-rw-r--r-- | manifests/init.pp | 8 | ||||
-rw-r--r-- | templates/sshd_config/CentOS_normal.erb | 6 | ||||
-rw-r--r-- | templates/sshd_config/Debian_normal.erb | 5 | ||||
-rw-r--r-- | templates/sshd_config/Gentoo_normal.erb | 6 | ||||
-rw-r--r-- | templates/sshd_config/OpenBSD_normal.erb | 7 |
5 files changed, 29 insertions, 3 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 029ab95..413c46a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -51,6 +51,10 @@
 # sshd_agent_forwarding: If you want to allow ssh-agent forwarding
 # Valid Values: yes or no
 # Default: no
+#
+# sshd_pubkey_authentication: If you want to enable public key authentication
+# Valid Values: yes or no
+# Default: yes
 class sshd {
 include sshd::client
@@ -97,6 +101,10 @@ class sshd::base {
 '' => 'no',
 default => $sshd_challenge_response_authentication
 }
+ $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
+ '' => 'no',
+ default => $sshd_pubkey_authentication
+ }
 file { 'sshd_config':
 path => '/etc/ssh/sshd_config',
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index a053001..b0bea46 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -45,7 +45,11 @@ PermitRootLogin without-password
 #MaxAuthTries 6
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
 #AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index a1d7a45..d105ecc 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -35,7 +35,12 @@ PermitRootLogin without-password
 StrictModes yes
 RSAAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
 PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
+
 #AuthorizedKeysFile %h/.ssh/authorized_keys
 # rhosts authentication should not be used
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index 5605f14..3538754 100644
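Review bot: The fallback in the new selector turns public key authentication off whenever `$sshd_pubkey_authentication` is left unset (`'' => 'no'`), while the header comment added in the first hunk of this file documents the default as `yes`, and OpenSSH's own built-in default for PubkeyAuthentication is also yes. As written, every node that does not set the new variable has its key-based logins switched off by this upgrade, which on hosts with `PermitRootLogin without-password` (visible as context in the template hunks) would lock root out entirely. The selector's fallback is the safer thing to correct: `'' => 'yes',`; otherwise the comment's `Default: yes` must be changed to match the code. The enclosing class sshd::base starts and ends outside the hunk.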
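Review bot: The template tests `real_sshd_sshd_pubkey_authentication` (doubled `sshd_`), but the manifest hunk in init.pp defines `$real_sshd_pubkey_authentication`; the same misspelling appears in the Debian, Gentoo and OpenBSD templates of this commit. Since the name never resolves, the condition presumably sees an undefined or empty value rather than `yes` (the exact behaviour depends on how this Puppet version treats unknown template variables), so every generated sshd_config would end up with `PubkeyAuthentication no` regardless of what the operator set. The fix is the one line `<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>` in each template. Because the manifest already normalises the value to `yes`/`no`, the conditional could also be dropped in favour of `PubkeyAuthentication <%= real_sshd_pubkey_authentication %>`, which leaves fewer places for the two names to drift apart.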
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -48,7 +48,11 @@ PermitRootLogin without-password
 #MaxAuthTries 6
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
 #AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index 954b420..bee3548 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -41,7 +41,12 @@ PermitRootLogin without-password
 #MaxAuthTries 6
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
+
 #AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |