9 files changed, 61 insertions, 56 deletions

diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb
index 1a2e339..7db2277 100644
--- a/templates/sshd_config/CentOS_7.erb
+++ b/templates/sshd_config/CentOS_7.erb
@@ -35,9 +35,9 @@ ListenAddress <%= address %>
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
 
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_jessie.erb
index ef4a5d1..033f409 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_jessie.erb
@@ -1,5 +1,7 @@
+# This file is managed by Puppet, all local modifications will be overwritten
+#
 # Package generated configuration file
-# See the sshd(8) manpage for details
+# See the sshd_config(5) manpage for details
 
 <% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
 <%= s %>
@@ -20,78 +22,75 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 
-# ...but breaks Pam auth via kbdint, so we have to turn it off
-# Use PAM authentication via keyboard-interactive so PAM modules can
-# properly interface with the user (off due to PrivSep)
-#PAMAuthenticationViaKbdInt no
 # Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval 3600
-ServerKeyBits 768
+ServerKeyBits 1024
 
 # Logging
 SyslogFacility AUTH
 LogLevel INFO
 
 # Authentication:
-LoginGraceTime 600
+LoginGraceTime 120
 PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-
 StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
 RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-
 PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-
 AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
-
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
-
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
 # similar for protocol version 2
 HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
-
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 
-# Change to no to disable s/key passwords
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
 ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
-# To disable tunneled clear text passwords, change to no here!
+# Change to no to disable tunnelled clear text passwords
 PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
-# To change Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#AFSTokenPassing no
-#KerberosTicketCleanup no
+# Kerberos options
+KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+#KerberosGetAFSToken no
+KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %>
+KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
 
-# Kerberos TGT Passing does only work with the AFS kaserver
-#KerberosTgtPassing yes
+# GSSAPI options
+GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %>
+GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %>
 
 X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
 X11DisplayOffset 10
-KeepAlive yes
+PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
+PrintLastLog yes
+TCPKeepAlive yes
 #UseLogin no
 
 #MaxStartups 10:30:60
 #Banner /etc/issue.net
-#ReverseMappingCheck yes
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
 
 Subsystem      sftp    <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %>
 
-# Set this to 'yes' to enable PAM authentication, account processing, 
-# and session processing. If this is enabled, PAM authentication will 
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
@@ -103,6 +102,8 @@ UsePAM <%= scope.lookupvar('sshd::use_pam') %>
 
 AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
 
+AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %>
+
 <% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
 AllowUsers <%= s %>
 <% end -%>
@@ -110,8 +111,6 @@ AllowUsers <%= s %>
 AllowGroups <%= s %>
 <%- end -%>
 
-PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
-
 <% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index 70bb4bf..033f409 100644
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -1,7 +1,7 @@
 # This file is managed by Puppet, all local modifications will be overwritten
 #
 # Package generated configuration file
-# See the sshd(8) manpage for details
+# See the sshd_config(5) manpage for details
 
 <% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
 <%= s %>
@@ -22,29 +22,27 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 
 # Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval 3600
-ServerKeyBits 768
+ServerKeyBits 1024
 
 # Logging
 SyslogFacility AUTH
 LogLevel INFO
 
 # Authentication:
-LoginGraceTime 600
+LoginGraceTime 120
 PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-
 StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 
 RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-
 PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-
 AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
@@ -63,11 +61,12 @@ PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
 # some PAM modules and threads)
 ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
 
-# To disable tunneled clear text passwords, change to no here!
+# Change to no to disable tunnelled clear text passwords
 PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
 
 # Kerberos options
 KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %>
+#KerberosGetAFSToken no
 KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %>
 KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %>
 
@@ -80,7 +79,6 @@ X11DisplayOffset 10
 PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 PrintLastLog yes
 TCPKeepAlive yes
-
 #UseLogin no
 
 #MaxStartups 10:30:60
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index befd25f..0ba323f 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -22,8 +22,10 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 
diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb
index cdcebfe..cd4bf48 100644
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -22,9 +22,9 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index 090149b..d4cd9b5 100644
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@ -40,8 +40,9 @@ Protocol 2
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
 
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
diff --git a/templates/sshd_config/RedHat_xenenterprise.erb b/templates/sshd_config/RedHat_xenenterprise.erb
new file mode 120000
index 0000000..71b767a
--- /dev/null
+++ b/templates/sshd_config/RedHat_xenenterprise.erb
@@ -0,0 +1 @@
+CentOS_6.erb
\ No newline at end of file
diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb
index befd25f..0ba323f 100644
--- a/templates/sshd_config/Ubuntu.erb
+++ b/templates/sshd_config/Ubuntu.erb
@@ -22,8 +22,10 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 
diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb
index cc6e921..cff95a7 100644
--- a/templates/sshd_config/Ubuntu_lucid.erb
+++ b/templates/sshd_config/Ubuntu_lucid.erb
@@ -20,8 +20,10 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes