aboutsummaryrefslogtreecommitdiff
path: root/templates/sshd_config
diff options
context:
space:
mode:
Diffstat (limited to 'templates/sshd_config')
-rw-r--r--templates/sshd_config/CentOS.erb126
-rw-r--r--[l---------]templates/sshd_config/CentOS_Final.erb155
-rw-r--r--templates/sshd_config/Debian_etch.erb126
-rw-r--r--templates/sshd_config/Debian_lenny.erb132
-rw-r--r--templates/sshd_config/Debian_sid.erb162
-rw-r--r--templates/sshd_config/Debian_squeeze.erb162
-rw-r--r--[l---------]templates/sshd_config/Debian_wheezy.erb124
-rw-r--r--templates/sshd_config/FreeBSD.erb156
-rw-r--r--templates/sshd_config/Gentoo.erb136
-rw-r--r--templates/sshd_config/OpenBSD.erb124
-rw-r--r--[l---------]templates/sshd_config/Ubuntu.erb124
-rw-r--r--templates/sshd_config/Ubuntu_lucid.erb138
12 files changed, 723 insertions, 942 deletions
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 3d5b5b0..0f4bb1f 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -10,22 +10,22 @@
# possible, but leave them commented. Uncommented options change a
# default value.
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
# only protocol 2
Protocol 2
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
-<%- end -%>
+<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
@@ -48,83 +48,39 @@ SyslogFacility AUTHPRIV
# Authentication:
#LoginGraceTime 2m
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login %>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
#MaxAuthTries 6
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# Kerberos options
#KerberosAuthentication no
@@ -145,33 +101,21 @@ ChallengeResponseAuthentication no
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
#GatewayPorts no
#X11Forwarding no
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
#X11DisplayOffset 10
#X11UseLocalhost yes
-PrintMotd <%= sshd_print_motd %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
@@ -191,24 +135,20 @@ PrintMotd <%= sshd_print_motd %>
#Banner /some/path
# override default of no subsystems
-<%- if sshd_sftp_subsystem.to_s.empty? then -%>
-Subsystem sftp /usr/libexec/openssh/sftp-server
-<%- else -%>
-Subsystem sftp <%= sshd_sftp_subsystem %>
-<%- end -%>
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %>
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users %>
-<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then -%>
-AllowGroups <%= sshd_allowed_groups %>
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
<%- end -%>
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
-<%- end -%>
+<% end -%>
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
diff --git a/templates/sshd_config/CentOS_Final.erb b/templates/sshd_config/CentOS_Final.erb
index 03246aa..0f4bb1f 120000..100644
--- a/templates/sshd_config/CentOS_Final.erb
+++ b/templates/sshd_config/CentOS_Final.erb
@@ -1 +1,154 @@
-CentOS.erb \ No newline at end of file
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
+
+# only protocol 2
+Protocol 2
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= port %>
+<% end -%>
+<% end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
+ListenAddress <%= address %>
+<% end -%>
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 768
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
+
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
+
+#MaxAuthTries 6
+
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
+
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
+
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
+
+# similar for protocol version 2
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
+
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication mechanism.
+# Depending on your PAM configuration, this may bypass the setting of
+# PasswordAuthentication, PermitEmptyPasswords, and
+# "PermitRootLogin without-password". If you just want the PAM account and
+# session checks to run without PAM authentication, then enable this but set
+# ChallengeResponseAuthentication=no
+#UsePAM no
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner /some/path
+
+# override default of no subsystems
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
+
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index 1047222..ef4a5d1 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -1,21 +1,21 @@
# Package generated configuration file
# See the sshd(8) manpage for details
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
# What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
-<%- end -%>
+<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@@ -39,80 +39,36 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To change Kerberos options
#KerberosAuthentication no
@@ -123,11 +79,7 @@ PasswordAuthentication no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
KeepAlive yes
#UseLogin no
@@ -136,11 +88,7 @@ KeepAlive yes
#Banner /etc/issue.net
#ReverseMappingCheck yes
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem sftp /usr/lib/openssh/sftp-server
-<%- else %>
-Subsystem sftp <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -151,32 +99,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-PrintMotd <%= sshd_print_motd %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
-<%- end -%>
+<% end -%>
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 4ffb94c..8cbea30 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -1,21 +1,21 @@
# Package generated configuration file
# See the sshd(8) manpage for details
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
# What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
-<%- end -%>
+<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@@ -39,80 +39,36 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To change Kerberos options
#KerberosAuthentication no
@@ -123,11 +79,7 @@ PasswordAuthentication no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
KeepAlive yes
#UseLogin no
@@ -139,11 +91,7 @@ KeepAlive yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem sftp /usr/lib/openssh/sftp-server
-<%- else %>
-Subsystem sftp <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -154,38 +102,26 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
-<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-PrintMotd <%= sshd_print_motd %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
-<%- end -%>
+<% end -%>
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index b211708..9fc34d4 100644
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -3,21 +3,21 @@
# Package generated configuration file
# See the sshd(8) manpage for details
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
# What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
-<%- end -%>
+<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@@ -37,115 +37,47 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# Kerberos options
