From d78749fd8f9ae2482b8e31c74698362c5c1f2341 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 21 Nov 2014 18:19:07 -0500 Subject: Add a $hostkey_type variable that allows you to set which hostkey types you want to support in your sshd_config. We use the ssh_version fact to determine the default hostkey types. Only enable rsa and ed25519 for ssh versions greater or equal to 6.5, otherwise enable rsa and dsa. Some distributions, such as debian, also enable ecdsa as a hostkey type, but this is a known bad NIST curve, so we do not enable that by default (thus deviating from the stock sshd config) --- templates/sshd_config/Ubuntu.erb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'templates/sshd_config/Ubuntu.erb') diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index befd25f..0ba323f 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -22,8 +22,10 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + #Privilege Separation is turned on for security UsePrivilegeSeparation yes -- cgit v1.2.3 From fd82841c1f03d22acf4ed448cd22743a785f573e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 12:45:14 -0400 Subject: Change 'hardened_ssl' paramter to simply 'hardened', this makes more sense in general --- README.md | 8 ++++++-- manifests/init.pp | 2 +- templates/sshd_config/CentOS_6.erb | 2 +- templates/sshd_config/CentOS_7.erb | 2 +- templates/sshd_config/Debian_jessie.erb | 2 +- templates/sshd_config/Debian_sid.erb | 2 +- templates/sshd_config/Debian_squeeze.erb | 2 +- templates/sshd_config/Debian_wheezy.erb | 2 +- templates/sshd_config/FreeBSD.erb | 2 +- templates/sshd_config/Gentoo.erb | 2 +- templates/sshd_config/OpenBSD.erb | 2 +- templates/sshd_config/Ubuntu.erb | 2 +- templates/sshd_config/Ubuntu_lucid.erb | 2 +- 13 files changed, 18 insertions(+), 14 deletions(-) (limited to 'templates/sshd_config/Ubuntu.erb') diff --git a/README.md b/README.md index cbe0bba..77e4d29 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,10 @@ This puppet module manages OpenSSH configuration and services. +**!! Upgrade Notice (05/2015) !!** + +The hardened_ssl parameter name was changed to simply 'hardened'. + **!! Upgrade Notice (01/2013) !!** This module now uses parameterized classes, where it used global variables @@ -179,8 +183,8 @@ The following is a list of the currently available variables: Set this to the location of the AuthorizedKeysFile (e.g. `/etc/ssh/authorized_keys/%u`). Default: `AuthorizedKeysFile %h/.ssh/authorized_keys` - - `hardened_ssl` - Use only strong SSL ciphers and MAC. + - `hardened` + Use only strong ciphers, MAC, KexAlgorithms, etc. Values: - `no` (default) - `yes` diff --git a/manifests/init.pp b/manifests/init.pp index 0f8c472..2dfc71c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -40,7 +40,7 @@ class sshd( OpenBSD => '%h/.ssh/authorized_keys', default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2', }, - $hardened_ssl = 'no', + $hardened = 'no', $sftp_subsystem = '', $head_additional_options = '', $tail_additional_options = '', diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 47cb077..97e9a5b 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -150,7 +150,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index 7db2277..cad9f59 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -164,7 +164,7 @@ AllowGroups <%= s %> #Host *.local # CheckHostIP no -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 033f409..ada3891 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -111,7 +111,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 033f409..ada3891 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -111,7 +111,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 0ba323f..d42fac1 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -115,7 +115,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index cd4bf48..4633c09 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -114,7 +114,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index d4cd9b5..f5bd439 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -152,7 +152,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 1cb4522..6e51b4c 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -147,7 +147,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index aa92eb6..7577bac 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -128,7 +128,7 @@ AllowGroups <%= s %> # AllowTcpForwarding no # ForceCommand cvs server -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 0ba323f..d42fac1 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -115,7 +115,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index cff95a7..1ed8fd7 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -118,7 +118,7 @@ AllowGroups <%= s %> PrintMotd <%= scope.lookupvar('sshd::print_motd') %> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> -- cgit v1.2.3 From 430c48200eeacf11fd3980f162ffa1994c2d0dd0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 13:48:19 -0400 Subject: Implement KexAlgorithms settings, based on Key exchange section of https://stribika.github.io/2015/01/04/secure-secure-shell.html Note, that on some systems it is uncertain if they will have a new enough version of openssh installed, so on those a version test is done to see before setting them. --- templates/sshd_config/CentOS_6.erb | 3 +++ templates/sshd_config/CentOS_7.erb | 3 +++ templates/sshd_config/Debian_jessie.erb | 1 + templates/sshd_config/Debian_sid.erb | 1 + templates/sshd_config/Debian_wheezy.erb | 3 +++ templates/sshd_config/FreeBSD.erb | 3 +++ templates/sshd_config/Gentoo.erb | 3 +++ templates/sshd_config/OpenBSD.erb | 3 +++ templates/sshd_config/Ubuntu.erb | 3 +++ templates/sshd_config/Ubuntu_lucid.erb | 3 +++ 10 files changed, 26 insertions(+) (limited to 'templates/sshd_config/Ubuntu.erb') diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 97e9a5b..f27e567 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -151,6 +151,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index cad9f59..c6ecd06 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -165,6 +165,9 @@ AllowGroups <%= s %> # CheckHostIP no <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index ada3891..19d4327 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -112,6 +112,7 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +KexAlgorithms curve25519-sha256@libssh.org Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index ada3891..19d4327 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -112,6 +112,7 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +KexAlgorithms curve25519-sha256@libssh.org Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index 4633c09..e8465ea 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -115,6 +115,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index f5bd439..8655c53 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -153,6 +153,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 6e51b4c..1508d70 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -148,6 +148,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 7577bac..591d980 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -129,6 +129,9 @@ AllowGroups <%= s %> # ForceCommand cvs server <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index d42fac1..28ee5f6 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -116,6 +116,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 1ed8fd7..36f787b 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -119,6 +119,9 @@ AllowGroups <%= s %> PrintMotd <%= scope.lookupvar('sshd::print_motd') %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> -- cgit v1.2.3 From 1402e67b2143dca464905bb6d95410a4ee862255 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 13:57:37 -0400 Subject: Implement enhanced symmetric cipher selection, based on https://stribika.github.io/2015/01/04/secure-secure-shell.html and version of openssh installed --- templates/sshd_config/CentOS_6.erb | 4 +++- templates/sshd_config/CentOS_7.erb | 4 +++- templates/sshd_config/Debian_jessie.erb | 2 +- templates/sshd_config/Debian_sid.erb | 2 +- templates/sshd_config/Debian_wheezy.erb | 4 +++- templates/sshd_config/FreeBSD.erb | 4 +++- templates/sshd_config/Gentoo.erb | 4 +++- templates/sshd_config/OpenBSD.erb | 4 +++- templates/sshd_config/Ubuntu.erb | 4 +++- templates/sshd_config/Ubuntu_lucid.erb | 4 +++- 10 files changed, 26 insertions(+), 10 deletions(-) (limited to 'templates/sshd_config/Ubuntu.erb') diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index f27e567..325c73a 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -153,8 +153,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index c6ecd06..b120356 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -167,8 +167,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 19d4327..7b74e76 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -113,7 +113,7 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org -Ciphers aes256-ctr +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 19d4327..7b74e76 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -113,7 +113,7 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org -Ciphers aes256-ctr +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index e8465ea..214fbd9 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -117,8 +117,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 8655c53..3e13328 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -155,8 +155,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 1508d70..3d37d62 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -150,8 +150,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 591d980..aa6868e 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -131,8 +131,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 28ee5f6..2f8cb3e 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -118,8 +118,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 36f787b..109b49f 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -121,8 +121,10 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> -- cgit v1.2.3 From e4a9c15987372e63ace244a92619bdd2e4c5407a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 14:00:56 -0400 Subject: Implement enhanced MAC (Message Authentication Codes) according to installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html --- templates/sshd_config/CentOS_6.erb | 3 ++- templates/sshd_config/CentOS_7.erb | 3 ++- templates/sshd_config/Debian_jessie.erb | 2 +- templates/sshd_config/Debian_sid.erb | 2 +- templates/sshd_config/Debian_wheezy.erb | 3 ++- templates/sshd_config/FreeBSD.erb | 3 ++- templates/sshd_config/Gentoo.erb | 3 ++- templates/sshd_config/OpenBSD.erb | 3 ++- templates/sshd_config/Ubuntu.erb | 3 ++- templates/sshd_config/Ubuntu_lucid.erb | 3 ++- 10 files changed, 18 insertions(+), 10 deletions(-) (limited to 'templates/sshd_config/Ubuntu.erb') diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 325c73a..4c1e28a 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -154,11 +154,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> # Example of overriding settings on a per-user basis #Match User anoncvs diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index b120356..5acef6d 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -168,11 +168,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> # Example of overriding settings on a per-user basis #Match User anoncvs diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 7b74e76..0138acf 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -114,7 +114,7 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr -MACs hmac-sha1 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 7b74e76..0138acf 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -114,7 +114,7 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr -MACs hmac-sha1 