Diffstat (limited to 'templates/sshd_config/FreeBSD.erb')
-rw-r--r-- | templates/sshd_config/FreeBSD.erb | 156 |
1 files changed, 37 insertions, 119 deletions
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 9853f5d..9b98aec 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -16,21 +16,21 @@ #VersionAddendum FreeBSD-20100308 -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> # What ports, IPs and protocols we listen for -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> #AddressFamily any -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> 
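Review bot: The new `unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>` drops the `.to_s` the removed line had, so a parameter that is undefined or resolves to something other than a String no longer degrades to "empty" but raises NoMethodError while the catalog is compiled; `unless (s=scope.lookupvar('sshd::head_additional_options').to_s).empty? -%>` keeps the old tolerance. The same pattern is used on the sftp_subsystem, allowed_users, allowed_groups and tail_additional_options lines of the later hunks. Likewise `scope.lookupvar('sshd::ports').to_a` only copes with a scalar String on Ruby 1.8 (String#to_a was removed in 1.9), so if a single port is ever passed as a String that loop fails on newer interpreters; `Array(scope.lookupvar('sshd::ports')).each do |port| -%>` handles both shapes, and the same applies to the listen_address loop below it.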
@@ -55,52 +55,24 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -<%- if sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> #MaxAuthTries 6 #MaxSessions 10 -<%- if sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication 
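Review bot: `PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>` loses the fallback to `without-password` the removed branch supplied when the value was empty, and the StrictModes, RSAAuthentication, PubkeyAuthentication, AuthorizedKeysFile, RhostsRSAAuthentication and HostbasedAuthentication lines likewise lose the `== 'yes' ... else no` normalisation, so an empty or non-`yes`/`no` value (a Puppet boolean, say) is now written verbatim and sshd refuses the file at parse time instead of the former fail-closed `no`. Presumably the `sshd` class now validates and defaults these parameters; if it does not, keep a guard in the template such as `PermitRootLogin <%= (s=scope.lookupvar('sshd::permit_root_login').to_s).empty? ? 'without-password' : s %>` and `AuthorizedKeysFile <%= (s=scope.lookupvar('sshd::authorized_keys_file').to_s).empty? ? '%h/.ssh/authorized_keys' : s %>`. The same yes/no lines appear in the two following hunks (PasswordAuthentication through the GSSAPI options, and UsePAM through X11Forwarding).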
@@ -109,53 +81,21 @@ HostbasedAuthentication no #IgnoreRhosts yes # Change to yes to enable built-in password authentication. -<%- if sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> -<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to no to disable PAM authentication -<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # Kerberos options -<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> -KerberosAuthentication yes -<%- else -%> -KerberosAuthentication no -<%- end -%> -<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> -KerberosOrLocalPasswd yes -<%- else -%> -KerberosOrLocalPasswd no -<%- end -%> -<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> -KerberosTicketCleanup yes -<%- else -%> -KerberosTicketCleanup no -<%- end -%> +KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> # GSSAPI options -<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> -GSSAPIAuthentication yes -<%- else -%> -GSSAPIAuthentication no -<%- end -%> -<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> -GSSAPICleanupCredentials yes -<%- else -%> -GSSAPICleanupCredentials yes -<%- end -%> +GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= 
scope.lookupvar('sshd::gssapi_cleanupcredentials') %> # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -166,30 +106,14 @@ GSSAPICleanupCredentials yes # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no -<%- end -%> +UsePAM <%= scope.lookupvar('sshd::use_pam') %> -<%- if sshd_agent_forwarding.to_s == 'yes' then -%> -AllowAgentForwarding yes -<%- else -%> -AllowAgentForwarding no -<%- end -%> +AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> -<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> #GatewayPorts no -<%- if sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> X11DisplayOffset 10 #X11UseLocalhost yes @@ -212,11 +136,7 @@ TCPKeepAlive yes #Banner none # override default of no subsystems -<%- if sshd_sftp_subsystem.to_s.empty? then %> -Subsystem sftp /usr/libexec/sftp-server -<%- else %> -Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> # Example of overriding settings on a per-user basis #Match User anoncvs 
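Review bot: `KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>` looks up `kerberos_aorlocalpasswd`, while the removed `sshd_kerberos_orlocalpasswd` and the neighbouring kerberos lines spell it `orlocalpasswd`; unless the class really declares a parameter with the stray `a`, the lookup yields an undefined value and the rendered directive is empty. The line should read `KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %>`. Note also that the removed GSSAPICleanupCredentials block wrote `yes` on both of its branches, whereas the new line reads `sshd::gssapi_cleanupcredentials`, so this hunk quietly introduces a parameter the class must now define and default.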
@@ -224,20 +144,18 @@ Subsystem sftp <%= sshd_sftp_subsystem %> # AllowTcpForwarding no # ForceCommand cvs server -<%- unless sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= sshd_allowed_users -%> +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> <%- end -%> -<%- unless sshd_allowed_groups.to_s.empty? then %> -AllowGroups <%= sshd_allowed_groups %> -<%- end %> - -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 -<%- end -%> - -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> |
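Review bot: The AllowGroups block is closed by the retained `<%- end -%>` while its opening was rewritten to `<% unless ... -%>` and every other block in the commit now uses `<% end -%>`; it renders the same, but the mixed tag styles are what this commit set out to clean up, so change it to `<% end -%>`. The `scope.lookupvar('sshd::hardened_ssl') == 'yes'` test keeps the string comparison that the other boolean-like options dropped, so a Puppet `true` would silently skip the Ciphers/MACs block and leave the weaker defaults in place; it is worth documenting in the class which form that parameter expects, or normalising with `.to_s == 'yes'` as the old template did.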