From 42d4597ca9e07ae8e5f93a876822c4fb02b001b1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 12:49:37 -0400 Subject: remove Debian Lenny support --- templates/sshd_config/Debian_lenny.erb | 127 --------------------------------- 1 file changed, 127 deletions(-) delete mode 100644 templates/sshd_config/Debian_lenny.erb diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb deleted file mode 100644 index 8cbea30..0000000 --- a/templates/sshd_config/Debian_lenny.erb +++ /dev/null @@ -1,127 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for details - -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> -<%= s %> -<% end -%> - -# What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> -<% if port == 'off' -%> -#Port -- disabled by puppet -<% else -%> -Port <%= port %> -<% end -%> -<% end -%> - -# Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> -ListenAddress <%= address %> -<% end -%> -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> - -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> - -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> - -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> - -# similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> - -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> - -# Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> - -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> -X11DisplayOffset 10 -KeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> - -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> - -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> - -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> -AllowUsers <%= s %> -<% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> -AllowGroups <%= s %> -<%- end -%> - -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> - -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> -Ciphers aes256-ctr -MACs hmac-sha1 -<% end -%> - -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> -<%= s %> -<% end -%> -- cgit v1.2.3 From fd82841c1f03d22acf4ed448cd22743a785f573e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 12:45:14 -0400 Subject: Change 'hardened_ssl' paramter to simply 'hardened', this makes more sense in general --- README.md | 8 ++++++-- manifests/init.pp | 2 +- templates/sshd_config/CentOS_6.erb | 2 +- templates/sshd_config/CentOS_7.erb | 2 +- templates/sshd_config/Debian_jessie.erb | 2 +- templates/sshd_config/Debian_sid.erb | 2 +- templates/sshd_config/Debian_squeeze.erb | 2 +- templates/sshd_config/Debian_wheezy.erb | 2 +- templates/sshd_config/FreeBSD.erb | 2 +- templates/sshd_config/Gentoo.erb | 2 +- templates/sshd_config/OpenBSD.erb | 2 +- templates/sshd_config/Ubuntu.erb | 2 +- templates/sshd_config/Ubuntu_lucid.erb | 2 +- 13 files changed, 18 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index cbe0bba..77e4d29 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,10 @@ This puppet module manages OpenSSH configuration and services. +**!! Upgrade Notice (05/2015) !!** + +The hardened_ssl parameter name was changed to simply 'hardened'. + **!! Upgrade Notice (01/2013) !!** This module now uses parameterized classes, where it used global variables @@ -179,8 +183,8 @@ The following is a list of the currently available variables: Set this to the location of the AuthorizedKeysFile (e.g. `/etc/ssh/authorized_keys/%u`). Default: `AuthorizedKeysFile %h/.ssh/authorized_keys` - - `hardened_ssl` - Use only strong SSL ciphers and MAC. + - `hardened` + Use only strong ciphers, MAC, KexAlgorithms, etc. Values: - `no` (default) - `yes` diff --git a/manifests/init.pp b/manifests/init.pp index 0f8c472..2dfc71c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -40,7 +40,7 @@ class sshd( OpenBSD => '%h/.ssh/authorized_keys', default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2', }, - $hardened_ssl = 'no', + $hardened = 'no', $sftp_subsystem = '', $head_additional_options = '', $tail_additional_options = '', diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 47cb077..97e9a5b 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -150,7 +150,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index 7db2277..cad9f59 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -164,7 +164,7 @@ AllowGroups <%= s %> #Host *.local # CheckHostIP no -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 033f409..ada3891 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -111,7 +111,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 033f409..ada3891 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -111,7 +111,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 0ba323f..d42fac1 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -115,7 +115,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index cd4bf48..4633c09 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -114,7 +114,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index d4cd9b5..f5bd439 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -152,7 +152,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 1cb4522..6e51b4c 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -147,7 +147,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index aa92eb6..7577bac 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -128,7 +128,7 @@ AllowGroups <%= s %> # AllowTcpForwarding no # ForceCommand cvs server -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 0ba323f..d42fac1 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -115,7 +115,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index cff95a7..1ed8fd7 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -118,7 +118,7 @@ AllowGroups <%= s %> PrintMotd <%= scope.lookupvar('sshd::print_motd') %> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> -- cgit v1.2.3 From 430c48200eeacf11fd3980f162ffa1994c2d0dd0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 13:48:19 -0400 Subject: Implement KexAlgorithms settings, based on Key exchange section of https://stribika.github.io/2015/01/04/secure-secure-shell.html Note, that on some systems it is uncertain if they will have a new enough version of openssh installed, so on those a version test is done to see before setting them. --- templates/sshd_config/CentOS_6.erb | 3 +++ templates/sshd_config/CentOS_7.erb | 3 +++ templates/sshd_config/Debian_jessie.erb | 1 + templates/sshd_config/Debian_sid.erb | 1 + templates/sshd_config/Debian_wheezy.erb | 3 +++ templates/sshd_config/FreeBSD.erb | 3 +++ templates/sshd_config/Gentoo.erb | 3 +++ templates/sshd_config/OpenBSD.erb | 3 +++ templates/sshd_config/Ubuntu.erb | 3 +++ templates/sshd_config/Ubuntu_lucid.erb | 3 +++ 10 files changed, 26 insertions(+) diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 97e9a5b..f27e567 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -151,6 +151,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index cad9f59..c6ecd06 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -165,6 +165,9 @@ AllowGroups <%= s %> # CheckHostIP no <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index ada3891..19d4327 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -112,6 +112,7 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +KexAlgorithms curve25519-sha256@libssh.org Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index ada3891..19d4327 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -112,6 +112,7 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +KexAlgorithms curve25519-sha256@libssh.org Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index 