From 34863e959fcd05dd325a658561f14580d49b6764 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sun, 6 Mar 2011 09:10:44 +0100 Subject: New opt-in support to only use strong SSL ciphers and MACs. The new configuration variable is $sshd_hardened_ssl. Settings were stolen from https://github.com/ioerror/duraconf.git. --- templates/sshd_config/Debian_sid.erb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'templates/sshd_config/Debian_sid.erb') diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 6dc9333..0213342 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> -- cgit v1.2.3 From 0e9e1b6f2c5dca80c946f7944d47f1d28ba76920 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 21 Jul 2011 11:01:33 -0300 Subject: Adding PrintMotd parameter to all templates and setting per-distro default value --- manifests/init.pp | 7 ++++++- templates/sshd_config/CentOS.erb | 2 +- templates/sshd_config/Debian_etch.erb | 4 +--- templates/sshd_config/Debian_lenny.erb | 4 +--- templates/sshd_config/Debian_sid.erb | 2 +- templates/sshd_config/Debian_squeeze.erb | 2 +- templates/sshd_config/FreeBSD.erb | 2 +- templates/sshd_config/Gentoo.erb | 2 +- templates/sshd_config/OpenBSD.erb | 2 +- templates/sshd_config/Ubuntu_lucid.erb | 4 +--- 10 files changed, 15 insertions(+), 16 deletions(-) (limited to 'templates/sshd_config/Debian_sid.erb') diff --git a/manifests/init.pp b/manifests/init.pp index 66b7262..8b3361c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
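Review bot: In the `sshd_hardened_ssl` block added to templates/sshd_config/Debian_sid.erb (hunk `@@ -197,6 +197,11 @@`), `Ciphers aes256-ctr` and `MACs hmac-sha1` each pin exactly one algorithm, so any client that cannot negotiate that pair is refused, and nothing in the generated file explains why. I would add a comment above the two directives, for example `# sshd_hardened_ssl=yes: only aes256-ctr and hmac-sha1 are offered; other clients cannot connect`, and note there that these are SSH transport settings despite the "ssl" in the variable name. The literal list also goes stale: where the target sshd supports the SHA-2 MACs (`hmac-sha2-256`, `hmac-sha2-512`), they should be preferred over `hmac-sha1`, so the comment should say which sshd version the list was chosen for. No default for `sshd_hardened_ssl` is visible because this diff is limited to one file, so it is worth confirming that manifests/init.pp sets one before the template reads it.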
@@ -93,7 +93,12 @@ class sshd { '': { $sshd_ensure_version = "present" } } case $sshd_print_motd { - '': { $sshd_print_motd = "yes" } + '': { + case $operatingsystem { + debian,ubuntu: { $sshd_print_motd = "no" } + default: { $sshd_print_motd = "yes" } + } + } } case $sshd_shared_ip { '': { $sshd_shared_ip = "no" } diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 859759a..3d5b5b0 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -171,7 +171,7 @@ X11Forwarding no <%- end -%> #X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index dbef8b8..1047222 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -170,9 +170,7 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> -<%- if sshd_print_motd.to_s == 'no' then -%> - PrintMotd no -<%- end -%> +PrintMotd <%= sshd_print_motd %> <%- if sshd_hardened_ssl.to_s == 'yes' then -%> Ciphers aes256-ctr diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index c168114..4ffb94c 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -179,9 +179,7 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> -<%- if sshd_print_motd.to_s == 'no' then -%> -PrintMotd no -<%- end -%> +PrintMotd <%= sshd_print_motd %> <%- if sshd_hardened_ssl.to_s == 'yes' then -%> Ciphers aes256-ctr diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 0213342..b211708 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb 
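Review bot: The `case $sshd_print_motd` block in manifests/init.pp (hunk `@@ -93,7 +93,12 @@`) still only handles the empty string, yet this commit makes every template write the value verbatim as `PrintMotd <%= sshd_print_motd %>` (the CentOS, Debian_etch, Debian_lenny, Debian_sid, Debian_squeeze, FreeBSD, Gentoo, OpenBSD and Ubuntu_lucid hunks). Before the change the etch, lenny and lucid templates emitted the directive only for the literal 'no', so a mistyped value had no effect. Now anything other than yes/no lands in sshd_config, where sshd will most likely reject the file on the next restart; on a remotely managed host that means losing SSH access. I would fail at catalog compile time instead by adding `'yes','no': { }` and `default: { fail("sshd_print_motd must be 'yes' or 'no', got '${sshd_print_motd}'") }` to the outer case. The class body continues outside the hunk, so check that no later code relies on other values.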
@@ -145,7 +145,7 @@ X11Forwarding yes X11Forwarding no <%- end -%> X11DisplayOffset 10 -PrintMotd no +PrintMotd <%= sshd_print_motd %> PrintLastLog yes TCPKeepAlive yes diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index dfebcc3..fb58e72 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -145,7 +145,7 @@ X11Forwarding yes X11Forwarding no <%- end -%> X11DisplayOffset 10 -PrintMotd no +PrintMotd <%= sshd_print_motd %> PrintLastLog yes TCPKeepAlive yes diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 38738bc..9853f5d 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -193,7 +193,7 @@ X11Forwarding no X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes TCPKeepAlive yes #UseLogin no diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 38674ce..8581804 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -171,7 +171,7 @@ X11Forwarding no <%- end %> #X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 7a20cd9..b6def87 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -147,7 +147,7 @@ X11Forwarding no <%- end %> #X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 1c44c7b..304558b 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb 
@@ -180,9 +180,7 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> -<%- if sshd_print_motd.to_s == 'no' then -%> -PrintMotd no -<%- end -%> +PrintMotd <%= sshd_print_motd %> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> -- cgit v1.2.3