author | varac <varacanero@zeromail.org> | 2015-05-04 14:03:50 +0200 |
---|---|---|
committer | varac <varacanero@zeromail.org> | 2015-05-04 14:03:50 +0200 |
commit | 943dd94dfab1de9316a5ed4c0751b36a6c75447a (patch) | |
tree | ea8e120b7d7ef84ba71391f39870092e43391627 /templates/sshd_config | |
parent | 750a497758d94c2f5a6cad23cecc3dbde2d2f92f (diff) | |
parent | e9596d0f6d243ae00bb5b360a5c37bed577c5438 (diff) |
Merge remote-tracking branch 'shared/master' into leap_master
Conflicts:
templates/sshd_config/Debian_wheezy.erb
Diffstat (limited to 'templates/sshd_config')
-rw-r--r-- | templates/sshd_config/CentOS_7.erb | 6 | ||||
-rw-r--r-- | templates/sshd_config/Debian_jessie.erb (renamed from templates/sshd_config/Debian_etch.erb) | 63 | ||||
-rw-r--r-- | templates/sshd_config/Debian_sid.erb | 18 | ||||
-rw-r--r-- | templates/sshd_config/Debian_squeeze.erb | 6 | ||||
-rw-r--r-- | templates/sshd_config/Debian_wheezy.erb | 6 | ||||
-rw-r--r-- | templates/sshd_config/FreeBSD.erb | 5 | ||||
l--------- | templates/sshd_config/RedHat_xenenterprise.erb | 1 | ||||
-rw-r--r-- | templates/sshd_config/Ubuntu.erb | 6 | ||||
-rw-r--r-- | templates/sshd_config/Ubuntu_lucid.erb | 6 |
9 files changed, 61 insertions, 56 deletions
diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb
index 1a2e339..7db2277 100644
--- a/templates/sshd_config/CentOS_7.erb
+++ b/templates/sshd_config/CentOS_7.erb
@@ -35,9 +35,9 @@ ListenAddress <%= address %> # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_jessie.erb
index ef4a5d1..033f409 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_jessie.erb
@@ -1,5 +1,7 @@
+# This file is managed by Puppet, all local modifications will be overwritten +# # Package generated configuration file -# See the sshd(8) manpage for details +# See the sshd_config(5) manpage for details <% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> <%= s %> 
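Review bot: `scope.lookupvar('sshd::hostkey_type').to_a` in the new HostKey loop depends on `String#to_a`, which only exists on Ruby 1.8, so if `sshd::hostkey_type` is ever passed as a plain string instead of an array the template presumably aborts catalog compilation on any newer Ruby; `<% Array(scope.lookupvar('sshd::hostkey_type')).each do |hostkey_type| -%>` accepts both forms on every Ruby version. The same loop is introduced in the Debian_jessie, Debian_sid, Debian_squeeze, Debian_wheezy, FreeBSD, Ubuntu and Ubuntu_lucid hunks. Note also that an empty value now renders no HostKey line at all and sshd silently falls back to its compiled-in default key set, whereas the removed lines pinned an explicit list; a comment such as `# An empty hostkey_type emits no HostKey line and leaves sshd on its built-in defaults` above the loop would make that visible to the next maintainer. As a style point, `<%=hostkey_type %>` lacks the space after `<%=` that every other tag in these templates uses.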
@@ -20,78 +22,75 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> #Privilege Separation is turned on for security UsePrivilegeSeparation yes -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 -ServerKeyBits 768 +ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: -LoginGraceTime 600 +LoginGraceTime 120 PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - StrictModes <%= scope.lookupvar('sshd::strict_modes') %> RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> - PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> - # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> - +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> - # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> -# Change to no to disable s/key 
passwords +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> -# To disable tunneled clear text passwords, change to no here! +# Change to no to disable tunnelled clear text passwords PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no +# Kerberos options +KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +#KerberosGetAFSToken no +KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes +# GSSAPI options +GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> X11DisplayOffset 10 -KeepAlive yes +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintLastLog yes +TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net -#ReverseMappingCheck yes + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. 
Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass
@@ -103,6 +102,8 @@ UsePAM <%= scope.lookupvar('sshd::use_pam') %> AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> + <% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%>
@@ -110,8 +111,6 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> - <% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index 70bb4bf..033f409 100644
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -1,7 +1,7 @@
 # This file is managed by Puppet, all local modifications will be overwritten # # Package generated configuration file -# See the sshd(8) manpage for details +# See the sshd_config(5) manpage for details <% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> <%= s %> 
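Review bot: `ServerKeyBits 1024` and `KeyRegenerationInterval 3600` in the Debian_jessie @@ -20,78 hunk only govern the SSH protocol 1 ephemeral server key, and the hunk's own context pins `Protocol 2`, so raising the value from 768 has no effect; newer OpenSSH releases treat both keywords as deprecated and log a warning at startup. Dropping the two lines, or leaving them commented the way the CentOS_7 and FreeBSD templates do (`#KeyRegenerationInterval 1h`), would keep the template from carrying dead directives; the Debian_sid @@ -22,29 hunk makes the same change. Separately, the new `KerberosAuthentication`, `KerberosOrLocalPasswd`, `KerberosTicketCleanup`, `GSSAPIAuthentication`, `GSSAPICleanupCredentials` lines and, in the @@ -103,6 hunk, `AllowAgentForwarding` interpolate their lookups unconditionally, so a parameter the class leaves empty would emit a keyword with no argument and sshd would reject the file; presumably the class already declares them since Debian_sid shares these lookups, but that is worth confirming.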
@@ -22,29 +22,27 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 -ServerKeyBits 768 +ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: -LoginGraceTime 600 +LoginGraceTime 120 PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - StrictModes <%= scope.lookupvar('sshd::strict_modes') %> RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> - PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files
@@ -63,11 +61,12 @@ PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # some PAM modules and threads) ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> -# To disable tunneled clear text passwords, change to no here! +# Change to no to disable tunnelled clear text passwords PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # Kerberos options KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +#KerberosGetAFSToken no KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
@@ -80,7 +79,6 @@ X11DisplayOffset 10 PrintMotd <%= scope.lookupvar('sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes - #UseLogin no #MaxStartups 10:30:60 
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index befd25f..0ba323f 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -22,8 +22,10 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + #Privilege Separation is turned on for security UsePrivilegeSeparation yes
diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb
index cdcebfe..cd4bf48 100644
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -22,9 +22,9 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> #Privilege Separation is turned on for security UsePrivilegeSeparation yes
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index 090149b..d4cd9b5 100644
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@ -40,8 +40,9 @@ Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h 
diff --git a/templates/sshd_config/RedHat_xenenterprise.erb b/templates/sshd_config/RedHat_xenenterprise.erb
new file mode 120000
index 0000000..71b767a
--- /dev/null
+++ b/templates/sshd_config/RedHat_xenenterprise.erb
@@ -0,0 +1 @@
+CentOS_6.erb
\ No newline at end of file
diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb
index befd25f..0ba323f 100644
--- a/templates/sshd_config/Ubuntu.erb
+++ b/templates/sshd_config/Ubuntu.erb
@@ -22,8 +22,10 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + #Privilege Separation is turned on for security UsePrivilegeSeparation yes
diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb
index cc6e921..cff95a7 100644
--- a/templates/sshd_config/Ubuntu_lucid.erb
+++ b/templates/sshd_config/Ubuntu_lucid.erb
@@ -20,8 +20,10 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + #Privilege Separation is turned on for security UsePrivilegeSeparation yes |