aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--manifests/init.pp116
-rw-r--r--templates/sshd_config/CentOS.erb56
-rw-r--r--templates/sshd_config/Debian_etch.erb55
-rw-r--r--templates/sshd_config/Debian_lenny.erb56
-rw-r--r--templates/sshd_config/Gentoo.erb56
-rw-r--r--templates/sshd_config/OpenBSD.erb51
6 files changed, 231 insertions, 159 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 21c21c6..1c7a3e8 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -40,6 +40,15 @@
# to ensure that only user foobar and root
# might login.
# Default: empty -> no restriction is set
+#
+# sshd_allowed_groups list of groups separated by spaces.
+# set this for example to "wheel sftponly"
+# to ensure that only users in the groups
+# wheel and sftponly might login.
+# Default: empty -> no restriction is set
+# Note: This is set after sshd_allowed_users,
+# take care of the behaviour if you use
+# these 2 options together.
#
# sshd_use_pam: if you want to use pam or not for authenticaton
# Values: no or yes.
@@ -100,6 +109,14 @@
# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
# Default: AuthorizedKeysFile %h/.ssh/authorized_keys
#
+# sshd_sftp_subsystem: Set a different sftp-subystem than the default one.
+# Might be interesting for sftponly usage
+# Default: empty -> no change of the default
+#
+# sshd_additional_options: Set this to any additional sshd_options which aren't listed above.
+# As well this option might be usefull to define complexer Match Blocks
+# This string is going to be included, like it is defined. So take care!
+# Default: empty -> not added.
class sshd {
include sshd::client
@@ -118,77 +135,68 @@ class sshd {
class sshd::base {
# prepare variables to use in templates
- $real_sshd_listen_address = $sshd_listen_address ? {
- '' => [ '0.0.0.0', '::' ],
- default => $sshd_listen_address
+ case $sshd_listen_address {
+ '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
+ }
+ case $sshd_allowed_users {
+ '': { $sshd_allowed_users = '' }
+ }
+ case $sshd_allowed_groups {
+ '': { $sshd_allowed_groups = '' }
+ }
+ case $sshd_use_pam {
+ '': { $sshd_use_pam = 'no' }
}
- $real_sshd_allowed_users = $sshd_allowed_users ? {
- '' => '',
- default => $sshd_allowed_users
+ case $sshd_permit_root_login {
+ '': { $sshd_permit_root_login = 'without-password' }
}
- $real_sshd_use_pam = $sshd_use_pam ? {
- '' => 'no',
- default => $sshd_use_pam
+ case $sshd_password_authentication {
+ '': { $sshd_password_authentication = 'no' }
}
- $real_sshd_permit_root_login = $sshd_permit_root_login ? {
- '' => 'without-password',
- default => $sshd_permit_root_login
+ case $sshd_tcp_forwarding {
+ '': { $sshd_tcp_forwarding = 'no' }
}
- $real_sshd_password_authentication = $sshd_password_authentication ? {
- '' => 'no',
- default => $sshd_password_authentication
+ case $sshd_x11_forwarding {
+ '': { $sshd_x11_forwarding = 'no' }
}
- $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
- '' => 'no',
- default => $sshd_tcp_forwarding
+ case $sshd_agent_forwarding {
+ '': { $sshd_agent_forwarding = 'no' }
}
- $real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
- '' => 'no',
- default => $sshd_x11_forwarding
+ case $sshd_challenge_response_authentication {
+ '': { $sshd_challenge_response_authentication = 'no' }
}
- $real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
- '' => 'no',
- default => $sshd_agent_forwarding
+ case $sshd_pubkey_authentication {
+ '': { $sshd_pubkey_authentication = 'yes' }
}
- $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
- '' => 'no',
- default => $sshd_challenge_response_authentication
+ case $sshd_rsa_authentication {
+ '': { $sshd_rsa_authentication = 'no' }
}
- $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
- '' => 'yes',
- default => $sshd_pubkey_authentication
+ case $sshd_strict_modes {
+ '': { $sshd_strict_modes = 'yes' }
}
- $real_sshd_rsa_authentication = $sshd_rsa_authentication ? {
- '' => 'no',
- default => $sshd_rsa_authentication
+ case $sshd_ignore_rhosts {
+ '': { $sshd_ignore_rhosts = 'yes' }
}
- $real_sshd_strict_modes = $sshd_strict_modes ? {
- '' => 'yes',
- default => $sshd_strict_modes
+ case $sshd_rhosts_rsa_authentication {
+ '': { $sshd_rhosts_rsa_authentication = 'no' }
}
- $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
- '' => 'yes',
- default => $sshd_ignore_rhosts
+ case $sshd_hostbased_authentication {
+ '': { $sshd_hostbased_authentication = 'no' }
}
- $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
- '' => 'no',
- default => $sshd_rhosts_rsa_authentication
+ case $sshd_permit_empty_passwords {
+ '': { $sshd_permit_empty_passwords = 'no' }
}
- $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
- '' => 'no',
- default => $sshd_hostbased_authentication
+ case $sshd_port {
+ '': { $sshd_port = 22 }
}
