diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2016-03-19 10:17:30 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2016-03-19 10:17:30 -0300 |
commit | ff79bc6295e9f089285ccc26c04cc72893a8384f (patch) | |
tree | 1a84dad2d03bc3814305eeaedb4cfd8d8dc09f36 /templates | |
parent | 9b1d0f06fee4b0c457d0154c4153415758c10425 (diff) | |
parent | 672b0985d1c2acfde58fecc4c635517522c86268 (diff) | |
download | puppet-sshd-ff79bc6295e9f089285ccc26c04cc72893a8384f.tar.gz puppet-sshd-ff79bc6295e9f089285ccc26c04cc72893a8384f.tar.bz2 |
Merge branch 'master' of https://gitlab.com/shared-puppet-modules-group/sshd
Conflicts:
README
templates/sshd_config/CentOS.erb
templates/sshd_config/CentOS_Final.erb
templates/sshd_config/Debian_etch.erb
templates/sshd_config/Debian_jessie.erb
templates/sshd_config/Debian_sid.erb
templates/sshd_config/Debian_squeeze.erb
templates/sshd_config/Debian_wheezy.erb
templates/sshd_config/Ubuntu_trusty.erb
Diffstat (limited to 'templates')
25 files changed, 699 insertions, 837 deletions
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb deleted file mode 100644 index 7498517..0000000 --- a/templates/sshd_config/CentOS.erb +++ /dev/null @@ -1,154 +0,0 @@ -# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> -<%= s %> -<% end -%> - -# only protocol 2 -Protocol 2 -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> -<% if port == 'off' -%> -#Port -- disabled by puppet -<% else -%> -Port <%= port %> -<% end -%> -<% end -%> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> -ListenAddress <%= address %> -<% end -%> - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -SyslogFacility AUTHPRIV -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> - -#MaxAuthTries 6 - -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> - -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> - -# similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> - -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> - -# Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication mechanism. -# Depending on your PAM configuration, this may bypass the setting of -# PasswordAuthentication, PermitEmptyPasswords, and -# "PermitRootLogin without-password". If you just want the PAM account and -# session checks to run without PAM authentication, then enable this but set -# ChallengeResponseAuthentication=no -#UsePAM no -UsePAM <%= scope.lookupvar('sshd::use_pam') %> - -# Accept locale-related environment variables -AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -AcceptEnv LC_IDENTIFICATION LC_ALL - -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> - -#GatewayPorts no -#X11Forwarding no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> -#X11DisplayOffset 10 -#X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#ShowPatchLevel no -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no -#ChrootDirectory none - -# no default banner path -#Banner /some/path - -# override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> - -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> -AllowUsers <%= s %> -<% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> -AllowGroups <%= s %> -<%- end -%> - -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> -Ciphers aes256-ctr -MACs hmac-sha2-512 -<% end -%> - -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> -<%= s %> -<% end -%> diff --git a/templates/sshd_config/CentOS_5.erb b/templates/sshd_config/CentOS_5.erb new file mode 120000 index 0000000..71b767a --- /dev/null +++ b/templates/sshd_config/CentOS_5.erb @@ -0,0 +1 @@ +CentOS_6.erb
\ No newline at end of file diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb new file mode 100644 index 0000000..4593a91 --- /dev/null +++ b/templates/sshd_config/CentOS_6.erb @@ -0,0 +1,172 @@ +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> + +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> +#Port -- disabled by puppet +<% else -%> +Port <%= port %> +<% end -%> +<% end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> +ListenAddress <%= address %> +<% end -%> + +# Disable legacy (protocol version 1) support in the server for new +# installations. In future the default will change to require explicit +# activation of protocol 1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTHPRIV +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> + +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> + +#MaxAuthTries 6 + +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> +#AuthorizedKeysCommand none +#AuthorizedKeysCommandRunAs nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> + +# similar for protocol version 2 +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> + +# Change to no to disable s/key passwords +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no +#KerberosUseKuserok yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM no +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv XMODIFIERS + +#AllowAgentForwarding yes +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> +#GatewayPorts no +#X11Forwarding no +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> +#X11DisplayOffset 10 +#X11UseLocalhost yes +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner /some/path + +# override default of no subsystems +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> + +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> +<%- end -%> + +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<% end -%> +<% end -%> + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server +# +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb new file mode 100644 index 0000000..f55fb9d --- /dev/null +++ b/templates/sshd_config/CentOS_7.erb @@ -0,0 +1,186 @@ +# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> + +# If