Diffstat (limited to 'templates/sshd_config/CentOS.erb')
| -rw-r--r-- | templates/sshd_config/CentOS.erb | 56 | 
1 files changed, 35 insertions, 21 deletions
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 6a16d77..27880cb 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -10,14 +10,14 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
-<%- unless real_sshd_port.to_s.empty? then %>
-Port <%= real_sshd_port %>
+<%- unless sshd_port.to_s.empty? then %>
+Port <%= sshd_port %>
 <%- else %>
 Port 22
 <%- end %>
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
 ListenAddress <%= address %>
 <% end -%>
 #AddressFamily any
@@ -42,13 +42,13 @@ SyslogFacility AUTHPRIV
 # Authentication:
 #LoginGraceTime 2m
-<%- unless real_sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- unless sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
-<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+<%- if sshd_strict_modes.to_s == 'yes' then %>
 StrictModes yes
 <%- else %>
 StrictModes no
@@ -56,33 +56,33 @@ StrictModes no
 #MaxAuthTries 6
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rsa_authentication.to_s == 'yes' then %>
 RSAAuthentication yes
 <%- else %>
 RSAAuthentication no
 <%- end %>
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
 PubkeyAuthentication yes
 <%- else %>
 PubkeyAuthentication no
 <%- end %>
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- unless sshd_authorized_keys_file.to_s.empty? then %>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
 <%- else %>
 AuthorizedKeysFile %h/.ssh/authorized_keys
 <%- end %>
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
 RhostsRSAAuthentication yes
 <%- else %>
 RhostsRSAAuthentication no
 <% end -%>
 # similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
 HostbasedAuthentication yes
 <%- else %>
 HostbasedAuthentication no
@@ -93,28 +93,28 @@ HostbasedAuthentication no
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
+<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
 IgnoreRhosts yes
 <%- else %>
 IgnoreRhosts no
 <% end -%>
 # To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+<%- if sshd_password_authentication.to_s == 'yes' then %>
 PasswordAuthentication yes
 <%- else %>
 PasswordAuthentication no
 <%- end %>
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
 PermitEmptyPasswords yes
 <% else -%>
 PermitEmptyPasswords no
 <% end -%>
 # Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
 ChallengeResponseAuthentication yes
 <%- else %>
 ChallengeResponseAuthentication no
@@ -141,7 +141,7 @@ GSSAPICleanupCredentials yes
 # session checks to run without PAM authentication, then enable this but set 
 # ChallengeResponseAuthentication=no
 #UsePAM no
-<%- if real_sshd_use_pam.to_s == 'yes' then %>
+<%- if sshd_use_pam.to_s == 'yes' then %>
 UsePAM yes
 <%- else %>
 UsePAM no
@@ -152,7 +152,7 @@ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 AcceptEnv LC_IDENTIFICATION LC_ALL
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
 AllowTcpForwarding yes
 <%- else %>
 AllowTcpForwarding no
@@ -160,7 +160,7 @@ AllowTcpForwarding no
 #GatewayPorts no
 #X11Forwarding no
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+<%- if sshd_x11_forwarding.to_s == 'yes' then %>
 X11Forwarding yes
 <%- else %>
 X11Forwarding no
@@ -186,7 +186,21 @@ X11Forwarding no
 #Banner /some/path
 # override default of no subsystems
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
 Subsystem	sftp	/usr/libexec/openssh/sftp-server
-<%- unless real_sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= real_sshd_allowed_users %>
+<%- else %>
+Subsystem      sftp    <%= sshd_sftp_subsystem %>
+<%- end %>
+
+<%- unless sshd_allowed_users.to_s.empty? then %>
+AllowUsers <%= sshd_allowed_users %>
+<%- end %>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
+
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>
+
 | 
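Review bot: The new `sshd_additional_options` block is emitted verbatim at the very end of the file with nothing saying why its position matters; sshd applies every directive that follows a `Match` line only to that match, so this block has to stay last and the template should record that so a later edit does not move directives below it. I'd put `# Verbatim passthrough; kept last so a Match block inside it cannot scope the directives above.` directly above the `unless sshd_additional_options` line. The AllowUsers/AllowGroups pair also deserves a comment, since when both values are non-empty sshd enforces both lists and refuses logins for any account (root included) whose primary or supplementary groups are not in AllowGroups, e.g. `# AllowUsers and AllowGroups are both enforced when both are set; a login must satisfy each.` As a point of style, the new `Subsystem      sftp    <%= sshd_sftp_subsystem %>` line separates its fields with runs of spaces while the default `Subsystem` line it replaces is tab-separated; using the same separator keeps the rendered file consistent.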