- $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
- '' => 'no',
- default => $sshd_permit_empty_passwords
+ case $sshd_authorized_keys_file {
+ '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
}
- $real_sshd_port = $sshd_port ? {
- '' => 22,
- default => $sshd_port
+ case $sshd_sftp_subsystem {
+ '': { $sshd_sftp_subsystem = '' }
}
- $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? {
- '' => "%h/.ssh/authorized_keys",
- default => $sshd_authorized_keys_file
+ case $sshd_additional_options {
+ '': { $sshd_additional_options = '' }
}
file { 'sshd_config':
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 6a16d77..27880cb 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -10,14 +10,14 @@
# possible, but leave them commented. Uncommented options change a
# default value.
-<%- unless real_sshd_port.to_s.empty? then %>
-Port <%= real_sshd_port %>
+<%- unless sshd_port.to_s.empty? then %>
+Port <%= sshd_port %>
<%- else %>
Port 22
<%- end %>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
#AddressFamily any
@@ -42,13 +42,13 @@ SyslogFacility AUTHPRIV
# Authentication:
#LoginGraceTime 2m
-<%- unless real_sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- unless sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= sshd_permit_root_login %>
<%- else %>
PermitRootLogin without-password
<%- end %>
-<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+<%- if sshd_strict_modes.to_s == 'yes' then %>
StrictModes yes
<%- else %>
StrictModes no
@@ -56,33 +56,33 @@ StrictModes no
#MaxAuthTries 6
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rsa_authentication.to_s == 'yes' then %>
RSAAuthentication yes
<%- else %>
RSAAuthentication no
<%- end %>
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
PubkeyAuthentication yes
<%- else %>
PubkeyAuthentication no
<%- end %>
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then %>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else %>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
RhostsRSAAuthentication yes
<%- else %>
RhostsRSAAuthentication no
<% end -%>
# similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
HostbasedAuthentication yes
<%- else %>
HostbasedAuthentication no
@@ -93,28 +93,28 @@ HostbasedAuthentication no
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
IgnoreRhosts yes
<%- else %>
IgnoreRhosts no
<% end -%>
# To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+<%- if sshd_password_authentication.to_s == 'yes' then %>
PasswordAuthentication yes
<%- else %>
PasswordAuthentication no
<%- end %>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
ChallengeResponseAuthentication yes
<%- else %>
ChallengeResponseAuthentication no
@@ -141,7 +141,7 @@ GSSAPICleanupCredentials yes
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
-<%- if real_sshd_use_pam.to_s == 'yes' then %>
+<%- if sshd_use_pam.to_s == 'yes' then %>
UsePAM yes
<%- else %>
UsePAM no
@@ -152,7 +152,7 @@ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
AllowTcpForwarding yes
<%- else %>
AllowTcpForwarding no
@@ -160,7 +160,7 @@ AllowTcpForwarding no
#GatewayPorts no
#X11Forwarding no
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+<%- if sshd_x11_forwarding.to_s == 'yes' then %>
X11Forwarding yes
<%- else %>
X11Forwarding no
@@ -186,7 +186,21 @@ X11Forwarding no
#Banner /some/path
# override default of no subsystems
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/libexec/openssh/sftp-server
-<%- unless real_sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= real_sshd_allowed_users %>
+<%- else %>
+Subsystem sftp <%= sshd_sftp_subsystem %>
+<%- end %>
+
+<%- unless sshd_allowed_users.to_s.empty? then %>
+AllowUsers <%= sshd_allowed_users %>
+<%- end %>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
<%- end %>
+
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>
+
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index 09be201..28aa52c 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -2,14 +2,14 @@
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
-<%- unless real_sshd_port.to_s.empty? then -%>
-Port <%= real_sshd_port -%>
+<%- unless sshd_port.to_s.empty? then -%>
+Port <%= sshd_port -%>
<%- else -%>
Port 22
<%- end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@@ -33,52 +33,52 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
-<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= real_sshd_permit_root_login -%>
+<%- unless sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
-<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
# For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
# similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
@@ -88,21 +88,21 @@ HostbasedAuthentication no
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
