diff options
Diffstat (limited to 'templates/sshd_config/OpenBSD.erb')
| -rw-r--r-- | templates/sshd_config/OpenBSD.erb | 50 |
1 files changed, 28 insertions, 22 deletions
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index ea6e8a8..aec299c 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,11 +8,11 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -21,7 +21,7 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> #Protocol 2,1 @@ -45,39 +45,39 @@ ListenAddress <%= address %> # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -89,13 +89,13 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -113,12 +113,12 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #Banner /some/path # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> @@ -128,11 +128,17 @@ AllowGroups <%= s %> # AllowTcpForwarding no # ForceCommand cvs server -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha2-512 <% end -%> +<% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> |