-<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
-KerberosAuthentication yes
-<%- else -%>
-KerberosAuthentication no
-<%- end -%>
-<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
-KerberosOrLocalPasswd yes
-<%- else -%>
-KerberosOrLocalPasswd no
-<%- end -%>
-<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
-KerberosTicketCleanup yes
-<%- else -%>
-KerberosTicketCleanup no
-<%- end -%>
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
# GSSAPI options
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPIAuthentication yes
-<%- else -%>
-GSSAPIAuthentication no
-<%- end -%>
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPICleanupCredentials yes
-<%- else -%>
-GSSAPICleanupCredentials yes
-<%- end -%>
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
-PrintMotd <%= sshd_print_motd %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
PrintLastLog yes
TCPKeepAlive yes
@@ -157,11 +89,7 @@ TCPKeepAlive yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem sftp /usr/lib/openssh/sftp-server
-<%- else %>
-Subsystem sftp <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -172,36 +100,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
-<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
-<%- end -%>
+<% end -%>
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index fb58e72..b2eb801 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -3,21 +3,21 @@
# Package generated configuration file
# See the sshd(8) manpage for details
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
# What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
-<%- end -%>
+<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@@ -37,115 +37,47 @@ LogLevel INFO
# Authentication:
LoginGraceTime 120
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# Kerberos options
-<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
-KerberosAuthentication yes
-<%- else -%>
-KerberosAuthentication no
-<%- end -%>
-<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
-KerberosOrLocalPasswd yes
-<%- else -%>
-KerberosOrLocalPasswd no
-<%- end -%>
-<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
-KerberosTicketCleanup yes
-<%- else -%>
-KerberosTicketCleanup no
-<%- end -%>
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
# GSSAPI options
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPIAuthentication yes
-<%- else -%>
-GSSAPIAuthentication no
-<%- end -%>
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPICleanupCredentials yes
-<%- else -%>
-GSSAPICleanupCredentials yes
-<%- end -%>
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
-PrintMotd <%= sshd_print_motd %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
PrintLastLog yes
TCPKeepAlive yes
@@ -157,11 +89,7 @@ TCPKeepAlive yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem sftp /usr/lib/openssh/sftp-server
-<%- else %>
-Subsystem sftp <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -172,36 +100,24 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
-<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
-<%- end -%>
+<% end -%>
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb
index 3faae05..9fc34d4 120000..100644
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -1 +1,123 @@
-Debian_sid.erb \ No newline at end of file
+# This file is managed by Puppet, all local modifications will be overwritten
+#
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
+
+# What ports, IPs and protocols we listen for
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= port %>
+<% end -%>
+<% end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
+
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
+
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
+
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
+
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
+# similar for protocol version 2
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
+
+# Kerberos options
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
+
+# GSSAPI options
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
+
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
+X11DisplayOffset 10
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
+PrintLastLog yes
+TCPKeepAlive yes
+
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
+
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index 9853f5d..9b98aec 100644
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@ -16,21 +16,21 @@
#VersionAddendum FreeBSD-20100308
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
# What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
-<%- end -%>
+<% end -%>
#AddressFamily any
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
@@ -55,52 +55,24 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
#MaxAuthTries 6
#MaxSessions 10
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
@@ -109,53 +81,21 @@ HostbasedAuthentication no
#IgnoreRhosts yes
# Change to yes to enable built-in password authentication.
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable PAM authentication
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# Kerberos options
-<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
-KerberosAuthentication yes
-<%- else -%>
-KerberosAuthentication no
-<%- end -%>
-<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
-KerberosOrLocalPasswd yes
-<%- else -%>
-KerberosOrLocalPasswd no
-<%- end -%>
-<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
-KerberosTicketCleanup yes
-<%- else -%>
-KerberosTicketCleanup no
-<%- end -%>
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
# GSSAPI options
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPIAuthentication yes
-<%- else -%>
-GSSAPIAuthentication no
-<%- end -%>
-<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
-GSSAPICleanupCredentials yes
-<%- else -%>
-GSSAPICleanupCredentials yes
-<%- end -%>
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -166,30 +106,14 @@ GSSAPICleanupCredentials yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
-<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
#GatewayPorts no
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
#X11UseLocalhost yes
@@ -212,11 +136,7 @@ TCPKeepAlive yes
#Banner none
# override default of no subsystems
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem sftp /usr/libexec/sftp-server
-<%- else %>
-Subsystem sftp <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %>
# Example of overriding settings on a per-user basis
#Match User anoncvs
@@ -224,20 +144,18 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# AllowTcpForwarding no
# ForceCommand cvs server
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
-<%- end -%>
-
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 8581804..1cb4522 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -10,20 +10,20 @@
