-rw-r--r--manifests/init.pp16
-rw-r--r--templates/sshd_config/CentOS_normal.erb14
-rw-r--r--templates/sshd_config/Debian_normal.erb15
-rw-r--r--templates/sshd_config/Gentoo_normal.erb14
-rw-r--r--templates/sshd_config/OpenBSD_normal.erb14
5 files changed, 63 insertions, 10 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index cf089bc..02f2e42 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -60,6 +60,14 @@
# Valid Values: yes or no
# Default: no
#
+# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
+# Valid Values: yes or no
+# Default: no
+#
+# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
+# Valid Values: yes or no
+# Default: no
+#
# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
# Valid Values: yes or no
# Default: yes
@@ -125,6 +133,14 @@ class sshd::base {
'' => 'yes',
default => $sshd_ignore_rhosts
}
+ $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
+ '' => 'no',
+ default => $sshd_rhosts_rsa_authentication
+ }
+ $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
+ '' => 'no',
+ default => $sshd_hostbased_authentication
+ }
file { 'sshd_config':
path => '/etc/ssh/sshd_config',
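Review bot: The two new selectors pass any non-empty value of $sshd_rhosts_rsa_authentication and $sshd_hostbased_authentication straight through, although the header added in the first hunk documents only yes or no; a value such as `true` or `Yes` is then rendered as `no` by the templates' `.to_s == 'yes'` test, so a mistyped enable is silently dropped instead of being reported. A guard before each selector makes the documented contract real, e.g. `case $sshd_hostbased_authentication { '', 'yes', 'no': {} default: { fail("sshd_hostbased_authentication must be yes or no") } }`, and the same for the rhosts parameter. The enclosing class sshd::base starts outside the hunk.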
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index e2b4005..0dbe4e6 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -64,9 +64,19 @@ PubkeyAuthentication no
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
# similar for protocol version 2
-#HostbasedAuthentication no
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
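Review bot: Enabling HostbasedAuthentication through the new block leaves `#IgnoreUserKnownHosts no` two lines below untouched, so sshd keeps its default of also accepting client host keys from each user's ~/.ssh/known_hosts — a file the user maintains — in addition to the /etc/ssh/ssh_known_hosts named in the comment above the block. If the intent is that only the administrator-managed host key list vouches for client hosts, replace the commented line with `<%- if real_sshd_hostbased_authentication.to_s == 'yes' or real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>` / `IgnoreUserKnownHosts yes` / `<% end -%>`, or at least state in init.pp's parameter docs that the user-level file is consulted by default. The same applies to the identical blocks in Gentoo_normal.erb and OpenBSD_normal.erb and to the HostbasedAuthentication block in the second Debian_normal.erb hunk.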
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index 155c4da..28e799d 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -53,8 +53,12 @@ PubkeyAuthentication no
#AuthorizedKeysFile %h/.ssh/authorized_keys
-# rhosts authentication should not be used
-#RhostsAuthentication no
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
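Review bot: The added RhostsRSAAuthentication block now sits directly above an IgnoreRhosts toggle whose condition, on the unchanged context line at the end of this hunk, tests `real_sshd_pubkey_authentication` rather than the `$real_sshd_ignore_rhosts` value that init.pp computes; this is pre-existing, but rhosts RSA authentication is the mechanism that reads ~/.rhosts, so the new flag's effective behaviour on Debian depends on it. If that is a copy-and-paste leftover, change the condition to `<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>`; if it is deliberate, a comment explaining why pubkey authentication drives IgnoreRhosts would help the next reader. The conditional's body continues into the next hunk.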
@@ -63,10 +67,13 @@ IgnoreRhosts yes
IgnoreRhosts no
<% end -%>
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
# similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
HostbasedAuthentication no
+<% end -%>
+
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index c8dbda4..443d8ac 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -67,9 +67,19 @@ PubkeyAuthentication no
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
# similar for protocol version 2
-#HostbasedAuthentication no
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index 420f9cc..e6e9bbc 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -61,9 +61,19 @@ PubkeyAuthentication no
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
# similar for protocol version 2
-#HostbasedAuthentication no
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no