4633c09..e8465ea 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -115,6 +115,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index f5bd439..8655c53 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -153,6 +153,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 6e51b4c..1508d70 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -148,6 +148,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 7577bac..591d980 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -129,6 +129,9 @@ AllowGroups <%= s %> # ForceCommand cvs server <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index d42fac1..28ee5f6 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -116,6 +116,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 1ed8fd7..36f787b 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -119,6 +119,9 @@ AllowGroups <%= s %> PrintMotd <%= scope.lookupvar('sshd::print_motd') %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> -- cgit v1.2.3 From 1402e67b2143dca464905bb6d95410a4ee862255 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 13:57:37 -0400 Subject: Implement enhanced symmetric cipher selection, based on https://stribika.github.io/2015/01/04/secure-secure-shell.html and version of openssh installed --- templates/sshd_config/CentOS_6.erb | 4 +++- templates/sshd_config/CentOS_7.erb | 4 +++- templates/sshd_config/Debian_jessie.erb | 2 +- templates/sshd_config/Debian_sid.erb | 2 +- templates/sshd_config/Debian_wheezy.erb | 4 +++- templates/sshd_config/FreeBSD.erb | 4 +++- templates/sshd_config/Gentoo.erb | 4 +++- templates/sshd_config/OpenBSD.erb | 4 +++- templates/sshd_config/Ubuntu.erb | 4 +++- templates/sshd_config/Ubuntu_lucid.erb | 4 +++- 10 files changed, 26 insertions(+), 10 deletions(-) diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index f27e567..325c73a 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -153,8 +153,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index c6ecd06..b120356 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -167,8 +167,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 19d4327..7b74e76 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -113,7 +113,7 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org -Ciphers aes256-ctr +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 19d4327..7b74e76 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -113,7 +113,7 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org -Ciphers aes256-ctr +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index e8465ea..214fbd9 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -117,8 +117,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 8655c53..3e13328 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -155,8 +155,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 1508d70..3d37d62 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -150,8 +150,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 591d980..aa6868e 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -131,8 +131,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 28ee5f6..2f8cb3e 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -118,8 +118,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 36f787b..109b49f 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -121,8 +121,10 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> -- cgit v1.2.3 From e4a9c15987372e63ace244a92619bdd2e4c5407a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 14:00:56 -0400 Subject: Implement enhanced MAC (Message Authentication Codes) according to installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html --- templates/sshd_config/CentOS_6.erb | 3 ++- templates/sshd_config/CentOS_7.erb | 3 ++- templates/sshd_config/Debian_jessie.erb | 2 +- templates/sshd_config/Debian_sid.erb | 2 +- templates/sshd_config/Debian_wheezy.erb | 3 ++- templates/sshd_config/FreeBSD.erb | 3 ++- templates/sshd_config/Gentoo.erb | 3 ++- templates/sshd_config/OpenBSD.erb | 3 ++- templates/sshd_config/Ubuntu.erb | 3 ++- templates/sshd_config/Ubuntu_lucid.erb | 3 ++- 10 files changed, 18 insertions(+), 10 deletions(-) diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 325c73a..4c1e28a 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -154,11 +154,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> # Example of overriding settings on a per-user basis #Match User anoncvs diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index b120356..5acef6d 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -168,11 +168,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> # Example of overriding settings on a per-user basis #Match User anoncvs diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 7b74e76..0138acf 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -114,7 +114,7 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr -MACs hmac-sha1 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 7b74e76..0138acf 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -114,7 +114,7 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr -MACs hmac-sha1 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index 214fbd9..961b26d 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -118,11 +118,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 3e13328..91b5e77 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -156,11 +156,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 3d37d62..ac6ae51 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -151,11 +151,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index aa6868e..cc1c2b9 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -132,11 +132,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 2f8cb3e..29c1bf9 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -119,11 +119,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 109b49f..550243f 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -122,11 +122,12 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> -- cgit v1.2.3 From ac6e09ecde7b78acecb7eb357a2e559824f4cbe3 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 7 May 2015 11:34:07 -0400 Subject: Adjust variable lookup in templates to silence deprecation warnings, fixes #1 --- templates/sshd_config/CentOS_6.erb | 46 ++++++++++++------------ templates/sshd_config/CentOS_7.erb | 48 ++++++++++++------------- templates/sshd_config/Debian_jessie.erb | 60 ++++++++++++++++---------------- templates/sshd_config/Debian_sid.erb | 60 ++++++++++++++++---------------- templates/sshd_config/Debian_squeeze.erb | 60 ++++++++++++++++---------------- templates/sshd_config/Debian_wheezy.erb | 60 ++++++++++++++++---------------- templates/sshd_config/FreeBSD.erb | 56 ++++++++++++++--------------- templates/sshd_config/Gentoo.erb | 46 ++++++++++++------------ templates/sshd_config/OpenBSD.erb | 44 +++++++++++------------ templates/sshd_config/Ubuntu.erb | 60 ++++++++++++++++---------------- templates/sshd_config/Ubuntu_lucid.erb | 50 +++++++++++++------------- 11 files changed, 295 insertions(+), 295 deletions(-) diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 4c1e28a..4593a91 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -10,11 +10,11 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -23,7 +23,7 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -51,39 +51,39 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> #AuthorizedKeysCommand none #AuthorizedKeysCommandRunAs nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -106,7 +106,7 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES @@ -115,13 +115,13 @@ AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS #AllowAgentForwarding yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no #X11Forwarding no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -141,16 +141,16 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #Banner /some/path # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -167,6 +167,6 @@ MACs hmac-sha1 # AllowTcpForwarding no # ForceCommand cvs server # -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index 5acef6d..f55fb9d 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -10,7 +10,7 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> @@ -18,14 +18,14 @@ # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> Port <%= port %> <% end -%> <% end -%> -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -35,7 +35,7 @@ ListenAddress <%= address %> # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -55,39 +55,39 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 #MaxSessions 10 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandRunAs nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -114,16 +114,16 @@ GSSAPICleanupCredentials yes # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several # problems. #UsePAM no -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> #AllowAgentForwarding yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no #X11Forwarding no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -151,12 +151,12 @@ AcceptEnv XMODIFIERS # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> @@ -164,7 +164,7 @@ AllowGroups <%= s %> #Host *.local # CheckHostIP no -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -181,6 +181,6 @@ MACs hmac-sha1 # AllowTcpForwarding no # ForceCommand cvs server -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 0138acf..0f39252 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd_config(5) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,12 +17,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> #Privilege Separation is turned on for security @@ -38,45 +38,45 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Change to no to disable tunnelled clear text passwords -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> #KerberosGetAFSToken no -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes #UseLogin no @@ -87,7 +87,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -98,25 +98,25 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 0138acf..0f39252 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd_config(5) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,12 +17,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> #Privilege Separation is turned on for security @@ -38,45 +38,45 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Change to no to disable tunnelled clear text passwords -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> #KerberosGetAFSToken no -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes #UseLogin no @@ -87,7 +87,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -98,25 +98,25 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index d42fac1..5845a3d 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,12 +17,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -39,47 +39,47 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -91,7 +91,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -102,24 +102,24 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index 961b26d..bfa6ea8 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,12 +17,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> #Privilege Separation is turned on for security @@ -38,47 +38,47 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -90,7 +90,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -101,20 +101,20 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -125,6 +125,6 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 91b5e77..5298ade 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -16,12 +16,12 @@ #VersionAddendum FreeBSD-20100308 -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -30,7 +30,7 @@ Port <%= port %> <% end -%> #AddressFamily any -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -40,7 +40,7 @@ Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -56,24 +56,24 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 #MaxSessions 10 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication @@ -82,21 +82,21 @@ HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> #IgnoreRhosts yes # Change to yes to enable built-in password authentication. -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable PAM authentication -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -107,14 +107,14 @@ GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 #X11UseLocalhost yes @@ -137,7 +137,7 @@ TCPKeepAlive yes #Banner none # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -145,14 +145,14 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # AllowTcpForwarding no # ForceCommand cvs server -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -163,6 +163,6 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index ac6ae51..022a26e 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -10,11 +10,11 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -23,7 +23,7 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> #AddressFamily any @@ -51,39 +51,39 @@ Protocol 2 # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -106,15 +106,15 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -132,7 +132,7 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #Banner /some/path # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/misc/sftp-server' : s %> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -140,14 +140,14 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # AllowTcpForwarding no # ForceCommand cvs server -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -158,7 +158,7 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index cc1c2b9..db73030 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,11 +8,11 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -21,7 +21,7 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> #Protocol 2,1 @@ -45,39 +45,39 @@ ListenAddress <%= address %> # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -89,13 +89,13 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -113,12 +113,12 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #Banner /some/path # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/sftp-server' : s %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> @@ -128,7 +128,7 @@ AllowGroups <%= s %> # AllowTcpForwarding no # ForceCommand cvs server -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -139,6 +139,6 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 29c1bf9..c71e00b 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -3,12 +3,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -17,12 +17,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -39,47 +39,47 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # Kerberos options -KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> -KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> -KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> +KerberosAuthentication <%= scope.lookupvar('::sshd::kerberos_authentication') %> +KerberosOrLocalPasswd <%= scope.lookupvar('::sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('::sshd::kerberos_ticketcleanup') %> # GSSAPI options -GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> -GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> +GSSAPIAuthentication <%= scope.lookupvar('::sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('::sshd::gssapi_cleanupcredentials') %> -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes @@ -91,7 +91,7 @@ TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -102,20 +102,20 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -126,6 +126,6 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 550243f..7544f00 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -1,12 +1,12 @@ # Package generated configuration file # See the sshd(8) manpage for details -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> # What ports, IPs and protocols we listen for -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -15,12 +15,12 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +<% scope.lookupvar('::sshd::hostkey_type').to_a.each do |hostkey_type| -%> HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key <% end -%> @@ -41,36 +41,36 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To change Kerberos options #KerberosAuthentication no @@ -81,7 +81,7 @@ PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> X11DisplayOffset 10 KeepAlive yes #UseLogin no @@ -90,7 +90,7 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -101,24 +101,24 @@ Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> HostbasedUsesNameFromPacketOnly yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> -AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> +AllowAgentForwarding <%= scope.lookupvar('::sshd::agent_forwarding') %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -129,6 +129,6 @@ MACs hmac-sha1 <% end -%> <% end -%> -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> -- cgit v1.2.3 From d00986b0e0024a02ca5eb56aa493bfc8bd7ecb93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Wed, 13 May 2015 16:20:24 -0400 Subject: sync LoginGraceTime with debian defaults --- templates/sshd_config/Debian_wheezy.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index bfa6ea8..f9a476b 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -37,7 +37,7 @@ SyslogFacility AUTH LogLevel INFO # Authentication: -LoginGraceTime 600 +LoginGraceTime 120 PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> -- cgit v1.2.3 From e60fb9a027a4b86ad1646cb5daadef49ed5774ff Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Wed, 20 May 2015 14:55:09 -0700 Subject: add override_builtin parameter to handle the common authorized_key directory case --- manifests/ssh_authorized_key.pp | 69 +++++++++++++++++++++++++++++++++-------- 1 file changed, 56 insertions(+), 13 deletions(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index 7201f8b..2436df6 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -5,7 +5,8 @@ define sshd::ssh_authorized_key( $key = 'absent', $user = '', $target = undef, - $options = 'absent' + $options = 'absent', + $override_builtin = undef ){ if ($ensure=='present') and ($key=='absent') { @@ -29,19 +30,61 @@ define sshd::ssh_authorized_key( $real_target = $target } } - ssh_authorized_key{$name: - ensure => $ensure, - type => $type, - key => $key, - user => $real_user, - target => $real_target, - } - case $options { - 'absent': { info("not setting any option for ssh_authorized_key: ${name}") } - default: { - Ssh_authorized_key[$name]{ - options => $options, + # The ssh_authorized_key built-in function (in 2.7.23 at least) + # will not write an authorized_keys file for a mortal user to + # a directory they don't have write permission to, puppet attempts to + # create the file as the user specified with the user parameter and fails. + # Since ssh will refuse to use authorized_keys files not owned by the + # user, or in files/directories that allow other users to write, this + # behavior is deliberate in order to prevent typical non-working + # configurations. However, it also prevents the case of puppet, running + # as root, writing a file owned by a mortal user to a common + # authorized_keys directory such as one might specify in sshd_config with + # something like + # 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u' + # So we provide a way to override the built-in and instead just install + # via a file resource. There is no additional security risk here, it's + # nothing a user can't already do by writing their own file resources, + # we still depend on the filesystem permissions to keep things safe. + if $override_builtin { + case $options { + 'absent': { + info("not setting any option for ssh_authorized_key: ${name}") + + file { '$real_target': + ensure => $ensure, + content => '$type $key', + owner => '$real_user', + mode => '0600'; + } + } + default: { + file { '$real_target': + ensure => $ensure, + content => '$options $type $key', + owner => '$real_user', + mode => '0600'; + } + } + } + } else { + ssh_authorized_key{$name: + ensure => $ensure, + type => $type, + key => $key, + user => $real_user, + target => $real_target, + } + + case $options { + 'absent': { + info("not setting any option for ssh_authorized_key: ${name}") + } + default: { + Ssh_authorized_key[$name]{ + options => $options, + } } } } -- cgit v1.2.3 From 383f919ebbdebfc1426319c6dcf05f87adc7a767 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 21 May 2015 09:56:59 -0400 Subject: Fix invalid single quotes around variables --- manifests/ssh_authorized_key.pp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index 2436df6..e93dde1 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -52,18 +52,18 @@ define sshd::ssh_authorized_key( 'absent': { info("not setting any option for ssh_authorized_key: ${name}") - file { '$real_target': + file { $real_target: ensure => $ensure, - content => '$type $key', - owner => '$real_user', + content => "${type} ${key}", + owner => $real_user, mode => '0600'; } } default: { - file { '$real_target': + file { $real_target: ensure => $ensure, - content => '$options $type $key', - owner => '$real_user', + content => "${options} ${type} ${key}", + owner => $real_user, mode => '0600'; } } -- cgit v1.2.3 From 4c87f6bd1e2b4cc4ed2d605386983623230c53af Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 21 May 2015 10:17:52 -0400 Subject: Add header to ssh_authorized_key when override_builting = 1 --- manifests/ssh_authorized_key.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index e93dde1..f942d62 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -51,10 +51,11 @@ define sshd::ssh_authorized_key( case $options { 'absent': { info("not setting any option for ssh_authorized_key: ${name}") + $header = "# HEADER: This file is managed by Puppet.\n" file { $real_target: ensure => $ensure, - content => "${type} ${key}", + content => "${header}${type} ${key}", owner => $real_user, mode => '0600'; } @@ -62,7 +63,7 @@ define sshd::ssh_authorized_key( default: { file { $real_target: ensure => $ensure, - content => "${options} ${type} ${key}", + content => "${header}${options} ${type} ${key}", owner => $real_user, mode => '0600'; } -- cgit v1.2.3 From f3c0115743cab9d4e6c08b654b67631566572d41 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 21 May 2015 10:29:03 -0400 Subject: Simplify ssh_authorized_key --- manifests/ssh_authorized_key.pp | 55 ++++++++++++++++------------------------- 1 file changed, 21 insertions(+), 34 deletions(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index f942d62..7702914 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -48,45 +48,32 @@ define sshd::ssh_authorized_key( # nothing a user can't already do by writing their own file resources, # we still depend on the filesystem permissions to keep things safe. if $override_builtin { - case $options { - 'absent': { - info("not setting any option for ssh_authorized_key: ${name}") - $header = "# HEADER: This file is managed by Puppet.