From d827a52614fc41ca98e2f2fc453da2e2ae4965ec Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 16:51:32 -0400 Subject: rename the templates to coincide with the downcased lsbdistcodename also add a missing comma in the content selector --- manifests/init.pp | 2 +- templates/sshd_config/Debian_Etch.erb | 163 ------------------------------- templates/sshd_config/Debian_Lenny.erb | 169 --------------------------------- templates/sshd_config/Debian_etch.erb | 163 +++++++++++++++++++++++++++++++ templates/sshd_config/Debian_lenny.erb | 169 +++++++++++++++++++++++++++++++++ 5 files changed, 333 insertions(+), 333 deletions(-) delete mode 100644 templates/sshd_config/Debian_Etch.erb delete mode 100644 templates/sshd_config/Debian_Lenny.erb create mode 100644 templates/sshd_config/Debian_etch.erb create mode 100644 templates/sshd_config/Debian_lenny.erb diff --git a/manifests/init.pp b/manifests/init.pp index be33d7d..519e242 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -191,7 +191,7 @@ class sshd::base { content => $lsbdistcodename ? { '' => template("sshd/sshd_config/${operatingsystem}.erb"), default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), - } + }, notify => Service[sshd], } # Now add the key, if we've got one diff --git a/templates/sshd_config/Debian_Etch.erb b/templates/sshd_config/Debian_Etch.erb deleted file mode 100644 index 09be201..0000000 --- a/templates/sshd_config/Debian_Etch.erb +++ /dev/null @@ -1,163 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for details - -# What ports, IPs and protocols we listen for -<%- unless real_sshd_port.to_s.empty? then -%> -Port <%= real_sshd_port -%> -<%- else -%> -Port 22 -<%- end -%> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> -ListenAddress <%= address %> -<% end -%> -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= real_sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> - -<%- if real_sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> - -<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> - -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> - -<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> - -# For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> - -# Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> -IgnoreRhosts yes -<%- else -%> -IgnoreRhosts no -<% end -%> - -# similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> - -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> - -# Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> - -# To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> - -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> -X11DisplayOffset 10 -KeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes - -#Subsystem sftp /usr/lib/sftp-server - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no -<%- end -%> - -HostbasedUsesNameFromPacketOnly yes - -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> - -ChallengeResponseAuthentication no - -<%- unless real_sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= real_sshd_allowed_users -%> -<%- end -%> - diff --git a/templates/sshd_config/Debian_Lenny.erb b/templates/sshd_config/Debian_Lenny.erb deleted file mode 100644 index bb39736..0000000 --- a/templates/sshd_config/Debian_Lenny.erb +++ /dev/null @@ -1,169 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for details - -# What ports, IPs and protocols we listen for -<%- unless real_sshd_port.to_s.empty? then -%> -Port <%= real_sshd_port -%> -<%- else -%> -Port 22 -<%- end -%> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> -ListenAddress <%= address %> -<% end -%> -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= real_sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> - -<%- if real_sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> - -<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> - -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> - -<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> - -# For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> - -# Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> -IgnoreRhosts yes -<%- else -%> -IgnoreRhosts no -<% end -%> - -# similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> - -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> - -# Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> - -# To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> - -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> -X11DisplayOffset 10 -KeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes - -#Subsystem sftp /usr/lib/sftp-server - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no -<%- end -%> - -HostbasedUsesNameFromPacketOnly yes - -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> - -<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%> -AllowAgentForwarding yes -<%- else -%> -AllowAgentForwarding no -<%- end -%> - -ChallengeResponseAuthentication no - -<%- unless real_sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= real_sshd_allowed_users -%> -<%- end -%> - diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb new file mode 100644 index 0000000..09be201 --- /dev/null +++ b/templates/sshd_config/Debian_etch.erb @@ -0,0 +1,163 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +# What ports, IPs and protocols we listen for +<%- unless real_sshd_port.to_s.empty? then -%> +Port <%= real_sshd_port -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless real_sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless real_sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= real_sshd_allowed_users -%> +<%- end -%> + diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb new file mode 100644 index 0000000..bb39736 --- /dev/null +++ b/templates/sshd_config/Debian_lenny.erb @@ -0,0 +1,169 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +# What ports, IPs and protocols we listen for +<%- unless real_sshd_port.to_s.empty? then -%> +Port <%= real_sshd_port -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless real_sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless real_sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= real_sshd_allowed_users -%> +<%- end -%> + -- cgit v1.2.3