aboutsummaryrefslogtreecommitdiff
path: root/templates
diff options
context:
space:
mode:
authorintrigeri <intrigeri@boum.org>2011-02-14 17:17:31 +0100
committerintrigeri <intrigeri@boum.org>2011-02-14 17:17:31 +0100
commit2f7903bcc4b27ebe4098fb91c14098521da8dd7a (patch)
tree5b0268ee2f39a39b8fdf5fd566f3c13a58f3ebde /templates
parent7c046e3fdf9a4bc4558290205de57df39e86ac70 (diff)
parent2188f46db75d74d00ac4a2cb3cdaa34f98d1148d (diff)
downloadpuppet-sshd-2f7903bcc4b27ebe4098fb91c14098521da8dd7a.tar.gz
puppet-sshd-2f7903bcc4b27ebe4098fb91c14098521da8dd7a.tar.bz2
Merge remote branch 'shared/master'
Conflicts: templates/sshd_config/Debian_squeeze.erb I always picked the shared repository version when conflicts arose. The only exception to this rule was: I kept my branch's "HostbasedUsesNameFromPacketOnly yes" in order to be consistent with existing Etch and Lenny templates. This is not the default Debian setting, but I would find it weird if a host had this setting changed by Puppet after upgrading to Squeeze. The right way to proceed would probably be to make this configurable.
Diffstat (limited to 'templates')
-rw-r--r--templates/sshd_config/Debian_squeeze.erb43
1 files changed, 30 insertions, 13 deletions
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index 950a53c..79fef15 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -1,5 +1,7 @@
+# This file is managed by Puppet, all local modifications will be overwritten
+#
# Package generated configuration file
-# See the sshd_config(5) manpage for details
+# See the sshd(8) manpage for details
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
@@ -71,21 +73,18 @@ IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
-
# For this to work you will also need host keys in /etc/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
-
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
-
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
@@ -104,7 +103,7 @@ ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
<%- end -%>
-# Change to no to disable tunnelled clear text passwords
+# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
@@ -112,14 +111,33 @@ PasswordAuthentication no
<%- end -%>
# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
+<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
+KerberosAuthentication yes
+<%- else -%>
+KerberosAuthentication no
+<%- end -%>
+<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
+KerberosOrLocalPasswd yes
+<%- else -%>
+KerberosOrLocalPasswd no
+<%- end -%>
+<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
+KerberosTicketCleanup yes
+<%- else -%>
+KerberosTicketCleanup no
+<%- end -%>
# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
+<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
+GSSAPIAuthentication yes
+<%- else -%>
+GSSAPIAuthentication no
+<%- end -%>
+<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
+GSSAPICleanupCredentials yes
+<%- else -%>
+GSSAPICleanupCredentials yes
+<%- end -%>
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
@@ -130,6 +148,7 @@ X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
+
#UseLogin no
#MaxStartups 10:30:60
@@ -173,8 +192,6 @@ AllowAgentForwarding yes
AllowAgentForwarding no
<%- end -%>
-ChallengeResponseAuthentication no
-
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%>
<%- end -%>