From 37736c895fd3b73366d7a1b7902de5e9455dfc12 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 17 Sep 2009 10:55:30 +0200 Subject: upstream capability, fix new lines - added new upstream options - don't put new lines for control statements --- templates/sshd_config/CentOS.erb | 108 ++++++++++++++++++++------------------- 1 file changed, 55 insertions(+), 53 deletions(-) (limited to 'templates/sshd_config/CentOS.erb') diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 1e060cb..fcaf4d6 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -10,19 +10,20 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless sshd_port.to_s.empty? then %> +<%- unless sshd_port.to_s.empty? then -%> Port <%= sshd_port %> -<%- else %> -Port 22 -<%- end %> +<%- else -%> +#Port 22 +<%- end -%> +#Protocol 2,1 +Protocol 2 +#AddressFamily any # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> -#AddressFamily any -#Protocol 2,1 -Protocol 2 + # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 
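Review bot: The order of the `Port` block above the `ListenAddress` loop is load-bearing and should be documented, because sshd only attaches the Port values declared before a `ListenAddress` that carries no explicit port; the reordering in this hunk preserves that invariant but nothing in the template says so. Suggest `# Keep Port above ListenAddress: a ListenAddress without :port binds to the Port values declared before it` directly above the `unless sshd_port` block. Separately, `Port <%= sshd_port %>` is emitted without validation, and a non-numeric or out-of-range value makes sshd refuse the whole file at its next restart, so the manifest should check the value before rendering (presumably it does; verify). The template continues past the end of this hunk.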
@@ -42,49 +43,49 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -<%- unless sshd_permit_root_login.to_s.empty? then %> +<%- unless sshd_permit_root_login.to_s.empty? then -%> PermitRootLogin <%= sshd_permit_root_login %> -<%- else %> +<%- else -%> PermitRootLogin without-password -<%- end %> +<%- end -%> -<%- if sshd_strict_modes.to_s == 'yes' then %> +<%- if sshd_strict_modes.to_s == 'yes' then -%> StrictModes yes -<%- else %> +<%- else -%> StrictModes no -<%- end %> +<%- end -%> #MaxAuthTries 6 -<%- if sshd_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> RSAAuthentication yes -<%- else %> +<%- else -%> RSAAuthentication no -<%- end %> +<%- end -%> -<%- if sshd_pubkey_authentication.to_s == 'yes' then %> +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> PubkeyAuthentication yes -<%- else %> +<%- else -%> PubkeyAuthentication no -<%- end %> +<%- end -%> -<%- unless sshd_authorized_keys_file.to_s.empty? then %> +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else %> +<%- else -%> AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end %> +<%- end -%> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> RhostsRSAAuthentication yes -<%- else %> +<%- else -%> RhostsRSAAuthentication no <% end -%> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then %> +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> HostbasedAuthentication yes -<%- else %> +<%- else -%> HostbasedAuthentication no <% end -%> 
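Review bot: The `sshd_strict_modes.to_s == 'yes'` test with `StrictModes no` in the else branch renders the weaker setting for every value that is not exactly the string `yes` (unset, empty, a boolean true, `Yes`), which is below sshd's own default of `StrictModes yes`; whether the manifest guarantees a value cannot be told from this hunk. The same unset-means-off shape is used for RSAAuthentication, PubkeyAuthentication, RhostsRSAAuthentication and HostbasedAuthentication here, and for IgnoreRhosts in the next hunk and UsePAM in the one after, where sshd's default is likewise `yes`. For keywords whose safe value is yes, invert the test so an absent value fails closed: `<%- if sshd_strict_modes.to_s == 'no' then -%>` / `StrictModes no` / `<%- else -%>` / `StrictModes yes`. The PermitRootLogin fallback of `without-password` is the one block in this hunk that already lands on the safer side.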
@@ -93,32 +94,32 @@ HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then %> +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> IgnoreRhosts yes -<%- else %> +<%- else -%> IgnoreRhosts no <% end -%> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then %> +<%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes -<%- else %> +<%- else -%> PasswordAuthentication no -<%- end %> +<%- end -%> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> ChallengeResponseAuthentication yes -<%- else %> +<%- else -%> ChallengeResponseAuthentication no -<%- end %> +<%- end -%> # Kerberos options #KerberosAuthentication no 
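Review bot: The PermitEmptyPasswords block keeps `<% else -%>` / `<% end -%>` and the IgnoreRhosts block keeps `<% end -%>`, while every other tag in this hunk was switched to `<%- … -%>`; at column 0 the leading `-` changes nothing, so the rendered file is identical, but the mixed spelling makes it look as if those tags were skipped by mistake. Use `<%- else -%>` and `<%- end -%>` throughout to match the rest of the commit. The inherited comment `# To disable tunneled clear text passwords, change to no here!` now sits above a block driven by `sshd_password_authentication`, so editing the rendered file is the wrong fix; `# PasswordAuthentication is driven by sshd_password_authentication; any value other than 'yes' disables clear-text passwords` would point the reader at the manifest instead.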
@@ -139,30 +140,30 @@ ChallengeResponseAuthentication no # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no -<%- if sshd_use_pam.to_s == 'yes' then %> +<%- if sshd_use_pam.to_s == 'yes' then -%> UsePAM yes -<%- else %> +<%- else -%> UsePAM no -<%- end %> +<%- end -%> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL -<%- if sshd_tcp_forwarding.to_s == 'yes' then %> +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes -<%- else %> +<%- else -%> AllowTcpForwarding no -<%- end %> +<%- end -%> #GatewayPorts no #X11Forwarding no -<%- if sshd_x11_forwarding.to_s == 'yes' then %> +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes -<%- else %> +<%- else -%> X11Forwarding no -<%- end %> +<%- end -%> #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes 
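Review bot: `AllowTcpForwarding no` is rendered without the caveat from sshd_config(5) that disabling TCP forwarding does not improve security unless users are also denied shell access, so operators may read the `sshd_tcp_forwarding` switch as a hardening control when it is not one for shell users. A one-line comment above the if block, `# AllowTcpForwarding no only restricts users without shell access (see sshd_config(5))`, would keep that expectation honest. The same applies to the X11Forwarding block below it, where the setting is a convenience switch rather than a boundary. The template continues past both ends of this hunk.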
@@ -179,26 +180,27 @@ X11Forwarding no #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no +#ChrootDirectory none # no default banner path #Banner /some/path # override default of no subsystems -<%- if sshd_sftp_subsystem.to_s.empty? then %> +<%- if sshd_sftp_subsystem.to_s.empty? then -%> Subsystem sftp /usr/libexec/openssh/sftp-server -<%- else %> +<%- else -%> Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +<%- end -%> -<%- unless sshd_allowed_users.to_s.empty? then %> +<%- unless sshd_allowed_users.to_s.empty? then -%> AllowUsers <%= sshd_allowed_users %> -<%- end %> -<%- unless sshd_allowed_groups.to_s.empty? then %> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then -%> AllowGroups <%= sshd_allowed_groups %> -<%- end %> +<%- end -%> -<%- unless sshd_additional_options.to_s.empty? then %> +<%- unless sshd_additional_options.to_s.empty? then -%> <%= sshd_additional_options %> -<%- end %> +<%- end -%> -- cgit v1.2.3
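Review bot: When both `sshd_allowed_users` and `sshd_allowed_groups` are set, the rendered `AllowUsers` and `AllowGroups` lines are both enforced — sshd evaluates DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order, so a login must satisfy each list — and that is easy to misread as either/or; a comment above the two unless blocks, `# AllowUsers and AllowGroups are both applied when both are set; a login must pass each list`, would make the contract explicit. `<%= sshd_additional_options %>` is spliced in verbatim at the end of the file, and since sshd keeps the first value it reads for a keyword, a directive repeated there silently has no effect on anything rendered above it (Match blocks, which must come last, are the exception); a comment stating that saves a round of debugging. Whether the manifest validates either value before rendering cannot be told from this hunk.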