# possible, but leave them commented. Uncommented options change a
# default value.
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
-<%- end -%>
+<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
#AddressFamily any
@@ -51,84 +51,39 @@ Protocol 2
# Authentication:
#LoginGraceTime 2m
-PermitRootLogin without-password
-
-<%- if sshd_strict_modes.to_s == 'yes' then %>
-StrictModes yes
-<%- else %>
-StrictModes no
-<%- end %>
-
-<%- unless sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= sshd_permit_root_login %>
-<%- else %>
-PermitRootLogin without-password
-<%- end %>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
+
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
+
#MaxAuthTries 6
-<%- if sshd_rsa_authentication.to_s == 'yes' then %>
-RSAAuthentication yes
-<%- else %>
-RSAAuthentication no
-<%- end %>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
-PubkeyAuthentication yes
-<%- else %>
-PubkeyAuthentication no
-<%- end %>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-<%- unless sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else %>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end %>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
-RhostsRSAAuthentication yes
-<%- else %>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
-HostbasedAuthentication yes
-<%- else %>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
-IgnoreRhosts yes
-<%- else %>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then %>
-PasswordAuthentication yes
-<%- else %>
-PasswordAuthentication no
-<%- end %>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
-ChallengeResponseAuthentication yes
-<%- else %>
-ChallengeResponseAuthentication no
-<%- end %>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# Kerberos options
#KerberosAuthentication no
@@ -151,27 +106,15 @@ ChallengeResponseAuthentication no
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then %>
-UsePAM yes
-<%- else %>
-UsePAM no
-<%- end %>
-
-<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
-AllowTcpForwarding yes
-<%- else %>
-AllowTcpForwarding no
-<%- end %>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
#GatewayPorts no
-<%- if sshd_x11_forwarding.to_s == 'yes' then %>
-X11Forwarding yes
-<%- else %>
-X11Forwarding no
-<%- end %>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
#X11DisplayOffset 10
#X11UseLocalhost yes
-PrintMotd <%= sshd_print_motd %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
@@ -189,11 +132,7 @@ PrintMotd <%= sshd_print_motd %>
#Banner /some/path
# override default of no subsystems
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem sftp /usr/lib/misc/sftp-server
-<%- else %>
-Subsystem sftp <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %>
# Example of overriding settings on a per-user basis
#Match User anoncvs
@@ -201,18 +140,19 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# AllowTcpForwarding no
# ForceCommand cvs server
-<%- unless sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= sshd_allowed_users %>
-<%- end %>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
-<%- end -%>
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index b6def87..6b474d7 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -8,20 +8,20 @@
# possible, but leave them commented. Uncommented options change a
# default value.
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
-<%- end -%>
+<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
#Protocol 2,1
@@ -45,83 +45,39 @@ ListenAddress <%= address %>
# Authentication:
#LoginGraceTime 2m
-<%- unless sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= sshd_permit_root_login %>
-<%- else %>
-PermitRootLogin without-password
-<%- end %>
-
-<%- if sshd_strict_modes.to_s == 'yes' then %>
-StrictModes yes
-<%- else %>
-StrictModes no
-<%- end %>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
+
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
#MaxAuthTries 6
-<%- if sshd_rsa_authentication.to_s == 'yes' then %>
-RSAAuthentication yes
-<%- else %>
-RSAAuthentication no
-<%- end %>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-<%- if sshd_pubkey_authentication.to_s == 'yes' then %>
-PubkeyAuthentication yes
-<%- else %>
-PubkeyAuthentication no
-<%- end %>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-<%- unless sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else %>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end %>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
-RhostsRSAAuthentication yes
-<%- else %>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then %>
-HostbasedAuthentication yes
-<%- else %>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then %>
-IgnoreRhosts yes
-<%- else %>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then %>
-PasswordAuthentication yes
-<%- else %>
-PasswordAuthentication no
-<%- end %>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then %>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then %>
-ChallengeResponseAuthentication yes
-<%- else %>
-ChallengeResponseAuthentication no
-<%- end %>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# Kerberos options
#KerberosAuthentication no
@@ -133,18 +89,10 @@ ChallengeResponseAuthentication no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-<%- if sshd_tcp_forwarding.to_s == 'yes' then %>
-AllowTcpForwarding yes
-<%- else %>
-AllowTcpForwarding no
-<%- end %>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
#GatewayPorts no
-<%- if sshd_x11_forwarding.to_s == 'yes' then %>
-X11Forwarding yes
-<%- else %>
-X11Forwarding no
-<%- end %>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd <%= sshd_print_motd %>
@@ -165,18 +113,14 @@ PrintMotd <%= sshd_print_motd %>
#Banner /some/path
# override default of no subsystems
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem sftp /usr/libexec/sftp-server
-<%- else %>
-Subsystem sftp <%= sshd_sftp_subsystem %>
