From 75117dd0427c6ad8f173da72ffdf1d66b7692994 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 17 Sep 2014 20:43:45 +0000 Subject: Resynchronize Debian sid template with the configuration file currently shipped by the package. --- templates/sshd_config/Debian_sid.erb | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 70bb4bf..d717856 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -1,7 +1,7 @@ # This file is managed by Puppet, all local modifications will be overwritten # # Package generated configuration file -# See the sshd(8) manpage for details +# See the sshd_config(5) manpage for details <% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> <%= s %> @@ -24,27 +24,26 @@ Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 -ServerKeyBits 768 +ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: -LoginGraceTime 600 +LoginGraceTime 120 PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> - StrictModes <%= scope.lookupvar('sshd::strict_modes') %> RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> - PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> - AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> # Don't read the user's ~/.rhosts and ~/.shosts files @@ -63,11 +62,12 @@ PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> # some PAM modules and threads) ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> -# To disable tunneled clear text passwords, change to no here! +# Change to no to disable tunnelled clear text passwords PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> # Kerberos options KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +#KerberosGetAFSToken no KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> @@ -80,7 +80,6 @@ X11DisplayOffset 10 PrintMotd <%= scope.lookupvar('sshd::print_motd') %> PrintLastLog yes TCPKeepAlive yes - #UseLogin no #MaxStartups 10:30:60 -- cgit v1.2.3 From 254d2361f55f9058af047f2d6eb81bb53980c29f Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 17 Sep 2014 20:44:12 +0000 Subject: Copy the Debian sid template to a new one for Jessie. Another option could be to symlink it, but the freeze is coming soon, so most likely they'll start to diverge at some point. --- templates/sshd_config/Debian_jessie.erb | 122 ++++++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 templates/sshd_config/Debian_jessie.erb diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb new file mode 100644 index 0000000..d717856 --- /dev/null +++ b/templates/sshd_config/Debian_jessie.erb @@ -0,0 +1,122 @@ +# This file is managed by Puppet, all local modifications will be overwritten +# +# Package generated configuration file +# See the sshd_config(5) manpage for details + +<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<%= s %> +<% end -%> + +# What ports, IPs and protocols we listen for +<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% if port == 'off' -%> +#Port -- disabled by puppet +<% else -%> +Port <%= port %> +<% end -%> +<% end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 1024 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +StrictModes <%= scope.lookupvar('sshd::strict_modes') %> + +RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +# similar for protocol version 2 +HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> + +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> + +# Kerberos options +KerberosAuthentication <%= scope.lookupvar('sshd::kerberos_authentication') %> +#KerberosGetAFSToken no +KerberosOrLocalPasswd <%= scope.lookupvar('sshd::kerberos_orlocalpasswd') %> +KerberosTicketCleanup <%= scope.lookupvar('sshd::kerberos_ticketcleanup') %> + +# GSSAPI options +GSSAPIAuthentication <%= scope.lookupvar('sshd::gssapi_authentication') %> +GSSAPICleanupCredentials <%= scope.lookupvar('sshd::gssapi_cleanupcredentials') %> + +X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11DisplayOffset 10 +PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/lib/openssh/sftp-server' : s %> + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM <%= scope.lookupvar('sshd::use_pam') %> + +AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> + +AllowAgentForwarding <%= scope.lookupvar('sshd::agent_forwarding') %> + +<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +AllowUsers <%= s %> +<% end -%> +<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +AllowGroups <%= s %> +<%- end -%> + +<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<% end -%> + +<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<%= s %> +<% end -%> -- cgit v1.2.3