# To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
@@ -117,7 +117,7 @@ PasswordAuthentication no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
@@ -130,7 +130,11 @@ KeepAlive yes
#Banner /etc/issue.net
#ReverseMappingCheck yes
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
#Subsystem sftp /usr/lib/sftp-server
+<%- else %>
+Subsystem sftp <%= sshd_sftp_subsystem %>
+<%- end %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -141,7 +145,7 @@ KeepAlive yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
@@ -149,7 +153,7 @@ UsePAM no
HostbasedUsesNameFromPacketOnly yes
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
@@ -157,7 +161,16 @@ AllowTcpForwarding no
ChallengeResponseAuthentication no
-<%- unless real_sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= real_sshd_allowed_users -%>
+<%- unless sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= sshd_allowed_users -%>
<%- end -%>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
+<%- end %>
+
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>
+
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index bb39736..8d68808 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -2,14 +2,14 @@
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
-<%- unless real_sshd_port.to_s.empty? then -%>
-Port <%= real_sshd_port -%>
+<%- unless sshd_port.to_s.empty? then -%>
+Port <%= sshd_port -%>
<%- else -%>
Port 22
<%- end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@@ -33,52 +33,52 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
-<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= real_sshd_permit_root_login -%>
+<%- unless sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
-<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
# For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
# similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
@@ -88,21 +88,21 @@ HostbasedAuthentication no
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
# To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
@@ -117,7 +117,7 @@ PasswordAuthentication no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
@@ -130,7 +130,11 @@ KeepAlive yes
#Banner /etc/issue.net
#ReverseMappingCheck yes
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
#Subsystem sftp /usr/lib/sftp-server
+<%- else %>
+Subsystem sftp <%= sshd_sftp_subsystem %>
+<%- end %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -141,7 +145,7 @@ KeepAlive yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
@@ -149,13 +153,13 @@ UsePAM no
HostbasedUsesNameFromPacketOnly yes
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
-<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%>
+<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
AllowAgentForwarding yes
<%- else -%>
AllowAgentForwarding no
@@ -163,7 +167,15 @@ AllowAgentForwarding no
ChallengeResponseAuthentication no
-<%- unless real_sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= real_sshd_allowed_users -%>
+<%- unless sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= sshd_allowed_users -%>
<%- end -%>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
+<%- end %>
+
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 1b9b98e..77ed378 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -10,14 +10,14 @@
# possible, but leave them commented. Uncommented options change a
# default value.
-<%- unless real_sshd_port.to_s.empty? then %>
-Port <%= real_sshd_port %>
+<%- unless sshd_port.to_s.empty? then %>
+Port <%= sshd_port %>
<%- else %>
Port 22
<%- end %>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
#AddressFamily any
@@ -47,46 +47,46 @@ Protocol 2
#LoginGraceTime 2m
PermitRootLogin without-password
-<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+<%- if sshd_strict_modes.to_s == 'yes' then %>
StrictModes yes
<%- else %>
StrictModes no
<%- end %>
-<%- unless real_sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- unless sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= sshd_permit_root_login %>
<%- else %>
PermitRootLogin without-password
<%- end %>
#MaxAuthTries 6
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rsa_authentication.to_s == 'yes' then %>
RSAAuthentication yes
<%- else %>
RSAAuthentication no
<%- end %>
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
PubkeyAuthentication yes
<%- else %>
PubkeyAuthentication no
<%- end %>
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then %>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else %>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
RhostsRSAAuthentication yes
<%- else %>
RhostsRSAAuthentication no
<% end -%>
# similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
HostbasedAuthentication yes
<%- else %>
HostbasedAuthentication no
@@ -97,28 +97,28 @@ HostbasedAuthentication no
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