\n" - file { $real_target: - ensure => $ensure, - content => "${header}${type} ${key}", - owner => $real_user, - mode => '0600'; - } - } - default: { - file { $real_target: - ensure => $ensure, - content => "${header}${options} ${type} ${key}", - owner => $real_user, - mode => '0600'; - } - } + $header = '# HEADER: This file is managed by Puppet.' + + file { $real_target: + ensure => $ensure, + owner => $real_user, + mode => '0600', + content => $options ? { + 'absent' => "${header}\n${type} ${key}", + default => "${header}\n${options} ${type} ${key}", + }, } + } else { + ssh_authorized_key{$name: - ensure => $ensure, - type => $type, - key => $key, - user => $real_user, - target => $real_target, + ensure => $ensure, + type => $type, + key => $key, + user => $real_user, + target => $real_target, + options => $options ? { + 'absent' => undef, + default => $options, + }, } - case $options { - 'absent': { - info("not setting any option for ssh_authorized_key: ${name}") - } - default: { - Ssh_authorized_key[$name]{ - options => $options, - } - } - } } } -- cgit v1.2.3 From cbfa047a71f7920d3cbed9bd963ad33ee1551e01 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 21 May 2015 13:12:18 -0400 Subject: Revert "Simplify ssh_authorized_key" puppet-lint complains about "selector inside resource" This reverts commit f3c0115743cab9d4e6c08b654b67631566572d41. --- manifests/ssh_authorized_key.pp | 55 +++++++++++++++++++++++++---------------- 1 file changed, 34 insertions(+), 21 deletions(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index 7702914..f942d62 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -48,32 +48,45 @@ define sshd::ssh_authorized_key( # nothing a user can't already do by writing their own file resources, # we still depend on the filesystem permissions to keep things safe. if $override_builtin { + case $options { + 'absent': { + info("not setting any option for ssh_authorized_key: ${name}") + $header = "# HEADER: This file is managed by Puppet.\n" - $header = '# HEADER: This file is managed by Puppet.' - - file { $real_target: - ensure => $ensure, - owner => $real_user, - mode => '0600', - content => $options ? { - 'absent' => "${header}\n${type} ${key}", - default => "${header}\n${options} ${type} ${key}", - }, + file { $real_target: + ensure => $ensure, + content => "${header}${type} ${key}", + owner => $real_user, + mode => '0600'; + } + } + default: { + file { $real_target: + ensure => $ensure, + content => "${header}${options} ${type} ${key}", + owner => $real_user, + mode => '0600'; + } + } } - } else { - ssh_authorized_key{$name: - ensure => $ensure, - type => $type, - key => $key, - user => $real_user, - target => $real_target, - options => $options ? { - 'absent' => undef, - default => $options, - }, + ensure => $ensure, + type => $type, + key => $key, + user => $real_user, + target => $real_target, } + case $options { + 'absent': { + info("not setting any option for ssh_authorized_key: ${name}") + } + default: { + Ssh_authorized_key[$name]{ + options => $options, + } + } + } } } -- cgit v1.2.3 From feeb9400e5ffb107fe224e96ef8f504222cb5239 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 21 May 2015 13:19:40 -0400 Subject: Simplify ssh_authorized_key --- manifests/ssh_authorized_key.pp | 61 ++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 34 deletions(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index f942d62..6d98be4 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -48,45 +48,38 @@ define sshd::ssh_authorized_key( # nothing a user can't already do by writing their own file resources, # we still depend on the filesystem permissions to keep things safe. if $override_builtin { - case $options { - 'absent': { - info("not setting any option for ssh_authorized_key: ${name}") - $header = "# HEADER: This file is managed by Puppet.\n" + $header = "# HEADER: This file is managed by Puppet.\n" - file { $real_target: - ensure => $ensure, - content => "${header}${type} ${key}", - owner => $real_user, - mode => '0600'; - } - } - default: { - file { $real_target: - ensure => $ensure, - content => "${header}${options} ${type} ${key}", - owner => $real_user, - mode => '0600'; - } - } + if $options == 'absent' { + info("not setting any option for ssh_authorized_key: ${name}") + $content = "${header}${type} ${key}" + } else { + $content = "${header}${options} ${type} ${key}" + } + + file { $real_target: + ensure => $ensure, + content => $content, + owner => $real_user, + mode => '0600', } + } else { - ssh_authorized_key{$name: - ensure => $ensure, - type => $type, - key => $key, - user => $real_user, - target => $real_target, + + if $options == 'absent' { + info("not setting any option for ssh_authorized_key: ${name}") + } else { + $real_options = $options } - case $options { - 'absent': { - info("not setting any option for ssh_authorized_key: ${name}") - } - default: { - Ssh_authorized_key[$name]{ - options => $options, - } - } + ssh_authorized_key{$name: + ensure => $ensure, + type => $type, + key => $key, + user => $real_user, + target => $real_target, + options => $real_options, } } + } -- cgit v1.2.3 From 1f6803708aa88c1957dfcfb2b10e20072820f5a5 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 21 May 2015 13:20:38 -0400 Subject: Add newline to ssh_authorized_key file content --- manifests/ssh_authorized_key.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index 6d98be4..80cb3b7 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -52,9 +52,9 @@ define sshd::ssh_authorized_key( if $options == 'absent' { info("not setting any option for ssh_authorized_key: ${name}") - $content = "${header}${type} ${key}" + $content = "${header}${type} ${key}\n" } else { - $content = "${header}${options} ${type} ${key}" + $content = "${header}${options} ${type} ${key}\n" } file { $real_target: -- cgit v1.2.3 From b682edaae3c4f44003fa188ff564c6ba4cd43927 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 22 May 2015 16:37:03 -0700 Subject: disable the debian/ubuntu package version from being sent to clients --- templates/sshd_config/Debian_jessie.erb | 2 ++ templates/sshd_config/Debian_sid.erb | 2 ++ templates/sshd_config/Debian_squeeze.erb | 2 ++ templates/sshd_config/Debian_wheezy.erb | 2 ++ templates/sshd_config/Ubuntu.erb | 2 ++ templates/sshd_config/Ubuntu_lucid.erb | 2 ++ 6 files changed, 12 insertions(+) diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 0f39252..91dbfff 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -83,6 +83,8 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 0f39252..91dbfff 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -83,6 +83,8 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 5845a3d..5ca1fd9 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -87,6 +87,8 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index bfa6ea8..117abe3 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -86,6 +86,8 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index c71e00b..a326ab8 