-rw-r--r-- | manifests/init.pp | 4 | ||||
-rw-r--r-- | templates/sshd_config/CentOS_normal.erb | 7 | ||||
-rw-r--r-- | templates/sshd_config/Debian_normal.erb | 6 | ||||
-rw-r--r-- | templates/sshd_config/Gentoo_normal.erb | 7 | ||||
-rw-r--r-- | templates/sshd_config/OpenBSD_normal.erb | 7 |
5 files changed, 28 insertions, 3 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 858e1b5..cf089bc 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -121,6 +121,10 @@ class sshd::base {
     '' => 'yes',
     default => $sshd_strict_modes
   }
+  $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
+    '' => 'yes',
+    default => $sshd_ignore_rhosts
+  }
   file { 'sshd_config':
     path => '/etc/ssh/sshd_config',
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index 849d9fb..e2b4005 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -70,8 +70,13 @@ PubkeyAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
+
 # Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+IgnoreRhosts yes
+<%- else %>
+IgnoreRhosts no
+<% end -%>
 # To disable tunneled clear text passwords, change to no here!
 <%- if real_sshd_password_authentication.to_s == 'yes' then %>
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index 7105dfd..155c4da 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -55,8 +55,14 @@ PubkeyAuthentication no
 # rhosts authentication should not be used
 #RhostsAuthentication no
+
 # Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
 IgnoreRhosts yes
+<%- else %>
+IgnoreRhosts no
+<% end -%>
+
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 RhostsRSAAuthentication no
 # similar for protocol version 2
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index 04712bd..c8dbda4 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
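Review bot: The template conditions in CentOS_normal.erb and Debian_normal.erb (and identically in Gentoo_normal.erb and OpenBSD_normal.erb) test `real_sshd_pubkey_authentication`, not the `real_sshd_ignore_rhosts` that the init.pp hunk introduces, so the new selector is never consumed and IgnoreRhosts is coupled to the wrong setting. The practical effect is that any host with PubkeyAuthentication off now gets `IgnoreRhosts no`, i.e. sshd starts honouring ~/.rhosts and ~/.shosts, which on Debian replaces a previously hard-coded `IgnoreRhosts yes`; that is a weakening the commit message does not appear to intend. Each of the four `<%- if … %>` lines should read `<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>`, which keeps the default of `yes` from the selector in init.pp. I cannot see where `$sshd_ignore_rhosts` itself is declared as a class parameter or variable; the init.pp hunk sits inside class sshd::base, whose body continues outside the hunk, so that declaration presumably lives there and should be confirmed.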
@@ -73,8 +73,13 @@ PubkeyAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
+
 # Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+IgnoreRhosts yes
+<%- else %>
+IgnoreRhosts no
+<% end -%>
 # To disable tunneled clear text passwords, change to no here!
 <%- if real_sshd_password_authentication.to_s == 'yes' then %>
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index b7e4673..420f9cc 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -67,8 +67,13 @@ PubkeyAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
+
 # Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+IgnoreRhosts yes
+<%- else %>
+IgnoreRhosts no
+<% end -%>
 # To disable tunneled clear text passwords, change to no here!
 <%- if real_sshd_password_authentication.to_s == 'yes' then %>