From 9ce186f5c31c4339d9a92aa73f6c895cc676a633 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 29 Sep 2008 22:37:26 +0000 Subject: merged with riseup git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2263 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- manifests/init.pp | 130 ++++++++++++++++++-- templates/sshd_config/CentOS.erb | 192 ++++++++++++++++++++++++++++++ templates/sshd_config/CentOS_normal.erb | 136 --------------------- templates/sshd_config/Debian_etch.erb | 163 +++++++++++++++++++++++++ templates/sshd_config/Debian_lenny.erb | 169 ++++++++++++++++++++++++++ templates/sshd_config/Debian_normal.erb | 102 ---------------- templates/sshd_config/Gentoo.erb | 196 +++++++++++++++++++++++++++++++ templates/sshd_config/Gentoo_normal.erb | 139 ---------------------- templates/sshd_config/OpenBSD.erb | 172 +++++++++++++++++++++++++++ templates/sshd_config/OpenBSD_normal.erb | 115 ------------------ 10 files changed, 1015 insertions(+), 499 deletions(-) create mode 100644 templates/sshd_config/CentOS.erb delete mode 100644 templates/sshd_config/CentOS_normal.erb create mode 100644 templates/sshd_config/Debian_etch.erb create mode 100644 templates/sshd_config/Debian_lenny.erb delete mode 100644 templates/sshd_config/Debian_normal.erb create mode 100644 templates/sshd_config/Gentoo.erb delete mode 100644 templates/sshd_config/Gentoo_normal.erb create mode 100644 templates/sshd_config/OpenBSD.erb delete mode 100644 templates/sshd_config/OpenBSD_normal.erb diff --git a/manifests/init.pp b/manifests/init.pp index 95682fd..2a4c449 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,6 +1,7 @@ # # ssh module # +# Copyright 2008, micah@riseup.net # Copyright 2008, admin(at)immerda.ch # Copyright 2008, Puzzle ITC GmbH # Marcel Härry haerry+puppet(at)puzzle.ch @@ -16,10 +17,23 @@ # # sshd-config: # -# The configuration of the sshd is rather strict and -# might not fit all needs. However there are a bunch -# of variables, which you might consider to configure. -# Checkout the following: +# The configuration of the sshd is rather strict and might not fit all +# needs. However there are a bunch of variables, which you might +# consider configuring. +# +# To set any of the following, simply set them as variables in your manifests +# before the class is included, for example: +# +# $sshd_listen_address = ['10.0.0.1 192.168.0.1'] +# $sshd_use_pam = yes +# include sshd::debian +# +# The following is a list of the currently available variables: +# +# sshd_listen_address: specify the addresses sshd should listen on +# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both +# addresses, or leave it unset to listen on all +# Default: empty -> results in listening on 0.0.0.0 # # sshd_allowed_users: list of usernames separated by spaces. # set this for example to "foobar root" @@ -38,11 +52,54 @@ # sshd_password_authentication: If you want to enable password authentication or not # Valid values: yes or no # Default: no +# +# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not +# When disabled, s/key passowords are disabled +# Valid values: yes or no +# Default: no # +# sshd_tcp_forwarding: If you want to enable TcpForwarding +# Valid Values: yes or no +# Default: no +# # sshd_x11_forwarding: If you want to enable x11 forwarding # Valid Values: yes or no # Default: no # +# sshd_agent_forwarding: If you want to allow ssh-agent forwarding +# Valid Values: yes or no +# Default: no +# +# sshd_pubkey_authentication: If you want to enable public key authentication +# Valid Values: yes or no +# Default: yes +# +# sshd_rsa_authentication: If you want to enable RSA Authentication +# Valid Values: yes or no +# Default: no +# +# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication +# Valid Values: yes or no +# Default: no +# +# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication +# Valid Values: yes or no +# Default: no +# +# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login) +# Valid Values: yes or no +# Default: yes +# +# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords +# Valid Values: yes or no +# Default: no +# +# sshd_port: If you want to specify a different port than the default 22 +# Default: 22 +# +# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u) +# Default: AuthorizedKeysFile %h/.ssh/authorized_keys +# class sshd { include sshd::client @@ -60,7 +117,11 @@ class sshd { class sshd::base { - # prepare variables to use in templates + # prepare variables to use in templates + $real_sshd_listen_address = $sshd_listen_address ? { + '' => [ '0.0.0.0', '::' ], + default => $sshd_listen_address + } $real_sshd_allowed_users = $sshd_allowed_users ? { '' => '', default => $sshd_allowed_users @@ -77,17 +138,68 @@ class sshd::base { '' => 'no', default => $sshd_password_authentication } + $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? { + '' => 'no', + default => $sshd_tcp_forwarding + } $real_sshd_x11_forwarding = $sshd_x11_forwarding ? { '' => 'no', default => $sshd_x11_forwarding } - + $real_sshd_agent_forwarding = $sshd_agent_forwarding ? { + '' => 'no', + default => $sshd_agent_forwarding + } + $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? { + '' => 'no', + default => $sshd_challenge_response_authentication + } + $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? { + '' => 'yes', + default => $sshd_pubkey_authentication + } + $real_sshd_rsa_authentication = $sshd_rsa_authentication ? { + '' => 'no', + default => $sshd_rsa_authentication + } + $real_sshd_strict_modes = $sshd_strict_modes ? { + '' => 'yes', + default => $sshd_strict_modes + } + $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? { + '' => 'yes', + default => $sshd_ignore_rhosts + } + $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? { + '' => 'no', + default => $sshd_rhosts_rsa_authentication + } + $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? { + '' => 'no', + default => $sshd_hostbased_authentication + } + $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? { + '' => 'no', + default => $sshd_permit_empty_passwords + } + $real_sshd_port = $sshd_port ? { + '' => 22, + default => $sshd_port + } + $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? { + '' => "%h/.ssh/authorized_keys", + default => $sshd_authorized_keys_file + } + file { 'sshd_config': path => '/etc/ssh/sshd_config', owner => root, group => 0, mode => 600, - content => template("sshd/sshd_config/${operatingsystem}_normal.erb"), + content => $lsbdistcodename ? { + '' => template("sshd/sshd_config/${operatingsystem}.erb"), + default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), + }, notify => Service[sshd], } # Now add the key, if we've got one @@ -127,6 +239,10 @@ class sshd::gentoo inherits sshd::linux { } class sshd::debian inherits sshd::linux { + + # the templates for Debian need lsbdistcodename + include assert_lsbdistcodename + Package[openssh]{ name => 'openssh-server', } diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb new file mode 100644 index 0000000..6a16d77 --- /dev/null +++ b/templates/sshd_config/CentOS.erb @@ -0,0 +1,192 @@ +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +#AddressFamily any +#Protocol 2,1 +Protocol 2 +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 768 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTHPRIV +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +<%- unless real_sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= real_sshd_permit_root_login %> +<%- else %> +PermitRootLogin without-password +<%- end %> + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + +#MaxAuthTries 6 + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then %> +PasswordAuthentication yes +<%- else %> +PasswordAuthentication no +<%- end %> + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +GSSAPIAuthentication yes +#GSSAPICleanupCredentials yes +GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication mechanism. +# Depending on your PAM configuration, this may bypass the setting of +# PasswordAuthentication, PermitEmptyPasswords, and +# "PermitRootLogin without-password". If you just want the PAM account and +# session checks to run without PAM authentication, then enable this but set +# ChallengeResponseAuthentication=no +#UsePAM no +<%- if real_sshd_use_pam.to_s == 'yes' then %> +UsePAM yes +<%- else %> +UsePAM no +<%- end %> + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + +#GatewayPorts no +#X11Forwarding no +<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +X11Forwarding yes +<%- else %> +X11Forwarding no +<%- end %> +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no + +# no default banner path +#Banner /some/path + +# override default of no subsystems +Subsystem sftp /usr/libexec/openssh/sftp-server +<%- unless real_sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= real_sshd_allowed_users %> +<%- end %> diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb deleted file mode 100644 index a14120f..0000000 --- a/templates/sshd_config/CentOS_normal.erb +++ /dev/null @@ -1,136 +0,0 @@ -# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -#Port 22 -#Protocol 2,1 -Protocol 2 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -SyslogFacility AUTHPRIV -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> -<%- else %> -PermitRootLogin without-password -<%- end %> -#StrictModes yes -#MaxAuthTries 6 - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> -PasswordAuthentication yes -<%- else %> -PasswordAuthentication no -<%- end %> -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes -ChallengeResponseAuthentication no - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -GSSAPIAuthentication yes -#GSSAPICleanupCredentials yes -GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication mechanism. -# Depending on your PAM configuration, this may bypass the setting of -# PasswordAuthentication, PermitEmptyPasswords, and -# "PermitRootLogin without-password". If you just want the PAM account and -# session checks to run without PAM authentication, then enable this but set -# ChallengeResponseAuthentication=no -#UsePAM no -<%- if real_sshd_use_pam.to_s == 'yes' then %> -UsePAM yes -<%- else %> -UsePAM no -<%- end %> - -# Accept locale-related environment variables -AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -AcceptEnv LC_IDENTIFICATION LC_ALL -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> -X11Forwarding yes -<%- else %> -X11Forwarding no -<%- end %> -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#ShowPatchLevel no -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no - -# no default banner path -#Banner /some/path - -# override default of no subsystems -Subsystem sftp /usr/libexec/openssh/sftp-server -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> -<%- end %> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb new file mode 100644 index 0000000..09be201 --- /dev/null +++ b/templates/sshd_config/Debian_etch.erb @@ -0,0 +1,163 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +# What ports, IPs and protocols we listen for +<%- unless real_sshd_port.to_s.empty? then -%> +Port <%= real_sshd_port -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless real_sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless real_sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= real_sshd_allowed_users -%> +<%- end -%> + diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb new file mode 100644 index 0000000..bb39736 --- /dev/null +++ b/templates/sshd_config/Debian_lenny.erb @@ -0,0 +1,169 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +# What ports, IPs and protocols we listen for +<%- unless real_sshd_port.to_s.empty? then -%> +Port <%= real_sshd_port -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless real_sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +#Subsystem sftp /usr/lib/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless real_sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= real_sshd_allowed_users -%> +<%- end -%> + diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb deleted file mode 100644 index 70c1a34..0000000 --- a/templates/sshd_config/Debian_normal.erb +++ /dev/null @@ -1,102 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for defails - -# What ports, IPs and protocols we listen for -# Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -#PAMAuthenticationViaKbdInt no -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> -<%- else %> -PermitRootLogin without-password -<%- end %> -StrictModes yes - -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys - -# rhosts authentication should not be used -#RhostsAuthentication no -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -# similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no - -# Uncomment to disable s/key passwords -#ChallengeResponseAuthentication no - -# To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> -PasswordAuthentication yes -<%- else %> -PasswordAuthentication no -<%- end %> - -# To change Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#AFSTokenPassing no -#KerberosTicketCleanup no - -# Kerberos TGT Passing does only work with the AFS kaserver -#KerberosTgtPassing yes - -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> -X11Forwarding yes -<%- else %> -X11Forwarding no -<%- end %> -X11DisplayOffset 10 -KeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes - -#Subsystem sftp /usr/lib/sftp-server - -<%- if real_sshd_use_pam.to_s == 'yes' then %> -UsePAM yes -<%- else %> -UsePAM no -<%- end %> - -HostbasedUsesNameFromPacketOnly yes -AllowTcpForwarding yes - -ChallengeResponseAuthentication no - -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> -<%- end %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb new file mode 100644 index 0000000..1b9b98e --- /dev/null +++ b/templates/sshd_config/Gentoo.erb @@ -0,0 +1,196 @@ +# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +#AddressFamily any + +# Disable legacy (protocol version 1) support in the server for new +# installations. In future the default will change to require explicit +# activation of protocol 1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 768 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin without-password + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + +<%- unless real_sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= real_sshd_permit_root_login %> +<%- else %> +PermitRootLogin without-password +<%- end %> +#MaxAuthTries 6 + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then %> +PasswordAuthentication yes +<%- else %> +PasswordAuthentication no +<%- end %> + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then %> +UsePAM yes +<%- else %> +UsePAM no +<%- end %> + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + +#GatewayPorts no +<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +X11Forwarding yes +<%- else %> +X11Forwarding no +<%- end %> +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no + +# no default banner path +#Banner /some/path + +# override default of no subsystems +Subsystem sftp /usr/lib/misc/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server + +<%- unless real_sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= real_sshd_allowed_users %> +<%- end %> diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb deleted file mode 100644 index aa98ae8..0000000 --- a/templates/sshd_config/Gentoo_normal.erb +++ /dev/null @@ -1,139 +0,0 @@ -# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# Disable legacy (protocol version 1) support in the server for new -# installations. In future the default will change to require explicit -# activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -PermitRootLogin without-password -#StrictModes yes -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> -<%- else %> -PermitRootLogin without-password -<%- end %> -#MaxAuthTries 6 - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> -PasswordAuthentication yes -<%- else %> -PasswordAuthentication no -<%- end %> -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes -#GSSAPIStrictAcceptorCheck yes -#GSSAPIKeyExchange no - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then %> -UsePAM yes -<%- else %> -UsePAM no -<%- end %> - -#AllowTcpForwarding yes -#GatewayPorts no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> -X11Forwarding yes -<%- else %> -X11Forwarding no -<%- end %> -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no - -# no default banner path -#Banner /some/path - -# override default of no subsystems -Subsystem sftp /usr/lib/misc/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server - -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> -<%- end %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb new file mode 100644 index 0000000..32f6780 --- /dev/null +++ b/templates/sshd_config/OpenBSD.erb @@ -0,0 +1,172 @@ +# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +<%- unless real_sshd_port.to_s.empty? then %> +Port <%= real_sshd_port %> +<%- else %> +Port 22 +<%- end %> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in real_sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +#Protocol 2,1 +#AddressFamily any + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 768 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +<%- unless real_sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= real_sshd_permit_root_login %> +<%- else %> +PermitRootLogin without-password +<%- end %> + +<%- if real_sshd_strict_modes.to_s == 'yes' then %> +StrictModes yes +<%- else %> +StrictModes no +<%- end %> + +#MaxAuthTries 6 + +<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +RSAAuthentication yes +<%- else %> +RSAAuthentication no +<%- end %> + +<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +PubkeyAuthentication yes +<%- else %> +PubkeyAuthentication no +<%- end %> + +<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- else %> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end %> + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +RhostsRSAAuthentication yes +<%- else %> +RhostsRSAAuthentication no +<% end -%> + +# similar for protocol version 2 +<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +HostbasedAuthentication yes +<%- else %> +HostbasedAuthentication no +<% end -%> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +IgnoreRhosts yes +<%- else %> +IgnoreRhosts no +<% end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then %> +PasswordAuthentication yes +<%- else %> +PasswordAuthentication no +<%- end %> + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +ChallengeResponseAuthentication yes +<%- else %> +ChallengeResponseAuthentication no +<%- end %> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +AllowTcpForwarding yes +<%- else %> +AllowTcpForwarding no +<%- end %> + +#GatewayPorts no +<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +X11Forwarding yes +<%- else %> +X11Forwarding no +<%- end %> +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no + +# no default banner path +#Banner /some/path + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +<%- unless real_sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= real_sshd_allowed_users %> +<%- end %> + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb deleted file mode 100644 index 0b84d25..0000000 --- a/templates/sshd_config/OpenBSD_normal.erb +++ /dev/null @@ -1,115 +0,0 @@ -# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -#Port 22 -#Protocol 2,1 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> -<%- else %> -PermitRootLogin without-password -<%- end %> -#StrictModes yes -#MaxAuthTries 6 - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> -PasswordAuthentication yes -<%- else %> -PasswordAuthentication no -<%- end %> -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -#AllowTcpForwarding yes -#GatewayPorts no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> -X11Forwarding yes -<%- else %> -X11Forwarding no -<%- end %> -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no - -# no default banner path -#Banner /some/path - -# override default of no subsystems -Subsystem sftp /usr/libexec/sftp-server - -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> -<%- end %> - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server -- cgit v1.2.3 From 1bda0022c19b49a3079105e0c8322d32a1280812 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 29 Sep 2008 22:41:25 +0000 Subject: added link for lsb stuff git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2264 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- templates/sshd_config/CentOS_Final.erb | 1 + 1 file changed, 1 insertion(+) create mode 120000 templates/sshd_config/CentOS_Final.erb diff --git a/templates/sshd_config/CentOS_Final.erb b/templates/sshd_config/CentOS_Final.erb new file mode 120000 index 0000000..03246aa --- /dev/null +++ b/templates/sshd_config/CentOS_Final.erb @@ -0,0 +1 @@ +CentOS.erb \ No newline at end of file -- cgit v1.2.3 From 1afa887a2e99bc97ebae388d74185ec4e11a38ed Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 29 Sep 2008 22:45:39 +0000 Subject: factored out the package to some subclasses as openbsd doesn't need such a package git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2265 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- manifests/client.pp | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index f0b05c5..0ad85cf 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -3,15 +3,16 @@ class sshd::client { case $operatingsystem { debian: { include sshd::client::debian } - default: { include sshd::client::base } + default: { + case $kernel { + linux: { include sshd::client::linux } + default: { include sshd::client::base } + } + } } } class sshd::client::base { - package {'openssh-clients': - ensure => installed, - } - # this is needed because the gid might have changed file { '/etc/ssh/ssh_known_hosts': mode => 0644, owner => root, group => 0; @@ -21,6 +22,12 @@ class sshd::client::base { Sshkey <<||>> } +class sshd::client::linux inherits sshd::client::base { + package {'openssh-clients': + ensure => installed, + } +} + class sshd::client::debian inherits sshd::client::base { Package['openssh-clients']{ name => 'openssh-client', -- cgit v1.2.3 From f7335624697bfedb6acada341b7e82a2e2966c2a Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 29 Sep 2008 22:48:35 +0000 Subject: moved package depency to the linux class, openbsd doesn't have this package git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2266 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 2a4c449..4e10ac9 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -210,7 +210,6 @@ class sshd::base { type => ssh-rsa, key => $sshrsakey_key, ensure => present, - require => Package["openssh-clients"], } } } @@ -230,6 +229,9 @@ class sshd::linux inherits sshd::base { File[sshd_config]{ require +> Package[openssh], } + Sshkey["$hostname.$domain"]{ + require => Package["openssh-clients"], + } } class sshd::gentoo inherits sshd::linux { -- cgit v1.2.3 From 456fec72ed2d43794ed0633afba120d54c2075aa Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 29 Sep 2008 22:50:28 +0000 Subject: remove dependency completly git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2267 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- manifests/init.pp | 3 --- 1 file changed, 3 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 4e10ac9..a7106b4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -229,9 +229,6 @@ class sshd::linux inherits sshd::base { File[sshd_config]{ require +> Package[openssh], } - Sshkey["$hostname.$domain"]{ - require => Package["openssh-clients"], - } } class sshd::gentoo inherits sshd::linux { -- cgit v1.2.3 From fce684ca587dd891b7d912be9448888ee18f39c0 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 30 Sep 2008 20:13:47 +0000 Subject: fix correct inheritance git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2272 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- manifests/client.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/client.pp b/manifests/client.pp index 0ad85cf..34308b4 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -28,7 +28,7 @@ class sshd::client::linux inherits sshd::client::base { } } -class sshd::client::debian inherits sshd::client::base { +class sshd::client::debian inherits sshd::client::linux { Package['openssh-clients']{ name => 'openssh-client', } -- cgit v1.2.3