-rw-r--r-- | manifests/init.pp | 7 | ||||
-rw-r--r-- | templates/sshd_config/Debian_normal.erb | 6 |
2 files changed, 13 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp index 95682fd..4e796f3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -43,6 +43,9 @@ # Valid Values: yes or no # Default: no # +# sshd_agent_forwarding: If you want to allow ssh-agent forwarding +# Valid Values: yes or no +# Default: no class sshd { include sshd::client @@ -81,6 +84,10 @@ class sshd::base { '' => 'no', default => $sshd_x11_forwarding } + $real_sshd_agent_forwarding = $sshd_agent_forwarding ? { + '' => 'no', + default => $sshd_agent_forwarding + } file { 'sshd_config': path => '/etc/ssh/sshd_config', diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index 70c1a34..989fa62 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb @@ -94,9 +94,15 @@ UsePAM no HostbasedUsesNameFromPacketOnly yes AllowTcpForwarding yes +<%- if real_sshd_agent_forwarding.to_s == 'yes' then %> +AllowAgentForwarding yes +<%- else %> +AllowAgentForwarding no +<%- end %> ChallengeResponseAuthentication no <%- unless real_sshd_allowed_users.to_s.empty? then %> AllowUsers <%= real_sshd_allowed_users %> <%- end %> + |
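Review bot: The new parameter comment in the header of `manifests/init.pp` documents the values but not what enabling the option exposes, which is what an operator needs in order to decide. With agent forwarding on, anyone holding root on this server can use a connected user's forwarded agent for as long as the session lasts. I would add a line such as `#   Note: 'yes' lets root on this host use the forwarded agent of any logged-in user`. The sshd_config manual also notes that turning forwarding off is not a hard control for users who have shell access, so a second line like `#   'no' does not stop shell users from running their own forwarder` would keep expectations realistic.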
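Review bot: The `no` default set by the `$real_sshd_agent_forwarding` selector in `sshd::base` only takes effect where a template renders the variable, and this commit wires it into `Debian_normal.erb` alone. If the module ships other sshd_config templates (the `templates/sshd_config/` path suggests it does, though they are not visible here), hosts using them keep sshd's built-in default, which is `AllowAgentForwarding yes`. That is the opposite of the documented `Default: no`. Either add the directive to the remaining templates in the same change, or state in the header comment which platforms honour the setting. The body of `sshd::base` continues outside this hunk.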
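Review bot: `AllowAgentForwarding` is now written in both branches of the new `if`/`else`, so every host that receives `Debian_normal.erb` gets the keyword. It was introduced in OpenSSH 5.1, and an older sshd treats an unknown keyword as a configuration error and will not start, so please confirm that no pre-5.1 host is served this template. The strict `== 'yes'` comparison fails closed, which is the right direction, but values such as `'Yes'` or `true` silently render `no`, so the manifest comment should say the match is exact. The five template lines could also collapse into `AllowAgentForwarding <%= real_sshd_agent_forwarding.to_s == 'yes' ? 'yes' : 'no' %>`, which keeps the same behaviour.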