From 6f5a865b583b1cc2c51484ce03f88be52e2c5b8d Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Fri, 26 Sep 2008 17:10:33 -0400
Subject: add sshd_pubkey_authentication variable, with the default set to yes
---
 manifests/init.pp | 8 ++++++++
 templates/sshd_config/CentOS_normal.erb | 6 +++++-
 templates/sshd_config/Debian_normal.erb | 5 +++++
 templates/sshd_config/Gentoo_normal.erb | 6 +++++-
 templates/sshd_config/OpenBSD_normal.erb | 7 ++++++-
 5 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 029ab95..413c46a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -51,6 +51,10 @@
 # sshd_agent_forwarding: If you want to allow ssh-agent forwarding
 # Valid Values: yes or no
 # Default: no
+#
+# sshd_pubkey_authentication: If you want to enable public key authentication
+# Valid Values: yes or no
+# Default: yes
 class sshd {
 include sshd::client
@@ -97,6 +101,10 @@ class sshd::base {
 '' => 'no',
 default => $sshd_challenge_response_authentication
 }
+ $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
+ '' => 'no',
+ default => $sshd_pubkey_authentication
+ }
 file { 'sshd_config':
 path => '/etc/ssh/sshd_config',
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index a053001..b0bea46 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -45,7 +45,11 @@ PermitRootLogin without-password
 #MaxAuthTries 6
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
 #AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index a1d7a45..d105ecc 100644
--- a/templates/sshd_config/Debian_normal.erb
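Review bot: The selector added for `$real_sshd_pubkey_authentication` maps the unset case `''` to `'no'`, which contradicts both the new header comment (`# Default: yes`) and the commit subject. A node that never sets `$sshd_pubkey_authentication` would get `PubkeyAuthentication no`, and since the templates carry `PermitRootLogin without-password`, that presumably leaves root without a usable login method and pushes other accounts onto password authentication. The empty-string arm should read `'' => 'yes',`. The body of `class sshd::base` continues outside the hunk.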
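Review bot: The condition reads `real_sshd_sshd_pubkey_authentication` (with `sshd_` doubled), but the manifest hunk defines `$real_sshd_pubkey_authentication`, so the template never sees the configured value. Depending on how this Puppet version resolves an unknown template variable, either the catalog fails to compile or the `else` branch always wins and `PubkeyAuthentication no` is written regardless of the setting. The line should be `<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>`; the same misspelling is in the Debian, Gentoo and OpenBSD hunks.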
+++ b/templates/sshd_config/Debian_normal.erb
@@ -35,7 +35,12 @@ PermitRootLogin without-password
 StrictModes yes
 RSAAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
 PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
+
 #AuthorizedKeysFile %h/.ssh/authorized_keys
 # rhosts authentication should not be used
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index 5605f14..3538754 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -48,7 +48,11 @@ PermitRootLogin without-password
 #MaxAuthTries 6
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
 #AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index 954b420..bee3548 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -41,7 +41,12 @@ PermitRootLogin without-password
 #MaxAuthTries 6
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
+
 #AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-- 
cgit v1.2.3
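Review bot: The exact comparison `.to_s == 'yes'` in the Debian hunk turns every other value into a request to disable key authentication, on the one template that previously emitted `PubkeyAuthentication yes` unconditionally. A value such as `Yes` or `true`, or one with stray whitespace, would silently render `PubkeyAuthentication no` and change which login methods the host offers. Passing the value through, `PubkeyAuthentication <%= real_sshd_pubkey_authentication %>`, lets sshd reject a bad setting loudly; alternatively the manifest could fail the run on anything other than yes/no.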