From 06163fbb920bf7f8dbb7ae2018e1f861003ed9ce Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Fri, 26 Sep 2008 17:34:09 -0400
Subject: added sshd_rhosts_rsa_authentication variable, default set to no

added sshd_hostbased_authentication variable, default set to no
---
 manifests/init.pp | 16 ++++++++++++++++
 templates/sshd_config/CentOS_normal.erb | 14 ++++++++++++--
 templates/sshd_config/Debian_normal.erb | 15 +++++++++++----
 templates/sshd_config/Gentoo_normal.erb | 14 ++++++++++++--
 templates/sshd_config/OpenBSD_normal.erb | 14 ++++++++++++--
 5 files changed, 63 insertions(+), 10 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index cf089bc..02f2e42 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -60,6 +60,14 @@
 # Valid Values: yes or no
 # Default: no
 #
+# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
+# Valid Values: yes or no
+# Default: no
+#
+# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
+# Valid Values: yes or no
+# Default: no
+#
 # sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
 # Valid Values: yes or no
 # Default: yes
@@ -125,6 +133,14 @@ class sshd::base {
 '' => 'yes',
 default => $sshd_ignore_rhosts
 }
+ $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
+ '' => 'no',
+ default => $sshd_rhosts_rsa_authentication
+ }
+ $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
+ '' => 'no',
+ default => $sshd_hostbased_authentication
+ }
 file { 'sshd_config':
 path => '/etc/ssh/sshd_config',
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index e2b4005..0dbe4e6 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
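Review bot: The two new selectors in the second hunk normalise only the empty string to 'no' and pass every other value through unchanged, although the header comment added in the first hunk documents the valid values as yes or no; the templates later render anything that is not exactly 'yes' as `no`, so a value such as 'Yes' or 'true' is silently treated as disabled instead of being rejected. Failing closed is the right direction, but that behaviour should be visible where the value is set, e.g. `# anything other than 'yes' is rendered as "no" by the sshd_config templates` above each selector. `$real_sshd_ignore_rhosts` directly above has the same shape, so any stricter handling (listing 'yes' and 'no' explicitly) should be applied to all of these selectors together. The enclosing class sshd::base begins outside the hunk.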
@@ -64,9 +64,19 @@ PubkeyAuthentication no
 #AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
 # similar for protocol version 2
-#HostbasedAuthentication no
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index 155c4da..28e799d 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -53,8 +53,12 @@ PubkeyAuthentication no
 #AuthorizedKeysFile %h/.ssh/authorized_keys
-# rhosts authentication should not be used
-#RhostsAuthentication no
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
 # Don't read the user's ~/.rhosts and ~/.shosts files
 <%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
@@ -63,10 +67,13 @@ IgnoreRhosts yes
 IgnoreRhosts no
 <% end -%>
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
 # similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
 HostbasedAuthentication no
+<% end -%>
+
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index c8dbda4..443d8ac 100644
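Review bot: When `real_sshd_hostbased_authentication` or `real_sshd_rhosts_rsa_authentication` is 'yes', the new branches leave the following context line `#IgnoreUserKnownHosts no` untouched, so any user's `~/.ssh/known_hosts` can vouch for a client host alongside `/etc/ssh/ssh_known_hosts`; the stock comment directly above that line describes exactly this trust. Host-based authentication is the case where that trust matters, so the template could emit `IgnoreUserKnownHosts yes` inside the same branches that emit `HostbasedAuthentication yes` and `RhostsRSAAuthentication yes`, or the manifest documentation should state that user-level known_hosts trust is left as shipped. The same applies to the Debian template (second hunk, `#IgnoreUserKnownHosts yes`) and to the Gentoo and OpenBSD hunks that follow. RhostsRSAAuthentication is also a protocol 1 option (the context comment introduces HostbasedAuthentication as "similar for protocol version 2"), so if these templates pin Protocol 2 elsewhere, which is not visible here, setting the new variable has no effect and the manifest comment should say so.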
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -67,9 +67,19 @@ PubkeyAuthentication no
 #AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
 # similar for protocol version 2
-#HostbasedAuthentication no
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index 420f9cc..e6e9bbc 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -61,9 +61,19 @@ PubkeyAuthentication no
 #AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
 # similar for protocol version 2
-#HostbasedAuthentication no
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
-- 
cgit v1.2.3