-rw-r--r--manifests/init.pp9
-rw-r--r--templates/sshd_config/CentOS_normal.erb5
-rw-r--r--templates/sshd_config/Debian_normal.erb8
-rw-r--r--templates/sshd_config/Gentoo_normal.erb6
-rw-r--r--templates/sshd_config/OpenBSD_normal.erb6
5 files changed, 29 insertions, 5 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 4e796f3..029ab95 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -38,6 +38,11 @@
# sshd_password_authentication: If you want to enable password authentication or not
# Valid values: yes or no
# Default: no
+#
+# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
+# When disabled, s/key passowords are disabled
+# Valid values: yes or no
+# Default: no
#
# sshd_x11_forwarding: If you want to enable x11 forwarding
# Valid Values: yes or no
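Review bot: The added parameter documentation describes only s/key and misspells "passwords" as `passowords`. In OpenSSH this directive also governs keyboard-interactive authentication, which on hosts running with `UsePAM yes` can prompt for the account password even while `sshd_password_authentication` is `no`; whether these templates enable PAM is not visible in this hunk. I would reword the second added line to `# When enabled, keyboard-interactive logins (s/key, and PAM prompts where UsePAM is on) are accepted even if sshd_password_authentication is no`.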
@@ -88,6 +93,10 @@ class sshd::base {
'' => 'no',
default => $sshd_agent_forwarding
}
+ $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
+ '' => 'no',
+ default => $sshd_challenge_response_authentication
+ }
file { 'sshd_config':
path => '/etc/ssh/sshd_config',
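Review bot: The selector added before `file { 'sshd_config':` forwards any non-empty value unchanged, and the templates in this commit test only for the exact string 'yes', so a value such as `Yes` or `true` silently renders `ChallengeResponseAuthentication no`. That fails closed, which is the safe direction, but the operator gets no signal that the setting was ignored. A comment such as `# anything other than 'yes' is rendered as "no" by the templates` would document it, and rejecting values outside yes/no with `fail()` would be stricter. The body of `sshd::base` starts and ends outside this hunk.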
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index a14120f..a053001 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -67,8 +67,11 @@ PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
ChallengeResponseAuthentication no
+<%- end %>
# Kerberos options
#KerberosAuthentication no
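Review bot: The comment `# Change to no to disable s/key passwords` still sits above the directive, but the line below it is now generated from `real_sshd_challenge_response_authentication`, so a hand edit would presumably be overwritten on the next Puppet run. I would replace it with `# Set via $sshd_challenge_response_authentication (default no); do not edit here`. The same applies to the Debian, Gentoo and OpenBSD hunks, and the Debian hunk introduces this comment text itself. After rollout, `sshd -T` shows the effective value on each platform.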
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index d9237c6..a1d7a45 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -52,8 +52,12 @@ HostbasedAuthentication no
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
-# Uncomment to disable s/key passwords
-#ChallengeResponseAuthentication no
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>
# To disable tunneled clear text passwords, change to no here!
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index aa98ae8..5605f14 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -70,7 +70,11 @@ PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>
# Kerberos options
#KerberosAuthentication no
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index 0b84d25..954b420 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -63,7 +63,11 @@ PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>
# Kerberos options
#KerberosAuthentication no