diff options
| author | intrigeri <intrigeri@boum.org> | 2011-02-14 17:17:31 +0100 |
|---|---|---|
| committer | intrigeri <intrigeri@boum.org> | 2011-02-14 17:17:31 +0100 |
| commit | 2f7903bcc4b27ebe4098fb91c14098521da8dd7a (patch) | |
| tree | 5b0268ee2f39a39b8fdf5fd566f3c13a58f3ebde /templates/sshd_config/Debian_squeeze.erb | |
| parent | 7c046e3fdf9a4bc4558290205de57df39e86ac70 (diff) | |
| parent | 2188f46db75d74d00ac4a2cb3cdaa34f98d1148d (diff) | |
Merge remote branch 'shared/master'
Conflicts:
templates/sshd_config/Debian_squeeze.erb
I always picked the shared repository version when conflicts arose.
The only exception to this rule was:
I kept my branch's "HostbasedUsesNameFromPacketOnly yes" in order
to be consistent with existing Etch and Lenny templates.
This is not the default Debian setting, but I would find it weird if a host
had this setting changed by Puppet after upgrading to Squeeze.
The right way to proceed would probably be to make this configurable.
Diffstat (limited to 'templates/sshd_config/Debian_squeeze.erb')
| -rw-r--r-- | templates/sshd_config/Debian_squeeze.erb | 43 |
1 files changed, 30 insertions, 13 deletions
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 950a53c..79fef15 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -1,5 +1,7 @@ +# This file is managed by Puppet, all local modifications will be overwritten +# # Package generated configuration file -# See the sshd_config(5) manpage for details +# See the sshd(8) manpage for details <%- unless sshd_head_additional_options.to_s.empty? then %> <%= sshd_head_additional_options %> @@ -71,21 +73,18 @@ IgnoreRhosts yes <%- else -%> IgnoreRhosts no <% end -%> - # For this to work you will also need host keys in /etc/ssh_known_hosts <%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> RhostsRSAAuthentication yes <%- else -%> RhostsRSAAuthentication no <% end -%> - # similar for protocol version 2 <%- if sshd_hostbased_authentication.to_s == 'yes' then -%> HostbasedAuthentication yes <%- else -%> HostbasedAuthentication no <% end -%> - # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes @@ -104,7 +103,7 @@ ChallengeResponseAuthentication yes ChallengeResponseAuthentication no <%- end -%> -# Change to no to disable tunnelled clear text passwords +# To disable tunneled clear text passwords, change to no here! <%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes <%- else -%> @@ -112,14 +111,33 @@ PasswordAuthentication no <%- end -%> # Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes +<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> +KerberosAuthentication yes +<%- else -%> +KerberosAuthentication no +<%- end -%> +<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> +KerberosOrLocalPasswd yes +<%- else -%> +KerberosOrLocalPasswd no +<%- end -%> +<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> +KerberosTicketCleanup yes +<%- else -%> +KerberosTicketCleanup no +<%- end -%> # GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPIAuthentication yes +<%- else -%> +GSSAPIAuthentication no +<%- end -%> +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPICleanupCredentials yes +<%- else -%> +GSSAPICleanupCredentials yes +<%- end -%> <%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes @@ -130,6 +148,7 @@ X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes + #UseLogin no #MaxStartups 10:30:60 @@ -173,8 +192,6 @@ AllowAgentForwarding yes AllowAgentForwarding no <%- end -%> -ChallengeResponseAuthentication no - <%- unless sshd_allowed_users.to_s.empty? then -%> AllowUsers <%= sshd_allowed_users -%> <%- end -%> |