diff options
-rw-r--r-- | manifests/init.pp | 9 | ||||
-rw-r--r-- | templates/sshd_config/CentOS_normal.erb | 5 | ||||
-rw-r--r-- | templates/sshd_config/Debian_normal.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/Gentoo_normal.erb | 6 | ||||
-rw-r--r-- | templates/sshd_config/OpenBSD_normal.erb | 6 |
5 files changed, 29 insertions, 5 deletions
diff --git a/manifests/init.pp b/manifests/init.pp index 4e796f3..029ab95 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -38,6 +38,11 @@ # sshd_password_authentication: If you want to enable password authentication or not # Valid values: yes or no # Default: no +# +# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not +# When disabled, s/key passowords are disabled +# Valid values: yes or no +# Default: no # # sshd_x11_forwarding: If you want to enable x11 forwarding # Valid Values: yes or no @@ -88,6 +93,10 @@ class sshd::base { '' => 'no', default => $sshd_agent_forwarding } + $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? { + '' => 'no', + default => $sshd_challenge_response_authentication + } file { 'sshd_config': path => '/etc/ssh/sshd_config', diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index a14120f..a053001 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -67,8 +67,11 @@ PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> ChallengeResponseAuthentication no +<%- end %> # Kerberos options #KerberosAuthentication no diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index d9237c6..a1d7a45 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb @@ -52,8 +52,12 @@ HostbasedAuthentication no # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no -# Uncomment to disable s/key passwords -#ChallengeResponseAuthentication no +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> # To disable tunneled clear text passwords, change to no here! <%- if real_sshd_password_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index aa98ae8..5605f14 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -70,7 +70,11 @@ PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> # Kerberos options #KerberosAuthentication no diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index 0b84d25..954b420 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -63,7 +63,11 @@ PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> # Kerberos options #KerberosAuthentication no |