From 3bd90d741c35ae242befd955566e3f28cf76b81b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 16:57:59 -0400 Subject: Add the variable AllowAgentForwarding to be set, with the default of 'no', only the Debian template was adjusted for this, as my knowledge of the other operating systems is not good enough to determine the appropriate setting there --- manifests/init.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 95682fd..4e796f3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -43,6 +43,9 @@ # Valid Values: yes or no # Default: no # +# sshd_agent_forwarding: If you want to allow ssh-agent forwarding +# Valid Values: yes or no +# Default: no class sshd { include sshd::client @@ -81,6 +84,10 @@ class sshd::base { '' => 'no', default => $sshd_x11_forwarding } + $real_sshd_agent_forwarding = $sshd_agent_forwarding ? { + '' => 'no', + default => $sshd_agent_forwarding + } file { 'sshd_config': path => '/etc/ssh/sshd_config', -- cgit v1.2.3 From 51c18b6b8f71a925e3c94b459dbc257f2466c453 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:05:49 -0400 Subject: added sshd_challenge_response_authentication variable, with the default value set to no --- manifests/init.pp | 9 +++++++++ templates/sshd_config/CentOS_normal.erb | 5 ++++- templates/sshd_config/Debian_normal.erb | 8 ++++++-- templates/sshd_config/Gentoo_normal.erb | 6 +++++- templates/sshd_config/OpenBSD_normal.erb | 6 +++++- 5 files changed, 29 insertions(+), 5 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 4e796f3..029ab95 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
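Review bot: The `'' => 'no'` default for `$real_sshd_agent_forwarding` in the `sshd::base` hunk is only enforced where a template actually emits `AllowAgentForwarding`, and the commit message says only the Debian template was adjusted; on CentOS, Gentoo and OpenBSD sshd's built-in default for that keyword (yes) stays in effect, so the header's `Default: no` is not true there. Suggest recording this limitation next to the new header entry, e.g. `# Note: currently only the Debian template honours this setting`, until the other templates gain the directive. The `sshd::base` class continues outside the hunk.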
@@ -38,6 +38,11 @@ # sshd_password_authentication: If you want to enable password authentication or not # Valid values: yes or no # Default: no +# +# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not +# When disabled, s/key passowords are disabled +# Valid values: yes or no +# Default: no # # sshd_x11_forwarding: If you want to enable x11 forwarding # Valid Values: yes or no @@ -88,6 +93,10 @@ class sshd::base { '' => 'no', default => $sshd_agent_forwarding } + $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? { + '' => 'no', + default => $sshd_challenge_response_authentication + } file { 'sshd_config': path => '/etc/ssh/sshd_config', diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index a14120f..a053001 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -67,8 +67,11 @@ PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> ChallengeResponseAuthentication no +<%- end %> # Kerberos options #KerberosAuthentication no diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index d9237c6..a1d7a45 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb 
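Review bot: The added header comment has a typo, `s/key passowords` → `s/key passwords`, and it understates what the option controls: in OpenSSH `ChallengeResponseAuthentication` also governs keyboard-interactive authentication (including PAM-driven prompts), not only s/key. Suggest `# When disabled, s/key and other keyboard-interactive (e.g. PAM) logins are disabled` so an operator who relies on PAM prompts is not surprised by the `no` default. The CentOS template hunk on this line, and the Debian/Gentoo/OpenBSD hunks on the next, use the same `real_sshd_challenge_response_authentication` name as the manifest, so they need no change.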
@@ -52,8 +52,12 @@ HostbasedAuthentication no # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no -# Uncomment to disable s/key passwords -#ChallengeResponseAuthentication no +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> # To disable tunneled clear text passwords, change to no here! <%- if real_sshd_password_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index aa98ae8..5605f14 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -70,7 +70,11 @@ PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> # Kerberos options #KerberosAuthentication no diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index 0b84d25..954b420 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -63,7 +63,11 @@ PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> # Kerberos options #KerberosAuthentication no -- cgit v1.2.3 From 6f5a865b583b1cc2c51484ce03f88be52e2c5b8d Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Fri, 26 Sep 2008 17:10:33 -0400 Subject: add sshd_pubkey_authentication variable, with the default set to yes --- manifests/init.pp | 8 ++++++++ templates/sshd_config/CentOS_normal.erb | 6 +++++- templates/sshd_config/Debian_normal.erb | 5 +++++ templates/sshd_config/Gentoo_normal.erb | 6 +++++- templates/sshd_config/OpenBSD_normal.erb | 7 ++++++- 5 files changed, 29 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 029ab95..413c46a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -51,6 +51,10 @@ # sshd_agent_forwarding: If you want to allow ssh-agent forwarding # Valid Values: yes or no # Default: no +# +# sshd_pubkey_authentication: If you want to enable public key authentication +# Valid Values: yes or no +# Default: yes class sshd { include sshd::client @@ -97,6 +101,10 @@ class sshd::base { '' => 'no', default => $sshd_challenge_response_authentication } + $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? { + '' => 'no', + default => $sshd_pubkey_authentication + } file { 'sshd_config': path => '/etc/ssh/sshd_config', diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index a053001..b0bea46 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -45,7 +45,11 @@ PermitRootLogin without-password #MaxAuthTries 6 #RSAAuthentication yes -#PubkeyAuthentication yes +<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index a1d7a45..d105ecc 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb 
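Review bot: The default in the `sshd::base` hunk contradicts both the header entry and the commit subject: `'' => 'no',` should be `'' => 'yes',` for `$real_sshd_pubkey_authentication`, otherwise a host applying defaults renders `PubkeyAuthentication no`. Independently, all four templates test `real_sshd_sshd_pubkey_authentication` (doubled `sshd_`), a name the manifest never sets; whatever the template scope returns for an unknown name will not equal `'yes'`, so the directive is rendered `no` even when the manifest variable is set — change the condition to `<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>` in the CentOS hunk here and in the Debian, Gentoo and OpenBSD hunks on the next line. Because `sshd_password_authentication` also defaults to `no` (header context in the second commit), the combined effect is a default configuration that accepts neither password nor public-key logins, i.e. a lockout on the next agent run.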
@@ -35,7 +35,12 @@ PermitRootLogin without-password StrictModes yes RSAAuthentication yes +<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + #AuthorizedKeysFile %h/.ssh/authorized_keys # rhosts authentication should not be used diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index 5605f14..3538754 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -48,7 +48,11 @@ PermitRootLogin without-password #MaxAuthTries 6 #RSAAuthentication yes -#PubkeyAuthentication yes +<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index 954b420..bee3548 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -41,7 +41,12 @@ PermitRootLogin without-password #MaxAuthTries 6 #RSAAuthentication yes -#PubkeyAuthentication yes +<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -- cgit v1.2.3 From 19b49e80ee3b468ce1754f7b5dd62995f37b5e86 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Fri, 26 Sep 2008 17:21:01 -0400 Subject: add the sshd_rsa_authentication option, default set to no --- manifests/init.pp | 8 ++++++++ templates/sshd_config/CentOS_normal.erb | 7 ++++++- templates/sshd_config/Debian_normal.erb | 5 +++++ templates/sshd_config/Gentoo_normal.erb | 7 ++++++- templates/sshd_config/OpenBSD_normal.erb | 7 ++++++- 5 files changed, 31 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 413c46a..a58ee58 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -55,6 +55,10 @@ # sshd_pubkey_authentication: If you want to enable public key authentication # Valid Values: yes or no # Default: yes +# +# sshd_rsa_authentication: If you wat to enable RSA Authentication +# Valid Values: yes or no +# Default: no class sshd { include sshd::client @@ -105,6 +109,10 @@ class sshd::base { '' => 'no', default => $sshd_pubkey_authentication } + $real_sshd_rsa_authentication = $sshd_rsa_authentication ? { + '' => 'no', + default => $sshd_rsa_authentication + } file { 'sshd_config': path => '/etc/ssh/sshd_config', diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index b0bea46..a5c9c89 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -44,7 +44,12 @@ PermitRootLogin without-password #StrictModes yes #MaxAuthTries 6 -#RSAAuthentication yes +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + <%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index d105ecc..985840c 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb 
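Review bot: The header entry `# sshd_rsa_authentication: If you wat to enable RSA Authentication` invites confusion with public-key authentication: `RSAAuthentication` applies only to SSH protocol 1, and the templates pin `Protocol 2` (visible in the later `sshd_port` hunks), so this knob has no effect on protocol-2 RSA keys, which are governed by `sshd_pubkey_authentication`. Suggest `# sshd_rsa_authentication: If you want to enable RSAAuthentication (SSH protocol 1 only; protocol 2 key auth is sshd_pubkey_authentication)`. The `wat` typo is already corrected by the following commit.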
@@ -34,7 +34,12 @@ PermitRootLogin without-password <%- end %> StrictModes yes +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + <%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index 3538754..ee27732 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -47,7 +47,12 @@ PermitRootLogin without-password <%- end %> #MaxAuthTries 6 -#RSAAuthentication yes +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + <%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index bee3548..3043922 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -40,7 +40,12 @@ PermitRootLogin without-password #StrictModes yes #MaxAuthTries 6 -#RSAAuthentication yes +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + <%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> -- cgit v1.2.3 From ba8d788f89e2e8676985b40553a9f6794a322217 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:28:05 -0400 Subject: add the sshd_strict_modes variable, with the default set to yes --- manifests/init.pp | 10 +++++++++- templates/sshd_config/CentOS_normal.erb | 8 +++++++- templates/sshd_config/Debian_normal.erb | 5 +++++ templates/sshd_config/Gentoo_normal.erb | 8 +++++++- templates/sshd_config/OpenBSD_normal.erb | 8 +++++++- 5 files changed, 35 insertions(+), 4 deletions(-) (limited to 'manifests') 
diff --git a/manifests/init.pp b/manifests/init.pp index a58ee58..858e1b5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -56,9 +56,13 @@ # Valid Values: yes or no # Default: yes # -# sshd_rsa_authentication: If you wat to enable RSA Authentication +# sshd_rsa_authentication: If you want to enable RSA Authentication # Valid Values: yes or no # Default: no +# +# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login) +# Valid Values: yes or no +# Default: yes class sshd { include sshd::client @@ -113,6 +117,10 @@ class sshd::base { '' => 'no', default => $sshd_rsa_authentication } + $real_sshd_strict_modes = $sshd_strict_modes ? { + '' => 'yes', + default => $sshd_strict_modes + } file { 'sshd_config': path => '/etc/ssh/sshd_config', diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index dc57680..849d9fb 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -41,7 +41,13 @@ PermitRootLogin <%= real_sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> -#StrictModes yes + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + #MaxAuthTries 6 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index deed847..7105dfd 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb @@ -32,7 +32,12 @@ PermitRootLogin <%= real_sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> StrictModes yes +<%- else %> +StrictModes no +<%- end %> <%- if real_sshd_rsa_authentication.to_s == 'yes' then %> RSAAuthentication yes 
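Review bot: The branch added in the CentOS and Debian template hunks renders `StrictModes no` for every value other than the exact string `yes`, and the manifest hunk passes any non-empty value through unchanged, so a typo such as `Yes` or `true` silently disables the file-ownership and permission checks. For an option whose safe value is `yes`, the manifest should reject values other than `yes`/`no` rather than let the template fail open; the same coercion pattern is used by every option in this series, but StrictModes is the first where it weakens a protective default. At minimum document it in the header entry: `# Any value other than exactly 'yes' is rendered as 'no'`. The enclosing `sshd::base` class continues outside the hunk.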
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index 3feb4ea..04712bd 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -39,7 +39,13 @@ Protocol 2 #LoginGraceTime 2m PermitRootLogin without-password -#StrictModes yes + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + <%- unless real_sshd_permit_root_login.to_s.empty? then %> PermitRootLogin <%= real_sshd_permit_root_login %> <%- else %> diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index 47d4a08..b7e4673 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -37,7 +37,13 @@ PermitRootLogin <%= real_sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> -#StrictModes yes + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + #MaxAuthTries 6 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %> -- cgit v1.2.3 From 9edd2705d4c59ac8cb75a67b587d06d32cb5e6c6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:30:28 -0400 Subject: add sshd_ignore_rhosts option, default set to yes --- manifests/init.pp | 4 ++++ templates/sshd_config/CentOS_normal.erb | 7 ++++++- templates/sshd_config/Debian_normal.erb | 6 ++++++ templates/sshd_config/Gentoo_normal.erb | 7 ++++++- templates/sshd_config/OpenBSD_normal.erb | 7 ++++++- 5 files changed, 28 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 858e1b5..cf089bc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -121,6 +121,10 @@ class sshd::base { '' => 'yes', default => $sshd_strict_modes } + $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? { + '' => 'yes', + default => $sshd_ignore_rhosts + } file { 'sshd_config': path => '/etc/ssh/sshd_config', 
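Review bot: In the Gentoo hunk the new `StrictModes` block is inserted between a hard-coded `PermitRootLogin without-password` and the templated `PermitRootLogin <%= real_sshd_permit_root_login %>` block that follows it; sshd honours the first occurrence of each keyword, so the templated value appears to be ignored on Gentoo. That duplication is pre-existing context rather than something this commit introduces, but since the commit is reworking exactly this region it would be the place to drop the hard-coded line. The OpenBSD hunk does not show the problem — its context has only the gated block.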
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index 849d9fb..e2b4005 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -70,8 +70,13 @@ PubkeyAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no + # Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> # To disable tunneled clear text passwords, change to no here! <%- if real_sshd_password_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index 7105dfd..155c4da 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb @@ -55,8 +55,14 @@ PubkeyAuthentication no # rhosts authentication should not be used #RhostsAuthentication no + # Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> + # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index 04712bd..c8dbda4 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb 
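Review bot: Both template hunks gate `IgnoreRhosts` on `real_sshd_pubkey_authentication` instead of the `$real_sshd_ignore_rhosts` that the manifest hunk on the previous line defines, so the new option is dead and `IgnoreRhosts` silently follows the public-key setting; the condition should read `<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>` here and in the Gentoo and OpenBSD hunks on the next line. Combined with the `pubkey` default and variable-name problems noted on the earlier commit, the rendered result is `IgnoreRhosts no`, which reverses the documented default of `yes` and lets sshd consult users' `~/.rhosts`/`~/.shosts` files. Stylistically, the closing tag `<% end -%>` differs from the `<%- end %>` used by the neighbouring blocks and strips blank lines differently.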
@@ -73,8 +73,13 @@ PubkeyAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no + # Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> # To disable tunneled clear text passwords, change to no here! <%- if real_sshd_password_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index b7e4673..420f9cc 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -67,8 +67,13 @@ PubkeyAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no + # Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> # To disable tunneled clear text passwords, change to no here! <%- if real_sshd_password_authentication.to_s == 'yes' then %> -- cgit v1.2.3 From 06163fbb920bf7f8dbb7ae2018e1f861003ed9ce Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:34:09 -0400 Subject: added sshd_rhosts_rsa_authentication variable, default set to no added sshd_hostbased_authentication variable, default set to no --- manifests/init.pp | 16 ++++++++++++++++ templates/sshd_config/CentOS_normal.erb | 14 ++++++++++++-- templates/sshd_config/Debian_normal.erb | 15 +++++++++++---- templates/sshd_config/Gentoo_normal.erb | 14 ++++++++++++-- templates/sshd_config/OpenBSD_normal.erb | 14 ++++++++++++-- 5 files changed, 63 insertions(+), 10 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index cf089bc..02f2e42 100644 --- a/manifests/init.pp 
+++ b/manifests/init.pp @@ -60,6 +60,14 @@ # Valid Values: yes or no # Default: no # +# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication +# Valid Values: yes or no +# Default: no +# +# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication +# Valid Values: yes or no +# Default: no +# # sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login) # Valid Values: yes or no # Default: yes @@ -125,6 +133,14 @@ class sshd::base { '' => 'yes', default => $sshd_ignore_rhosts } + $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? { + '' => 'no', + default => $sshd_rhosts_rsa_authentication + } + $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? { + '' => 'no', + default => $sshd_hostbased_authentication + } file { 'sshd_config': path => '/etc/ssh/sshd_config', diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index e2b4005..0dbe4e6 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -64,9 +64,19 @@ PubkeyAuthentication no #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + # similar for protocol version 2 -#HostbasedAuthentication no +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index 155c4da..28e799d 100644 --- a/templates/sshd_config/Debian_normal.erb 
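Review bot: The header entries for `sshd_rhosts_rsa_authentication` and `sshd_hostbased_authentication` say nothing about the trust they introduce: both accept logins on the strength of the client host's key, and the template context shows `#IgnoreUserKnownHosts no` left commented, so when either is enabled a user-controlled `~/.ssh/known_hosts` can satisfy the host check. Suggest adding `# Note: RhostsRSAAuthentication is SSH protocol 1 only; when enabling either option consider IgnoreUserKnownHosts yes` under the new header lines. The `<% end -%>` closing tags in the CentOS hunk are again inconsistent with the `<%- end %>` form used elsewhere in that template.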
+++ b/templates/sshd_config/Debian_normal.erb @@ -53,8 +53,12 @@ PubkeyAuthentication no #AuthorizedKeysFile %h/.ssh/authorized_keys -# rhosts authentication should not be used -#RhostsAuthentication no +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> # Don't read the user's ~/.rhosts and ~/.shosts files <%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> @@ -63,10 +67,13 @@ IgnoreRhosts yes IgnoreRhosts no <% end -%> -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no # similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> HostbasedAuthentication no +<% end -%> + # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index c8dbda4..443d8ac 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -67,9 +67,19 @@ PubkeyAuthentication no #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + # similar for protocol version 2 -#HostbasedAuthentication no +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no 
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index 420f9cc..e6e9bbc 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -61,9 +61,19 @@ PubkeyAuthentication no #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + # similar for protocol version 2 -#HostbasedAuthentication no +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no -- cgit v1.2.3 From 58fef5f8092b937caa2a11648f3937e17f718d81 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:51:12 -0400 Subject: add variable sshd_permit_empty_passwords, with the default set to no --- manifests/init.pp | 9 +++++++++ templates/sshd_config/CentOS_normal.erb | 8 +++++++- templates/sshd_config/Debian_normal.erb | 4 ++++ templates/sshd_config/Gentoo_normal.erb | 8 +++++++- templates/sshd_config/OpenBSD_normal.erb | 8 +++++++- 5 files changed, 34 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 02f2e42..5ba3e22 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -71,6 +71,11 @@ # sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login) # Valid Values: yes or no # Default: yes +# +# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords +# Valid Values: yes or no +# Default: no + class sshd { include sshd::client 
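Review bot: The new header line `# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords` is missing a word and says the same thing twice; suggest `# sshd_permit_empty_passwords: If you want to allow logins to accounts with empty passwords (PermitEmptyPasswords)`. The trailing bare `+` line leaves a blank between the comment block and `class sshd {`, breaking the `#`-prefixed header; the following commit already replaces it with `#`, so nothing further is needed there.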
@@ -141,6 +146,10 @@ class sshd::base { '' => 'no', default => $sshd_hostbased_authentication } + $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? { + '' => 'no', + default => $sshd_permit_empty_passwords + } file { 'sshd_config': path => '/etc/ssh/sshd_config', diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index a784842..92ba92e 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -94,7 +94,13 @@ PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> -#PermitEmptyPasswords no + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> # Change to no to disable s/key passwords <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index cf24953..92cb7b0 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb @@ -78,7 +78,11 @@ HostbasedAuthentication no #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> PermitEmptyPasswords no +<% end -%> # Change to no to disable s/key passwords <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index 57a80a1..a9f9916 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb 
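Review bot: The CentOS and Debian template hunks test `real_sshd_empty_passwords`, but the manifest hunk defines `$real_sshd_permit_empty_passwords`; the two names never meet, so `PermitEmptyPasswords yes` can never be rendered and the new variable is dead. That fails in the safe direction, but an operator who sets `sshd_permit_empty_passwords = yes` gets no error and a config that silently disagrees with the manifest; use `<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>` here and in the Gentoo and OpenBSD hunks on the next line. The `<% else -%>` tag also breaks the `<%- ... %>` convention used by the `if` directly above it.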
@@ -97,7 +97,13 @@ PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> -#PermitEmptyPasswords no + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> # Change to no to disable s/key passwords <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index 1de6a55..dd6bb69 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -91,7 +91,13 @@ PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> -#PermitEmptyPasswords no + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> # Change to no to disable s/key passwords <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> -- cgit v1.2.3 From 0b180227270cf5d1a5e2176142c2a129940f523a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:55:02 -0400 Subject: add sshd_allow_tcp_forwarding variable, with the default changed to no (note this is opposite of what the existing template had enabled for Debian, but this is a better setting) --- manifests/init.pp | 9 +++++++++ templates/sshd_config/CentOS_normal.erb | 8 +++++++- templates/sshd_config/Debian_normal.erb | 6 ++++++ templates/sshd_config/Gentoo_normal.erb | 7 ++++++- templates/sshd_config/OpenBSD_normal.erb | 7 ++++++- 5 files changed, 34 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 5ba3e22..af716cd 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,6 +1,7 @@ # # ssh module # +# Copyright 2008, micah@riseup.net # Copyright 2008, admin(at)immerda.ch # Copyright 2008, Puzzle ITC GmbH # Marcel Härry haerry+puppet(at)puzzle.ch @@ -44,6 +45,10 @@ # Valid values: yes or no # Default: no # +# sshd_tcp_forwarding: If you want to enable TcpForwarding +# Valid Values: yes or no +# Default: no +# # sshd_x11_forwarding: If you want to enable x11 forwarding # Valid Values: yes or no # Default: no @@ -110,6 +115,10 @@ class sshd::base { '' => 'no', default => $sshd_password_authentication } + $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? { + '' => 'no', + default => $sshd_tcp_forwarding + } $real_sshd_x11_forwarding = $sshd_x11_forwarding ? { '' => 'no', default => $sshd_x11_forwarding diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index 92ba92e..a0ec786 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -140,7 +140,13 @@ UsePAM no AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL -#AllowTcpForwarding yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + #GatewayPorts no #X11Forwarding no <%- if real_sshd_x11_forwarding.to_s == 'yes' then %> diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index 92cb7b0..f6a2a81 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb @@ -138,7 +138,13 @@ UsePAM no <%- end %> HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + <%- if real_sshd_agent_forwarding.to_s == 'yes' then %> AllowAgentForwarding yes <%- else %> 
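Review bot: The variable introduced in the header and `sshd::base` hunks is `sshd_tcp_forwarding`, while the commit subject calls it `sshd_allow_tcp_forwarding`; anyone following the log will set the wrong name and silently get the `no` default. Since the Debian hunk turns a previously hard-coded `AllowTcpForwarding yes` into a default of `no`, the header entry should say so, e.g. `# Default: no (note: the old Debian template had TCP forwarding enabled)`, so existing Debian hosts are not surprised by lost port forwards after the next run. The CentOS hunk here and the Gentoo/OpenBSD hunks on the next line leave `#GatewayPorts no` commented, which matches sshd's own default and is fine.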
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index a9f9916..ca6b90a 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -139,7 +139,12 @@ UsePAM yes UsePAM no <%- end %> -#AllowTcpForwarding yes +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + #GatewayPorts no <%- if real_sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index dd6bb69..96d8bbd 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -116,7 +116,12 @@ ChallengeResponseAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -#AllowTcpForwarding yes +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + #GatewayPorts no <%- if real_sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes -- cgit v1.2.3 From e525f18d129ac3b9adc8e6df89c9e5e48367439c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 18:16:58 -0400 Subject: minor fix to indentation --- manifests/init.pp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index af716cd..e48524d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -159,7 +159,7 @@ class sshd::base { '' => 'no', default => $sshd_permit_empty_passwords } - + file { 'sshd_config': path => '/etc/ssh/sshd_config', owner => root, @@ -181,11 +181,11 @@ class sshd::base { } } service{'sshd': - name => 'sshd', - enable => true, - ensure => running, - hasstatus => true, - require => File[sshd_config], + name => 'sshd', + enable => true, + ensure => running, + hasstatus => true, + require => File[sshd_config], } } -- cgit v1.2.3 
From 26e4ac53a93c61fad4c07c44009cd180e4196d36 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 18:23:25 -0400 Subject: add sshd_port variable enabling you to set a different port for sshd, default is 22 --- manifests/init.pp | 8 +++++++- templates/sshd_config/CentOS_normal.erb | 7 ++++++- templates/sshd_config/Debian_normal.erb | 8 +++++++- templates/sshd_config/Gentoo_normal.erb | 7 ++++++- templates/sshd_config/OpenBSD_normal.erb | 7 ++++++- 5 files changed, 32 insertions(+), 5 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index e48524d..c2f318c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -80,7 +80,9 @@ # sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords # Valid Values: yes or no # Default: no - +# +# sshd_port: If you want to specify a different port than the default 22 +# Default: 22 class sshd { include sshd::client @@ -159,6 +161,10 @@ class sshd::base { '' => 'no', default => $sshd_permit_empty_passwords } + $real_sshd_port = $sshd_port ? { + '' => 22, + default => $sshd_port + } file { 'sshd_config': path => '/etc/ssh/sshd_config', diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index a0ec786..3217b4e 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -10,7 +10,12 @@ # possible, but leave them commented. Uncommented options change a # default value. -#Port 22 +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + #Protocol 2,1 Protocol 2 #AddressFamily any diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index f6a2a81..7cdb5f2 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb 
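Review bot: `$real_sshd_port` is interpolated into `Port <%= real_sshd_port %>` without any check that it is a single integer, so a non-numeric or malformed value yields a config sshd refuses to load and cuts the host off from remote management; the manifest hunk should validate the value before use rather than pass anything non-empty through. The template's `<%- else %> Port 22` branch is unreachable, because the manifest already substitutes `22` for the empty string — `Port <%= real_sshd_port %>` alone suffices in the CentOS hunk here and in the Debian, Gentoo and OpenBSD hunks on the next line, and keeps the default in one place. Mixing a bare `22` with string values in the selector works only because the template calls `.to_s`; writing it as `'22'` keeps the types uniform with the other options.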
@@ -2,7 +2,13 @@ # See the sshd(8) manpage for defails # What ports, IPs and protocols we listen for -# Port 22 + +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index ca6b90a..c8e2ee1 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -10,7 +10,12 @@ # possible, but leave them commented. Uncommented options change a # default value. -#Port 22 +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index 96d8bbd..139613a 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -8,7 +8,12 @@ # possible, but leave them commented. Uncommented options change a # default value. -#Port 22 +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + #Protocol 2,1 #AddressFamily any #ListenAddress 0.0.0.0 -- cgit v1.2.3 From ef6f137cff6cf749031423fd7384dbd0f29a7dfc Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 20:03:10 -0400 Subject: add the variable sshd_authorized_keys_file with the default set to the normal: %h/.ssh/authorized_keys --- manifests/init.pp | 10 +++++++++- templates/sshd_config/CentOS_normal.erb | 7 ++++++- templates/sshd_config/Debian_normal.erb | 6 +++++- templates/sshd_config/Gentoo_normal.erb | 7 ++++++- templates/sshd_config/OpenBSD_normal.erb | 6 +++++- 5 files changed, 31 insertions(+), 5 deletions(-) (limited to 'manifests') 
diff --git a/manifests/init.pp b/manifests/init.pp index c2f318c..4841038 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -83,6 +83,10 @@ # # sshd_port: If you want to specify a different port than the default 22 # Default: 22 +# +# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u) +# Default: AuthorizedKeysFile %h/.ssh/authorized_keys +# class sshd { include sshd::client @@ -165,7 +169,11 @@ class sshd::base { '' => 22, default => $sshd_port } - + $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? { + '' => "%h/.ssh/authorized_keys", + default => $sshd_authorized_keys_file + } + file { 'sshd_config': path => '/etc/ssh/sshd_config', owner => root, diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index 3217b4e..3ec0f41 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -66,7 +66,12 @@ PubkeyAuthentication yes <%- else %> PubkeyAuthentication no <%- end %> -#AuthorizedKeysFile .ssh/authorized_keys + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts <%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index 7cdb5f2..a1e1ece 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb 
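Review bot: The new doc comment for `sshd_authorized_keys_file` offers `/etc/ssh/authorized_keys/%u` as an example without saying what the module expects of that location, and nothing in the hunk creates or protects it. When `StrictModes` is on, sshd refuses a key file whose file or parent directories are writable by others, and a centrally managed keys directory is only an improvement over `%h/.ssh` if it is root-owned and not user-writable — otherwise a user can add keys for other accounts. I would extend the comment with: `#   The file and every directory above it must be owned by root and not writable by group/other; this module does not create or manage it.`. Separately, the `<%- else %> AuthorizedKeysFile %h/.ssh/authorized_keys` branch in the CentOS template can never run, since the selector above already substitutes that default for an empty value.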
@@ -57,7 +57,11 @@ PubkeyAuthentication yes PubkeyAuthentication no <%- end %> -#AuthorizedKeysFile %h/.ssh/authorized_keys +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> # For this to work you will also need host keys in /etc/ssh_known_hosts <%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index c8e2ee1..4acfb40 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -69,7 +69,12 @@ PubkeyAuthentication yes <%- else %> PubkeyAuthentication no <%- end %> -#AuthorizedKeysFile .ssh/authorized_keys + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts <%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index 139613a..b36a988 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -63,7 +63,11 @@ PubkeyAuthentication yes PubkeyAuthentication no <%- end %> -#AuthorizedKeysFile .ssh/authorized_keys +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts <%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> -- cgit v1.2.3 From 2391ef9bfe2e5960a024b68d8e19d3a0954dd48c Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Sat, 27 Sep 2008 13:30:52 -0400 Subject: add the ability to set the ListenAddress configuration option through sshd_listen_address --- manifests/init.pp | 11 ++++++++++- templates/sshd_config/CentOS_normal.erb | 9 +++++---- templates/sshd_config/Debian_normal.erb | 6 +++--- templates/sshd_config/Gentoo_normal.erb | 6 ++++-- templates/sshd_config/OpenBSD_normal.erb | 6 ++++-- 5 files changed, 26 insertions(+), 12 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 4841038..0fd2dfa 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,6 +22,11 @@ # of variables, which you might consider to configure. # Checkout the following: # +# sshd_listen_address: specify the addresses sshd should listen on +# set this to "10.0.0.1 192.168.0.1" to have it listen on both +# addresses, or leave it unset to listen on all +# Default: empty -> results in listening on 0.0.0.0 +# # sshd_allowed_users: list of usernames separated by spaces. # set this for example to "foobar root" # to ensure that only user foobar and root @@ -104,7 +109,11 @@ class sshd { class sshd::base { - # prepare variables to use in templates + # prepare variables to use in templates + $real_sshd_listen_address = $sshd_sshd_listen_address ? { + '' => '', + default => $sshd_sshd_listen_address + } $real_sshd_allowed_users = $sshd_allowed_users ? { '' => '', default => $sshd_allowed_users diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index e576a78..6a16d77 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb 
@@ -16,12 +16,13 @@ Port <%= real_sshd_port %> Port 22 <%- end %> +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +#AddressFamily any #Protocol 2,1 Protocol 2 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index d33064a..df8ebc8 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb @@ -2,7 +2,6 @@ # See the sshd(8) manpage for details # What ports, IPs and protocols we listen for - <%- unless real_sshd_port.to_s.empty? then %> Port <%= real_sshd_port -%> <%- else -%> @@ -10,8 +9,9 @@ Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index dcbf9de..1b9b98e 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -16,9 +16,11 @@ Port <%= real_sshd_port %> Port 22 <%- end %> +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> #AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: # Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index e62b3c1..32f6780 100644 --- a/templates/sshd_config/OpenBSD_normal.erb 
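Review bot: `<% for address in real_sshd_listen_address -%>` iterates whatever the manifest hands over, and the selector in init.pp hands it a String — `''` by default, or the value the new doc comment describes as `"10.0.0.1 192.168.0.1"`. A space-separated String is not split by `for`: under Ruby 1.8 `String#each` yields lines, so the whole value lands on one `ListenAddress 10.0.0.1 192.168.0.1` line that sshd will not accept as an address, and under Ruby 1.9+ a String is not enumerable at all and the template raises; only a Puppet array behaves as documented. I would normalise before looping: `<% for address in Array(real_sshd_listen_address).join(' ').split -%>`, which accepts an empty string, a space-separated string and an array alike and emits nothing for the default. The identical loop appears in the Debian and Gentoo hunks below and needs the same change.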
+++ b/templates/sshd_config/OpenBSD_normal.erb @@ -14,10 +14,12 @@ Port <%= real_sshd_port %> Port 22 <%- end %> +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> #Protocol 2,1 #AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key -- cgit v1.2.3 From 11be1b1f8c498bca58296dd98e3c586f65c301f7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 13:39:28 -0400 Subject: fix duplicate sshd word in variable name --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 0fd2dfa..7abc2ef 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -110,9 +110,9 @@ class sshd { class sshd::base { # prepare variables to use in templates - $real_sshd_listen_address = $sshd_sshd_listen_address ? { + $real_sshd_listen_address = $sshd_listen_address ? { '' => '', - default => $sshd_sshd_listen_address + default => $sshd_listen_address } $real_sshd_allowed_users = $sshd_allowed_users ? { '' => '', -- cgit v1.2.3 From 57a0fd279ecd2b85f05797168b86b7ee1d709ed7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 15:19:43 -0400 Subject: fix the default of PubkeyAuthentication (supposed to be yes, but was set to no) --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 7abc2ef..af948f3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -147,7 +147,7 @@ class sshd::base { default => $sshd_challenge_response_authentication } $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? { - '' => 'no', + '' => 'yes', default => $sshd_pubkey_authentication } $real_sshd_rsa_authentication = $sshd_rsa_authentication ? { -- cgit v1.2.3 
From 57eb2df0371c53988244094e07b1b30486529d0d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 16:42:08 -0400 Subject: Change the template naming: 1. remove the _normal suffix, as it is not used 2. add a selector to look for the variable $lsbdistcodename being set and use that in selecting a template this is useful to create a Debian_Etch.erb and a Debian_Lenny.erb which can have different values. For example the Debian Etch version of openssh does not have the AllowAgentForwarding option, and if it is included, ssh will fail to start --- manifests/init.pp | 5 +- templates/sshd_config/CentOS.erb | 192 ++++++++++++++++++++++++++++++ templates/sshd_config/CentOS_normal.erb | 192 ------------------------------ templates/sshd_config/Debian_Etch.erb | 163 +++++++++++++++++++++++++ templates/sshd_config/Debian_Lenny.erb | 169 ++++++++++++++++++++++++++ templates/sshd_config/Debian_normal.erb | 169 -------------------------- templates/sshd_config/Gentoo.erb | 196 +++++++++++++++++++++++++++++++ templates/sshd_config/Gentoo_normal.erb | 196 ------------------------------- templates/sshd_config/OpenBSD.erb | 172 +++++++++++++++++++++++++++ templates/sshd_config/OpenBSD_normal.erb | 172 --------------------------- 10 files changed, 896 insertions(+), 730 deletions(-) create mode 100644 templates/sshd_config/CentOS.erb delete mode 100644 templates/sshd_config/CentOS_normal.erb create mode 100644 templates/sshd_config/Debian_Etch.erb create mode 100644 templates/sshd_config/Debian_Lenny.erb delete mode 100644 templates/sshd_config/Debian_normal.erb create mode 100644 templates/sshd_config/Gentoo.erb delete mode 100644 templates/sshd_config/Gentoo_normal.erb create mode 100644 templates/sshd_config/OpenBSD.erb delete mode 100644 templates/sshd_config/OpenBSD_normal.erb (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index af948f3..be33d7d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -188,7 +188,10 @@ class sshd::base {
 owner => root,
 group => 0,
 mode => 600,
- content => template("sshd/sshd_config/${operatingsystem}_normal.erb"),
+ content => $lsbdistcodename ? {
+ '' => template("sshd/sshd_config/${operatingsystem}.erb"),
+ default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+ }
 notify => Service[sshd],
 }
 # Now add the key, if we've got one
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
new file mode 100644
index 0000000..6a16d77
--- /dev/null
+++ b/templates/sshd_config/CentOS.erb
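Review bot: The new selector falls back to `${operatingsystem}.erb` only when `$lsbdistcodename` is empty, yet the commit adds codename templates for Debian alone, so on any CentOS, Gentoo or OpenBSD host where lsb_release reports a codename the generated name points at a template that does not exist and the catalog fails to compile, leaving sshd_config unmanaged. Even on Debian the lookup looks fragile: lsb_release reports codenames in lower case (`etch`, `lenny`), so unless the fact is capitalised somewhere not visible here, `Debian_etch.erb` will not match the new `Debian_Etch.erb` on a case-sensitive filesystem. There is also no comma after the selector's closing `}` before `notify => Service[sshd],`; attributes in a resource body are comma-separated, so `+      }` should read `+      },`. I would select on the operating system first and only consult the codename for Debian, as sketched below; the enclosing `file { 'sshd_config' ... }` resource begins outside the hunk.
```puppet
      content => $operatingsystem ? {
        'Debian' => $lsbdistcodename ? {
          ''      => template("sshd/sshd_config/${operatingsystem}.erb"),
          default => template("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
        },
        default  => template("sshd/sshd_config/${operatingsystem}.erb"),
      },
      notify => Service[sshd],
```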
@@ -0,0 +1,192 @@ +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +#AddressFamily any +#Protocol 2,1 +Protocol 2 +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 768 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTHPRIV +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +<%- unless real_sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= real_sshd_permit_root_login %> +<%- else %> +PermitRootLogin without-password +<%- end %> + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + +#MaxAuthTries 6 + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? 
then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then %> +PasswordAuthentication yes +<%- else %> +PasswordAuthentication no +<%- end %> + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +GSSAPIAuthentication yes +#GSSAPICleanupCredentials yes +GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication mechanism. 
+# Depending on your PAM configuration, this may bypass the setting of +# PasswordAuthentication, PermitEmptyPasswords, and +# "PermitRootLogin without-password". If you just want the PAM account and +# session checks to run without PAM authentication, then enable this but set +# ChallengeResponseAuthentication=no +#UsePAM no +<%- if real_sshd_use_pam.to_s == 'yes' then %> +UsePAM yes +<%- else %> +UsePAM no +<%- end %> + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + +#GatewayPorts no +#X11Forwarding no +<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +X11Forwarding yes +<%- else %> +X11Forwarding no +<%- end %> +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no + +# no default banner path +#Banner /some/path + +# override default of no subsystems +Subsystem sftp /usr/libexec/openssh/sftp-server +<%- unless real_sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= real_sshd_allowed_users %> +<%- end %> diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb deleted file mode 100644 index 6a16d77..0000000 --- a/templates/sshd_config/CentOS_normal.erb +++ /dev/null 
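Review bot: For the two options whose safe value is `yes`, the template's fallback is the permissive one: `StrictModes` and `IgnoreRhosts` are emitted as `no` whenever the variable is anything other than the literal string `yes`, so a typo such as `Yes` or `true` silently disables the ownership/permission check on `~/.ssh` and allows `~/.rhosts` to be consulted for host-based authentication, whereas `PasswordAuthentication`, `PermitEmptyPasswords` and the forwarding options fail closed under the same pattern. I would invert those two comparisons so the unsafe value has to be spelled exactly: `<%- if real_sshd_strict_modes.to_s == 'no' then %>` / `StrictModes no` / `<%- else %>` / `StrictModes yes`, and the same for `IgnoreRhosts`. `PermitRootLogin <%= real_sshd_permit_root_login %>` is likewise copied in unchecked; sshd accepts only yes, without-password, forced-commands-only or no, so a wrong value stops the daemon from starting rather than being rejected at catalog time. The Debian templates added below carry the same fail-open fallbacks.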
@@ -1,192 +0,0 @@ -# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -<%- unless real_sshd_port.to_s.empty? then %> -Port <%= real_sshd_port %> -<%- else %> -Port 22 -<%- end %> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> -ListenAddress <%= address %> -<% end -%> -#AddressFamily any -#Protocol 2,1 -Protocol 2 -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -SyslogFacility AUTHPRIV -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> -<%- else %> -PermitRootLogin without-password -<%- end %> - -<%- if real_sshd_strict_modes.to_s == 'yes' then %> -StrictModes yes -<%- else %> -StrictModes no -<%- end %> - -#MaxAuthTries 6 - -<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> -RSAAuthentication yes -<%- else %> -RSAAuthentication no -<%- end %> - -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> -PubkeyAuthentication yes -<%- else %> -PubkeyAuthentication no -<%- end %> - -<%- unless real_sshd_authorized_keys_file.to_s.empty? 
then %> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> -<%- else %> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end %> - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> -RhostsRSAAuthentication yes -<%- else %> -RhostsRSAAuthentication no -<% end -%> - -# similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> -HostbasedAuthentication yes -<%- else %> -HostbasedAuthentication no -<% end -%> - -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no - -# Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> -IgnoreRhosts yes -<%- else %> -IgnoreRhosts no -<% end -%> - -# To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> -PasswordAuthentication yes -<%- else %> -PasswordAuthentication no -<%- end %> - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> - -# Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> -ChallengeResponseAuthentication yes -<%- else %> -ChallengeResponseAuthentication no -<%- end %> - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -GSSAPIAuthentication yes -#GSSAPICleanupCredentials yes -GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication mechanism. 
-# Depending on your PAM configuration, this may bypass the setting of -# PasswordAuthentication, PermitEmptyPasswords, and -# "PermitRootLogin without-password". If you just want the PAM account and -# session checks to run without PAM authentication, then enable this but set -# ChallengeResponseAuthentication=no -#UsePAM no -<%- if real_sshd_use_pam.to_s == 'yes' then %> -UsePAM yes -<%- else %> -UsePAM no -<%- end %> - -# Accept locale-related environment variables -AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -AcceptEnv LC_IDENTIFICATION LC_ALL - -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> -AllowTcpForwarding yes -<%- else %> -AllowTcpForwarding no -<%- end %> - -#GatewayPorts no -#X11Forwarding no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> -X11Forwarding yes -<%- else %> -X11Forwarding no -<%- end %> -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#ShowPatchLevel no -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no - -# no default banner path -#Banner /some/path - -# override default of no subsystems -Subsystem sftp /usr/libexec/openssh/sftp-server -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> -<%- end %> diff --git a/templates/sshd_config/Debian_Etch.erb b/templates/sshd_config/Debian_Etch.erb new file mode 100644 index 0000000..09be201 --- /dev/null +++ b/templates/sshd_config/Debian_Etch.erb 
@@ -0,0 +1,163 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +# What ports, IPs and protocols we listen for +<%- unless real_sshd_port.to_s.empty? then -%> +Port <%= real_sshd_port -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless real_sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? 
then -%> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! 
+<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless real_sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= real_sshd_allowed_users -%> +<%- end -%> + diff --git a/templates/sshd_config/Debian_Lenny.erb b/templates/sshd_config/Debian_Lenny.erb new file mode 100644 index 0000000..bb39736 --- /dev/null +++ b/templates/sshd_config/Debian_Lenny.erb 
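Review bot: Near the end of the Etch template a bare `ChallengeResponseAuthentication no` is written after the templated block that already emits `ChallengeResponseAuthentication yes|no` from `real_sshd_challenge_response_authentication`. sshd honours the first occurrence of a keyword and ignores later ones, so the trailing line is dead today, but it reads as if it were the effective setting and anyone who later removes or moves the templated block would silently change behaviour. I would drop the stray line, or, if the intent really is to keep it off on Etch regardless of the variable, remove the templated block instead and say so: `# Etch: ChallengeResponseAuthentication is pinned off here regardless of sshd_challenge_response_authentication`. The same fail-open `StrictModes`/`IgnoreRhosts` fallbacks noted for the CentOS template are present in this file as well.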
@@ -0,0 +1,169 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+<%- unless real_sshd_port.to_s.empty? then -%>
+Port <%= real_sshd_port -%>
+<%- else -%>
+Port 22
+<%- end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# ...but breaks Pam auth via kbdint, so we have to turn it off
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user (off due to PrivSep)
+#PAMAuthenticationViaKbdInt no
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= real_sshd_permit_root_login -%>
+<%- else -%>
+PermitRootLogin without-password
+<%- end -%>
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+StrictModes yes
+<%- else -%>
+StrictModes no
+<%- end -%>
+
+<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+RSAAuthentication yes
+<%- else -%>
+RSAAuthentication no
+<%- end -%>
+
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+PubkeyAuthentication yes
+<%- else -%>
+PubkeyAuthentication no
+<%- end -%>
+
+<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- else -%>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<%- end -%>
+
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+RhostsRSAAuthentication yes
+<%- else -%>
+RhostsRSAAuthentication no
+<% end -%>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+IgnoreRhosts yes
+<%- else -%>
+IgnoreRhosts no
+<% end -%>
+
+# similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+HostbasedAuthentication yes
+<%- else -%>
+HostbasedAuthentication no
+<% end -%>
+
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
+
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+ChallengeResponseAuthentication yes
+<%- else -%>
+ChallengeResponseAuthentication no
+<%- end -%>
+
+# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+PasswordAuthentication yes
+<%- else -%>
+PasswordAuthentication no
+<%- end -%>
+
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+X11Forwarding yes
+<%- else -%>
+X11Forwarding no
+<%- end -%>
+X11DisplayOffset 10
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+
+#Subsystem sftp /usr/lib/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+UsePAM yes
+<%- else -%>
+UsePAM no
+<%- end -%>
+
+HostbasedUsesNameFromPacketOnly yes
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+AllowTcpForwarding yes
+<%- else -%>
+AllowTcpForwarding no
+<%- end -%>
+
+<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%>
+AllowAgentForwarding yes
+<%- else -%>
+AllowAgentForwarding no
+<%- end -%>
+
+ChallengeResponseAuthentication no
+
+<%- unless real_sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= real_sshd_allowed_users -%>
+<%- end -%>
+
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
deleted file mode 100644
index bb39736..0000000
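Review bot: `ChallengeResponseAuthentication` is emitted twice in this template: once from the `real_sshd_challenge_response_authentication` conditional in the authentication section, and again as an unconditional `ChallengeResponseAuthentication no` just above the `AllowUsers` block. sshd honours the first value it reads for a keyword, so the trailing line is currently inert, but any reordering of the two would silently pin the option to `no` no matter what `$sshd_challenge_response_authentication` is set to. Dropping the unconditional `ChallengeResponseAuthentication no` line keeps the rendered file faithful to the manifest variable; the Debian_normal.erb content earlier on this page carries the same leftover line. The blob id bb39736 matches the deleted Debian_normal.erb, so this is carried over by the rename rather than introduced here.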
--- a/templates/sshd_config/Debian_normal.erb
+++ /dev/null
@@ -1,169 +0,0 @@
-# Package generated configuration file
-# See the sshd(8) manpage for details
-
-# What ports, IPs and protocols we listen for
-<%- unless real_sshd_port.to_s.empty? then -%>
-Port <%= real_sshd_port -%>
-<%- else -%>
-Port 22
-<%- end -%>
-
-# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
-ListenAddress <%= address %>
-<% end -%>
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# ...but breaks Pam auth via kbdint, so we have to turn it off
-# Use PAM authentication via keyboard-interactive so PAM modules can
-# properly interface with the user (off due to PrivSep)
-#PAMAuthenticationViaKbdInt no
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 600
-<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
-PermitRootLogin <%= real_sshd_permit_root_login -%>
-<%- else -%>
-PermitRootLogin without-password
-<%- end -%>
-
-<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
-StrictModes yes
-<%- else -%>
-StrictModes no
-<%- end -%>
-
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
-RSAAuthentication yes
-<%- else -%>
-RSAAuthentication no
-<%- end -%>
-
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
-PubkeyAuthentication yes
-<%- else -%>
-PubkeyAuthentication no
-<%- end -%>
-
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
-<%- else -%>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end -%>
-
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
-RhostsRSAAuthentication yes
-<%- else -%>
-RhostsRSAAuthentication no
-<% end -%>
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
-IgnoreRhosts yes
-<%- else -%>
-IgnoreRhosts no
-<% end -%>
-
-# similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
-HostbasedAuthentication yes
-<%- else -%>
-HostbasedAuthentication no
-<% end -%>
-
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
-
-# Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
-ChallengeResponseAuthentication yes
-<%- else -%>
-ChallengeResponseAuthentication no
-<%- end -%>
-
-# To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
-PasswordAuthentication yes
-<%- else -%>
-PasswordAuthentication no
-<%- end -%>
-
-# To change Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#AFSTokenPassing no
-#KerberosTicketCleanup no
-
-# Kerberos TGT Passing does only work with the AFS kaserver
-#KerberosTgtPassing yes
-
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
-X11Forwarding yes
-<%- else -%>
-X11Forwarding no
-<%- end -%>
-X11DisplayOffset 10
-KeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-#ReverseMappingCheck yes
-
-#Subsystem sftp /usr/lib/sftp-server
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-<%- if real_sshd_use_pam.to_s == 'yes' then -%>
-UsePAM yes
-<%- else -%>
-UsePAM no
-<%- end -%>
-
-HostbasedUsesNameFromPacketOnly yes
-
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
-AllowTcpForwarding yes
-<%- else -%>
-AllowTcpForwarding no
-<%- end -%>
-
-<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%>
-AllowAgentForwarding yes
-<%- else -%>
-AllowAgentForwarding no
-<%- end -%>
-
-ChallengeResponseAuthentication no
-
-<%- unless real_sshd_allowed_users.to_s.empty? then -%>
-AllowUsers <%= real_sshd_allowed_users -%>
-<%- end -%>
-
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
new file mode 100644
index 0000000..1b9b98e
--- /dev/null
+++ b/templates/sshd_config/Gentoo.erb
@@ -0,0 +1,196 @@
+# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+<%- unless real_sshd_port.to_s.empty? then %>
+Port <%= real_sshd_port %>
+<%- else %>
+Port 22
+<%- end %>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+#AddressFamily any
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 768
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin without-password
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
+<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- else %>
+PermitRootLogin without-password
+<%- end %>
+#MaxAuthTries 6
+
+<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
+RSAAuthentication yes
+<%- else %>
+RSAAuthentication no
+<%- end %>
+
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
+
+<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
+AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- else %>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<%- end %>
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
+# similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
+IgnoreRhosts yes
+<%- else %>
+IgnoreRhosts no
+<% end -%>
+
+# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+PasswordAuthentication yes
+<%- else %>
+PasswordAuthentication no
+<%- end %>
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
+
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+<%- if real_sshd_use_pam.to_s == 'yes' then %>
+UsePAM yes
+<%- else %>
+UsePAM no
+<%- end %>
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+AllowTcpForwarding yes
+<%- else %>
+AllowTcpForwarding no
+<%- end %>
+
+#GatewayPorts no
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+X11Forwarding yes
+<%- else %>
+X11Forwarding no
+<%- end %>
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+
+# no default banner path
+#Banner /some/path
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/misc/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
+
+<%- unless real_sshd_allowed_users.to_s.empty? then %>
+AllowUsers <%= real_sshd_allowed_users %>
+<%- end %>
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
deleted file mode 100644
index 1b9b98e..0000000
--- a/templates/sshd_config/Gentoo_normal.erb
+++ /dev/null
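Review bot: `PermitRootLogin without-password` is emitted unconditionally right after `#LoginGraceTime 2m`, a few lines before the `real_sshd_permit_root_login` conditional, and since sshd keeps the first value it reads for a keyword the hard-coded line always wins: on Gentoo `$sshd_permit_root_login` has no effect at all, which an operator setting it to `no` would not notice without reading the rendered file. Removing that one unconditional `PermitRootLogin without-password` line lets the selector drive the setting the same way the Debian and OpenBSD templates do. The blob id 1b9b98e is identical to the deleted Gentoo_normal.erb, so this is carried over by the rename rather than introduced here, but the rename is a natural point to fix it.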
@@ -1,196 +0,0 @@
-# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.
-
-<%- unless real_sshd_port.to_s.empty? then %>
-Port <%= real_sshd_port %>
-<%- else %>
-Port 22
-<%- end %>
-
-# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
-ListenAddress <%= address %>
-<% end -%>
-#AddressFamily any
-
-# Disable legacy (protocol version 1) support in the server for new
-# installations. In future the default will change to require explicit
-# activation of protocol 1
-Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin without-password
-
-<%- if real_sshd_strict_modes.to_s == 'yes' then %>
-StrictModes yes
-<%- else %>
-StrictModes no
-<%- end %>
-
-<%- unless real_sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= real_sshd_permit_root_login %>
-<%- else %>
-PermitRootLogin without-password
-<%- end %>
-#MaxAuthTries 6
-
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
-RSAAuthentication yes
-<%- else %>
-RSAAuthentication no
-<%- end %>
-
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
-PubkeyAuthentication yes
-<%- else %>
-PubkeyAuthentication no
-<%- end %>
-
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
-<%- else %>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end %>
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
-RhostsRSAAuthentication yes
-<%- else %>
-RhostsRSAAuthentication no
-<% end -%>
-
-# similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
-HostbasedAuthentication yes
-<%- else %>
-HostbasedAuthentication no
-<% end -%>
-
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
-IgnoreRhosts yes
-<%- else %>
-IgnoreRhosts no
-<% end -%>
-
-# To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then %>
-PasswordAuthentication yes
-<%- else %>
-PasswordAuthentication no
-<%- end %>
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
-
-# Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
-ChallengeResponseAuthentication yes
-<%- else %>
-ChallengeResponseAuthentication no
-<%- end %>
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-<%- if real_sshd_use_pam.to_s == 'yes' then %>
-UsePAM yes
-<%- else %>
-UsePAM no
-<%- end %>
-
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
-AllowTcpForwarding yes
-<%- else %>
-AllowTcpForwarding no
-<%- end %>
-
-#GatewayPorts no
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
-X11Forwarding yes
-<%- else %>
-X11Forwarding no
-<%- end %>
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-#PermitTunnel no
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/misc/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# ForceCommand cvs server
-
-<%- unless real_sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= real_sshd_allowed_users %>
-<%- end %>
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
new file mode 100644
index 0000000..32f6780
--- /dev/null
+++ b/templates/sshd_config/OpenBSD.erb
@@ -0,0 +1,172 @@
+# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+<%- unless real_sshd_port.to_s.empty? then %>
+Port <%= real_sshd_port %>
+<%- else %>
+Port 22
+<%- end %>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+#Protocol 2,1
+#AddressFamily any
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 768
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- else %>
+PermitRootLogin without-password
+<%- end %>
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
+#MaxAuthTries 6
+
+<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
+RSAAuthentication yes
+<%- else %>
+RSAAuthentication no
+<%- end %>
+
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
+
+<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
+AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- else %>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<%- end %>
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
+# similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
+IgnoreRhosts yes
+<%- else %>
+IgnoreRhosts no
+<% end -%>
+
+# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+PasswordAuthentication yes
+<%- else %>
+PasswordAuthentication no
+<%- end %>
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
+
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
+AllowTcpForwarding yes
+<%- else %>
+AllowTcpForwarding no
+<%- end %>
+
+#GatewayPorts no
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+X11Forwarding yes
+<%- else %>
+X11Forwarding no
+<%- end %>
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+
+# no default banner path
+#Banner /some/path
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/sftp-server
+
+<%- unless real_sshd_allowed_users.to_s.empty? then %>
+AllowUsers <%= real_sshd_allowed_users %>
+<%- end %>
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
deleted file mode 100644
index 32f6780..0000000
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ /dev/null
@@ -1,172 +0,0 @@
-# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.
-
-<%- unless real_sshd_port.to_s.empty? then %>
-Port <%= real_sshd_port %>
-<%- else %>
-Port 22
-<%- end %>
-
-# Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
-ListenAddress <%= address %>
-<% end -%>
-#Protocol 2,1
-#AddressFamily any
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-<%- unless real_sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= real_sshd_permit_root_login %>
-<%- else %>
-PermitRootLogin without-password
-<%- end %>
-
-<%- if real_sshd_strict_modes.to_s == 'yes' then %>
-StrictModes yes
-<%- else %>
-StrictModes no
-<%- end %>
-
-#MaxAuthTries 6
-
-<%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
-RSAAuthentication yes
-<%- else %>
-RSAAuthentication no
-<%- end %>
-
-<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
-PubkeyAuthentication yes
-<%- else %>
-PubkeyAuthentication no
-<%- end %>
-
-<%- unless real_sshd_authorized_keys_file.to_s.empty? then %>
-AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
-<%- else %>
-AuthorizedKeysFile %h/.ssh/authorized_keys
-<%- end %>
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
-RhostsRSAAuthentication yes
-<%- else %>
-RhostsRSAAuthentication no
-<% end -%>
-
-# similar for protocol version 2
-<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
-HostbasedAuthentication yes
-<%- else %>
-HostbasedAuthentication no
-<% end -%>
-
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>
-IgnoreRhosts yes
-<%- else %>
-IgnoreRhosts no
-<% end -%>
-
-# To disable tunneled clear text passwords, change to no here!
-<%- if real_sshd_password_authentication.to_s == 'yes' then %>
-PasswordAuthentication yes
-<%- else %>
-PasswordAuthentication no
-<%- end %>
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %>
-PermitEmptyPasswords yes
-<% else -%>
-PermitEmptyPasswords no
-<% end -%>
-
-# Change to no to disable s/key passwords
-<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
-ChallengeResponseAuthentication yes
-<%- else %>
-ChallengeResponseAuthentication no
-<%- end %>
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %>
-AllowTcpForwarding yes
-<%- else %>
-AllowTcpForwarding no
-<%- end %>
-
-#GatewayPorts no
-<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
-X11Forwarding yes
-<%- else %>
-X11Forwarding no
-<%- end %>
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-#PermitTunnel no
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
-
-<%- unless real_sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= real_sshd_allowed_users %>
-<%- end %>
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# ForceCommand cvs server
-- cgit v1.2.3
From d827a52614fc41ca98e2f2fc453da2e2ae4965ec Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sat, 27 Sep 2008 16:51:32 -0400
Subject: rename the templates to coincide with the downcased lsbdistcodename also add a missing comma in the content selector
---
manifests/init.pp | 2 +-
templates/sshd_config/Debian_Etch.erb | 163 -------------------------------
templates/sshd_config/Debian_Lenny.erb | 169 ---------------------------------
templates/sshd_config/Debian_etch.erb | 163 +++++++++++++++++++++++++++++++
templates/sshd_config/Debian_lenny.erb | 169 +++++++++++++++++++++++++++++++++
5 files changed, 333 insertions(+), 333 deletions(-)
delete mode 100644 templates/sshd_config/Debian_Etch.erb
delete mode 100644 templates/sshd_config/Debian_Lenny.erb
create mode 100644 templates/sshd_config/Debian_etch.erb
create mode 100644 templates/sshd_config/Debian_lenny.erb
(limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index be33d7d..519e242 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -191,7 +191,7 @@ class sshd::base {
 content => $lsbdistcodename ? {
 '' => template("sshd/sshd_config/${operatingsystem}.erb"),
 default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
- }
+ },
 notify => Service[sshd],
 }
 # Now add the key, if we've got one
diff --git a/templates/sshd_config/Debian_Etch.erb b/templates/sshd_config/Debian_Etch.erb
deleted file mode 100644
index 09be201..0000000
--- a/templates/sshd_config/Debian_Etch.erb
+++ /dev/null
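Review bot: The selector falls back to `${operatingsystem}.erb` only when `$lsbdistcodename` is the empty string, so on any host where facter reports a codename but no matching `<os>_<codename>.erb` exists (the CentOS, Gentoo and OpenBSD templates in this module have no codename variants) `template()` errors out on the missing file and catalog compilation fails rather than using the generic template. Either document that contract next to the selector, e.g. `# a <os>_<codename>.erb template must exist for every platform this class is applied to`, or restrict the codename lookup to the platforms that actually ship one. Minor style point: `template (` on the `default` line has a space before the paren while the `''` line uses `template(`. The enclosing `file { 'sshd_config': ... }` resource starts outside the hunk.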
@@ -1,163 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for details - -# What ports, IPs and protocols we listen for -<%- unless real_sshd_port.to_s.empty? then -%> -Port <%= real_sshd_port -%> -<%- else -%> -Port 22 -<%- end -%> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> -ListenAddress <%= address %> -<% end -%> -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= real_sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> - -<%- if real_sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> - -<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> - -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> - -<%- unless real_sshd_authorized_keys_file.to_s.empty? 
then -%> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> - -# For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> - -# Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> -IgnoreRhosts yes -<%- else -%> -IgnoreRhosts no -<% end -%> - -# similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> - -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> - -# Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> - -# To disable tunneled clear text passwords, change to no here! 
-<%- if real_sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> - -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> -X11DisplayOffset 10 -KeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes - -#Subsystem sftp /usr/lib/sftp-server - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no -<%- end -%> - -HostbasedUsesNameFromPacketOnly yes - -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> - -ChallengeResponseAuthentication no - -<%- unless real_sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= real_sshd_allowed_users -%> -<%- end -%> - diff --git a/templates/sshd_config/Debian_Lenny.erb b/templates/sshd_config/Debian_Lenny.erb deleted file mode 100644 index bb39736..0000000 --- a/templates/sshd_config/Debian_Lenny.erb +++ /dev/null 
@@ -1,169 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for details - -# What ports, IPs and protocols we listen for -<%- unless real_sshd_port.to_s.empty? then -%> -Port <%= real_sshd_port -%> -<%- else -%> -Port 22 -<%- end -%> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> -ListenAddress <%= address %> -<% end -%> -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= real_sshd_permit_root_login -%> -<%- else -%> -PermitRootLogin without-password -<%- end -%> - -<%- if real_sshd_strict_modes.to_s == 'yes' then -%> -StrictModes yes -<%- else -%> -StrictModes no -<%- end -%> - -<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> -RSAAuthentication yes -<%- else -%> -RSAAuthentication no -<%- end -%> - -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> -PubkeyAuthentication yes -<%- else -%> -PubkeyAuthentication no -<%- end -%> - -<%- unless real_sshd_authorized_keys_file.to_s.empty? 
then -%> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> -<%- else -%> -AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end -%> - -# For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> -RhostsRSAAuthentication yes -<%- else -%> -RhostsRSAAuthentication no -<% end -%> - -# Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> -IgnoreRhosts yes -<%- else -%> -IgnoreRhosts no -<% end -%> - -# similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> -HostbasedAuthentication yes -<%- else -%> -HostbasedAuthentication no -<% end -%> - -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> -PermitEmptyPasswords yes -<% else -%> -PermitEmptyPasswords no -<% end -%> - -# Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> -ChallengeResponseAuthentication yes -<%- else -%> -ChallengeResponseAuthentication no -<%- end -%> - -# To disable tunneled clear text passwords, change to no here! 
-<%- if real_sshd_password_authentication.to_s == 'yes' then -%> -PasswordAuthentication yes -<%- else -%> -PasswordAuthentication no -<%- end -%> - -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> -X11Forwarding yes -<%- else -%> -X11Forwarding no -<%- end -%> -X11DisplayOffset 10 -KeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes - -#Subsystem sftp /usr/lib/sftp-server - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then -%> -UsePAM yes -<%- else -%> -UsePAM no -<%- end -%> - -HostbasedUsesNameFromPacketOnly yes - -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> -AllowTcpForwarding yes -<%- else -%> -AllowTcpForwarding no -<%- end -%> - -<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%> -AllowAgentForwarding yes -<%- else -%> -AllowAgentForwarding no -<%- end -%> - -ChallengeResponseAuthentication no - -<%- unless real_sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= real_sshd_allowed_users -%> -<%- end -%> - diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb new file mode 100644 index 0000000..09be201 --- /dev/null +++ b/templates/sshd_config/Debian_etch.erb 
@@ -0,0 +1,163 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +# What ports, IPs and protocols we listen for +<%- unless real_sshd_port.to_s.empty? then -%> +Port <%= real_sshd_port -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless real_sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? 
then -%> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! 
+<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless real_sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= real_sshd_allowed_users -%> +<%- end -%> + diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb new file mode 100644 index 0000000..bb39736 --- /dev/null +++ b/templates/sshd_config/Debian_lenny.erb 
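Review bot: The unconditional `ChallengeResponseAuthentication no` near the end of Debian_etch.erb duplicates the variable-driven `ChallengeResponseAuthentication` block rendered earlier from `real_sshd_challenge_response_authentication`. sshd uses the first value it reads for each keyword, so the trailing line is dead today, but it reads as if the option were forced off and would silently win over the variable if the two blocks were ever reordered; drop the trailing line. Debian_lenny.erb in the next hunk carries the same duplicate. `KeepAlive yes` is the pre-OpenSSH-3.8 spelling of `TCPKeepAlive`; I believe it is still accepted as an obsolete alias on these releases, but the current keyword is the safer choice.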
@@ -0,0 +1,169 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +# What ports, IPs and protocols we listen for +<%- unless real_sshd_port.to_s.empty? then -%> +Port <%= real_sshd_port -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless real_sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? 
then -%> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! 
+<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless real_sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= real_sshd_allowed_users -%> +<%- end -%> + -- cgit v1.2.3 From c751cf22ede55b3dde21dbc15813c33e24bc7b3d Mon Sep 17 00:00:00 2001 
From: Micah Anderson
Date: Sat, 27 Sep 2008 17:45:57 -0400
Subject: clarify in the example about how you can set multiple ListenAddresses with the right syntax also set the default to be 0.0.0.0 and :: which is the normal default for all IPv4 and all IPv6 addresses
--- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 519e242..8e6ff8b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -23,7 +23,7 @@
 # Checkout the following:
 #
 # sshd_listen_address: specify the addresses sshd should listen on
-# set this to "10.0.0.1 192.168.0.1" to have it listen on both
+# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
 # addresses, or leave it unset to listen on all
 # Default: empty -> results in listening on 0.0.0.0
 #
@@ -111,7 +111,7 @@ class sshd {
 class sshd::base {
 # prepare variables to use in templates
 $real_sshd_listen_address = $sshd_listen_address ? {
- '' => '',
+ '' => [ '0.0.0.0', '::' ],
 default => $sshd_listen_address
 }
 $real_sshd_allowed_users = $sshd_allowed_users ? {
-- cgit v1.2.3
From aa3badea817c1b44af7910a83777e39868b3dfb9 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sun, 28 Sep 2008 12:38:18 -0400
Subject: add some comments to clarify how to set variables, and provide examples
--- manifests/init.pp | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 8e6ff8b..56f34ae 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
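Review bot: The example `['10.0.0.1 192.168.0.1']` in the first hunk is a single array element holding two addresses, and the Debian templates render the list with one `ListenAddress <%= address %>` line per element, so it would produce `ListenAddress 10.0.0.1 192.168.0.1`, which sshd refuses as garbage at end of line; the comment should read `# set this to ['10.0.0.1', '192.168.0.1'] to have it listen on both`. The same example is repeated in the aa3badea hunk below. Now that the second hunk defaults to `[ '0.0.0.0', '::' ]`, the `# Default: empty -> results in listening on 0.0.0.0` line in the first hunk is stale and should say `0.0.0.0 and ::`. Listing both wildcard addresses explicitly can, on Linux hosts where IPv6 sockets also accept IPv4 (bindv6only=0), make the second bind fail with an address-in-use error; sshd logs that and keeps the sockets it did bind, as far as I recall, but it is worth confirming on a target host.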
@@ -17,10 +17,18 @@ # # sshd-config: # -# The configuration of the sshd is rather strict and -# might not fit all needs. However there are a bunch -# of variables, which you might consider to configure. -# Checkout the following: +# The configuration of the sshd is rather strict and might not fit all +# needs. However there are a bunch of variables, which you might +# consider configuring. +# +# To set any of the following, simply set them as variables in your manifests +# before the class is included, for example: +# +# $sshd_listen_address = ['10.0.0.1 192.168.0.1'] +# $sshd_use_pam = yes +# include sshd::debian +# +# The following is a list of the currently available variables: # # sshd_listen_address: specify the addresses sshd should listen on # set this to ['10.0.0.1 192.168.0.1'] to have it listen on both -- cgit v1.2.3 From 16dd74a7de341c0e8bf385b7bd8d0e082f7342bb Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 28 Sep 2008 13:40:35 -0400 Subject: include assert_lsbdistcodename for debian --- manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 56f34ae..96e6d08 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -239,6 +239,10 @@ class sshd::gentoo inherits sshd::linux { } class sshd::debian inherits sshd::linux { + + # the templates for Debian need lsbdistcodename + include assert_lsbdistcodename + Package[openssh]{ name => 'openssh-server', } -- cgit v1.2.3 From 96760cc558a2e6f72b138f2fc3e16820f3bf2036 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 23 Oct 2008 14:59:42 -0400 Subject: debian has both status and restart options, in fact restart is preferable because a stop/start operation can leave sshd broken because the stop wont stop before the start is run. On the next puppet run ssh will be brought back up, but its a hair-raising few minutes while you wonder what happened --- manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 55a2714..aaf068e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -247,7 +247,8 @@ class sshd::debian inherits sshd::linux { } Service[sshd]{ name => 'ssh', - hasstatus => false, + hasstatus => true, + hasrestart => true, } } class sshd::ubuntu inherits sshd::debian {} -- cgit v1.2.3 From 1b2dcaf51031582fbd30185a7384f7816ad35eb1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 23 Oct 2008 15:04:47 -0400 Subject: update formatting to be consistent with upstream puppet emacs mode, if this is different from the vim mode, then there is a difference between these two editor's formatting that needs to be resolved --- manifests/init.pp | 307 +++++++++++++++++++++++++++--------------------------- 1 file changed, 154 insertions(+), 153 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 459088f..02f5e45 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -119,186 +119,187 @@ # Default: empty -> not added. class sshd { - include sshd::client - - case $operatingsystem { - gentoo: { include sshd::gentoo } - redhat: { include sshd::redhat } - centos: { include sshd::centos } - openbsd: { include sshd::openbsd } - debian: { include sshd::debian } - ubuntu: { include sshd::ubuntu } - default: { include sshd::default } - } + include sshd::client + + case $operatingsystem { + gentoo: { include sshd::gentoo } + redhat: { include sshd::redhat } + centos: { include sshd::centos } + openbsd: { include sshd::openbsd } + debian: { include sshd::debian } + ubuntu: { include sshd::ubuntu } + default: { include sshd::default } + } } class sshd::base { - # prepare variables to use in templates - case $sshd_listen_address { - '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } - } - case $sshd_allowed_users { - '': { $sshd_allowed_users = '' } - } - case $sshd_allowed_groups { - '': { $sshd_allowed_groups = '' } - } - case $sshd_use_pam { - '': { $sshd_use_pam = 'no' } - } - case $sshd_permit_root_login { - '': { $sshd_permit_root_login = 'without-password' } - } - case $sshd_password_authentication { - '': { $sshd_password_authentication = 'no' } - } - case $sshd_tcp_forwarding { - '': { $sshd_tcp_forwarding = 'no' } - } - case $sshd_x11_forwarding { - '': { $sshd_x11_forwarding = 'no' } - } - case $sshd_agent_forwarding { - '': { $sshd_agent_forwarding = 'no' } - } - case $sshd_challenge_response_authentication { - '': { $sshd_challenge_response_authentication = 'no' } - } - case $sshd_pubkey_authentication { - '': { $sshd_pubkey_authentication = 'yes' } - } - case $sshd_rsa_authentication { - '': { $sshd_rsa_authentication = 'no' } - } - case $sshd_strict_modes { - '': { $sshd_strict_modes = 'yes' } - } - case $sshd_ignore_rhosts { - '': { $sshd_ignore_rhosts = 'yes' } - } - case $sshd_rhosts_rsa_authentication { - '': { $sshd_rhosts_rsa_authentication = 'no' } - } - case $sshd_hostbased_authentication { - '': { 
$sshd_hostbased_authentication = 'no' } - } - case $sshd_permit_empty_passwords { - '': { $sshd_permit_empty_passwords = 'no' } - } - case $sshd_port { - '': { $sshd_port = 22 } - } - case $sshd_authorized_keys_file { - '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } - } - case $sshd_sftp_subsystem { - '': { $sshd_sftp_subsystem = '' } - } - case $sshd_additional_options { - '': { $sshd_additional_options = '' } - } - - file { 'sshd_config': - path => '/etc/ssh/sshd_config', - owner => root, - group => 0, - mode => 600, - content => $lsbdistcodename ? { - '' => template("sshd/sshd_config/${operatingsystem}.erb"), - default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), - }, - notify => Service[sshd], - } - # Now add the key, if we've got one - case $sshrsakey_key { - '': { info("no sshrsakey on $fqdn") } - default: { - @@sshkey{"$hostname.$domain": - type => ssh-rsa, - key => $sshrsakey_key, - ensure => present, - } - } - } - service{'sshd': - name => 'sshd', - enable => true, - ensure => running, - hasstatus => true, - require => File[sshd_config], - } + # prepare variables to use in templates + case $sshd_listen_address { + '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } + } + case $sshd_allowed_users { + '': { $sshd_allowed_users = '' } + } + case $sshd_allowed_groups { + '': { $sshd_allowed_groups = '' } + } + case $sshd_use_pam { + '': { $sshd_use_pam = 'no' } + } + case $sshd_permit_root_login { + '': { $sshd_permit_root_login = 'without-password' } + } + case $sshd_password_authentication { + '': { $sshd_password_authentication = 'no' } + } + case $sshd_tcp_forwarding { + '': { $sshd_tcp_forwarding = 'no' } + } + case $sshd_x11_forwarding { + '': { $sshd_x11_forwarding = 'no' } + } + case $sshd_agent_forwarding { + '': { $sshd_agent_forwarding = 'no' } + } + case $sshd_challenge_response_authentication { + '': { $sshd_challenge_response_authentication = 'no' } + } + case $sshd_pubkey_authentication { + '': { 
$sshd_pubkey_authentication = 'yes' } + } + case $sshd_rsa_authentication { + '': { $sshd_rsa_authentication = 'no' } + } + case $sshd_strict_modes { + '': { $sshd_strict_modes = 'yes' } + } + case $sshd_ignore_rhosts { + '': { $sshd_ignore_rhosts = 'yes' } + } + case $sshd_rhosts_rsa_authentication { + '': { $sshd_rhosts_rsa_authentication = 'no' } + } + case $sshd_hostbased_authentication { + '': { $sshd_hostbased_authentication = 'no' } + } + case $sshd_permit_empty_passwords { + '': { $sshd_permit_empty_passwords = 'no' } + } + case $sshd_port { + '': { $sshd_port = 22 } + } + case $sshd_authorized_keys_file { + '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } + } + case $sshd_sftp_subsystem { + '': { $sshd_sftp_subsystem = '' } + } + case $sshd_additional_options { + '': { $sshd_additional_options = '' } + } + + file { 'sshd_config': + path => '/etc/ssh/sshd_config', + owner => root, + group => 0, + mode => 600, + content => $lsbdistcodename ? { + '' => template("sshd/sshd_config/${operatingsystem}.erb"), + default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), + }, + notify => Service[sshd], + } + # Now add the key, if we've got one + case $sshrsakey_key { + '': { info("no sshrsakey on $fqdn") } + default: { + @@sshkey{"$hostname.$domain": + type => ssh-rsa, + key => $sshrsakey_key, + ensure => present, + } + } + } + service{'sshd': + name => 'sshd', + enable => true, + ensure => running, + hasstatus => true, + require => File[sshd_config], + } } class sshd::linux inherits sshd::base { - package{openssh: - ensure => present, - } - File[sshd_config]{ - require +> Package[openssh], - } + package{openssh: + ensure => present, + } + File[sshd_config]{ + require +> Package[openssh], + } } class sshd::gentoo inherits sshd::linux { - Package[openssh]{ - category => 'net-misc', - } + Package[openssh]{ + category => 'net-misc', + } } class sshd::debian inherits sshd::linux { - + # the templates for Debian need lsbdistcodename 
include assert_lsbdistcodename - Package[openssh]{ - name => 'openssh-server', - } - Service[sshd]{ - name => 'ssh', - hasstatus => true, - hasrestart => true, - } + Package[openssh]{ + name => 'openssh-server', + } + Service[sshd]{ + name => 'ssh', + hasstatus => true, + hasrestart => true, + } } class sshd::ubuntu inherits sshd::debian {} class sshd::redhat inherits sshd::linux { - Package[openssh]{ - name => 'openssh-server', - } + Package[openssh]{ + name => 'openssh-server', + } } class sshd::centos inherits sshd::redhat {} class sshd::openbsd inherits sshd::base { - Service[sshd]{ - restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', - stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', - start => '/usr/sbin/sshd', - hasstatus => false, - } + Service[sshd]{ + restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', + stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', + start => '/usr/sbin/sshd', + hasstatus => false, + } } ### defines # wrapper to have some defaults. define sshd::ssh_authorized_key( - $type = 'ssh-dss', - $key, - $user = 'root', - $target = undef, - $options = 'absent' -){ - ssh_authorized_key{$name: - type => $type, - key => $key, - user => $user, - target => $target, - } - - case $options { - 'absent': { info("not setting any option for ssh_authorized_key: $name") } - default: { - Ssh_authorized_key[$name]{ - options => $options, - } - } - } + $type = 'ssh-dss', + $key, + $user = 'root', + $target = undef, + $options = 'absent' + ) +{ + ssh_authorized_key{$name: + type => $type, + key => $key, + user => $user, + target => $target, + } + + case $options { + 'absent': { info("not setting any option for ssh_authorized_key: $name") } + default: { + Ssh_authorized_key[$name]{ + options => $options, + } + } + } } -- cgit v1.2.3 From 98ddbe8ef56d5a3552e4dd812d1a01cbae211eaf Mon Sep 17 00:00:00 2001 
From: Micah Anderson
Date: Sun, 26 Oct 2008 12:39:45 -0400
Subject: change the debian 'hasrestart' option to a selector based on which $debian_version is detected, etch does not have a ssh restart option in the initscript, but lenny does
--- manifests/init.pp | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 02f5e45..d4d775f 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -253,10 +253,17 @@ class sshd::debian inherits sshd::linux {
 Package[openssh]{
 name => 'openssh-server',
 }
+
+ $ssh_hasrestart = $debian_version ? {
+ etch => false,
+ lenny => true,
+ default => false
+ }
+
 Service[sshd]{
 name => 'ssh',
 hasstatus => true,
- hasrestart => true,
+ hasrestart => $ssh_hasrestart,
 }
 }
 class sshd::ubuntu inherits sshd::debian {}
-- cgit v1.2.3
From 49d840dab4c7cfeff8ca21d1ef0728832046f205 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Mon, 27 Oct 2008 16:20:26 -0400
Subject: lsbdistcodename is the proper variable to check for if the system is debian or lenny
--- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index d4d775f..32b7109 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -254,7 +254,7 @@ class sshd::debian inherits sshd::linux {
 name => 'openssh-server',
 }
 
- $ssh_hasrestart = $debian_version ? {
+ $ssh_hasrestart = $lsbdistcodename ? {
 etch => false,
 lenny => true,
 default => false
-- cgit v1.2.3
From 6fb10939afd72a8e1243681f1ae9062abf0975fa Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Mon, 27 Oct 2008 17:00:39 -0400
Subject: In debian, the daemon is run as 'sshd', but the initscript is /etc/init.d/ssh, which means that name needs to be set to 'ssh', and pattern needs to be set to 'sshd', and then we set the hassstatus and hasrestart depending on the lsbdistcodename
--- manifests/init.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 32b7109..1ac65f5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -254,7 +254,7 @@ class sshd::debian inherits sshd::linux {
 name => 'openssh-server',
 }
 
- $ssh_hasrestart = $lsbdistcodename ? {
+ $sshd_restartandstatus = $lsbdistcodename ? {
 etch => false,
 lenny => true,
 default => false
@@ -262,8 +262,9 @@ class sshd::debian inherits sshd::linux {
 
 Service[sshd]{
 name => 'ssh',
- hasstatus => true,
- hasrestart => $ssh_hasrestart,
+ pattern => 'sshd',
+ hasstatus => $sshd_restartandstatus,
+ hasrestart => $sshd_restartandstatus,
 }
 }
 class sshd::ubuntu inherits sshd::debian {}
-- cgit v1.2.3
From fa072188dc8f1b475d4000fe61ea4fcf5e82cf98 Mon Sep 17 00:00:00 2001
From: Antoine Beaupre
Date: Tue, 2 Dec 2008 16:56:19 -0500
Subject: make saner defaults for authorized_keys note that this removes the user => root default
--- manifests/init.pp | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 1ac65f5..20dd1fb 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
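Review bot: On etch the second hunk sets `hasstatus => false` together with `pattern => 'sshd'`, so Puppet decides whether the service is up by looking for `sshd` in the process table instead of asking the init script. Every live login is also an `sshd` process (the per-connection children keep that name), so a listener that has died while sessions survive would still look running and would not be restarted, as far as I recall the provider's fallback. A pidfile-based `status` command, in the style of the `/var/run/sshd.pid` commands the `sshd::openbsd` class already uses, would be a more faithful check for releases whose init script lacks `status`. With `hasrestart => false` Puppet falls back to stop-then-start, which the 96760cc commit message on this page describes as leaving sshd down in between; pairing that pidfile `status` with an explicit `restart` (a HUP to the recorded pid, as the OpenBSD class does) would avoid that too.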
@@ -290,16 +290,29 @@ class sshd::openbsd inherits sshd::base {
 define sshd::ssh_authorized_key(
 $type = 'ssh-dss',
 $key,
- $user = 'root',
+ $user = '',
 $target = undef,
 $options = 'absent'
 ) {
+ $real_user = $user ? {
+ false => $name,
+ "" => $name,
+ default => $user,
+ }
+ case $target {
+ undef: {
+ $real_target = "/home/$real_user/.ssh/authorized_keys"
+ }
+ default: {
+ $real_target = $target
+ }
+ }
 ssh_authorized_key{$name:
 type => $type,
 key => $key,
- user => $user,
- target => $target,
+ user => $real_user,
+ target => $real_target,
 }
 case $options {
-- 
cgit v1.2.3
From 992e6e0f07ea70c2e39df30035f414f33babf6c0 Mon Sep 17 00:00:00 2001
From: Antoine Beaupre
Date: Sat, 6 Dec 2008 18:39:53 -0500
Subject: use the proper fact to export ssh keys. See http://projects.reductivelabs.com/issues/show/1799#note-1
---
 manifests/init.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 20dd1fb..6eb15b3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -211,12 +211,12 @@ class sshd::base {
 notify => Service[sshd],
 }
 # Now add the key, if we've got one
- case $sshrsakey_key {
+ case $sshrsakey {
 '': { info("no sshrsakey on $fqdn") }
 default: {
 @@sshkey{"$hostname.$domain":
 type => ssh-rsa,
- key => $sshrsakey_key,
+ key => $sshrsakey,
 ensure => present,
 }
 }
-- 
cgit v1.2.3
From 461bc0c2f0c7cb11b08c3fa22175bfea2fd4b8f8 Mon Sep 17 00:00:00 2001
From: Antoine Beaupre
Date: Sat, 6 Dec 2008 19:12:17 -0500
Subject: emit a warning instead of info when the ssh server doesn't have an sshrsa key also export the key based on ip address, removing all warnings
---
 manifests/init.pp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 6eb15b3..9d34f50 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
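Review bot: The new `case $target` arm hard-codes `$real_target = "/home/$real_user/.ssh/authorized_keys"` whenever no target is given, which is wrong for `root` (home is `/root`) and for any account whose home is not under `/home`; with the `user => 'root'` default removed in the same hunk, a caller that relied on it now gets a key file under `/home/root/` that sshd does not consult with the default `AuthorizedKeysFile`, and for system accounts the file lands in a directory owned by someone else. The `ssh_authorized_key` type already resolves the user's real home directory when `target` is left unset, so passing `target => $target,` straight through and dropping the `case` keeps the intended default without guessing the path. It is also worth a comment on the define that `$real_user` falls back to the resource title, so titles that are key labels rather than account names (e.g. `alice@laptop`) become the user. The define continues past the end of the hunk (`case $options {`).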
@@ -212,13 +212,18 @@ class sshd::base {
 }
 # Now add the key, if we've got one
 case $sshrsakey {
- '': { info("no sshrsakey on $fqdn") }
+ '': { warning("no sshrsakey on $fqdn") }
 default: {
 @@sshkey{"$hostname.$domain":
 type => ssh-rsa,
 key => $sshrsakey,
 ensure => present,
 }
+ @@sshkey{"$ipaddress":
+ type => ssh-rsa,
+ key => $sshrsakey,
+ ensure => present,
+ }
 }
 }
 service{'sshd':
-- 
cgit v1.2.3
From f44776cbbf1f825e0961c6aedecf67f6652859a6 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 7 Jul 2009 20:52:40 -0400
Subject: replace the sshd_additional_options variable with two, one called sshd_head_additional_options and one called sshd_tail_additional_options. the first puts the value at the beginning of the file, and the second at the end. This is necessary due to some option ordering requiring things to be before others
---
 manifests/init.pp | 23 +++++++++++++++++------
 templates/sshd_config/CentOS.erb | 10 ++++------
 templates/sshd_config/Debian_etch.erb | 8 ++++++--
 templates/sshd_config/Debian_lenny.erb | 8 ++++++--
 templates/sshd_config/Gentoo.erb | 10 ++++------
 templates/sshd_config/OpenBSD.erb | 10 ++++------
 6 files changed, 41 insertions(+), 28 deletions(-)
(limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 0480fee..b7ae200 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
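Review bot: Exporting a second `@@sshkey{"$ipaddress": ...}` per host ties the host key's trust anchor to the primary interface address, which changes on DHCP renewals and is reused when hosts are rebuilt, and any two servers that ever report the same `$ipaddress` export two resources with the same title, which fails catalog compilation on every node that collects them with `Sshkey <<||>>`. Matching by address is what the type's `host_aliases` parameter is for: add `host_aliases => [ "$ipaddress" ],` to the existing `$hostname.$domain` resource and drop the second `@@sshkey`, so each host exports exactly one entry that covers both names. Stale entries are also never retracted when a host disappears, since nothing here exports `ensure => absent`; a comment at the `case $sshrsakey` block saying that collected known_hosts entries must be purged out of band would save operators a surprise.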
@@ -113,10 +113,17 @@
 # Might be interesting for sftponly usage
 # Default: empty -> no change of the default
 #
-# sshd_additional_options: Set this to any additional sshd_options which aren't listed above.
-# As well this option might be usefull to define complexer Match Blocks
-# This string is going to be included, like it is defined. So take care!
-# Default: empty -> not added.
+# sshd_head_additional_options: Set this to any additional sshd_options which aren't listed above.
+# Anything set here will be added to the beginning of the sshd_config file.
+# This option might be useful to define complicated Match Blocks
+# This string is going to be included, like it is defined. So take care!
+# Default: empty -> not added.
+#
+# sshd_tail_additional_options: Set this to any additional sshd_options which aren't listed above.
+# Anything set here will be added to the end of the sshd_config file.
+# This option might be useful to define complicated Match Blocks
+# This string is going to be included, like it is defined. So take care!
+# Default: empty -> not added.
 class sshd {
 include sshd::client
@@ -195,8 +202,12 @@ class sshd::base {
 case $sshd_sftp_subsystem {
 '': { $sshd_sftp_subsystem = '' }
 }
- case $sshd_additional_options {
- '': { $sshd_additional_options = '' }
+ case $sshd_head_additional_options {
+ '': { $sshd_head_additional_options = '' }
+ }
+ case $sshd_tail_additional_options {
+ '': { $sshd_tail_additional_options = '' }
+ }
 }
 file { 'sshd_config':
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 27880cb..a3a9a52 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
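Review bot: The new `sshd_head_additional_options` comment recommends it for `Match` blocks, but sshd_config semantics make the head exactly the wrong place for that: a `Match` block extends until the next `Match` or the end of the file, so a `Match` placed at the head pulls every module-managed directive that follows into its conditional section, and sshd also honours the first occurrence of each keyword, so a global keyword in the head silently overrides the module's own `PasswordAuthentication`, `ChallengeResponseAuthentication` and similar settings, while the same keyword in the tail is silently ignored. Suggest replacing the head block's `Match Blocks` sentence with `# Directives here take precedence over everything the module manages below; never start a Match block here.` and the tail block's with `# Use this for Match blocks; a keyword already set above is ignored here.`. The second hunk in this file only defaults the two variables and needs no change.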
@@ -10,10 +10,8 @@
 # possible, but leave them commented. Uncommented options change a
 # default value.
-<%- unless sshd_port.to_s.empty? then %>
-Port <%= sshd_port %>
-<%- else %>
-Port 22
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
 <%- end %>
 # Use these options to restrict which interfaces/protocols sshd will bind to
@@ -200,7 +198,7 @@ AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index f030a62..2524172 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -1,6 +1,10 @@
 # Package generated configuration file
 # See the sshd(8) manpage for details
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
+<%- end %>
+
 # What ports, IPs and protocols we listen for
 <%- unless sshd_port.to_s.empty? then -%>
 Port <%= sshd_port -%>
@@ -170,7 +174,7 @@ AllowGroups <%= sshd_allowed_groups %>
 PrintMotd no
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 1762da3..c7f4ab4 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -1,6 +1,10 @@
 # Package generated configuration file
 # See the sshd(8) manpage for details
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
+<%- end %>
+
 # What ports, IPs and protocols we listen for
 <%- unless sshd_port.to_s.empty? then -%>
 Port <%= sshd_port -%>
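Review bot: In the CentOS template the head-options block replaces the `Port` handling instead of preceding it: the four removed lines (`unless sshd_port.to_s.empty?` / `Port <%= sshd_port %>` / `else` / `Port 22`) were where `sshd_port` was emitted in this region, so unless `Port` is written somewhere else in the template outside this hunk, a configured non-default port is silently dropped and sshd reverts to its built-in default of 22. The Gentoo and OpenBSD hunks further down make the identical substitution, while both Debian templates correctly insert the new `unless sshd_head_additional_options.to_s.empty?` block ahead of their `Port` lines. Keep the removed `Port` block here and place the new block before it, as the Debian hunks do. The practical effect is a policy reversal a reviewer would not expect from a commit about option ordering: a host that moved off 22 to keep it closed reopens it, and one whose firewall only admits the configured port presumably loses SSH access on the next run.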
@@ -176,7 +180,7 @@ AllowGroups <%= sshd_allowed_groups %>
 PrintMotd no
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 77ed378..ad15031 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -10,10 +10,8 @@
 # possible, but leave them commented. Uncommented options change a
 # default value.
-<%- unless sshd_port.to_s.empty? then %>
-Port <%= sshd_port %>
-<%- else %>
-Port 22
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
 <%- end %>
 # Use these options to restrict which interfaces/protocols sshd will bind to
@@ -203,8 +201,8 @@ AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index a6e0763..045d9ba 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -8,10 +8,8 @@
 # possible, but leave them commented. Uncommented options change a
 # default value.
-<%- unless sshd_port.to_s.empty? then %>
-Port <%= sshd_port %>
-<%- else %>
-Port 22
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
 <%- end %>
 # Use these options to restrict which interfaces/protocols sshd will bind to
@@ -178,6 +176,6 @@ AllowGroups <%= sshd_allowed_groups %>
 # AllowTcpForwarding no
 # ForceCommand cvs server
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
 <%- end %>
-- 
cgit v1.2.3
From dfebe2a9b537a63c7ff0cf4aeb6cda7a132f77a0 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 7 Jul 2009 20:55:01 -0400
Subject: make it possible to override what version of openssh-server and client are installed by providing the variable $sshd_ensure_version, which defaults to the previous value of present when not specified
---
 manifests/client.pp | 23 ++++++++++++++++-------
 manifests/init.pp | 6 ++++++
 2 files changed, 22 insertions(+), 7 deletions(-)
(limited to 'manifests')
diff --git a/manifests/client.pp b/manifests/client.pp
index 34308b4..7dfe913 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -13,13 +13,22 @@ class sshd::client {
 }
 class sshd::client::base {
- # this is needed because the gid might have changed
- file { '/etc/ssh/ssh_known_hosts':
- mode => 0644, owner => root, group => 0;
- }
-
- # Now collect all server keys
- Sshkey <<||>>
+
+ case $sshd_ensure_version {
+ '': { $sshd_ensure_version = "present" }
+ }
+
+ package{openssh-clients:
+ ensure => $sshd_ensure_version,
+ }
+
+ # this is needed because the gid might have changed
+ file { '/etc/ssh/ssh_known_hosts':
+ mode => 0644, owner => root, group => 0;
+ }
+
+ # Now collect all server keys
+ Sshkey <<||>>
 }
 class sshd::client::linux inherits sshd::client::base {
diff --git a/manifests/init.pp b/manifests/init.pp
index b7ae200..5179e08 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -208,6 +208,12 @@ class sshd::base {
 case $sshd_tail_additional_options {
 '': { $sshd_tail_additional_options = '' }
 }
+ case $sshd_ensure_version {
+ '': { $sshd_ensure_version = "present" }
+ }
+
+ package{openssh:
+ ensure => $sshd_ensure_version,
 }
 file { 'sshd_config':
-- 
cgit v1.2.3
From 55e0a6178ba2831231400a23aab97b4d41ecfffc Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 7 Jul 2009 21:02:31 -0400
Subject: the sshd::linux class cannot also define the openssh package if we are to have the possibility of potentially overriding the version number it must be done in the base class
---
 manifests/init.pp | 3 ---
 1 file changed, 3 deletions(-)
(limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 5179e08..ee233db 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -260,9 +260,6 @@ class sshd::base {
 }
 class sshd::linux inherits sshd::base {
- package{openssh:
- ensure => present,
- }
 File[sshd_config]{
 require +> Package[openssh],
 }
-- 
cgit v1.2.3
From d86ec97ab0d15c00d53a61fbac4edde70724486f Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 7 Jul 2009 21:04:23 -0400
Subject: same problem with the openssh-clients in the sshd::client::linux class
---
 manifests/client.pp | 3 ---
 1 file changed, 3 deletions(-)
(limited to 'manifests')
diff --git a/manifests/client.pp b/manifests/client.pp
index 7dfe913..47340b8 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -32,9 +32,6 @@ class sshd::client::base {
 }
 class sshd::client::linux inherits sshd::client::base {
- package {'openssh-clients':
- ensure => installed,
- }
 }
 class sshd::client::debian inherits sshd::client::linux {
-- 
cgit v1.2.3
From 2c3f632e902d10780dcf9b24914e963ef6520af2 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 9 Jul 2009 12:15:10 -0400
Subject: fix previous change which took the client/server packages out of the linux class and instead allow for a version change through an if variable. thanks ng!
---
 manifests/client.pp | 14 +++++---------
 manifests/init.pp | 15 +++++++++++----
 2 files changed, 16 insertions(+), 13 deletions(-)
(limited to 'manifests')
diff --git a/manifests/client.pp b/manifests/client.pp
index 47340b8..d473e3c 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -14,14 +14,6 @@ class sshd::client {
 class sshd::client::base {
- case $sshd_ensure_version {
- '': { $sshd_ensure_version = "present" }
- }
-
- package{openssh-clients:
- ensure => $sshd_ensure_version,
- }
-
 # this is needed because the gid might have changed
 file { '/etc/ssh/ssh_known_hosts':
 mode => 0644, owner => root, group => 0;
@@ -32,9 +24,13 @@ class sshd::client::base {
 }
 class sshd::client::linux inherits sshd::client::base {
+ if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
+ package {'openssh-clients':
+ ensure => $ssh_ensure_version,
+ }
 }
-class sshd::client::debian inherits sshd::client::linux {
+class sshd::client::debian inherits sshd::client::linux {
 Package['openssh-clients']{
 name => 'openssh-client',
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index ee233db..386bd77 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -28,6 +28,13 @@
 # $sshd_use_pam = yes
 # include sshd::debian
 #
+# If you need to install a version of the ssh daemon or client package other than
+# the default one that would be installed by 'ensure => installed', then you can
+# set the following variables:
+#
+# $sshd_ensure_version = "1:5.2p2-6"
+# $ssh_ensure_version = "1:5.2p2-6"
+#
 # The following is a list of the currently available variables:
 #
 # sshd_listen_address: specify the addresses sshd should listen on
@@ -212,10 +219,6 @@ class sshd::base {
 '': { $sshd_ensure_version = "present" }
 }
- package{openssh:
- ensure => $sshd_ensure_version,
- }
-
 file { 'sshd_config':
 path => '/etc/ssh/sshd_config',
 owner => root,
@@ -260,6 +263,10 @@ class sshd::base {
 }
 class sshd::linux inherits sshd::base {
+ if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' }
+ package {'openssh':
+ ensure => $sshd_ensure_version,
+ }
 File[sshd_config]{
 require +> Package[openssh],
 }
-- 
cgit v1.2.3
From d4fba70a51eeb253b0155f378ce7735df9479cd4 Mon Sep 17 00:00:00 2001
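Review bot: The new documentation in init.pp shows `$sshd_ensure_version = "1:5.2p2-6"` as the way to choose a package version but does not say what pinning costs: with `ensure` set to a fixed version Puppet enforces that exact release on every run, so security updates to the daemon are not installed until someone edits the manifest, and any unattended-upgrade mechanism on the host is effectively overridden for this one package. Suggest adding after the two example assignments: `# Pinning a version freezes openssh at that release: security updates are not applied until this value is bumped. Prefer the default unless a specific build is required.`. The same applies to `$ssh_ensure_version` for the client package in client.pp. Separately, the `case $sshd_ensure_version { '': { ... = "present" } }` left in `sshd::base` (visible as context in the third hunk) now duplicates the `if` default added to `sshd::linux`; one of the two defaults should go so the effective value is stated once.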
From: Micah Anderson
Date: Tue, 29 Sep 2009 15:32:36 -0400
Subject: fix missing curly brace
---
 manifests/init.pp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 386bd77..092697c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -263,9 +263,10 @@ class sshd::base {
 }
 class sshd::linux inherits sshd::base {
- if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' }
- package {'openssh':
- ensure => $sshd_ensure_version,
+ if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' } {
+ package {'openssh':
+ ensure => $sshd_ensure_version,
+ }
 }
 File[sshd_config]{
 require +> Package[openssh],
-- 
cgit v1.2.3
From 6601c382962824e7467fb00ea5a84894a901b937 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 1 Oct 2009 18:30:02 -0400
Subject: Revert "fix missing curly brace" -- this was actually correct This reverts commit d4fba70a51eeb253b0155f378ce7735df9479cd4.
---
 manifests/init.pp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 092697c..386bd77 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -263,10 +263,9 @@ class sshd::base {
 }
 class sshd::linux inherits sshd::base {
- if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' } {
- package {'openssh':
- ensure => $sshd_ensure_version,
- }
+ if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' }
+ package {'openssh':
+ ensure => $sshd_ensure_version,
 }
 File[sshd_config]{
 require +> Package[openssh],
-- 
cgit v1.2.3