diff options
Diffstat (limited to 'templates/sshd_config')
-rw-r--r-- | templates/sshd_config/Debian_etch.erb | 126 |
1 files changed, 0 insertions, 126 deletions
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb deleted file mode 100644 index 104e641..0000000 --- a/templates/sshd_config/Debian_etch.erb +++ /dev/null @@ -1,126 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for details - -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> -<%= s %> -<% end -%> - -# What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> -<% if port == 'off' -%> -#Port -- disabled by puppet -<% else -%> -Port <%= port %> -<% end -%> -<% end -%> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> -ListenAddress <%= address %> -<% end -%> -Protocol 2 -# HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> -HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key -<% end -%> - -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> - -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> - -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> - -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> - -# similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> - -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> - -# Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> - -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> -X11DisplayOffset 10 -KeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes - -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> - -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> - -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> -AllowUsers <%= s %> -<% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> -AllowGroups <%= s %> -<%- end -%> - -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> - -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> -Ciphers aes256-ctr -MACs hmac-sha1 -<% end -%> - -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> -<%= s %> -<% end -%> |