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -87,6 +87,8 @@ TCPKeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 7544f00..be7c56d 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -88,6 +88,8 @@ KeepAlive yes #MaxStartups 10:30:60 #Banner /etc/issue.net +# do not reveal debian version (default is yes) +DebianBanner no #ReverseMappingCheck yes Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> -- cgit v1.2.3 From abd504a5f459873f547ccdf4940c0ac5ae7fe874 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Mon, 8 Jun 2015 14:08:47 -0400 Subject: Facter values changed in 2.x for XenServer --- templates/sshd_config/RedHat_xenenterprise.erb | 1 - templates/sshd_config/XenServer_xenenterprise.erb | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 120000 templates/sshd_config/RedHat_xenenterprise.erb create mode 120000 templates/sshd_config/XenServer_xenenterprise.erb diff --git a/templates/sshd_config/RedHat_xenenterprise.erb b/templates/sshd_config/RedHat_xenenterprise.erb deleted file mode 120000 index 71b767a..0000000 --- a/templates/sshd_config/RedHat_xenenterprise.erb +++ /dev/null @@ -1 +0,0 @@ -CentOS_6.erb \ No newline at end of file diff --git a/templates/sshd_config/XenServer_xenenterprise.erb b/templates/sshd_config/XenServer_xenenterprise.erb new file mode 120000 index 0000000..71b767a --- /dev/null +++ b/templates/sshd_config/XenServer_xenenterprise.erb @@ -0,0 +1 @@ +CentOS_6.erb \ No newline at end of file -- cgit v1.2.3 From 72b4eadc2db6ed72625f3322f466d21c556ef69b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 18 Jun 2015 15:58:51 -0400 Subject: import from autossh package --- files/autossh.init.d | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++ manifests/autossh.pp | 34 ++++++++++++++++++ 2 files changed, 132 insertions(+) create mode 100644 files/autossh.init.d create mode 100644 manifests/autossh.pp diff --git a/files/autossh.init.d b/files/autossh.init.d new file mode 100644 index 0000000..fb3c57f --- /dev/null +++ b/files/autossh.init.d @@ -0,0 +1,98 @@ +#! /bin/sh + +### BEGIN INIT INFO +# Provides: autossh +# Required-Start: $remote_fs $syslog $network +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: +# Short-Description: Autossh for isuma +### END INIT INFO + +set -e + +umask 022 + +if test -f /etc/default/isuma-autossh; then + . /etc/default/isuma-autossh +fi + +. /lib/lsb/init-functions + +export PATH=/sbin:/bin:/usr/sbin:/usr/bin + +case "$1" in + start) + log_daemon_msg "Starting Autossh for isuma" "autossh" + if start-stop-daemon --quiet --start --background --pidfile /var/run/autossh-isuma.pid --make-pidfile --exec /usr/bin/autossh -- $AUTOSSH_ISUMA_OPTS; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + stop) + log_daemon_msg "Stopping Autossh for isuma" "autossh" + if start-stop-daemon --stop --quiet --pidfile /var/run/autossh-isuma.pid ; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + + reload|force-reload) + log_daemon_msg "Reloading Autossh for isuma's configuration" "autossh" + if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/autossh-isuma.pid; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + + restart) + log_daemon_msg "Restarting Autossh for isuma" "autossh" + start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/autossh-isuma.pid + if start-stop-daemon --start --quiet -b --make-pidfile --pidfile /var/run/autossh-isuma.pid --exec /usr/bin/autossh -- $AUTOSSH_ISUMA_OPTS; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + + try-restart) + log_daemon_msg "Restarting Autossh for isuma" "autossh" + set +e + start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/autossh-isuma.pid + RET="$?" + set -e + case $RET in + 0) + # old daemon stopped + if start-stop-daemon --start --quiet --oknodo -b --pidfile /var/run/autossh-isuma.pid --make-pidfile --exec /usr/bin/autossh -- $AUTOSSH_ISUMA_OPTS; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + 1) + # daemon not running + log_progress_msg "(not running)" + log_end_msg 0 + ;; + *) + # failed to stop + log_progress_msg "(failed to stop)" + log_end_msg 1 + ;; + esac + ;; + + status) + status_of_proc -p /var/run/autossh-isuma.pid /usr/sbin/autossh autossh && exit 0 || exit $? + ;; + + *) + log_action_msg "Usage: /etc/init.d/isuma-autossh {start|stop|reload|force-reload|restart|try-restart|status}" + exit 1 +esac + +exit 0 diff --git a/manifests/autossh.pp b/manifests/autossh.pp new file mode 100644 index 0000000..80d571b --- /dev/null +++ b/manifests/autossh.pp @@ -0,0 +1,34 @@ +class sshd::autossh($host, + $port = undef, # this should be a remote->local hash + $remote_user = undef, +) { + if $port { + $port_ensure = $port + } + else { + # random port between 10000 and 20000 + $port_ensure = fqdn_rand(10000) + 10000 + } + if $remote_user { + $remote_user_ensure = $remote_user + } + else { + $remote_user_ensure = "host-$fqdn" + } + file { + '/etc/init.d/autossh': + mode => '0555', + source => 'puppet:///modules/sshd/autossh.init.d'; + '/etc/default/autossh': + mode => '0444', + content => "DAEMON_OPTS='-o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $user_ensure@$host'\n"; + } + service { 'autossh': + ensure => running, + enable => true, + subscribe => [ + File['/etc/init.d/autossh'], + File['/etc/default/autossh'] + ], + } +} -- cgit v1.2.3 From baf0a425d25294f2d218419cfd8e77be56168a95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 18 Jun 2015 15:59:16 -0400 Subject: remove traces of isuma vendor --- files/autossh.init.d | 26 ++++++++++++++------------ manifests/autossh.pp | 10 +++++++--- 2 files changed, 21 insertions(+), 15 deletions(-) diff --git a/files/autossh.init.d b/files/autossh.init.d index fb3c57f..254fcdc 100644 --- a/files/autossh.init.d +++ b/files/autossh.init.d @@ -6,13 +6,15 @@ # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: -# Short-Description: Autossh for isuma +# Short-Description: AutoSSH daemon ### END INIT INFO set -e umask 022 +PIDFILE=/var/run/autossh.pid + if test -f /etc/default/isuma-autossh; then . /etc/default/isuma-autossh fi @@ -23,16 +25,16 @@ export PATH=/sbin:/bin:/usr/sbin:/usr/bin case "$1" in start) - log_daemon_msg "Starting Autossh for isuma" "autossh" - if start-stop-daemon --quiet --start --background --pidfile /var/run/autossh-isuma.pid --make-pidfile --exec /usr/bin/autossh -- $AUTOSSH_ISUMA_OPTS; then + log_daemon_msg "Starting AutoSSH daemon" "autossh" + if start-stop-daemon --quiet --start --background --pidfile $PIDFILE --make-pidfile --exec /usr/bin/autossh -- $DAEMON_OPTS; then log_end_msg 0 else log_end_msg 1 fi ;; stop) - log_daemon_msg "Stopping Autossh for isuma" "autossh" - if start-stop-daemon --stop --quiet --pidfile /var/run/autossh-isuma.pid ; then + log_daemon_msg "Stopping AutoSSH daemon" "autossh" + if start-stop-daemon --stop --quiet --pidfile $PIDFILE ; then log_end_msg 0 else log_end_msg 1 @@ -40,8 +42,8 @@ case "$1" in ;; reload|force-reload) - log_daemon_msg "Reloading Autossh for isuma's configuration" "autossh" - if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/autossh-isuma.pid; then + log_daemon_msg "Reloading AutoSSH daemon" "autossh" + if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile $PIDFILE; then log_end_msg 0 else log_end_msg 1 @@ -50,8 +52,8 @@ case "$1" in restart) log_daemon_msg "Restarting Autossh for isuma" "autossh" - start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/autossh-isuma.pid - if start-stop-daemon --start --quiet -b --make-pidfile --pidfile /var/run/autossh-isuma.pid --exec /usr/bin/autossh -- $AUTOSSH_ISUMA_OPTS; then + start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile $PIDFILE + if start-stop-daemon --start --quiet -b --make-pidfile --pidfile $PIDFILE --exec /usr/bin/autossh -- $AUTOSSH_ISUMA_OPTS; then log_end_msg 0 else log_end_msg 1 @@ -61,13 +63,13 @@ case "$1" in try-restart) log_daemon_msg "Restarting Autossh for isuma" "autossh" set +e - start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/autossh-isuma.pid + start-stop-daemon --stop --quiet --retry 30 --pidfile $PIDFILE RET="$?" set -e case $RET in 0) # old daemon stopped - if start-stop-daemon --start --quiet --oknodo -b --pidfile /var/run/autossh-isuma.pid --make-pidfile --exec /usr/bin/autossh -- $AUTOSSH_ISUMA_OPTS; then + if start-stop-daemon --start --quiet --oknodo -b --pidfile $PIDFILE --make-pidfile --exec /usr/bin/autossh -- $AUTOSSH_ISUMA_OPTS; then log_end_msg 0 else log_end_msg 1 @@ -87,7 +89,7 @@ case "$1" in ;; status) - status_of_proc -p /var/run/autossh-isuma.pid /usr/sbin/autossh autossh && exit 0 || exit $? + status_of_proc -p $PIDFILE /usr/sbin/autossh autossh && exit 0 || exit $? ;; *) diff --git a/manifests/autossh.pp b/manifests/autossh.pp index 80d571b..e94d65b 100644 --- a/manifests/autossh.pp +++ b/manifests/autossh.pp @@ -23,12 +23,16 @@ class sshd::autossh($host, mode => '0444', content => "DAEMON_OPTS='-o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $user_ensure@$host'\n"; } + package { 'autossh': + ensure => present, + } service { 'autossh': ensure => running, enable => true, subscribe => [ - File['/etc/init.d/autossh'], - File['/etc/default/autossh'] - ], + File['/etc/init.d/autossh'], + File['/etc/default/autossh'], + Package['autossh'], + ], } } -- cgit v1.2.3 From 7a18ca3c8f12bcf1933ee72b5bcbc4ef0f1a4251 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 18 Jun 2015 16:06:24 -0400 Subject: rewrite autossh startup script with dh_make template --- files/autossh.init.d | 217 +++++++++++++++++++++++++++++++++------------------ manifests/autossh.pp | 2 +- 2 files changed, 142 insertions(+), 77 deletions(-) diff --git a/files/autossh.init.d b/files/autossh.init.d index 254fcdc..191e425 100644 --- a/files/autossh.init.d +++ b/files/autossh.init.d @@ -1,100 +1,165 @@ -#! /bin/sh - +#!/bin/sh ### BEGIN INIT INFO -# Provides: autossh -# Required-Start: $remote_fs $syslog $network -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: -# Short-Description: AutoSSH daemon +# Provides: autossh +# Required-Start: $local_fs $network $remote_fs $syslog +# Required-Stop: $local_fs $network $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start the autossh daemon +# Description: start the autossh daemon ### END INIT INFO -set -e +# Author: Antoine Beaupré + +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="autossh" +NAME=autossh +USER=$NAME +DAEMON=/usr/bin/autossh +DAEMON_ARGS="" +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/$NAME -umask 022 +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME -PIDFILE=/var/run/autossh.pid +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 -if test -f /etc/default/isuma-autossh; then - . /etc/default/isuma-autossh -fi +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. . /lib/lsb/init-functions -export PATH=/sbin:/bin:/usr/sbin:/usr/bin +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --user $USER --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --user $USER --chuid $USER --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + # The above code will not work for interpreted scripts, use the next + # six lines below instead (Ref: #643337, start-stop-daemon(8) ) + #start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON \ + # --name $NAME --test > /dev/null \ + # || return 1 + #start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON \ + # --name $NAME -- $DAEMON_ARGS \ + # || return 2 + + # Add code here, if necessary, that waits for the process to be ready + # to handle requests from services started subsequently which depend + # on this one. As a last resort, sleep for some time. +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --user $USER --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --user $USER --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + return 0 +} case "$1" in start) - log_daemon_msg "Starting AutoSSH daemon" "autossh" - if start-stop-daemon --quiet --start --background --pidfile $PIDFILE --make-pidfile --exec /usr/bin/autossh -- $DAEMON_OPTS; then - log_end_msg 0 - else - log_end_msg 1 - fi + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac ;; stop) - log_daemon_msg "Stopping AutoSSH daemon" "autossh" - if start-stop-daemon --stop --quiet --pidfile $PIDFILE ; then - log_end_msg 0 - else - log_end_msg 1 - fi - ;; - - reload|force-reload) - log_daemon_msg "Reloading AutoSSH daemon" "autossh" - if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile $PIDFILE; then - log_end_msg 0 - else - log_end_msg 1 - fi + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac ;; - - restart) - log_daemon_msg "Restarting Autossh for isuma" "autossh" - start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile $PIDFILE - if start-stop-daemon --start --quiet -b --make-pidfile --pidfile $PIDFILE --exec /usr/bin/autossh -- $AUTOSSH_ISUMA_OPTS; then - log_end_msg 0 - else - log_end_msg 1 - fi + status) + status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $? ;; - - try-restart) - log_daemon_msg "Restarting Autossh for isuma" "autossh" - set +e - start-stop-daemon --stop --quiet --retry 30 --pidfile $PIDFILE - RET="$?" - set -e - case $RET in - 0) - # old daemon stopped - if start-stop-daemon --start --quiet --oknodo -b --pidfile $PIDFILE --make-pidfile --exec /usr/bin/autossh -- $AUTOSSH_ISUMA_OPTS; then - log_end_msg 0 - else - log_end_msg 1 - fi + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? + #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac ;; - 1) - # daemon not running - log_progress_msg "(not running)" - log_end_msg 0 - ;; - *) - # failed to stop - log_progress_msg "(failed to stop)" + *) + # Failed to stop log_end_msg 1 ;; esac ;; - - status) - status_of_proc -p $PIDFILE /usr/sbin/autossh autossh && exit 0 || exit $? - ;; - *) - log_action_msg "Usage: /etc/init.d/isuma-autossh {start|stop|reload|force-reload|restart|try-restart|status}" - exit 1 + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; esac -exit 0 +: diff --git a/manifests/autossh.pp b/manifests/autossh.pp index e94d65b..590f28b 100644 --- a/manifests/autossh.pp +++ b/manifests/autossh.pp @@ -21,7 +21,7 @@ class sshd::autossh($host, source => 'puppet:///modules/sshd/autossh.init.d'; '/etc/default/autossh': mode => '0444', - content => "DAEMON_OPTS='-o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $user_ensure@$host'\n"; + content => "DAEMON_ARGS='-o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $remote_user_ensure@$host'\n"; } package { 'autossh': ensure => present, -- cgit v1.2.3 From da1be21ebb354304b2844c6ffe3251d3df1a8597 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 18 Jun 2015 16:12:35 -0400 Subject: try to avoid conflicting with the isuma-local-servers package --- files/autossh.init.d | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/autossh.init.d b/files/autossh.init.d index 191e425..fdb2c16 100644 --- a/files/autossh.init.d +++ b/files/autossh.init.d @@ -1,6 +1,6 @@ #!