you want to change the port on a SELinux system, you have to tell +# SELinux about this change. +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER +# +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> +#Port -- disabled by puppet +<% else -%> +Port <%= port %> +<% end -%> +<% end -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> +ListenAddress <%= address %> +<% end -%> + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTHPRIV +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> +#MaxAuthTries 6 +#MaxSessions 10 + +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> +#AuthorizedPrincipalsFile none +#AuthorizedKeysCommand none +#AuthorizedKeysCommandRunAs nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> + +# similar for protocol version 2 +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> + +# Change to no to disable s/key passwords +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no +#KerberosUseKuserok yes + +# GSSAPI options +GSSAPIAuthentication no +GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several +# problems. +#UsePAM no +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> + +#AllowAgentForwarding yes +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> +#GatewayPorts no +#X11Forwarding no +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> +#X11DisplayOffset 10 +#X11UseLocalhost yes +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +UsePrivilegeSeparation sandbox # Default for new installations. +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv XMODIFIERS + + +# override default of no subsystems +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> + +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> +<%- end -%> + +# Uncomment this if you want to use .local domain +#Host *.local +# CheckHostIP no + +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<% end -%> +<% end -%> + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server + +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> diff --git a/templates/sshd_config/CentOS_Final.erb b/templates/sshd_config/CentOS_Final.erb deleted file mode 100644 index 7498517..0000000 --- a/templates/sshd_config/CentOS_Final.erb +++ /dev/null @@ -1,154 +0,0 @@ -# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> -<%= s %> -<% end -%> - -# only protocol 2 -Protocol 2 -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> -<% if port == 'off' -%> -#Port -- disabled by puppet -<% else -%> -Port <%= port %> -<% end -%> -<% end -%> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> -ListenAddress <%= address %> -<% end -%> - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -SyslogFacility AUTHPRIV -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> - -#MaxAuthTries 6 - -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> - -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> - -# similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> - -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> - -# Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication mechanism. -# Depending on your PAM configuration, this may bypass the setting of -# PasswordAuthentication, PermitEmptyPasswords, and -# "PermitRootLogin without-password". If you just want the PAM account and -# session checks to run without PAM authentication, then enable this but set -# ChallengeResponseAuthentication=no -#UsePAM no -UsePAM <%= scope.lookupvar('sshd::use_pam') %> - -# Accept locale-related environment variables -AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -AcceptEnv LC_IDENTIFICATION LC_ALL - -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> - -#GatewayPorts no -#X11Forwarding no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> -#X11DisplayOffset 10 -#X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#ShowPatchLevel no -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no -#ChrootDirectory none - -# no default banner path -#Banner /some/path - -# override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> - -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> -AllowUsers <%= s %> -<% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> -AllowGroups <%= s %> -<%- end -%> - -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> -Ciphers aes256-ctr -MACs hmac-sha2-512 -<% end -%> - -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> -<%= s %> -<% end -%> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb deleted file mode 100644 index 75b2931..0000000 --- a/templates/sshd_config/Debian_etch.erb +++ /dev/null @@ -1,122 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for details - -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> -<%= s %> -<% end -%> - -# What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> -<% if port == 'off' -%> -#Port -- disabled by puppet -<% else -%> -Port <%= port %> -<% end -%> -<% end -%> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> -ListenAddress <%= address %> -<% end -%> -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> - -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> - -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> - -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> - -# similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> - -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> - -# Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> - -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> -X11DisplayOffset 10 -KeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes - -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> - -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> - -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> -AllowUsers <%= s %> -<% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> -AllowGroups <%= s %> -<%- end -%> - -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> - -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> -Ciphers aes256-ctr -MACs hmac-sha2-512 -<% end -%> - -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> -<%= s %> -<% end -%> diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 737f7a7..91dbfff 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -1,14 +1,14 @@ # This file is managed by Puppet, all local modifications will be overwritten # # Package generated configuration file -# See the sshd(8) manpage for details +# See the sshd_config(5) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,80 +17,79 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 -ServerKeyBits 768 +ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: -LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> - -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +LoginGraceTime 120 +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +#KerberosGetAFSToken no +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes - #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -101,24 +100,25 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> -Ciphers aes256-ctr -MACs hmac-sha2-512 +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb deleted file mode 100644 index 8cbea30..0000000 --- a/templates/sshd_config/Debian_lenny.erb +++ /dev/null @@ -1,127 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for details - -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> -<%= s %> -<% end -%> - -# What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> -<% if port == 'off' -%> -#Port -- disabled by puppet -<% else -%> -Port <%= port %> -<% end -%> -<% end -%> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> -ListenAddress <%= address %> -<% end -%> -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> - -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> - -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> - -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> - -# similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> - -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> - -# Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> - -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> -X11DisplayOffset 10 -KeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> - -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> - -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> - -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> -AllowUsers <%= s %> -<% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> -AllowGroups <%= s %> -<%- end -%> - -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> - -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> -Ciphers aes256-ctr -MACs hmac-sha1 -<% end -%> - -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> -<%= s %> -<% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 60c15fa..91dbfff 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -1,14 +1,14 @@ # This file is managed by Puppet, all local modifications will be overwritten # # Package generated configuration file -# See the sshd(8) manpage for details +# See the sshd_config(5) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,79 +17,79 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 -ServerKeyBits 768 +ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: -LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> - -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +LoginGraceTime 120 +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +#KerberosGetAFSToken no +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes - #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -100,24 +100,25 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> -Ciphers aes256-ctr -MACs hmac-sha2-512 +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 375846a..649b320 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,13 +17,15 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + #Privilege Separation is turned on for security UsePrivilegeSeparation yes @@ -37,47 +39,47 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -85,11 +87,13 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -100,24 +104,24 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> Ciphers aes256-ctr -MACs hmac-sha1 +MACs hmac-sha2-512 <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index 737f7a7..bcb1528 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,14 +17,14 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> #Privilege Separation is turned on for security UsePrivilegeSeparation yes @@ -37,48 +37,48 @@ SyslogFacility AUTH LogLevel INFO # Authentication: -LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +LoginGraceTime 120 +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -86,11 +86,13 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -101,24 +103,30 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha2-512 <% end -%> +<% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 81b7e10..40a4caa 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -16,12 +16,12 @@ #VersionAddendum FreeBSD-20100308 -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -30,7 +30,7 @@ Port <%= port %> <% end -%> #AddressFamily any -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -40,8 +40,9 @@ Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h @@ -55,24 +56,24 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 #MaxSessions 10 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication @@ -81,21 +82,21 @@ HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> #IgnoreRhosts yes # Change to yes to enable built-in password