From fd82841c1f03d22acf4ed448cd22743a785f573e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 12:45:14 -0400 Subject: Change 'hardened_ssl' paramter to simply 'hardened', this makes more sense in general --- README.md | 8 ++++++-- manifests/init.pp | 2 +- templates/sshd_config/CentOS_6.erb | 2 +- templates/sshd_config/CentOS_7.erb | 2 +- templates/sshd_config/Debian_jessie.erb | 2 +- templates/sshd_config/Debian_sid.erb | 2 +- templates/sshd_config/Debian_squeeze.erb | 2 +- templates/sshd_config/Debian_wheezy.erb | 2 +- templates/sshd_config/FreeBSD.erb | 2 +- templates/sshd_config/Gentoo.erb | 2 +- templates/sshd_config/OpenBSD.erb | 2 +- templates/sshd_config/Ubuntu.erb | 2 +- templates/sshd_config/Ubuntu_lucid.erb | 2 +- 13 files changed, 18 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index cbe0bba..77e4d29 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,10 @@ This puppet module manages OpenSSH configuration and services. +**!! Upgrade Notice (05/2015) !!** + +The hardened_ssl parameter name was changed to simply 'hardened'. + **!! Upgrade Notice (01/2013) !!** This module now uses parameterized classes, where it used global variables @@ -179,8 +183,8 @@ The following is a list of the currently available variables: Set this to the location of the AuthorizedKeysFile (e.g. `/etc/ssh/authorized_keys/%u`). Default: `AuthorizedKeysFile %h/.ssh/authorized_keys` - - `hardened_ssl` - Use only strong SSL ciphers and MAC. + - `hardened` + Use only strong ciphers, MAC, KexAlgorithms, etc. Values: - `no` (default) - `yes` diff --git a/manifests/init.pp b/manifests/init.pp index 0f8c472..2dfc71c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -40,7 +40,7 @@ class sshd( OpenBSD => '%h/.ssh/authorized_keys', default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2', }, - $hardened_ssl = 'no', + $hardened = 'no', $sftp_subsystem = '', $head_additional_options = '', $tail_additional_options = '', 
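Review bot: Removing `$hardened_ssl` from the `sshd` class parameter list in `manifests/init.pp` with no compatibility path can switch hardening off without notice. A node that still supplies the old name through data binding (for example a Hiera key `sshd::hardened_ssl`) would presumably fall back to `$hardened = 'no'`, whereas a resource-style declaration should fail at compile time. Consider keeping the old name for one release as `$hardened_ssl = undef,` and adding `if $hardened_ssl != undef { fail('sshd: hardened_ssl was renamed to hardened') }` to the class body, so the rename is loud in every case. The class body lies outside this hunk, so whether such a guard already exists cannot be seen from here.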
diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 47cb077..97e9a5b 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -150,7 +150,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index 7db2277..cad9f59 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -164,7 +164,7 @@ AllowGroups <%= s %> #Host *.local # CheckHostIP no -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 033f409..ada3891 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -111,7 +111,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 033f409..ada3891 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -111,7 +111,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 0ba323f..d42fac1 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb 
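Review bot: The block guarded by `sshd::hardened` in `CentOS_6.erb` still emits only `Ciphers aes256-ctr` and `MACs hmac-sha1`, while the README text changed in this same commit describes the parameter as covering "ciphers, MAC, KexAlgorithms, etc."; no `KexAlgorithms` line is visible inside the guard, and the identical hunks in the other ten templates show the same two directives. Either narrow the README wording or add the key-exchange restriction per platform, and document the scope above the guard, e.g. `<%# hardened: restricts Ciphers and MACs only; values must be supported by this platform's sshd -%>`. `hmac-sha1` is also a weak fit for a switch named `hardened` wherever the target's OpenSSH offers SHA-2 MACs; that depends on each platform's version and should be checked per template rather than assumed.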
@@ -115,7 +115,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index cd4bf48..4633c09 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -114,7 +114,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index d4cd9b5..f5bd439 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -152,7 +152,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 1cb4522..6e51b4c 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -147,7 +147,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index aa92eb6..7577bac 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -128,7 +128,7 @@ AllowGroups <%= s %> # AllowTcpForwarding no # ForceCommand cvs server -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> 
diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 0ba323f..d42fac1 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -115,7 +115,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index cff95a7..1ed8fd7 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -118,7 +118,7 @@ AllowGroups <%= s %> PrintMotd <%= scope.lookupvar('sshd::print_motd') %> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> -- cgit v1.2.3