-<%- end %>
-
-<%- unless sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= sshd_allowed_users %>
-<%- end %>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
# Example of overriding settings on a per-user basis
#Match User anoncvs
@@ -184,11 +128,11 @@ AllowGroups <%= sshd_allowed_groups %>
# AllowTcpForwarding no
# ForceCommand cvs server
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
-<%- end -%>
+<% end -%>
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb
index 11b0acc..b2eb801 120000..100644
--- a/templates/sshd_config/Ubuntu.erb
+++ b/templates/sshd_config/Ubuntu.erb
@@ -1 +1,123 @@
-Debian_squeeze.erb \ No newline at end of file
+# This file is managed by Puppet, all local modifications will be overwritten
+#
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
+
+# What ports, IPs and protocols we listen for
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= port %>
+<% end -%>
+<% end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
+
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
+
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
+
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
+
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
+# similar for protocol version 2
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
+
+# Kerberos options
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_aorlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
+
+# GSSAPI options
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
+
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
+X11DisplayOffset 10
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
+PrintLastLog yes
+TCPKeepAlive yes
+
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
+
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
+
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
+
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
+<%- end -%>
+
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb
index 304558b..cc6e921 100644
--- a/templates/sshd_config/Ubuntu_lucid.erb
+++ b/templates/sshd_config/Ubuntu_lucid.erb
@@ -1,21 +1,21 @@
# Package generated configuration file
# See the sshd(8) manpage for details
-<%- unless sshd_head_additional_options.to_s.empty? then %>
-<%= sshd_head_additional_options %>
-<%- end %>
+<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
+<%= s %>
+<% end -%>
# What ports, IPs and protocols we listen for
-<%- sshd_ports.each do |port| -%>
-<%- if port.to_s == 'off' then -%>
+<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
+<% if port == 'off' -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
-<%- end -%>
+<% end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in sshd_listen_address -%>
+<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
@@ -39,80 +39,36 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
-<%- unless sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
+PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-<%- if sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
+StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
-<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
+RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
+PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
+AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
# For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
+IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
# similar for protocol version 2
-<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
+HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
+PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
# Change to no to disable s/key passwords
-<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
+ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
# To disable tunneled clear text passwords, change to no here!
-<%- if sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
+PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
# To change Kerberos options
#KerberosAuthentication no
@@ -123,11 +79,7 @@ PasswordAuthentication no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
-<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
+X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
X11DisplayOffset 10
KeepAlive yes
#UseLogin no
@@ -136,11 +88,7 @@ KeepAlive yes
#Banner /etc/issue.net
#ReverseMappingCheck yes
-<%- if sshd_sftp_subsystem.to_s.empty? then %>
-Subsystem sftp /usr/lib/openssh/sftp-server
-<%- else %>
-Subsystem sftp <%= sshd_sftp_subsystem %>
-<%- end %>
+Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -151,42 +99,28 @@ Subsystem sftp <%= sshd_sftp_subsystem %>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-<%- if sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
+UsePAM <%= scope.lookupvar('sshd::use_pam') %>
HostbasedUsesNameFromPacketOnly yes
-<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
-
-<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
+AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
-ChallengeResponseAuthentication no
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
-<%- unless sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= sshd_allowed_users -%>
+<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
+AllowUsers <%= s %>
+<% end -%>
+<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
+AllowGroups <%= s %>
<%- end -%>
-<%- unless sshd_allowed_groups.to_s.empty? then %>
-AllowGroups <%= sshd_allowed_groups %>
-<%- end %>
-
-PrintMotd <%= sshd_print_motd %>
-<%- unless sshd_tail_additional_options.to_s.empty? then %>
-<%= sshd_tail_additional_options %>
-<%- end %>
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
-<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
-Ciphers aes128-ctr
+<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+Ciphers aes256-ctr
MACs hmac-sha1
-<%- end %>
+<% end -%>
+
+<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+<%= s %>
+<% end -%>