diff options
Diffstat (limited to 'templates/sshd_config/CentOS_7.erb')
| -rw-r--r-- | templates/sshd_config/CentOS_7.erb | 48 |
1 files changed, 24 insertions, 24 deletions
diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index 5acef6d..f55fb9d 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -10,7 +10,7 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> @@ -18,14 +18,14 @@ # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> <% end -%> -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -35,7 +35,7 @@ ListenAddress <%= address %> # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -55,39 +55,39 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 #MaxSessions 10 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandRunAs nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -114,16 +114,16 @@ GSSAPICleanupCredentials yes # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several # problems. #UsePAM no -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> #AllowAgentForwarding yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no #X11Forwarding no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -151,12 +151,12 @@ AcceptEnv XMODIFIERS # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> @@ -164,7 +164,7 @@ AllowGroups <%= s %> #Host *.local # CheckHostIP no -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -181,6 +181,6 @@ MACs hmac-sha1 # AllowTcpForwarding no # ForceCommand cvs server -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> |