diff options
| -rw-r--r-- | README | 12 | ||||
| -rw-r--r-- | manifests/base.pp | 22 | ||||
| -rw-r--r-- | manifests/client.pp | 9 | ||||
| -rw-r--r-- | manifests/client/base.pp | 5 | ||||
| -rw-r--r-- | manifests/init.pp | 18 | ||||
| -rw-r--r-- | manifests/ssh_authorized_key.pp | 4 | ||||
| -rw-r--r-- | templates/sshd_config/CentOS.erb | 7 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_etch.erb | 8 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_lenny.erb | 8 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_sid.erb | 7 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_squeeze.erb | 7 | ||||
| l--------- | templates/sshd_config/Debian_wheezy.erb | 1 | ||||
| -rw-r--r-- | templates/sshd_config/FreeBSD.erb | 243 | ||||
| -rw-r--r-- | templates/sshd_config/Gentoo.erb | 8 | ||||
| -rw-r--r-- | templates/sshd_config/OpenBSD.erb | 7 | ||||
| -rw-r--r-- | templates/sshd_config/Ubuntu_lucid.erb | 192 |
16 files changed, 533 insertions, 25 deletions
@@ -170,6 +170,13 @@ The following is a list of the currently available variables: (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile %h/.ssh/authorized_keys + $sshd_hardened_ssl + Use only strong SSL ciphers and MAC. + Values: no or yes; Default: no. + + $sshd_print_motd + Show the Message of the day when a user logs in. + $sshd_sftp_subsystem Set a different sftp-subystem than the default one. Might be interesting for sftponly usage. Default: empty -> no change of the default @@ -187,6 +194,11 @@ The following is a list of the currently available variables: be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added. + $sshd_shared_ip + Whether the server uses a shared network IP address. If it does, then we + don't want it to export an rsa key for its IP address. + Values: no or yes; Default: no + Defines and functions --------------------- diff --git a/manifests/base.pp b/manifests/base.pp index 2ac2385..848e547 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -10,18 +10,24 @@ class sshd::base { } # Now add the key, if we've got one - case $sshrsakey_key { + case $sshrsakey { '': { info("no sshrsakey on $fqdn") } default: { - @@sshkey{"$hostname.$domain": - type => ssh-rsa, - key => $sshrsakey_key, + @@sshkey{"$fqdn": + tag => "fqdn", + type => ssh-rsa, + key => $sshrsakey, ensure => present, } - @@sshkey{"$ipaddress": - type => ssh-rsa, - key => $sshrsakey, - ensure => present, + # In case the node has uses a shared network address, + # we don't define a sshkey resource using an IP address + if $sshd_shared_ip == "no" { + @@sshkey{"$ipaddress": + tag => "ipaddress", + type => ssh-rsa, + key => $sshrsakey, + ensure => present, + } } } } diff --git a/manifests/client.pp b/manifests/client.pp index 31785e9..5eed5fc 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,16 +1,23 @@ # manifests/client.pp class sshd::client { + + case $sshd_shared_ip { + '': { $sshd_shared_ip = "no" } + } + case $operatingsystem { debian,ubuntu: { include sshd::client::debian } default: { case $kernel { linux: { include sshd::client::linux } - default: { include sshd::client::base } + default: { include sshd::client::base } } } } + if $use_shorewall{ include shorewall::rules::out::ssh } + } diff --git a/manifests/client/base.pp b/manifests/client/base.pp index 64d4f6f..1fe2b14 100644 --- a/manifests/client/base.pp +++ b/manifests/client/base.pp @@ -4,5 +4,8 @@ class sshd::client::base { } # Now collect all server keys - Sshkey <<||>> + case $sshd_shared_ip { + no: { Sshkey <<||>> } + yes: { Sshkey <<| tag == "fqdn" |>> } + } } diff --git a/manifests/init.pp b/manifests/init.pp index 991fbba..8b3361c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -77,6 +77,9 @@ class sshd { case $sshd_authorized_keys_file { '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } } + case $sshd_hardened_ssl { + '': { $sshd_hardened_ssl = 'no' } + } case $sshd_sftp_subsystem { '': { $sshd_sftp_subsystem = '' } } @@ -89,8 +92,19 @@ class sshd { case $sshd_ensure_version { '': { $sshd_ensure_version = "present" } } + case $sshd_print_motd { + '': { + case $operatingsystem { + debian,ubuntu: { $sshd_print_motd = "no" } + default: { $sshd_print_motd = "yes" } + } + } + } + case $sshd_shared_ip { + '': { $sshd_shared_ip = "no" } + } - include sshd::client + include sshd::client case $operatingsystem { gentoo: { include sshd::gentoo } @@ -98,7 +112,7 @@ class sshd { centos: { include sshd::centos } openbsd: { include sshd::openbsd } debian,ubuntu: { include sshd::debian } - default: { include sshd::default } + default: { include sshd::base } } if $use_nagios { diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index bf188d8..40649b0 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -3,7 +3,7 @@ define sshd::ssh_authorized_key( $ensure = 'present', $type = 'ssh-dss', $key = 'absent', - $user = 'root', + $user = '', $target = undef, $options = 'absent' ){ @@ -22,7 +22,7 @@ define sshd::ssh_authorized_key( undef,'': { case $real_user { 'root': { $real_target = '/root/.ssh/authorized_keys' } - default: { $real_target = "/home/${user}/.ssh/authorized_keys" } + default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" } } } default: { diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 544effe..3d5b5b0 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -171,7 +171,7 @@ X11Forwarding no <%- end -%> #X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -204,6 +204,11 @@ AllowUsers <%= sshd_allowed_users %> AllowGroups <%= sshd_allowed_groups %> <%- end -%> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index c90a5fe..1047222 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -170,9 +170,13 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> -PrintMotd no +PrintMotd <%= sshd_print_motd %> + +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 14e32bf..4ffb94c 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -179,9 +179,13 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> -PrintMotd no +PrintMotd <%= sshd_print_motd %> + +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 6dc9333..b211708 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -145,7 +145,7 @@ X11Forwarding yes X11Forwarding no <%- end -%> X11DisplayOffset 10 -PrintMotd no +PrintMotd <%= sshd_print_motd %> PrintLastLog yes TCPKeepAlive yes @@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index cf50ddb..fb58e72 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -145,7 +145,7 @@ X11Forwarding yes X11Forwarding no <%- end -%> X11DisplayOffset 10 -PrintMotd no +PrintMotd <%= sshd_print_motd %> PrintLastLog yes TCPKeepAlive yes @@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb new file mode 120000 index 0000000..3faae05 --- /dev/null +++ b/templates/sshd_config/Debian_wheezy.erb @@ -0,0 +1 @@ +Debian_sid.erb
\ No newline at end of file diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb new file mode 100644 index 0000000..9853f5d --- /dev/null +++ b/templates/sshd_config/FreeBSD.erb @@ -0,0 +1,243 @@ +# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $ +# $FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.2.2.1 2010/06/14 02:09:06 kensmith Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +# Note that some of FreeBSD's defaults differ from OpenBSD's, and +# FreeBSD has a few additional options. + +#VersionAddendum FreeBSD-20100308 + +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + +# What ports, IPs and protocols we listen for +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= port %> +<% end -%> +<%- end -%> + +#AddressFamily any +<% for address in sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> + +# The default requires explicit activation of protocol 1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: + +LoginGraceTime 600 +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +#MaxAuthTries 6 +#MaxSessions 10 + +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# similar for protocol version 2 +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# Change to yes to enable built-in password authentication. +<%- if sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable PAM authentication +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# Kerberos options +<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> +KerberosAuthentication yes +<%- else -%> +KerberosAuthentication no +<%- end -%> +<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> +KerberosOrLocalPasswd yes +<%- else -%> +KerberosOrLocalPasswd no +<%- end -%> +<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> +KerberosTicketCleanup yes +<%- else -%> +KerberosTicketCleanup no +<%- end -%> + +# GSSAPI options +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPIAuthentication yes +<%- else -%> +GSSAPIAuthentication no +<%- end -%> +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPICleanupCredentials yes +<%- else -%> +GSSAPICleanupCredentials yes +<%- end -%> + +# Set this to 'no' to disable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +#GatewayPorts no +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> + +X11DisplayOffset 10 +#X11UseLocalhost yes +PrintMotd <%= sshd_print_motd %> +#PrintLastLog yes +TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# override default of no subsystems +<%- if sshd_sftp_subsystem.to_s.empty? then %> +Subsystem sftp /usr/libexec/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server + +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> +<%- end -%> + +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> + diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 768d3f5..8581804 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -171,7 +171,7 @@ X11Forwarding no <%- end %> #X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -208,9 +208,11 @@ AllowUsers <%= sshd_allowed_users %> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - - diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 51662d3..b6def87 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -147,7 +147,7 @@ X11Forwarding no <%- end %> #X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -184,6 +184,11 @@ AllowGroups <%= sshd_allowed_groups %> # AllowTcpForwarding no # ForceCommand cvs server +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb new file mode 100644 index 0000000..304558b --- /dev/null +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -0,0 +1,192 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + +# What ports, IPs and protocols we listen for +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= port %> +<% end -%> +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +<%- if sshd_sftp_subsystem.to_s.empty? then %> +Subsystem sftp /usr/lib/openssh/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + +PrintMotd <%= sshd_print_motd %> + +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> + +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes128-ctr +MACs hmac-sha1 +<%- end %> |