From 96bbe0adb8323ecb8e95e6be8900e6dd1b57b419 Mon Sep 17 00:00:00 2001
From: mh
Date: Mon, 20 Oct 2008 22:46:50 +0000
Subject: new options, cleaned up real_ hack

git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2527 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
---
 templates/sshd_config/OpenBSD.erb | 51 ++++++++++++++++++++++++---------------
 1 file changed, 31 insertions(+), 20 deletions(-)
(limited to 'templates/sshd_config/OpenBSD.erb')

diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index 32f6780..a6e0763 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -8,14 +8,14 @@
 # possible, but leave them commented. Uncommented options change a
 # default value.
 
-<%- unless real_sshd_port.to_s.empty? then %>
-Port <%= real_sshd_port %>
+<%- unless sshd_port.to_s.empty? then %>
+Port <%= sshd_port %>
 <%- else %>
 Port 22
 <%- end %>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
-<% for address in real_sshd_listen_address -%>
+<% for address in sshd_listen_address -%>
 ListenAddress <%= address %>
 <% end -%>
 #Protocol 2,1
@@ -39,13 +39,13 @@ ListenAddress <%= address %>
 # Authentication:
 
 #LoginGraceTime 2m
-<%- unless real_sshd_permit_root_login.to_s.empty? then %>
-PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- unless sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
 
-<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+<%- if sshd_strict_modes.to_s == 'yes' then %>
 StrictModes yes
 <%- else %>
 StrictModes no
@@ -53,33 +53,33 @@ StrictModes no #MaxAuthTries 6 -<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rsa_authentication.to_s == 'yes' then %> RSAAuthentication yes <%- else %> RSAAuthentication no <%- end %> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +<%- if sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> PubkeyAuthentication no <%- end %> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else %> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> RhostsRSAAuthentication yes <%- else %> RhostsRSAAuthentication no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +<%- if sshd_hostbased_authentication.to_s == 'yes' then %> HostbasedAuthentication yes <%- else %> HostbasedAuthentication no 
@@ -90,28 +90,28 @@ HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +<%- if sshd_ignore_rhosts.to_s == 'yes' then %> IgnoreRhosts yes <%- else %> IgnoreRhosts no <% end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> +<%- if sshd_password_authentication.to_s == 'yes' then %> PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> ChallengeResponseAuthentication yes <%- else %> ChallengeResponseAuthentication no @@ -127,14 +127,14 @@ ChallengeResponseAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +<%- if sshd_tcp_forwarding.to_s == 'yes' then %> AllowTcpForwarding yes <%- else %> AllowTcpForwarding no <%- end %> #GatewayPorts no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +<%- if sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes <%- else %> X11Forwarding no 
@@ -159,10 +159,17 @@ X11Forwarding no
 #Banner /some/path
 
 # override default of no subsystems
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
 Subsystem sftp /usr/libexec/sftp-server
+<%- else %>
+Subsystem sftp <%= sshd_sftp_subsystem %>
+<%- end %>
 
-<%- unless real_sshd_allowed_users.to_s.empty? then %>
-AllowUsers <%= real_sshd_allowed_users %>
+<%- unless sshd_allowed_users.to_s.empty? then %>
+AllowUsers <%= sshd_allowed_users %>
+<%- end %>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
 # Example of overriding settings on a per-user basis
@@ -170,3 +177,7 @@ AllowUsers <%= real_sshd_allowed_users %>
 # X11Forwarding no
 # AllowTcpForwarding no
 # ForceCommand cvs server
+
+<%- unless sshd_additional_options.to_s.empty? then %>
+<%= sshd_additional_options %>
+<%- end %>
-- 
cgit v1.2.3
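Review bot: The new AllowGroups block directly after AllowUsers needs a caveat in the template, because sshd applies DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order and a login must pass every one of them that is set, so configuring both narrows access to the intersection of the two lists rather than widening it to their union. A comment above the two blocks such as `# AllowUsers and AllowGroups are both enforced when set: a login must satisfy each (sshd_config(5))` would make that explicit for whoever sets the second variable. Both values, like the new `Subsystem sftp <%= sshd_sftp_subsystem %>` line, are emitted verbatim after only a `.to_s.empty?` test; the variables' types are not visible here, but if either allow-list is ever a Ruby array rather than a space-separated string, Ruby 1.8's `Array#to_s` concatenates the elements without separators and the resulting single bogus name would lock every real user out, so `Array(sshd_allowed_users).join(' ')` would be a safer rendering if list values are expected. None of these values is validated, which is acceptable for operator-controlled manifest data but should be kept in mind if they are ever sourced from anything less trusted.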
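Review bot: The `sshd_additional_options` block is rendered as the very last thing in the file, and because sshd uses the first obtained value for each keyword (sshd_config(5)), any directive in it that repeats a keyword already emitted above — PermitRootLogin, PasswordAuthentication, AllowTcpForwarding and so on — is silently ignored rather than overriding the earlier setting, while a `Match` block placed there does take effect since nothing follows it. That is a defensible design, but it is the opposite of what "additional options" suggests, so the template should say so; a comment before the block such as `# Free-form extra directives. sshd keeps the first value it sees for a keyword, so these cannot override settings rendered above; use them for new keywords or Match blocks.` would avoid surprises. It is also worth a short note that the content is inserted unvalidated into the daemon configuration and must only come from trusted manifest data.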