Diffstat (limited to 'templates')
-rw-r--r-- | templates/sshd_config/CentOS.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/Debian_etch.erb | 12 | ||||
-rw-r--r-- | templates/sshd_config/Debian_lenny.erb | 13 | ||||
-rw-r--r-- | templates/sshd_config/Debian_sid.erb | 202 | ||||
-rw-r--r-- | templates/sshd_config/Debian_squeeze.erb | 12 | ||||
-rw-r--r-- | templates/sshd_config/Gentoo.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/OpenBSD.erb | 8 |
7 files changed, 225 insertions, 38 deletions
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index e1c8419..544effe 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -16,14 +16,12 @@
 # only protocol 2
 Protocol 2
 
-<%- unless sshd_port.to_s.empty? then -%>
-<%- if sshd_port.to_s == 'off' then -%>
+<%- sshd_ports.each do |port| -%>
+<%- if port.to_s == 'off' then -%>
 #Port -- disabled by puppet
 <% else -%>
-Port <%= sshd_port -%>
+Port <%= port %>
 <% end -%>
-<%- else -%>
-Port 22
 <%- end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index 746a447..c90a5fe 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -6,14 +6,12 @@
 <%- end %>
 
 # What ports, IPs and protocols we listen for
-<%- unless sshd_port.to_s.empty? then -%>
-<%- if sshd_port.to_s == 'off' then -%>
+<%- sshd_ports.each do |port| -%>
+<%- if port.to_s == 'off' then -%>
 #Port -- disabled by puppet
 <% else -%>
-Port <%= sshd_port -%>
+Port <%= port %>
 <% end -%>
-<%- else -%>
-Port 22
 <%- end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
@@ -159,16 +157,12 @@ UsePAM yes
 UsePAM no
 <%- end -%>
 
-HostbasedUsesNameFromPacketOnly yes
-
 <%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
 AllowTcpForwarding yes
 <%- else -%>
 AllowTcpForwarding no
 <%- end -%>
 
-ChallengeResponseAuthentication no
-
 <%- unless sshd_allowed_users.to_s.empty? then -%>
 AllowUsers <%= sshd_allowed_users -%>
 <%- end -%>
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 3c3d562..14e32bf 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
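Review bot: `Port <%= port %>` writes each element of `sshd_ports` into sshd_config unvalidated, and `sshd_ports.each` assumes the variable is already an Array, so a manifest still passing a single scalar (the old `sshd_port` interface) or leaving the variable unset would most likely break template rendering instead of falling back to the `Port 22` default the removed branch provided. Consider `<%- Array(sshd_ports).each do |port| -%>` so both a scalar and a list render, and validate in the manifest that every element is an integer in 1..65535 or the literal `off`, since a value containing whitespace or a newline would be emitted as additional sshd directives. The `off` sentinel is now checked per element: `['off', 2222]` prints the commented-out marker and still listens on 2222, so either document that `off` must be the only element or reject the mix. Relying on sshd's implicit default of port 22 when the list is empty is fine, but worth a one-line comment above the loop.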
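Review bot: Removing the unconditional `ChallengeResponseAuthentication no` at the end of this hunk leaves that option at sshd's built-in default of `yes` unless Debian_etch.erb sets it somewhere outside the hunk, which this diff does not show. If no such block exists, hosts rendered with `UsePAM yes` will accept keyboard-interactive password logins through PAM even where `PasswordAuthentication no` is set, the PAM interaction the new Debian_sid template's comment block warns about. Either keep the explicit line or add the same conditional the sid template uses, e.g. `ChallengeResponseAuthentication <%= sshd_challenge_response_authentication.to_s == 'yes' ? 'yes' : 'no' %>`. Dropping `HostbasedUsesNameFromPacketOnly yes` is harmless because it only takes effect when HostbasedAuthentication is enabled.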
@@ -6,14 +6,12 @@
 <%- end %>
 
 # What ports, IPs and protocols we listen for
-<%- unless sshd_port.to_s.empty? then -%>
-<%- if sshd_port.to_s == 'off' then -%>
+<%- sshd_ports.each do |port| -%>
+<%- if port.to_s == 'off' then -%>
 #Port -- disabled by puppet
 <% else -%>
-Port <%= sshd_port -%>
+Port <%= port %>
 <% end -%>
-<%- else -%>
-Port 22
 <%- end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
@@ -138,6 +136,9 @@ KeepAlive yes
 #Banner /etc/issue.net
 #ReverseMappingCheck yes
 
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
 <%- if sshd_sftp_subsystem.to_s.empty? then %>
 Subsystem sftp /usr/lib/openssh/sftp-server
 <%- else %>
@@ -159,8 +160,6 @@ UsePAM yes
 UsePAM no
 <%- end -%>
 
-HostbasedUsesNameFromPacketOnly yes
-
 <%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
 AllowTcpForwarding yes
 <%- else -%>
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
new file mode 100644
index 0000000..6dc9333
--- /dev/null
+++ b/templates/sshd_config/Debian_sid.erb
@@ -0,0 +1,202 @@
+# This file is managed by Puppet, all local modifications will be overwritten
+#
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
+<%- end %>
+
+# What ports, IPs and protocols we listen for
+<%- sshd_ports.each do |port| -%>
+<%- if port.to_s == 'off' then -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= port %>
+<% end -%>
+<%- end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+<%- unless sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= sshd_permit_root_login -%>
+<%- else -%>
+PermitRootLogin without-password
+<%- end -%>
+
+<%- if sshd_strict_modes.to_s == 'yes' then -%>
+StrictModes yes
+<%- else -%>
+StrictModes no
+<%- end -%>
+
+<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
+RSAAuthentication yes
+<%- else -%>
+RSAAuthentication no
+<%- end -%>
+
+<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
+PubkeyAuthentication yes
+<%- else -%>
+PubkeyAuthentication no
+<%- end -%>
+
+<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= sshd_authorized_keys_file %>
+<%- else -%>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<%- end -%>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
+IgnoreRhosts yes
+<%- else -%>
+IgnoreRhosts no
+<% end -%>
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+RhostsRSAAuthentication yes
+<%- else -%>
+RhostsRSAAuthentication no
+<% end -%>
+# similar for protocol version 2
+<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
+HostbasedAuthentication yes
+<%- else -%>
+HostbasedAuthentication no
+<% end -%>
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
+ChallengeResponseAuthentication yes
+<%- else -%>
+ChallengeResponseAuthentication no
+<%- end -%>
+
+# To disable tunneled clear text passwords, change to no here!
+<%- if sshd_password_authentication.to_s == 'yes' then -%>
+PasswordAuthentication yes
+<%- else -%>
+PasswordAuthentication no
+<%- end -%>
+
+# Kerberos options
+<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
+KerberosAuthentication yes
+<%- else -%>
+KerberosAuthentication no
+<%- end -%>
+<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
+KerberosOrLocalPasswd yes
+<%- else -%>
+KerberosOrLocalPasswd no
+<%- end -%>
+<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
+KerberosTicketCleanup yes
+<%- else -%>
+KerberosTicketCleanup no
+<%- end -%>
+
+# GSSAPI options
+<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
+GSSAPIAuthentication yes
+<%- else -%>
+GSSAPIAuthentication no
+<%- end -%>
+<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
+GSSAPICleanupCredentials yes
+<%- else -%>
+GSSAPICleanupCredentials yes
+<%- end -%>
+
+<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
+X11Forwarding yes
+<%- else -%>
+X11Forwarding no
+<%- end -%>
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+<%- if sshd_sftp_subsystem.to_s.empty? then %>
+Subsystem sftp /usr/lib/openssh/sftp-server
+<%- else %>
+Subsystem sftp <%= sshd_sftp_subsystem %>
+<%- end %>
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+<%- if sshd_use_pam.to_s == 'yes' then -%>
+UsePAM yes
+<%- else -%>
+UsePAM no
+<%- end -%>
+
+<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
+AllowTcpForwarding yes
+<%- else -%>
+AllowTcpForwarding no
+<%- end -%>
+
+<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
+AllowAgentForwarding yes
+<%- else -%>
+AllowAgentForwarding no
+<%- end -%>
+
+<%- unless sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= sshd_allowed_users -%>
+<%- end -%>
+<%- unless sshd_allowed_groups.to_s.empty? then %>
+AllowGroups <%= sshd_allowed_groups %>
+<%- end %>
+
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
+<%- end %>
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index 56b1cab..cf50ddb 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -8,15 +8,14 @@
 <%- end %>
 
 # What ports, IPs and protocols we listen for
-<%- unless sshd_port.to_s.empty? then -%>
-<%- if sshd_port.to_s == 'off' then -%>
+<%- sshd_ports.each do |port| -%>
+<%- if port.to_s == 'off' then -%>
 #Port -- disabled by puppet
 <% else -%>
-Port <%= sshd_port -%>
+Port <%= port %>
 <% end -%>
-<%- else -%>
-Port 22
-<%- end %>
+<%- end -%>
+
 # Use these options to restrict which interfaces/protocols sshd will bind to
 <% for address in sshd_listen_address -%>
 ListenAddress <%= address %>
@@ -201,4 +200,3 @@ AllowGroups <%= sshd_allowed_groups %>
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
-
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 2112f0d..768d3f5 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
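Review bot: The `GSSAPICleanupCredentials` block in the GSSAPI section emits `yes` in both branches, so the `sshd_gssapi_authentication` test wrapped around it is dead; either collapse it to a plain `GSSAPICleanupCredentials yes` or key it on its own `sshd_gssapi_cleanup_credentials` variable the way the three Kerberos options above it are parameterised. Two hardening points for a template targeting sid: `HostKey /etc/ssh/ssh_host_dsa_key` offers a DSA host key (OpenSSH generates these at 1024 bits) next to the RSA one and is a candidate for removal or for an `sshd_host_keys` parameter, and `LoginGraceTime 600` holds unauthenticated connections five times longer than the 120 s default, which matters for connection exhaustion while `MaxStartups` stays commented out. For style and consistency with the `sshd_ports` loop at the top of the same file, `<% for address in sshd_listen_address -%>` would read better as `<% sshd_listen_address.each do |address| -%>`. The `KeyRegenerationInterval` and `ServerKeyBits` lines are protocol-1-only and inert under `Protocol 2`, which a short comment could say.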
@@ -14,14 +14,12 @@
 <%= sshd_head_additional_options %>
 <%- end %>
 
-<%- unless sshd_port.to_s.empty? then -%>
-<%- if sshd_port.to_s == 'off' then -%>
+<%- sshd_ports.each do |port| -%>
+<%- if port.to_s == 'off' then -%>
 #Port -- disabled by puppet
 <% else -%>
-Port <%= sshd_port -%>
+Port <%= port %>
 <% end -%>
-<%- else -%>
-Port 22
 <%- end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index 69e8afa..51662d3 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -12,14 +12,12 @@
 <%= sshd_head_additional_options %>
 <%- end %>
 
-<%- unless sshd_port.to_s.empty? then -%>
-<%- if sshd_port.to_s == 'off' then -%>
+<%- sshd_ports.each do |port| -%>
+<%- if port.to_s == 'off' then -%>
 #Port -- disabled by puppet
 <% else -%>
-Port <%= sshd_port -%>
+Port <%= port %>
 <% end -%>
-<%- else -%>
-Port 22
 <%- end -%>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to