/bin/sh ### BEGIN INIT INFO -# Provides: autossh +# Provides: AutoSSH # Required-Start: $local_fs $network $remote_fs $syslog # Required-Stop: $local_fs $network $remote_fs $syslog # Default-Start: 2 3 4 5 -- cgit v1.2.3 From cb9bceb04e35314c461a7cd1f9dff3561c5cd135 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 18 Jun 2015 16:07:18 -0400 Subject: allow customizing user --- manifests/autossh.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/manifests/autossh.pp b/manifests/autossh.pp index 590f28b..fadc575 100644 --- a/manifests/autossh.pp +++ b/manifests/autossh.pp @@ -1,6 +1,7 @@ class sshd::autossh($host, - $port = undef, # this should be a remote->local hash - $remote_user = undef, + $port = undef, # this should be a remote->local hash + $remote_user = undef, + $user = 'root', ) { if $port { $port_ensure = $port @@ -21,7 +22,7 @@ class sshd::autossh($host, source => 'puppet:///modules/sshd/autossh.init.d'; '/etc/default/autossh': mode => '0444', - content => "DAEMON_ARGS='-o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $remote_user_ensure@$host'\n"; + content => "USER=$user\nDAEMON_ARGS='-o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $remote_user_ensure@$host'\n"; } package { 'autossh': ensure => present, -- cgit v1.2.3 From f794a976ca60d2dece62f778e56d1f7c0427dcc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 18 Jun 2015 16:21:49 -0400 Subject: properly implement daemon --- files/autossh.init.d | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/files/autossh.init.d b/files/autossh.init.d index fdb2c16..95670d3 100644 --- a/files/autossh.init.d +++ b/files/autossh.init.d @@ -46,9 +46,9 @@ do_start() # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started - start-stop-daemon --start --quiet --user $USER --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + start-stop-daemon --start --quiet --background --user $USER --pidfile $PIDFILE --makepidfile --exec $DAEMON --test > /dev/null \ || return 1 - start-stop-daemon --start --quiet --user $USER --chuid $USER --pidfile $PIDFILE --exec $DAEMON -- \ + start-stop-daemon --start --quiet --background --user $USER --chuid $USER --pidfile $PIDFILE --makepidfile --exec $DAEMON -- \ $DAEMON_ARGS \ || return 2 # The above code will not work for interpreted scripts, use the next -- cgit v1.2.3 From 50685a8bc739d28ab1df830c707d1091a94c08bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 18 Jun 2015 16:22:08 -0400 Subject: implement autossh reload not sure what this was for, but it was in the original implementation --- files/autossh.init.d | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/files/autossh.init.d b/files/autossh.init.d index 95670d3..bb1119e 100644 --- a/files/autossh.init.d +++ b/files/autossh.init.d @@ -124,16 +124,12 @@ case "$1" in status) status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $? ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) + reload|force-reload) + log_daemon_msg "Reloading $DESC" "$NAME" + do_reload + log_end_msg $? + ;; + restart) # # If the "reload" option is implemented then remove the # 'force-reload' alias -- cgit v1.2.3 From 7b99c89edf698d295dc21aba97800166c7961cf9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 18 Jun 2015 16:43:17 -0400 Subject: make autossh fork properly --- files/autossh.init.d | 9 ++++++--- manifests/autossh.pp | 9 +++++---- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/files/autossh.init.d b/files/autossh.init.d index bb1119e..92bd5f4 100644 --- a/files/autossh.init.d +++ b/files/autossh.init.d @@ -19,13 +19,16 @@ DESC="autossh" NAME=autossh USER=$NAME DAEMON=/usr/bin/autossh -DAEMON_ARGS="" +DAEMON_ARGS="-f" PIDFILE=/var/run/$NAME.pid SCRIPTNAME=/etc/init.d/$NAME # Read configuration variable file if it is present [ -r /etc/default/$NAME ] && . /etc/default/$NAME +AUTOSSH_PIDFILE=$PIDFILE +export AUTOSSH_PIDFILE + # Exit if the package is not installed [ -x "$DAEMON" ] || exit 0 @@ -46,9 +49,9 @@ do_start() # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --user $USER --pidfile $PIDFILE --makepidfile --exec $DAEMON --test > /dev/null \ + start-stop-daemon --start --quiet --user $USER --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ || return 1 - start-stop-daemon --start --quiet --background --user $USER --chuid $USER --pidfile $PIDFILE --makepidfile --exec $DAEMON -- \ + start-stop-daemon --start --quiet --user $USER --chuid $USER --pidfile $PIDFILE --exec $DAEMON -- \ $DAEMON_ARGS \ || return 2 # The above code will not work for interpreted scripts, use the next diff --git a/manifests/autossh.pp b/manifests/autossh.pp index fadc575..1ded7eb 100644 --- a/manifests/autossh.pp +++ b/manifests/autossh.pp @@ -1,7 +1,8 @@ class sshd::autossh($host, - $port = undef, # this should be a remote->local hash - $remote_user = undef, - $user = 'root', + $port = undef, # this should be a remote->local hash + $remote_user = undef, + $user = 'root', + $pidfile = '/var/run/autossh.pid', ) { if $port { $port_ensure = $port @@ -22,7 +23,7 @@ class sshd::autossh($host, source => 'puppet:///modules/sshd/autossh.init.d'; '/etc/default/autossh': mode => '0444', - content => "USER=$user\nDAEMON_ARGS='-o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $remote_user_ensure@$host'\n"; + content => "USER=$user\nPIDFILE=$pidfile\nDAEMON_ARGS='-f -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $remote_user_ensure@$host'\n"; } package { 'autossh': ensure => present, -- cgit v1.2.3 From 6ea0beb114cdb836cfe9b3ef67504f3641c518ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 18 Jun 2015 17:01:01 -0400 Subject: disable autossh control port this is important to make it easier to guess the ssh port from the central server. we rely on ServerAliveInterval instead to reconnect when we lose the server. this was unintentionally removed in november 2012 in the isuma-autossh package, saying it was "not supported everywhere" and due to some confusion about the defaults (defaults are to *enable* the port). see commit ec0ebdd9533a29ee4f62f9fbb84ee9e80219ef84 in there. --- manifests/autossh.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/autossh.pp b/manifests/autossh.pp index 1ded7eb..5650584 100644 --- a/manifests/autossh.pp +++ b/manifests/autossh.pp @@ -23,7 +23,7 @@ class sshd::autossh($host, source => 'puppet:///modules/sshd/autossh.init.d'; '/etc/default/autossh': mode => '0444', - content => "USER=$user\nPIDFILE=$pidfile\nDAEMON_ARGS='-f -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $remote_user_ensure@$host'\n"; + content => "USER=$user\nPIDFILE=$pidfile\nDAEMON_ARGS='-M0 -f -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $remote_user_ensure@$host'\n"; } package { 'autossh': ensure => present, -- cgit v1.2.3 From 8acb349e8b116092599acc2e9083d5d6acb4086f Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 11 Sep 2015 16:01:02 -0700 Subject: choose better MAC for squeeze and wheezy both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more. --- templates/sshd_config/Debian_squeeze.erb | 2 +- templates/sshd_config/Debian_wheezy.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 5845a3d..1483480 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -117,7 +117,7 @@ AllowGroups <%= s %> <% if scope.lookupvar('::sshd::hardened') == 'yes' -%> Ciphers aes256-ctr -MACs hmac-sha1 +MACs hmac-sha2-512 <% end -%> <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index f9a476b..bf52df7 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -121,7 +121,7 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -MACs hmac-sha1 +MACs hmac-sha2-512 <% end -%> <% end -%> -- cgit v1.2.3