IgnoreRhosts yes
<%- else %>
IgnoreRhosts no
<% end -%>
# To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+<%- if sshd_password_authentication.to_s == 'yes' then %>
PasswordAuthentication yes
<%- else %>
PasswordAuthentication no
<%- end %>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
ChallengeResponseAuthentication yes
<%- else %>
ChallengeResponseAuthentication no
@@ -145,20 +145,20 @@ ChallengeResponseAuthentication no
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-<%- if real_sshd_use_pam.to_s == 'yes' then %>
+<%- if sshd_use_pam.to_s == 'yes' then %>
UsePAM yes
<%- else %>
UsePAM no
<%- end %>
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
AllowTcpForwarding yes
<%- else %>
AllowTcpForwarding no
<%- end %>
#GatewayPorts no
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+<%- if sshd_x11_forwarding.to_s == 'yes' then %>
X11Forwarding yes
<%- else %>
X11Forwarding no
@@ -183,7 +183,11 @@ X11Forwarding no
#Banner /some/path
# override default of no subsystems
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/lib/misc/sftp-server
+<%- else %>
+Subsystem sftp <%= sshd_sftp_subsystem %>
+<%- end %>
# Example of overriding settings on a per-user basis
#Match User anoncvs
@@ -191,6 +195,16 @@ Subsystem sftp /usr/lib/misc/sftp-server
# AllowTcpForwarding no
# ForceCommand cvs server
-<%- unless real_sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= real_sshd_allowed_users %>
+<%- unless sshd_allowed_users.to_s.empty? then %>
+AllowUsers <%= sshd_allowed_users %>
+<%- end %>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
+<%- end %>
+
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
<%- end %>
+
+
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index 32f6780..a6e0763 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -8,14 +8,14 @@
# possible, but leave them commented. Uncommented options change a
# default value.
-<%- unless real_sshd_port.to_s.empty? then %>
-Port <%= real_sshd_port %>
+<%- unless sshd_port.to_s.empty? then %>
+Port <%= sshd_port %>
<%- else %>
Port 22
<%- end %>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
#Protocol 2,1
@@ -39,13 +39,13 @@ ListenAddress <%= address %>
# Authentication:
#LoginGraceTime 2m
-<%- unless real_sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- unless sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= sshd_permit_root_login %>
<%- else %>
PermitRootLogin without-password
<%- end %>
-<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+<%- if sshd_strict_modes.to_s == 'yes' then %>
StrictModes yes
<%- else %>
StrictModes no
@@ -53,33 +53,33 @@ StrictModes no
#MaxAuthTries 6
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rsa_authentication.to_s == 'yes' then %>
RSAAuthentication yes
<%- else %>
RSAAuthentication no
<%- end %>
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
PubkeyAuthentication yes
<%- else %>
PubkeyAuthentication no
<%- end %>
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then %>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else %>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
RhostsRSAAuthentication yes
<%- else %>
RhostsRSAAuthentication no
<% end -%>
# similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
HostbasedAuthentication yes
<%- else %>
HostbasedAuthentication no
@@ -90,28 +90,28 @@ HostbasedAuthentication no
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
IgnoreRhosts yes
<%- else %>
IgnoreRhosts no
<% end -%>
# To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+<%- if sshd_password_authentication.to_s == 'yes' then %>
PasswordAuthentication yes
<%- else %>
PasswordAuthentication no
<%- end %>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
ChallengeResponseAuthentication yes
<%- else %>
ChallengeResponseAuthentication no
@@ -127,14 +127,14 @@ ChallengeResponseAuthentication no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
AllowTcpForwarding yes
<%- else %>
AllowTcpForwarding no
<%- end %>
#GatewayPorts no
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+<%- if sshd_x11_forwarding.to_s == 'yes' then %>
X11Forwarding yes
<%- else %>
X11Forwarding no
@@ -159,10 +159,17 @@ X11Forwarding no
#Banner /some/path
# override default of no subsystems
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/libexec/sftp-server
+<%- else %>
+Subsystem sftp <%= sshd_sftp_subsystem %>
+<%- end %>
-<%- unless real_sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= real_sshd_allowed_users %>
+<%- unless sshd_allowed_users.to_s.empty? then %>
+AllowUsers <%= sshd_allowed_users %>
+<%- end %>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
<%- end %>
# Example of overriding settings on a per-user basis
@@ -170,3 +177,7 @@ AllowUsers <%= real_sshd_allowed_users %>
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>