-rw-r--r--manifests/init.pp11
-rw-r--r--templates/sshd_config/CentOS_normal.erb9
-rw-r--r--templates/sshd_config/Debian_normal.erb6
-rw-r--r--templates/sshd_config/Gentoo_normal.erb6
-rw-r--r--templates/sshd_config/OpenBSD_normal.erb6
5 files changed, 26 insertions, 12 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 4841038..0fd2dfa 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -22,6 +22,11 @@
# of variables, which you might consider to configure.
# Checkout the following:
#
+# sshd_listen_address: specify the addresses sshd should listen on
+# set this to "10.0.0.1 192.168.0.1" to have it listen on both
+# addresses, or leave it unset to listen on all
+# Default: empty -> results in listening on 0.0.0.0
+#
# sshd_allowed_users: list of usernames separated by spaces.
# set this for example to "foobar root"
# to ensure that only user foobar and root
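Review bot: The added line `# Default: empty -> results in listening on 0.0.0.0` understates the default. When no `ListenAddress` is written, sshd listens on all local addresses, which includes IPv6 where the address family allows it; the template lines this commit removes listed both `0.0.0.0` and `::`. I would word it as `# Default: empty -> no ListenAddress is written, sshd listens on all local addresses (IPv4 and IPv6)`. It would also help to state that entries are separated by spaces and that each one becomes its own `ListenAddress` line.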
@@ -104,7 +109,11 @@ class sshd {
class sshd::base {
- # prepare variables to use in templates
+ # prepare variables to use in templates
+ $real_sshd_listen_address = $sshd_sshd_listen_address ? {
+ '' => '',
+ default => $sshd_sshd_listen_address
+ }
$real_sshd_allowed_users = $sshd_allowed_users ? {
'' => '',
default => $sshd_allowed_users
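Review bot: The selector added here reads `$sshd_sshd_listen_address`, with the `sshd_` prefix doubled, while the header comment added in the first hunk documents the variable as `sshd_listen_address` and the neighbouring selector reads `$sshd_allowed_users`. As written, a node that sets the documented variable presumably still ends up with an empty `$real_sshd_listen_address`, so the templates write no `ListenAddress` line and sshd keeps listening on every address even though the operator asked for a restriction. Both occurrences should read `$sshd_listen_address`. The body of `sshd::base` continues outside the hunk.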
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index e576a78..6a16d77 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -16,12 +16,13 @@ Port <%= real_sshd_port %>
Port 22
<%- end %>
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+#AddressFamily any
#Protocol 2,1
Protocol 2
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
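Review bot: The loop `for address in real_sshd_listen_address` iterates over what init.pp documents as a single space-separated string, not a list. Depending on the Ruby version rendering the template, that either yields the whole string once, giving a single `ListenAddress 10.0.0.1 192.168.0.1` line that sshd is unlikely to accept, or fails because String has no `each`. Splitting first keeps one directive per address: `<% for address in real_sshd_listen_address.to_s.split(' ') -%>`. The same loop appears in the Debian, Gentoo and OpenBSD template hunks and needs the same change there.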
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index d33064a..df8ebc8 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -2,7 +2,6 @@
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
-
<%- unless real_sshd_port.to_s.empty? then %>
Port <%= real_sshd_port -%>
<%- else -%>
@@ -10,8 +9,9 @@ Port 22
<%- end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index dcbf9de..1b9b98e 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -16,9 +16,11 @@ Port <%= real_sshd_port %>
Port 22
<%- end %>
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index e62b3c1..32f6780 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -14,10 +14,12 @@ Port <%= real_sshd_port %>
Port 22
<%- end %>
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
#Protocol 2,1
#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key