From 72e24df3b6abbd28dccc8d3fb9a240a62220cdfe Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 14 Dec 2010 13:22:43 -0500 Subject: add Debian Squeeze sshd template. Enabled kerberos and gssapi options, using the defaults when not specified --- manifests/init.pp | 49 +++++++- templates/sshd_config/Debian_squeeze.erb | 209 +++++++++++++++++++++++++++++++ 2 files changed, 257 insertions(+), 1 deletion(-) create mode 100644 templates/sshd_config/Debian_squeeze.erb diff --git a/manifests/init.pp b/manifests/init.pp index 4f82542..002b927 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -76,7 +76,36 @@ # sshd_password_authentication: If you want to enable password authentication or not # Valid values: yes or no # Default: no -# +# +# sshd_kerberos_authentication: If you want the password that is provided by the user to be +# validated through the Kerberos KDC. To use this option the +# server needs a Kerberos servtab which allows the verification of +# the KDC's identity. +# Valid values: yes or no +# Default: no +# +# sshd_kerberos_getafstoken: If AFS is active and user has a Kerberos 5 TGT, attempt to +# acquire an AFS token before accessing the user's home directory. +# Valid values: yes or no +# Default: no +# +# sshd_kerberos_orlocalpasswd: If password authentication through Kerberos fails, then the password +# will be validated via any additional local mechanism. +# Valid values: yes or no +# Default: yes +# +# sshd_kerberos_ticketcleanup: Destroy the user's ticket cache file on logout? +# Valid values: yes or no +# Default: yes +# +# sshd_gssapi_authentication: Authenticate users based on GSSAPI? +# Valid values: yes or no +# Default: no +# +# sshd_gssapi_cleanupcredentials: Destroy user's credential cache on logout? +# Valid values: yes or no +# Default: yes +# # sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not # When disabled, s/key passowords are disabled # Valid values: yes or no @@ -160,6 +189,24 @@ class sshd { case $sshd_password_authentication { '': { $sshd_password_authentication = 'no' } } + case $sshd_kerberos_authentication { + '': { $sshd_kerberos_authentication = 'no' } + } + case $sshd_kerberos_getafstoken { + '': { $sshd_kerberos_getafstoken = 'no' } + } + case $sshd_kerberos_orlocalpasswd { + '': { $sshd_kerberos_orlocalpasswd = 'yes' } + } + case $sshd_kerberos_ticketcleanup { + '': { $sshd_kerberos_ticketcleanup = 'yes' } + } + case $sshd_gssapi_authentication { + '': { $sshd_gssapi_authentication = 'no' } + } + case $sshd_gssapi_cleanupcredentials { + '': { $sshd_gssapi_cleanupcredentials = 'yes' } + } case $sshd_tcp_forwarding { '': { $sshd_tcp_forwarding = 'no' } } diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb new file mode 100644 index 0000000..9f91c16 --- /dev/null +++ b/templates/sshd_config/Debian_squeeze.erb @@ -0,0 +1,209 @@ +# This file is managed by Puppet, all local modifications will be overwritten +# +# Package generated configuration file +# See the sshd(8) manpage for details + +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + +# What ports, IPs and protocols we listen for +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> +# similar for protocol version 2 +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# Kerberos options +<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> +KerberosAuthentication yes +<%- else -%> +KerberosAuthentication no +<%- end -%> +<%- if sshd_kerberos_getafstoken.to_s == 'yes' then -%> +KerberosGetAFSToken yes +<%- else -%> +KerberosGetAFSToken no +<%- end -%> +<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> +KerberosOrLocalPasswd yes +<%- else -%> +KerberosOrLocalPasswd no +<%- end -%> +<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> +KerberosTicketCleanup yes +<%- else -%> +KerberosTicketCleanup no +<%- end -%> + +# GSSAPI options +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPIAuthentication yes +<%- else -%> +GSSAPIAuthentication no +<%- end -%> +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPICleanupCredentials yes +<%- else -%> +GSSAPICleanupCredentials yes +<%- end -%> + +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes + +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +<%- if sshd_sftp_subsystem.to_s.empty? then %> +Subsystem sftp /usr/lib/openssh/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> + -- cgit v1.2.3 From 167cf532711ac88e9d93fe77b9d904206d98ac1a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 14 Dec 2010 13:41:05 -0500 Subject: "ChallengeResponseAuthentication no" was being hardcoded later in the Debian Lenny sshd_config template, even though we offer it as a variable. With this commit, the variable will actually work, rather than be overriden --- templates/sshd_config/Debian_lenny.erb | 2 -- 1 file changed, 2 deletions(-) diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 18f3e4d..3c3d562 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -173,8 +173,6 @@ AllowAgentForwarding yes AllowAgentForwarding no <%- end -%> -ChallengeResponseAuthentication no - <%- unless sshd_allowed_users.to_s.empty? then -%> AllowUsers <%= sshd_allowed_users -%> <%- end -%> -- cgit v1.2.3 From 0ec0562257a0a0bde04c149f323c47632071005c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 15 Dec 2010 20:38:07 -0500 Subject: remote KerberosGetAFSToken, its actually not a functional configuration option, even though it is listed in the man page, and commented out in the default config file. I filed a bug with debian (#607238) --- manifests/init.pp | 8 -------- templates/sshd_config/Debian_squeeze.erb | 5 ----- 2 files changed, 13 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 002b927..90b7c64 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -84,11 +84,6 @@ # Valid values: yes or no # Default: no # -# sshd_kerberos_getafstoken: If AFS is active and user has a Kerberos 5 TGT, attempt to -# acquire an AFS token before accessing the user's home directory. -# Valid values: yes or no -# Default: no -# # sshd_kerberos_orlocalpasswd: If password authentication through Kerberos fails, then the password # will be validated via any additional local mechanism. # Valid values: yes or no @@ -192,9 +187,6 @@ class sshd { case $sshd_kerberos_authentication { '': { $sshd_kerberos_authentication = 'no' } } - case $sshd_kerberos_getafstoken { - '': { $sshd_kerberos_getafstoken = 'no' } - } case $sshd_kerberos_orlocalpasswd { '': { $sshd_kerberos_orlocalpasswd = 'yes' } } diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 9f91c16..cfdd291 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -117,11 +117,6 @@ KerberosAuthentication yes <%- else -%> KerberosAuthentication no <%- end -%> -<%- if sshd_kerberos_getafstoken.to_s == 'yes' then -%> -KerberosGetAFSToken yes -<%- else -%> -KerberosGetAFSToken no -<%- end -%> <%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> KerberosOrLocalPasswd yes <%- else -%> -- cgit v1.2.3 From 2188f46db75d74d00ac4a2cb3cdaa34f98d1148d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 20 Dec 2010 14:18:30 -0500 Subject: fix debian squeeze sshd_config template to add a missing newline --- templates/sshd_config/Debian_squeeze.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index cfdd291..56b1cab 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -16,7 +16,7 @@ Port <%= sshd_port -%> <% end -%> <%- else -%> Port 22 -<%- end -%> +<%- end %> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> ListenAddress <%= address %> -- cgit v1.2.3