From c99ff17b1fc6769cc1323a7857a1234dc408dc9b Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 21 Feb 2011 18:29:25 +0100 Subject: Resync Debian sid template with the Squeeze's one. Currently, the only difference is LoginGraceTime, that defaults to 600 in sid. --- templates/sshd_config/Debian_sid.erb | 50 ++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 16 deletions(-) diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 13895b7..acb79e3 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -1,19 +1,19 @@ +# This file is managed by Puppet, all local modifications will be overwritten +# # Package generated configuration file -# See the sshd_config(5) manpage for details +# See the sshd(8) manpage for details <%- unless sshd_head_additional_options.to_s.empty? then %> <%= sshd_head_additional_options %> <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to @@ -85,7 +85,6 @@ HostbasedAuthentication yes <%- else -%> HostbasedAuthentication no <% end -%> - # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes @@ -104,7 +103,7 @@ ChallengeResponseAuthentication yes ChallengeResponseAuthentication no <%- end -%> -# Change to no to disable tunnelled clear text passwords +# To disable tunneled clear text passwords, change to no here! <%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes <%- else -%> @@ -112,14 +111,33 @@ PasswordAuthentication no <%- end -%> # Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes +<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> +KerberosAuthentication yes +<%- else -%> +KerberosAuthentication no +<%- end -%> +<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> +KerberosOrLocalPasswd yes +<%- else -%> +KerberosOrLocalPasswd no +<%- end -%> +<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> +KerberosTicketCleanup yes +<%- else -%> +KerberosTicketCleanup no +<%- end -%> # GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPIAuthentication yes +<%- else -%> +GSSAPIAuthentication no +<%- end -%> +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPICleanupCredentials yes +<%- else -%> +GSSAPICleanupCredentials yes +<%- end -%> <%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes @@ -130,6 +148,7 @@ X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes + #UseLogin no #MaxStartups 10:30:60 @@ -159,7 +178,7 @@ UsePAM yes UsePAM no <%- end -%> -#HostbasedUsesNameFromPacketOnly yes +HostbasedUsesNameFromPacketOnly yes <%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes @@ -183,4 +202,3 @@ AllowGroups <%= sshd_allowed_groups %> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - -- cgit v1.2.3