From 35768ed1e839ffa4c23d7a9ce06e8b34cec0228f Mon Sep 17 00:00:00 2001
From: Gabriel Filion
Date: Wed, 19 Jan 2011 17:13:39 -0500
Subject: Add an sshd_config template for FreeBSD
Since there is no "catch-all" default configuration file for sshd, we need to add for each OS. Add a template for FreeBSD so that sshd can be configured on this OS.
Signed-off-by: Gabriel Filion
---
 templates/sshd_config/FreeBSD.erb | 220 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 220 insertions(+)
 create mode 100644 templates/sshd_config/FreeBSD.erb
(limited to 'templates/sshd_config/FreeBSD.erb')
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
new file mode 100644
index 0000000..1d3de07
--- /dev/null
+++ b/templates/sshd_config/FreeBSD.erb
@@ -0,0 +1,220 @@
+# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
+# $FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.2.2.1 2010/06/14 02:09:06 kensmith Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
+#VersionAddendum FreeBSD-20100308
+
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
+<%- end %>
+
+<%- unless sshd_port.to_s.empty? then -%>
+<%- if sshd_port.to_s == 'off' then -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= sshd_port -%>
+<% end -%>
+<%- else -%>
+Port 22
+<%- end -%>
+
+#AddressFamily any
+<% for address in sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+
+# The default requires explicit activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+
+LoginGraceTime 600
+<%- unless sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= sshd_permit_root_login -%>
+<%- else -%>
+PermitRootLogin without-password
+<%- end -%>
+
+<%- if sshd_strict_modes.to_s == 'yes' then -%>
+StrictModes yes
+<%- else -%>
+StrictModes no
+<%- end -%>
+
+#MaxAuthTries 6
+#MaxSessions 10
+
+<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
+RSAAuthentication yes
+<%- else -%>
+RSAAuthentication no
+<%- end -%>
+
+<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
+PubkeyAuthentication yes
+<%- else -%>
+PubkeyAuthentication no
+<%- end -%>
+
+<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
+<%- else -%>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<%- end -%>
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+RhostsRSAAuthentication yes
+<%- else -%>
+RhostsRSAAuthentication no
+<% end -%>
+
+# similar for protocol version 2
+<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
+HostbasedAuthentication yes
+<%- else -%>
+HostbasedAuthentication no
+<% end -%>
+
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# Change to yes to enable built-in password authentication.
+<%- if sshd_password_authentication.to_s == 'yes' then -%>
+PasswordAuthentication yes
+<%- else -%>
+PasswordAuthentication no
+<%- end -%>
+
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
+
+# Change to no to disable PAM authentication
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
+ChallengeResponseAuthentication yes
+<%- else -%>
+ChallengeResponseAuthentication no
+<%- end -%>
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'no' to disable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+<%- if sshd_use_pam.to_s == 'yes' then -%>
+UsePAM yes
+<%- else -%>
+UsePAM no
+<%- end -%>
+
+<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
+AllowAgentForwarding yes
+<%- else -%>
+AllowAgentForwarding no
+<%- end -%>
+
+<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
+AllowTcpForwarding yes
+<%- else -%>
+AllowTcpForwarding no
+<%- end -%>
+
+#GatewayPorts no
+<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
+X11Forwarding yes
+<%- else -%>
+X11Forwarding no
+<%- end -%>
+
+X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
+Subsystem sftp /usr/libexec/sftp-server
+<%- else %>
+Subsystem sftp <%= sshd_sftp_subsystem %>
+<%- end %>
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
+
+<%- unless sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= sshd_allowed_users -%>
+<%- end -%>
+
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
+<%- end %>
+
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
+<%- end %>
+
-- cgit v1.2.3
From 95bf6e032bda5c2799d44b5fb6aa6c46c109d0d8 Mon Sep 17 00:00:00 2001
From: Gabriel Filion
Date: Mon, 21 Feb 2011 15:18:14 -0500
Subject: FreeBSD: Use variables for the Kerberos options
Signed-off-by: Gabriel Filion
---
 templates/sshd_config/FreeBSD.erb | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)
(limited to 'templates/sshd_config/FreeBSD.erb')
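Review bot: Every yes/no option in this template falls through to `no` unless its variable is exactly the string 'yes', and for `StrictModes` that fall-through (the `StrictModes no` else branch) is weaker than the sshd default of yes, so an unset or differently-cased `sshd_strict_modes` silently disables the ownership and permission checks on the user's ~/.ssh files; whether manifests/init.pp seeds these variables to 'yes' is not visible here. Inverting that block so the safe value is the fall-through, `<%- if sshd_strict_modes.to_s == 'no' then -%>` / `StrictModes no` / else `StrictModes yes`, removes the dependency on the manifest, and the same shape would suit `UsePAM`, whose own comment block above it describes the consequences of the setting. Separately, `<% for address in sshd_listen_address -%>` raises if the variable is nil, unlike the `.to_s.empty?` guards used on the other optional variables in this file; `Array(sshd_listen_address)` would make the loop tolerate an unset value.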
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index 1d3de07..4e4329a 100644
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@ -130,14 +130,33 @@ ChallengeResponseAuthentication no
 <%- end -%>
 
 # Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
+<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
+KerberosAuthentication yes
+<%- else -%>
+KerberosAuthentication no
+<%- end -%>
+<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
+KerberosOrLocalPasswd yes
+<%- else -%>
+KerberosOrLocalPasswd no
+<%- end -%>
+<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
+KerberosTicketCleanup yes
+<%- else -%>
+KerberosTicketCleanup no
+<%- end -%>
 
 # GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
+<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
+GSSAPIAuthentication yes
+<%- else -%>
+GSSAPIAuthentication no
+<%- end -%>
+<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
+GSSAPICleanupCredentials yes
+<%- else -%>
+GSSAPICleanupCredentials yes
+<%- end -%>
 
 # Set this to 'no' to disable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-- cgit v1.2.3
From b221570654920306e59948dde08378a95fa4612d Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 14 Jul 2011 13:15:27 -0300
Subject: Updating FreeBSD template for new sshd_ports variable
---
 templates/sshd_config/FreeBSD.erb | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'templates/sshd_config/FreeBSD.erb')
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index 4e4329a..6714003 100644
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
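Review bot: The `GSSAPICleanupCredentials` block tests `sshd_gssapi_authentication` rather than a variable of its own and renders `GSSAPICleanupCredentials yes` in both branches, so the conditional is dead and the option can never be turned off; it reads as a copy of the `GSSAPIAuthentication` block above it with the name changed in only two of the five lines. Either give it a dedicated variable declared in manifests/init.pp, with `yes` (the upstream default the removed comment documented) as the fall-through, or collapse the five lines to the single line `GSSAPICleanupCredentials yes`. Note also that `KerberosOrLocalPasswd` and `KerberosTicketCleanup` now render `no` whenever their variables are unset, whereas the commented lines they replace documented an upstream default of yes, so hosts that set neither variable change behaviour with this commit; `#KerberosGetAFSToken no` is dropped without replacement.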
@@ -20,14 +20,13 @@
 <%= sshd_head_additional_options %>
 <%- end %>
 
-<%- unless sshd_port.to_s.empty? then -%>
-<%- if sshd_port.to_s == 'off' then -%>
+# What ports, IPs and protocols we listen for
+<%- sshd_ports.each do |port| -%>
+<%- if port.to_s == 'off' then -%>
 #Port -- disabled by puppet
 <% else -%>
-Port <%= sshd_port -%>
+Port <%= port %>
 <% end -%>
-<%- else -%>
-Port 22
 <%- end -%>
 
 #AddressFamily any
-- cgit v1.2.3
From a5312442b6426951d4f6fa0c89128f4be5d93a5d Mon Sep 17 00:00:00 2001
From: Gabriel Filion
Date: Sat, 16 Jul 2011 23:45:24 -0400
Subject: Enable $ssh_hardened_ssl for FreeBSD
It is the only sshd_config template that didn't have this option, so copy it from the other templates.
Signed-off-by: Gabriel Filion
---
 templates/sshd_config/FreeBSD.erb | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'templates/sshd_config/FreeBSD.erb')
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index 6714003..38738bc 100644
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@ -232,6 +232,11 @@ AllowUsers <%= sshd_allowed_users -%>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
-- cgit v1.2.3
From 0e9e1b6f2c5dca80c946f7944d47f1d28ba76920 Mon Sep 17 00:00:00 2001
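Review bot: With the `Port 22` fall-through removed, an empty `sshd_ports` renders no `Port` line at all (sshd then falls back to its built-in default, which is probably the intent) but a nil `sshd_ports` makes `sshd_ports.each` raise while the template is evaluated, whereas the `sshd_port.to_s.empty?` guard this replaces tolerated an unset variable; whether manifests/init.pp always supplies an array is not visible in this hunk. `<%- Array(sshd_ports).each do |port| -%>` keeps the loop and accepts nil or a single scalar as well as a list. A smaller point: the `#Port -- disabled by puppet` marker is now written once per 'off' entry rather than once, which is harmless but deserves a comment so nobody "fixes" the repetition later.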
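Review bot: The hardened block pins sshd to exactly one cipher and one MAC (`Ciphers aes256-ctr`, `MACs hmac-sha1`) with no comment explaining the policy, and the commit message says these literal lines were copied from the other templates, so the algorithm set now lives in several files with nothing tying them together. A comment above the `<%- if sshd_hardened_ssl` line such as `# Hardened algorithm set; the same two lines are repeated in every sshd_config template, keep them in sync` would at least make the duplication visible to the next person who changes it. It is also worth stating in that comment that a client which does not offer hmac-sha1 is refused when `sshd_hardened_ssl` is 'yes', since that is the only MAC left on the list.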
From: Silvio Rhatto
Date: Thu, 21 Jul 2011 11:01:33 -0300
Subject: Adding PrintMotd parameter to all templates and setting per-distro default value
---
 manifests/init.pp | 7 ++++++-
 templates/sshd_config/CentOS.erb | 2 +-
 templates/sshd_config/Debian_etch.erb | 4 +---
 templates/sshd_config/Debian_lenny.erb | 4 +---
 templates/sshd_config/Debian_sid.erb | 2 +-
 templates/sshd_config/Debian_squeeze.erb | 2 +-
 templates/sshd_config/FreeBSD.erb | 2 +-
 templates/sshd_config/Gentoo.erb | 2 +-
 templates/sshd_config/OpenBSD.erb | 2 +-
 templates/sshd_config/Ubuntu_lucid.erb | 4 +---
 10 files changed, 15 insertions(+), 16 deletions(-)
(limited to 'templates/sshd_config/FreeBSD.erb')
diff --git a/manifests/init.pp b/manifests/init.pp
index 66b7262..8b3361c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -93,7 +93,12 @@ class sshd {
 '': { $sshd_ensure_version = "present" }
 }
 case $sshd_print_motd {
- '': { $sshd_print_motd = "yes" }
+ '': {
+ case $operatingsystem {
+ debian,ubuntu: { $sshd_print_motd = "no" }
+ default: { $sshd_print_motd = "yes" }
+ }
+ }
 }
 case $sshd_shared_ip {
 '': { $sshd_shared_ip = "no" }
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 859759a..3d5b5b0 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -171,7 +171,7 @@ X11Forwarding no
 <%- end -%>
 #X11DisplayOffset 10
 #X11UseLocalhost yes
-#PrintMotd yes
+PrintMotd <%= sshd_print_motd %>
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index dbef8b8..1047222 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -170,9 +170,7 @@ AllowUsers <%= sshd_allowed_users -%>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
-<%- if sshd_print_motd.to_s == 'no' then -%>
- PrintMotd no
-<%- end -%>
+PrintMotd <%= sshd_print_motd %>
 
 <%- if sshd_hardened_ssl.to_s == 'yes' then -%>
 Ciphers aes256-ctr
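Review bot: `$sshd_print_motd` is only normalized for the empty case, yet every template in this commit (CentOS, Debian_etch, Debian_lenny, Debian_sid, Debian_squeeze, FreeBSD, Gentoo, OpenBSD, Ubuntu_lucid) now writes `PrintMotd <%= sshd_print_motd %>` verbatim, unlike the other yes/no options in those templates, which compare against 'yes' and emit a fixed value in the else branch. Any other value, a typo or a capitalised `Yes`, is written into sshd_config and rejected by sshd, so the daemon fails on its next restart or reload instead of the error surfacing at catalog compile time. Adding the arms `'yes', 'no': {}` and `default: { fail("sshd_print_motd must be 'yes' or 'no'") }` after the `'':` arm of `case $sshd_print_motd` would catch it where the value is set, and the same check would serve the other yes/no variables the manifest defaults. The enclosing `class sshd` body starts and ends outside this hunk.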
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index c168114..4ffb94c 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -179,9 +179,7 @@ AllowUsers <%= sshd_allowed_users -%>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
-<%- if sshd_print_motd.to_s == 'no' then -%>
-PrintMotd no
-<%- end -%>
+PrintMotd <%= sshd_print_motd %>
 
 <%- if sshd_hardened_ssl.to_s == 'yes' then -%>
 Ciphers aes256-ctr
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index 0213342..b211708 100644
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -145,7 +145,7 @@ X11Forwarding yes
 X11Forwarding no
 <%- end -%>
 X11DisplayOffset 10
-PrintMotd no
+PrintMotd <%= sshd_print_motd %>
 PrintLastLog yes
 TCPKeepAlive yes
 
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index dfebcc3..fb58e72 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -145,7 +145,7 @@ X11Forwarding yes
 X11Forwarding no
 <%- end -%>
 X11DisplayOffset 10
-PrintMotd no
+PrintMotd <%= sshd_print_motd %>
 PrintLastLog yes
 TCPKeepAlive yes
 
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index 38738bc..9853f5d 100644
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@ -193,7 +193,7 @@ X11Forwarding no
 
 X11DisplayOffset 10
 #X11UseLocalhost yes
-#PrintMotd yes
+PrintMotd <%= sshd_print_motd %>
 #PrintLastLog yes
 TCPKeepAlive yes
 #UseLogin no
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 38674ce..8581804 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -171,7 +171,7 @@ X11Forwarding no
 <%- end %>
 #X11DisplayOffset 10
 #X11UseLocalhost yes
-#PrintMotd yes
+PrintMotd <%= sshd_print_motd %>
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index 7a20cd9..b6def87 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -147,7 +147,7 @@ X11Forwarding no
 <%- end %>
 #X11DisplayOffset 10
 #X11UseLocalhost yes
-#PrintMotd yes
+PrintMotd <%= sshd_print_motd %>
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb
index 1c44c7b..304558b 100644
--- a/templates/sshd_config/Ubuntu_lucid.erb
+++ b/templates/sshd_config/Ubuntu_lucid.erb
@@ -180,9 +180,7 @@ AllowUsers <%= sshd_allowed_users -%>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
-<%- if sshd_print_motd.to_s == 'no' then -%>
-PrintMotd no
-<%- end -%>
+PrintMotd <%= sshd_print_motd %>
 
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
-- cgit v1.2.3