-rw-r--r-- | manifests/ssh_authorized_key.pp | 60 | ||||
-rw-r--r-- | templates/sshd_config/Debian_squeeze.erb | 2 | ||||
-rw-r--r-- | templates/sshd_config/Debian_wheezy.erb | 4 | ||||
l--------- | templates/sshd_config/XenServer_xenenterprise.erb (renamed from templates/sshd_config/RedHat_xenenterprise.erb) | 0 |
4 files changed, 30 insertions, 36 deletions
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index 2436df6..80cb3b7 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -48,44 +48,38 @@ define sshd::ssh_authorized_key( # nothing a user can't already do by writing their own file resources, # we still depend on the filesystem permissions to keep things safe. if $override_builtin { - case $options { - 'absent': { - info("not setting any option for ssh_authorized_key: ${name}") + $header = "# HEADER: This file is managed by Puppet.\n" - file { '$real_target': - ensure => $ensure, - content => '$type $key', - owner => '$real_user', - mode => '0600'; - } - } - default: { - file { '$real_target': - ensure => $ensure, - content => '$options $type $key', - owner => '$real_user', - mode => '0600'; - } - } + if $options == 'absent' { + info("not setting any option for ssh_authorized_key: ${name}") + $content = "${header}${type} ${key}\n" + } else { + $content = "${header}${options} ${type} ${key}\n" + } + + file { $real_target: + ensure => $ensure, + content => $content, + owner => $real_user, + mode => '0600', } + } else { - ssh_authorized_key{$name: - ensure => $ensure, - type => $type, - key => $key, - user => $real_user, - target => $real_target, + + if $options == 'absent' { + info("not setting any option for ssh_authorized_key: ${name}") + } else { + $real_options = $options } - case $options { - 'absent': { - info("not setting any option for ssh_authorized_key: ${name}") - } - default: { - Ssh_authorized_key[$name]{ - options => $options, - } - } + ssh_authorized_key{$name: + ensure => $ensure, + type => $type, + key => $key, + user => $real_user, + target => $real_target, + options => $real_options, } } + } diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 5ca1fd9..649b320 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb 
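Review bot: In the non-builtin branch `$real_options` is assigned only when `$options` is not 'absent', so `options => $real_options` in the new `ssh_authorized_key` resource reads an unset variable in the absent case; that evaluates to undef on the Puppet releases this module appears to target (leaving `options` unmanaged, which seems to be the intent), but it becomes a compilation error once `strict_variables` is enabled. Assigning it explicitly next to the `info()` call, `$real_options = undef`, makes the intent visible and keeps the define strict-safe. In the `$override_builtin` branch the authorized_keys line is now built by interpolating `$options`, `$type` and `$key` into `$content` with no validation, so a value that contains a newline would be written to `$real_target` as extra key entries; a guard such as `if "${options}${type}${key}" =~ /\n/ { fail("ssh_authorized_key ${name}: newline in key data") }` before `$content` is assigned preserves the rejection of malformed input that the builtin type performs. The enclosing define starts outside the hunk.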
@@ -119,7 +119,7 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
 Ciphers aes256-ctr
-MACs hmac-sha1
+MACs hmac-sha2-512
 <% end -%>
 <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb
index 117abe3..bcb1528 100644
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -37,7 +37,7 @@ SyslogFacility AUTH
 LogLevel INFO
 # Authentication:
-LoginGraceTime 600
+LoginGraceTime 120
 PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %>
 StrictModes <%= scope.lookupvar('::sshd::strict_modes') %>
@@ -123,7 +123,7 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-MACs hmac-sha1
+MACs hmac-sha2-512
 <% end -%>
 <% end -%>
diff --git a/templates/sshd_config/RedHat_xenenterprise.erb b/templates/sshd_config/XenServer_xenenterprise.erb
index 71b767a..71b767a 120000
--- a/templates/sshd_config/RedHat_xenenterprise.erb
+++ b/templates/sshd_config/XenServer_xenenterprise.erb |
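Review bot: The hardened branch of the squeeze template now lists `MACs hmac-sha2-512` as the only MAC, but Debian squeeze ships OpenSSH 5.5 and the hmac-sha2-* MACs were only introduced in OpenSSH 5.9, so on a stock squeeze host sshd would reject the rendered file (an error of the form "Bad SSH2 mac spec") and fail to restart, unless the hosts take sshd from backports. The same change in the wheezy template is fine, since wheezy's OpenSSH 6.0 supports these MACs. Either keep `MACs hmac-sha1` in the squeeze template with a comment noting that hmac-sha2 is not available on that release, or have the module validate the rendered config with `sshd -t` before the service is restarted so a bad cipher or MAC spec cannot leave hosts unreachable. The erb `if` that encloses these lines starts outside the hunk.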
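Review bot: With the `-123,7 +123,7` hunk the wheezy template's non-hardened branch also drops `hmac-sha1` in favour of `hmac-sha2-512` alone, so after this change every wheezy host managed by the module, not just those with `hardened == 'yes'`, stops offering hmac-sha1; clients that only implement the older MAC will no longer be able to negotiate a session. That is a sensible hardening default, but it is a behaviour change for the default branch and deserves a line in the module's documentation or changelog, for example a template comment above the line, `# hmac-sha1 intentionally not offered; hardened == 'yes' adds the -etm variants`. The outer erb conditional around this block starts outside the hunk.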