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index 214fbd9..961b26d 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -118,11 +118,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 3e13328..91b5e77 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -156,11 +156,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 3d37d62..ac6ae51 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -151,11 +151,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index aa6868e..cc1c2b9 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -132,11 +132,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 2f8cb3e..29c1bf9 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -119,11 +119,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 109b49f..550243f 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -122,11 +122,12 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> -- cgit v1.2.3 From ac6e09ecde7b78acecb7eb357a2e559824f4cbe3 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 7 May 2015 11:34:07 -0400 Subject: Adjust variable lookup in templates to silence deprecation warnings, fixes #1 --- templates/sshd_config/CentOS_6.erb | 46 ++++++++++++------------ templates/sshd_config/CentOS_7.erb | 48 ++++++++++++------------- templates/sshd_config/Debian_jessie.erb | 60 ++++++++++++++++---------------- templates/sshd_config/Debian_sid.erb | 60 ++++++++++++++++---------------- templates/sshd_config/Debian_squeeze.erb | 60 ++++++++++++++++---------------- templates/sshd_config/Debian_wheezy.erb | 60 ++++++++++++++++---------------- templates/sshd_config/FreeBSD.erb | 56 ++++++++++++++--------------- templates/sshd_config/Gentoo.erb | 46 ++++++++++++------------ templates/sshd_config/OpenBSD.erb | 44 +++++++++++------------ templates/sshd_config/Ubuntu.erb | 60 ++++++++++++++++---------------- templates/sshd_config/Ubuntu_lucid.erb | 50 +++++++++++++------------- 11 files changed, 295 insertions(+), 295 deletions(-) (limited to 'templates/sshd_config/Ubuntu.erb') diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 4c1e28a..4593a91 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -10,11 +10,11 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -23,7 +23,7 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -51,39 +51,39 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> #AuthorizedKeysCommand none #AuthorizedKeysCommandRunAs nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -106,7 +106,7 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES @@ -115,13 +115,13 @@ AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS #AllowAgentForwarding yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no #X11Forwarding no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -141,16 +141,16 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #Banner /some/path # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -167,6 +167,6 @@ MACs hmac-sha1 # AllowTcpForwarding no # ForceCommand cvs server # -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index 5acef6d..f55fb9d 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -10,7 +10,7 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> @@ -18,14 +18,14 @@ # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> <% end -%> -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -35,7 +35,7 @@ ListenAddress <%= address %> # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -55,39 +55,39 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 #MaxSessions 10 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandRunAs nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -114,16 +114,16 @@ GSSAPICleanupCredentials yes # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several # problems. #UsePAM no -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> #AllowAgentForwarding yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no #X11Forwarding no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -151,12 +151,12 @@ AcceptEnv XMODIFIERS # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> @@ -164,7 +164,7 @@ AllowGroups <%= s %> #Host *.local # CheckHostIP no -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -181,6 +181,6 @@ MACs hmac-sha1 # AllowTcpForwarding no # ForceCommand cvs server -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 0138acf..0f39252 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd_config(5) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,12 +17,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> #Privilege Separation is turned on for security @@ -38,45 +38,45 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Change to no to disable tunnelled clear text passwords -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> #KerberosGetAFSToken no -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes #UseLogin no @@ -87,7 +87,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -98,25 +98,25 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 0138acf..0f39252 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd_config(5) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,12 +17,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> #Privilege Separation is turned on for security @@ -38,45 +38,45 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Change to no to disable tunnelled clear text passwords -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> #KerberosGetAFSToken no -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes #UseLogin no @@ -87,7 +87,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -98,25 +98,25 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index d42fac1..5845a3d 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,12 +17,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -39,47 +39,47 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -91,7 +91,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -102,24 +102,24 