authentication. -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable PAM authentication -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -106,14 +107,14 @@ GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 #X11UseLocalhost yes @@ -136,7 +137,7 @@ TCPKeepAlive yes #Banner none # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -144,18 +145,24 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # AllowTcpForwarding no # ForceCommand cvs server -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha2-512 <% end -%> +<% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index cdd51d8..753e24a 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -10,11 +10,11 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -23,7 +23,7 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> #AddressFamily any @@ -51,39 +51,39 @@ Protocol 2 # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -106,15 +106,15 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -132,7 +132,7 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #Banner /some/path # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -140,19 +140,25 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # AllowTcpForwarding no # ForceCommand cvs server -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha2-512 <% end -%> +<% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index ea6e8a8..aec299c 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,11 +8,11 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -21,7 +21,7 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> #Protocol 2,1 @@ -45,39 +45,39 @@ ListenAddress <%= address %> # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -89,13 +89,13 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -113,12 +113,12 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #Banner /some/path # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> @@ -128,11 +128,17 @@ AllowGroups <%= s %> # AllowTcpForwarding no # ForceCommand cvs server -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha2-512 <% end -%> +<% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 40040d1..1adb4f2 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,13 +17,15 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + #Privilege Separation is turned on for security UsePrivilegeSeparation yes @@ -37,47 +39,47 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -85,11 +87,13 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -100,24 +104,30 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha2-512 <% end -%> +<% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 4d5f640..4d147a2 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -1,12 +1,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -15,13 +15,15 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + #Privilege Separation is turned on for security UsePrivilegeSeparation yes @@ -39,36 +41,36 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To change Kerberos options #KerberosAuthentication no @@ -79,16 +81,18 @@ PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 KeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no #ReverseMappingCheck yes -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -99,28 +103,34 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> HostbasedUsesNameFromPacketOnly yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha2-512 <% end -%> +<% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Ubuntu_quantal.erb b/templates/sshd_config/Ubuntu_quantal.erb new file mode 120000 index 0000000..6502bfc --- /dev/null +++ b/templates/sshd_config/Ubuntu_quantal.erb @@ -0,0 +1 @@ +Ubuntu.erb
\ No newline at end of file diff --git a/templates/sshd_config/Ubuntu_raring.erb b/templates/sshd_config/Ubuntu_raring.erb new file mode 120000 index 0000000..6502bfc --- /dev/null +++ b/templates/sshd_config/Ubuntu_raring.erb @@ -0,0 +1 @@ +Ubuntu.erb
\ No newline at end of file diff --git a/templates/sshd_config/Ubuntu_saucy.erb b/templates/sshd_config/Ubuntu_saucy.erb new file mode 120000 index 0000000..6502bfc --- /dev/null +++ b/templates/sshd_config/Ubuntu_saucy.erb @@ -0,0 +1 @@ +Ubuntu.erb
\ No newline at end of file diff --git a/templates/sshd_config/Ubuntu_trusty.erb b/templates/sshd_config/Ubuntu_trusty.erb index ccfb67c..6502bfc 120000 --- a/templates/sshd_config/Ubuntu_trusty.erb +++ b/templates/sshd_config/Ubuntu_trusty.erb @@ -1 +1 @@ -Ubuntu_lucid.erb
\ No newline at end of file +Ubuntu.erb
\ No newline at end of file diff --git a/templates/sshd_config/Ubuntu_utopic.erb b/templates/sshd_config/Ubuntu_utopic.erb new file mode 120000 index 0000000..6502bfc --- /dev/null +++ b/templates/sshd_config/Ubuntu_utopic.erb @@ -0,0 +1 @@ +Ubuntu.erb
\ No newline at end of file diff --git a/templates/sshd_config/Ubuntu_vivid.erb b/templates/sshd_config/Ubuntu_vivid.erb new file mode 120000 index 0000000..6502bfc --- /dev/null +++ b/templates/sshd_config/Ubuntu_vivid.erb @@ -0,0 +1 @@ +Ubuntu.erb
\ No newline at end of file diff --git a/templates/sshd_config/Ubuntu_wily.erb b/templates/sshd_config/Ubuntu_wily.erb new file mode 120000 index 0000000..6502bfc --- /dev/null +++ b/templates/sshd_config/Ubuntu_wily.erb @@ -0,0 +1 @@ +Ubuntu.erb
\ No newline at end of file diff --git a/templates/sshd_config/Ubuntu_xenial.erb b/templates/sshd_config/Ubuntu_xenial.erb new file mode 120000 index 0000000..6502bfc --- /dev/null +++ b/templates/sshd_config/Ubuntu_xenial.erb @@ -0,0 +1 @@ +Ubuntu.erb
\ No newline at end of file diff --git a/templates/sshd_config/XenServer_xenenterprise.erb b/templates/sshd_config/XenServer_xenenterprise.erb new file mode 120000 index 0000000..71b767a --- /dev/null +++ b/templates/sshd_config/XenServer_xenenterprise.erb @@ -0,0 +1 @@ +CentOS_6.erb
\ No newline at end of file |