From ba8d788f89e2e8676985b40553a9f6794a322217 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Fri, 26 Sep 2008 17:28:05 -0400
Subject: add the sshd_strict_modes variable, with the default set to yes
---
 manifests/init.pp | 10 +++++++++-
 templates/sshd_config/CentOS_normal.erb | 8 +++++++-
 templates/sshd_config/Debian_normal.erb | 5 +++++
 templates/sshd_config/Gentoo_normal.erb | 8 +++++++-
 templates/sshd_config/OpenBSD_normal.erb | 8 +++++++-
 5 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index a58ee58..858e1b5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -56,9 +56,13 @@
 # Valid Values: yes or no
 # Default: yes
 #
-# sshd_rsa_authentication: If you wat to enable RSA Authentication
+# sshd_rsa_authentication: If you want to enable RSA Authentication
 # Valid Values: yes or no
 # Default: no
+#
+# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
+# Valid Values: yes or no
+# Default: yes
 class sshd {
 include sshd::client
@@ -113,6 +117,10 @@ class sshd::base {
 '' => 'no',
 default => $sshd_rsa_authentication
 }
+    $real_sshd_strict_modes = $sshd_strict_modes ? {
+        '' => 'yes',
+        default => $sshd_strict_modes
+    }
 file { 'sshd_config':
 path => '/etc/ssh/sshd_config',
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index dc57680..849d9fb 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -41,7 +41,13 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
-#StrictModes yes
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
 #MaxAuthTries 6
 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index deed847..7105dfd 100644
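Review bot: The new `$real_sshd_strict_modes` selector only substitutes the empty case and passes any other string through unchanged, so a mistyped value such as `Yes`, `true` or `on` reaches the templates unvalidated, and because every template tests `== 'yes'` such a value is rendered as `StrictModes no`. StrictModes is the check that makes sshd refuse keys and home directories with unsafe ownership or modes, so a typo should not be able to switch it off silently. The header comment in the first hunk documents the valid values as `yes or no`; the manifest should enforce that, failing the catalog on anything else, or at minimum make the unknown case fall back to the safe setting: `'' => 'yes', 'no' => 'no', default => 'yes'`. The enclosing `class sshd::base` starts and ends outside the hunk.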
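Review bot: The added `<%- if real_sshd_strict_modes.to_s == 'yes' then %>` emits `StrictModes no` for every value except the exact string `yes`, so any unexpected value disables the ownership and permission checks on the user's `~/.ssh` files; the same construct is introduced in Debian_normal.erb, Gentoo_normal.erb and OpenBSD_normal.erb. Inverting the test keeps the hardened setting as the fallback: `<%- if real_sshd_strict_modes.to_s == 'no' then %>` / `StrictModes no` / `<%- else %>` followed by `StrictModes yes` and `<%- end %>`. The Debian template previously emitted `StrictModes yes` unconditionally, so that file in particular moves from always-on to off-on-any-typo with this change.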
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -32,7 +32,12 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
 StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
 RSAAuthentication yes
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index 3feb4ea..04712bd 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -39,7 +39,13 @@ Protocol 2
 #LoginGraceTime 2m
 PermitRootLogin without-password
-#StrictModes yes
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
 <%- unless real_sshd_permit_root_login.to_s.empty? then %>
 PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index 47d4a08..b7e4673 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -37,7 +37,13 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
-#StrictModes yes
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
 #MaxAuthTries 6
 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
-- 
cgit v1.2.3