diff options
Diffstat (limited to 'templates/sshd_config/OpenBSD.erb')
-rw-r--r-- | templates/sshd_config/OpenBSD.erb | 124 |
1 files changed, 34 insertions, 90 deletions
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index b6def87..6b474d7 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,20 +8,20 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless sshd_head_additional_options.to_s.empty? then %> -<%= sshd_head_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> -<%- sshd_ports.each do |port| -%> -<%- if port.to_s == 'off' then -%> +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> -<%- end -%> +<% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in sshd_listen_address -%> +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> #Protocol 2,1 @@ -45,83 +45,39 @@ ListenAddress <%= address %> # Authentication: #LoginGraceTime 2m -<%- unless sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= sshd_permit_root_login %> -<%- else %> -PermitRootLogin without-password -<%- end %> - -<%- if sshd_strict_modes.to_s == 'yes' then %> -StrictModes yes -<%- else %> -StrictModes no -<%- end %> +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> + +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> #MaxAuthTries 6 -<%- if sshd_rsa_authentication.to_s == 'yes' then %> -RSAAuthentication yes -<%- else %> -RSAAuthentication no -<%- end %> +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -<%- if sshd_pubkey_authentication.to_s == 'yes' then %> -PubkeyAuthentication yes -<%- else %> -PubkeyAuthentication no -<%- end %> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -<%- unless sshd_authorized_keys_file.to_s.empty? then %> -AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else %> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end %> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> -RhostsRSAAuthentication yes -<%- else %> -RhostsRSAAuthentication no -<% end -%> +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then %> -HostbasedAuthentication yes -<%- else %> -HostbasedAuthentication no -<% end -%> +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then %> -IgnoreRhosts yes -<%- else %> -IgnoreRhosts no -<% end -%> +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then %> -PasswordAuthentication yes -<%- else %> -PasswordAuthentication no -<%- end %> +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> -ChallengeResponseAuthentication yes -<%- else %> -ChallengeResponseAuthentication no -<%- end %> +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -133,18 +89,10 @@ ChallengeResponseAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -<%- if sshd_tcp_forwarding.to_s == 'yes' then %> -AllowTcpForwarding yes -<%- else %> -AllowTcpForwarding no -<%- end %> +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> #GatewayPorts no -<%- if sshd_x11_forwarding.to_s == 'yes' then %> -X11Forwarding yes -<%- else %> -X11Forwarding no -<%- end %> +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes PrintMotd <%= sshd_print_motd %> @@ -165,18 +113,14 @@ PrintMotd <%= sshd_print_motd %> #Banner /some/path # override default of no subsystems -<%- if sshd_sftp_subsystem.to_s.empty? then %> -Subsystem sftp /usr/libexec/sftp-server -<%- else %> -Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> - -<%- unless sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= sshd_allowed_users %> -<%- end %> -<%- unless sshd_allowed_groups.to_s.empty? then %> -AllowGroups <%= sshd_allowed_groups %> -<%- end %> +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> +<%- end -%> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -184,11 +128,11 @@ AllowGroups <%= sshd_allowed_groups %> # AllowTcpForwarding no # ForceCommand cvs server -<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 -<%- end -%> +<% end -%> -<%- unless sshd_tail_additional_options.to_s.empty? then %> -<%= sshd_tail_additional_options %> -<%- end %> +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> |