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index 961b26d..bfa6ea8 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,12 +17,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> #Privilege Separation is turned on for security @@ -38,47 +38,47 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -90,7 +90,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -101,20 +101,20 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -125,6 +125,6 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 91b5e77..5298ade 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -16,12 +16,12 @@ #VersionAddendum FreeBSD-20100308 -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -30,7 +30,7 @@ Port <%= port %> <% end -%> #AddressFamily any -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -40,7 +40,7 @@ Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -56,24 +56,24 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 #MaxSessions 10 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication @@ -82,21 +82,21 @@ HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> #IgnoreRhosts yes # Change to yes to enable built-in password authentication. -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable PAM authentication -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -107,14 +107,14 @@ GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 #X11UseLocalhost yes @@ -137,7 +137,7 @@ TCPKeepAlive yes #Banner none # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -145,14 +145,14 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # AllowTcpForwarding no # ForceCommand cvs server -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -163,6 +163,6 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index ac6ae51..022a26e 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -10,11 +10,11 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -23,7 +23,7 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> #AddressFamily any @@ -51,39 +51,39 @@ Protocol 2 # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -106,15 +106,15 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -132,7 +132,7 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #Banner /some/path # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -140,14 +140,14 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # AllowTcpForwarding no # ForceCommand cvs server -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -158,7 +158,7 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index cc1c2b9..db73030 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,11 +8,11 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -21,7 +21,7 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> #Protocol 2,1 @@ -45,39 +45,39 @@ ListenAddress <%= address %> # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -89,13 +89,13 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -113,12 +113,12 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #Banner /some/path # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> @@ -128,7 +128,7 @@ AllowGroups <%= s %> # AllowTcpForwarding no # ForceCommand cvs server -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -139,6 +139,6 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 29c1bf9..c71e00b 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,12 +17,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -39,47 +39,47 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -91,7 +91,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -102,20 +102,20 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -126,6 +126,6 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 550243f..7544f00 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -1,12 +1,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -15,12 +15,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -41,36 +41,36 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To change Kerberos options #KerberosAuthentication no @@ -81,7 +81,7 @@ PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 KeepAlive yes #UseLogin no @@ -90,7 +90,7 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -101,24 +101,24 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> HostbasedUsesNameFromPacketOnly yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -129,6 +129,6 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> -- cgit v1.2.3 From b682edaae3c4f44003fa188ff564c6ba4cd43927 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 22 May 2015 16:37:03 -0700 Subject: disable the debian/ubuntu package version from being sent to clients --- templates/sshd_config/Debian_jessie.erb | 2 ++ templates/sshd_config/Debian_sid.erb | 2 ++ templates/sshd_config/Debian_squeeze.erb | 2 ++ templates/sshd_config/Debian_wheezy.erb | 2 ++ templates/sshd_config/Ubuntu.erb | 2 ++ templates/sshd_config/Ubuntu_lucid.erb | 2 ++ 6 files changed, 12 insertions(+) (limited to 'templates/sshd_config/Ubuntu.erb') diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 0f39252..91dbfff 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -83,6 +83,8 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 0f39252..91dbfff 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -83,6 +83,8 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 5845a3d..5ca1fd9 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -87,6 +87,8 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index bfa6ea8..117abe3 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -86,6 +86,8 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index c71e00b..a326ab8 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -87,6 +87,8 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 7544f00..be7c56d 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -88,6 +88,8 @@ KeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no #ReverseMappingCheck yes Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> -- cgit v1.2.3