes - -ChallengeResponseAuthentication no - -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> -<%- end %> diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo.erb index aa98ae8..1b9b98e 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo.erb @@ -10,10 +10,17 @@ # possible, but leave them commented. Uncommented options change a # default value. -#Port 22 +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> #AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: # Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit @@ -39,7 +46,13 @@ Protocol 2 #LoginGraceTime 2m PermitRootLogin without-password -#StrictModes yes + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + <%- unless real_sshd_permit_root_login.to_s.empty? then %> PermitRootLogin <%= real_sshd_permit_root_login %> <%- else %> @@ -47,19 +60,48 @@ PermitRootLogin without-password <%- end %> #MaxAuthTries 6 -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + # similar for protocol version 2 -#HostbasedAuthentication no +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no + # Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> # To disable tunneled clear text passwords, change to no here! <%- if real_sshd_password_authentication.to_s == 'yes' then %> @@ -67,10 +109,20 @@ PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> -#PermitEmptyPasswords no + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> # Kerberos options #KerberosAuthentication no @@ -99,7 +151,12 @@ UsePAM yes UsePAM no <%- end %> -#AllowTcpForwarding yes +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + #GatewayPorts no <%- if real_sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD.erb index 0b84d25..32f6780 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,11 +8,18 @@ # possible, but leave them commented. Uncommented options change a # default value. -#Port 22 +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> #Protocol 2,1 #AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key @@ -37,22 +44,57 @@ PermitRootLogin <%= real_sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> -#StrictModes yes + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + #MaxAuthTries 6 -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + # similar for protocol version 2 -#HostbasedAuthentication no +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no + # Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> # To disable tunneled clear text passwords, change to no here! <%- if real_sshd_password_authentication.to_s == 'yes' then %> @@ -60,10 +102,20 @@ PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> -#PermitEmptyPasswords no + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> # Kerberos options #KerberosAuthentication no @@ -75,7 +127,12 @@ PasswordAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -#AllowTcpForwarding yes +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + #GatewayPorts no <%- if real_sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes |