merged with puzzle

git-svn-id: https://svn/ipuppet/trunk/modules/sshd@1614 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
author: mh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279> 2008-06-13 21:01:39 +0000
committer: mh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279> 2008-06-13 21:01:39 +0000
commit: ece3afde12bea114ea36be3186c069ed8403317b (patch)
tree: 7cd48024eefac2af137f142c59b1fdef7f7eb941 /templates
parent: 2e38f51bd6eb0b6a83a07dc55fb592848155730f (diff)
4 files changed, 74 insertions, 7 deletions
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index 739d43b..a14120f 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -36,7 +36,11 @@ SyslogFacility AUTHPRIV
 # Authentication:
 
 #LoginGraceTime 2m
+<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- else %>
 PermitRootLogin without-password
+<%- end %>
 #StrictModes yes
 #MaxAuthTries 6
 
@@ -55,7 +59,11 @@ PermitRootLogin without-password
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+PasswordAuthentication yes
+<%- else %>
 PasswordAuthentication no
+<%- end %>
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
@@ -83,7 +91,11 @@ GSSAPICleanupCredentials yes
 # session checks to run without PAM authentication, then enable this but set 
 # ChallengeResponseAuthentication=no
 #UsePAM no
+<%- if real_sshd_use_pam.to_s == 'yes' then %>
+UsePAM yes
+<%- else %>
 UsePAM no
+<%- end %>
 
 # Accept locale-related environment variables
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
@@ -92,7 +104,11 @@ AcceptEnv LC_IDENTIFICATION LC_ALL
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+X11Forwarding yes
+<%- else %>
 X11Forwarding no
+<%- end %>
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
@@ -115,4 +131,6 @@ X11Forwarding no
 
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/openssh/sftp-server
+<%- unless real_sshd_allowed_users.to_s.empty? then %>
 AllowUsers <%= real_sshd_allowed_users %>
+<%- end %>
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index 746cc0b..c969836 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -2,7 +2,7 @@
 # See the sshd(8) manpage for defails
 
 # What ports, IPs and protocols we listen for
-Port 22
+# Port 22
 # Use these options to restrict which interfaces/protocols sshd will bind to
 #ListenAddress ::
 #ListenAddress 0.0.0.0
@@ -27,7 +27,11 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 600
+<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- else %>
 PermitRootLogin without-password
+<%- end %>
 StrictModes yes
 
 RSAAuthentication yes
@@ -52,8 +56,11 @@ PermitEmptyPasswords no
 #ChallengeResponseAuthentication no
 
 # To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+PasswordAuthentication yes
+<%- else %>
 PasswordAuthentication no
-
+<%- end %>
 
 # To change Kerberos options
 #KerberosAuthentication no
@@ -64,7 +71,11 @@ PasswordAuthentication no
 # Kerberos TGT Passing does only work with the AFS kaserver
 #KerberosTgtPassing yes
 
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+X11Forwarding yes
+<%- else %>
 X11Forwarding no
+<%- end %>
 X11DisplayOffset 10
 PrintMotd no
 PrintLastLog no
@@ -77,11 +88,17 @@ KeepAlive yes
 
 #Subsystem	sftp	/usr/lib/sftp-server
 
+<%- if real_sshd_use_pam.to_s == 'yes' then %>
+UsePAM yes
+<%- else %>
 UsePAM no
+<%- end %>
 
 HostbasedUsesNameFromPacketOnly yes
 AllowTcpForwarding yes
 
 ChallengeResponseAuthentication no
 
+<%- unless real_sshd_allowed_users.to_s.empty? then %>
 AllowUsers <%= real_sshd_allowed_users %>
+<%- end %>
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index be78eb9..aa98ae8 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -40,6 +40,11 @@ Protocol 2
 #LoginGraceTime 2m
 PermitRootLogin without-password
 #StrictModes yes
+<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- else %>
+PermitRootLogin without-password
+<%- end %>
 #MaxAuthTries 6
 
 #RSAAuthentication yes
@@ -57,7 +62,11 @@ PermitRootLogin without-password
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+PasswordAuthentication yes
+<%- else %>
 PasswordAuthentication no
+<%- end %>
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
@@ -84,11 +93,19 @@ PasswordAuthentication no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
+<%- if real_sshd_use_pam.to_s == 'yes' then %>
+UsePAM yes
+<%- else %>
 UsePAM no
+<%- end %>
 
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding no
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+X11Forwarding yes
+<%- else %>
+X11Forwarding no
+<%- end %>
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
@@ -117,4 +134,6 @@ Subsystem	sftp	/usr/lib/misc/sftp-server
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 
+<%- unless real_sshd_allowed_users.to_s.empty? then %>
 AllowUsers <%= real_sshd_allowed_users %>
+<%- end %>
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index dbf18c8..0b84d25 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -8,8 +8,7 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
-Port 22
-Port 2222
+#Port 22
 #Protocol 2,1
 #AddressFamily any
 #ListenAddress 0.0.0.0
@@ -33,7 +32,11 @@ Port 2222
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin yes
+<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- else %>
+PermitRootLogin without-password
+<%- end %>
 #StrictModes yes
 #MaxAuthTries 6
 
@@ -52,7 +55,11 @@ Port 2222
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+PasswordAuthentication yes
+<%- else %>
 PasswordAuthentication no
+<%- end %>
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
@@ -70,7 +77,11 @@ PasswordAuthentication no
 
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding no
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+X11Forwarding yes
+<%- else %>
+X11Forwarding no
+<%- end %>
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
@@ -93,7 +104,9 @@ PasswordAuthentication no
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 
+<%- unless real_sshd_allowed_users.to_s.empty? then %>
 AllowUsers <%= real_sshd_allowed_users %>
+<%- end %>
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
author	mh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279>	2008-06-13 21:01:39 +0000
committer	mh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279>	2008-06-13 21:01:39 +0000
commit	ece3afde12bea114ea36be3186c069ed8403317b (patch)
tree	7cd48024eefac2af137f142c59b1fdef7f7eb941 /templates
parent	2e38f51bd6eb0b6a83a07dc55fb592848155730f (diff)