From d827a52614fc41ca98e2f2fc453da2e2ae4965ec Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 16:51:32 -0400 Subject: rename the templates to coincide with the downcased lsbdistcodename also add a missing comma in the content selector --- templates/sshd_config/Debian_etch.erb | 163 ++++++++++++++++++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 templates/sshd_config/Debian_etch.erb (limited to 'templates/sshd_config/Debian_etch.erb') diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb new file mode 100644 index 0000000..09be201 --- /dev/null +++ b/templates/sshd_config/Debian_etch.erb 
@@ -0,0 +1,163 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+<%- unless real_sshd_port.to_s.empty? then -%>
+Port <%= real_sshd_port -%>
+<%- else -%>
+Port 22
+<%- end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# ...but breaks Pam auth via kbdint, so we have to turn it off
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user (off due to PrivSep)
+#PAMAuthenticationViaKbdInt no
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= real_sshd_permit_root_login -%>
+<%- else -%>
+PermitRootLogin without-password
+<%- end -%>
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+StrictModes yes
+<%- else -%>
+StrictModes no
+<%- end -%>
+
+<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+RSAAuthentication yes
+<%- else -%>
+RSAAuthentication no
+<%- end -%>
+
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+PubkeyAuthentication yes
+<%- else -%>
+PubkeyAuthentication no
+<%- end -%>
+
+<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- else -%>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<%- end -%>
+
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+RhostsRSAAuthentication yes
+<%- else -%>
+RhostsRSAAuthentication no
+<% end -%>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+IgnoreRhosts yes
+<%- else -%>
+IgnoreRhosts no
+<% end -%>
+
+# similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+HostbasedAuthentication yes
+<%- else -%>
+HostbasedAuthentication no
+<% end -%>
+
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
+
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+ChallengeResponseAuthentication yes
+<%- else -%>
+ChallengeResponseAuthentication no
+<%- end -%>
+
+# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+PasswordAuthentication yes
+<%- else -%>
+PasswordAuthentication no
+<%- end -%>
+
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+X11Forwarding yes
+<%- else -%>
+X11Forwarding no
+<%- end -%>
+X11DisplayOffset 10
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+
+#Subsystem sftp /usr/lib/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+UsePAM yes
+<%- else -%>
+UsePAM no
+<%- end -%>
+
+HostbasedUsesNameFromPacketOnly yes
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+AllowTcpForwarding yes
+<%- else -%>
+AllowTcpForwarding no
+<%- end -%>
+
+ChallengeResponseAuthentication no
+
+<%- unless real_sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= real_sshd_allowed_users -%>
+<%- end -%>
+
-- cgit v1.2.3 From 1f25b213e1ff1c953dac53f02d862612a5e09c0f Mon Sep 17 00:00:00 2001
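Review bot: The hard-coded `ChallengeResponseAuthentication no` near the end of the template never takes effect, because sshd keeps the first value it reads for each keyword and the conditional block earlier in the file already emits `ChallengeResponseAuthentication yes|no` from `real_sshd_challenge_response_authentication`. A reader sees the trailing "no" and may assume challenge-response is always off, while a node with that variable set to 'yes' actually enables it; either drop the trailing line or, if a hard floor is intended, drop the conditional instead. On the same basis `KeyRegenerationInterval` and `ServerKeyBits` only govern protocol 1, which `Protocol 2` excludes, so they are dead settings that deserve a comment saying so. `PermitRootLogin without-password` is the rendered default when the variable is empty, and the UsePAM comment in the same file already notes that PAM via ChallengeResponseAuthentication may bypass it, which is one more reason the trailing line should not look like a guarantee.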
From: Micah Anderson Date: Mon, 27 Oct 2008 15:45:11 -0400 Subject: Debian's sshd config typically has PrintMotd no set because its already printed via PAM. Without it set, it is defaulted to 'yes', which results in the MOTD being printed twice, so we return the Debian default configuration in this commit --- templates/sshd_config/Debian_etch.erb | 2 +- templates/sshd_config/Debian_lenny.erb | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'templates/sshd_config/Debian_etch.erb') diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 28aa52c..f30242d 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -168,9 +168,9 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +PrintMotd no <%- unless sshd_additional_options.to_s.empty? then %> <%= sshd_additional_options %> <%- end %> - diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 8d68808..146e664 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -174,6 +174,7 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +PrintMotd no <%- unless sshd_additional_options.to_s.empty? then %> <%= sshd_additional_options %> -- cgit v1.2.3 From 78938cde2a23ad8daa0ecb4aff7abe870233048f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 7 Dec 2008 12:15:41 -0500 Subject: Fix location of default sftp-server on Debian, and uncomment the sftp configuration line to get the sshd_config file defaults to be more like the standard shipped defaults from Debian --- templates/sshd_config/Debian_etch.erb | 2 +- templates/sshd_config/Debian_lenny.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'templates/sshd_config/Debian_etch.erb') 
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index f30242d..f030a62 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -131,7 +131,7 @@ KeepAlive yes #ReverseMappingCheck yes <%- if sshd_sftp_subsystem.to_s.empty? then %> -#Subsystem sftp /usr/lib/sftp-server +Subsystem sftp /usr/lib/openssh/sftp-server <%- else %> Subsystem sftp <%= sshd_sftp_subsystem %> <%- end %> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 146e664..1762da3 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -131,7 +131,7 @@ KeepAlive yes #ReverseMappingCheck yes <%- if sshd_sftp_subsystem.to_s.empty? then %> -#Subsystem sftp /usr/lib/sftp-server +Subsystem sftp /usr/lib/openssh/sftp-server <%- else %> Subsystem sftp <%= sshd_sftp_subsystem %> <%- end %> -- cgit v1.2.3 From f44776cbbf1f825e0961c6aedecf67f6652859a6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 7 Jul 2009 20:52:40 -0400 Subject: replace the sshd_additional_options variable with two, one called sshd_head_additional_options and one called sshd_tail_additional_options. the first puts the value at the beginning of the file, and the second at the end. This is necessary due to some option ordering requiring things to be before others --- manifests/init.pp | 23 +++++++++++++++++------ templates/sshd_config/CentOS.erb | 10 ++++------ templates/sshd_config/Debian_etch.erb | 8 ++++++-- templates/sshd_config/Debian_lenny.erb | 8 ++++++-- templates/sshd_config/Gentoo.erb | 10 ++++------ templates/sshd_config/OpenBSD.erb | 10 ++++------ 6 files changed, 41 insertions(+), 28 deletions(-) (limited to 'templates/sshd_config/Debian_etch.erb') diff --git a/manifests/init.pp b/manifests/init.pp index 0480fee..b7ae200 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
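Review bot: With this change an empty `sshd_sftp_subsystem` now renders an active `Subsystem sftp /usr/lib/openssh/sftp-server` instead of a commented one, so no value of the variable produces a config without the sftp subsystem any more; the Debian_lenny hunk makes the same change. Hosts where the subsystem was deliberately left off inherit it on the next Puppet run without any manifest change. If disabling should stay possible, reserve a sentinel value for it and record the new default in the `sshd_sftp_subsystem` description in manifests/init.pp. The `<%= sshd_sftp_subsystem %>` branch also inserts the value verbatim, so a value with extra tokens or a newline becomes extra directives and only fails when sshd reloads; validating it in the manifest would fail at catalog compile instead.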
@@ -113,10 +113,17 @@ # Might be interesting for sftponly usage # Default: empty -> no change of the default # -# sshd_additional_options: Set this to any additional sshd_options which aren't listed above. -# As well this option might be usefull to define complexer Match Blocks -# This string is going to be included, like it is defined. So take care! -# Default: empty -> not added. +# sshd_head_additional_options: Set this to any additional sshd_options which aren't listed above. +# Anything set here will be added to the beginning of the sshd_config file. +# This option might be useful to define complicated Match Blocks +# This string is going to be included, like it is defined. So take care! +# Default: empty -> not added. +# +# sshd_tail_additional_options: Set this to any additional sshd_options which aren't listed above. +# Anything set here will be added to the end of the sshd_config file. +# This option might be useful to define complicated Match Blocks +# This string is going to be included, like it is defined. So take care! +# Default: empty -> not added. class sshd { include sshd::client @@ -195,8 +202,12 @@ class sshd::base { case $sshd_sftp_subsystem { '': { $sshd_sftp_subsystem = '' } } - case $sshd_additional_options { - '': { $sshd_additional_options = '' } + case $sshd_head_additional_options { + '': { $sshd_head_additional_options = '' } + } + case $sshd_tail_additional_options { + '': { $sshd_tail_additional_options = '' } + } } file { 'sshd_config': diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 27880cb..a3a9a52 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb 
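Review bot: The new documentation recommends `sshd_head_additional_options` for Match blocks, but everything at the head of the file is followed by the templated global directives, and sshd treats all lines after a `Match` as part of that block until the next `Match`; directives such as `Port`, `HostKey` or `Protocol` are not permitted there and sshd rejects the config, while permitted ones (PermitRootLogin, PasswordAuthentication, AllowUsers) silently become conditional. Because sshd also keeps the first value it reads for each keyword, head options override every setting the module renders below them, including the authentication hardening. I would make the comment say so: `# sshd_head_additional_options: ... Options here take precedence over everything this module sets, and must not contain Match blocks (sshd treats every following line as part of the Match); use sshd_tail_additional_options for those.` The template hunks for CentOS, Debian_etch, Debian_lenny, Gentoo and OpenBSD on the following lines all place the head block before Port, so the same applies to each of them.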
@@ -10,10 +10,8 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless sshd_port.to_s.empty? then %> -Port <%= sshd_port %> -<%- else %> -Port 22 +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> <%- end %> # Use these options to restrict which interfaces/protocols sshd will bind to @@ -200,7 +198,7 @@ AllowGroups <%= sshd_allowed_groups %> <%- end %> -<%- unless sshd_additional_options.to_s.empty? then %> -<%= sshd_additional_options %> +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index f030a62..2524172 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -1,6 +1,10 @@ # Package generated configuration file # See the sshd(8) manpage for details +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + # What ports, IPs and protocols we listen for <%- unless sshd_port.to_s.empty? then -%> Port <%= sshd_port -%> @@ -170,7 +174,7 @@ AllowGroups <%= sshd_allowed_groups %> PrintMotd no -<%- unless sshd_additional_options.to_s.empty? then %> -<%= sshd_additional_options %> +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 1762da3..c7f4ab4 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -1,6 +1,10 @@ # Package generated configuration file # See the sshd(8) manpage for details +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + # What ports, IPs and protocols we listen for <%- unless sshd_port.to_s.empty? then -%> Port <%= sshd_port -%> 
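Review bot: The CentOS hunk replaces the whole `Port` block with the head-options block rather than adding to it, so after this commit the CentOS template emits no `Port` line at all and a configured `sshd_port` is silently ignored (sshd falls back to its built-in 22); the Gentoo and OpenBSD hunks on the next line do the same, whereas the Debian_etch and Debian_lenny hunks keep their Port block. The later commit 93e2f4d on this page re-adds the block, but as committed here a node running on a non-default port reverts to 22 on its next run. Keeping the four removed lines below the new `<%- end %>` would have made the change additive.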
@@ -176,7 +180,7 @@ AllowGroups <%= sshd_allowed_groups %> PrintMotd no -<%- unless sshd_additional_options.to_s.empty? then %> -<%= sshd_additional_options %> +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 77ed378..ad15031 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -10,10 +10,8 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless sshd_port.to_s.empty? then %> -Port <%= sshd_port %> -<%- else %> -Port 22 +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> <%- end %> # Use these options to restrict which interfaces/protocols sshd will bind to @@ -203,8 +201,8 @@ AllowGroups <%= sshd_allowed_groups %> <%- end %> -<%- unless sshd_additional_options.to_s.empty? then %> -<%= sshd_additional_options %> +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index a6e0763..045d9ba 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,10 +8,8 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless sshd_port.to_s.empty? then %> -Port <%= sshd_port %> -<%- else %> -Port 22 +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> <%- end %> # Use these options to restrict which interfaces/protocols sshd will bind to @@ -178,6 +176,6 @@ AllowGroups <%= sshd_allowed_groups %> # AllowTcpForwarding no # ForceCommand cvs server -<%- unless sshd_additional_options.to_s.empty? then %> -<%= sshd_additional_options %> +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> <%- end %> -- cgit v1.2.3 
From 93e2f4d4c02d01fd430d1b9e1cf6860508a03773 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 7 Jul 2009 20:55:13 -0400 Subject: Template out the possibility of specifying the key word 'off' to the $sshd_port parameter, which simply puts a comment in front of that option, rather than specifying it. --- templates/sshd_config/CentOS.erb | 10 ++++++++++ templates/sshd_config/Debian_etch.erb | 4 ++++ templates/sshd_config/Debian_lenny.erb | 4 ++++ templates/sshd_config/Gentoo.erb | 10 ++++++++++ templates/sshd_config/OpenBSD.erb | 10 ++++++++++ 5 files changed, 38 insertions(+) (limited to 'templates/sshd_config/Debian_etch.erb') diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index a3a9a52..bc5256a 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -14,6 +14,16 @@ <%= sshd_head_additional_options %> <%- end %> +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> ListenAddress <%= address %> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 2524172..746a447 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -7,7 +7,11 @@ # What ports, IPs and protocols we listen for <%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> Port <%= sshd_port -%> +<% end -%> <%- else -%> Port 22 <%- end -%> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index c7f4ab4..18f3e4d 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb 
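Review bot: `off` does not turn the listener off: with the Port line commented out sshd listens on its compiled-in default (22) and the ListenAddress lines below still apply, so the `#Port -- disabled by puppet` comment and the keyword promise more than they deliver; the `sshd_port` description in manifests/init.pp should state that 'off' means "leave sshd's default" rather than "no port". Any other value of `sshd_port` is interpolated verbatim into `Port <%= sshd_port -%>`, so a non-numeric or multi-token value only fails when sshd restarts; checking it in the manifest (digits or the literal 'off') would fail at catalog compile instead. The same nine-line block is now copied verbatim into five templates (Debian_etch on this line, Debian_lenny, Gentoo and OpenBSD on the next) and mixes `<%- … -%>` with `<% … -%>` tags; a single shared fragment would keep them in step.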
@@ -7,7 +7,11 @@ # What ports, IPs and protocols we listen for <%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> Port <%= sshd_port -%> +<% end -%> <%- else -%> Port 22 <%- end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index ad15031..2112f0d 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -14,6 +14,16 @@ <%= sshd_head_additional_options %> <%- end %> +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> ListenAddress <%= address %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 045d9ba..69e8afa 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -12,6 +12,16 @@ <%= sshd_head_additional_options %> <%- end %> +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> ListenAddress <%= address %> -- cgit v1.2.3