From bbc03d2c1069d42ea96101c54186e034b3a06f9b Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 27 Dec 2009 14:01:55 -0200 Subject: PrintMotd using default OpenSSH setting --- manifests/init.pp | 3 +++ templates/sshd_config/Debian_etch.erb | 4 +++- templates/sshd_config/Debian_lenny.erb | 2 ++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index ead475d..ba48b8c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -211,6 +211,9 @@ class sshd { case $sshd_ensure_version { '': { $sshd_ensure_version = "present" } } + case $sshd_print_motd { + '': { $sshd_print_motd = "yes" } + } include sshd::client diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 746a447..7a38cc4 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -176,7 +176,9 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> -PrintMotd no +<%- if sshd_print_motd.to_s == 'no' then -%> + PrintMotd no +<%- end -%> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 18f3e4d..5f7afb4 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -182,7 +182,9 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_print_motd.to_s == 'no' then -%> PrintMotd no +<%- end -%> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> -- cgit v1.2.3 From 1fd1d896a024a860bef7fa6c3b622df71e4a8017 Mon Sep 17 00:00:00 2001 
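Review bot: Nothing is emitted unless `sshd_print_motd` is exactly the literal `'no'`, so Debian/Ubuntu hosts now inherit OpenSSH's `PrintMotd yes`; Debian's stock sshd_config sets `PrintMotd no` because pam_motd already prints the motd when `UsePAM yes`, so this is likely to print it twice on those platforms (confirm against /etc/pam.d/sshd on a target host). Any other value (`No`, `false`, a typo) is also silently treated as "use the default", which the `'': { ... = "yes" }` normalisation in init.pp does not catch. If the intent is simply to pass the setting through, render it unconditionally with `PrintMotd <%= sshd_print_motd %>` and reject anything but `yes`/`no` in init.pp with a `fail()`.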
From: Silvio Rhatto Date: Sun, 27 Dec 2009 14:23:51 -0200 Subject: Introducing sshd_internal_ip variable --- manifests/base.pp | 18 ++++++++++++------ manifests/client/base.pp | 5 ++++- manifests/init.pp | 3 +++ 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 2ac2385..76203ee 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -14,14 +14,20 @@ class sshd::base { '': { info("no sshrsakey on $fqdn") } default: { @@sshkey{"$hostname.$domain": - type => ssh-rsa, - key => $sshrsakey_key, + tag => "fqdn", + type => ssh-rsa, + key => $sshrsakey_key, ensure => present, } - @@sshkey{"$ipaddress": - type => ssh-rsa, - key => $sshrsakey, - ensure => present, + # In case the node has an internal network address, + # we don't define a sshkey resource using an IP address + if $sshd_internal_ip == "no" { + @@sshkey{"$ipaddress": + tag => "ipaddress", + type => ssh-rsa, + key => $sshrsakey, + ensure => present, + } } } } diff --git a/manifests/client/base.pp b/manifests/client/base.pp index 33d9f9e..b1dc99d 100644 --- a/manifests/client/base.pp +++ b/manifests/client/base.pp @@ -5,5 +5,8 @@ class sshd::client::base { } # Now collect all server keys - Sshkey <<||>> + case $sshd_internal_ip { + no: { Sshkey <<||>> } + yes: { Sshkey <<| tag == "fqdn" |>> } + } } diff --git a/manifests/init.pp b/manifests/init.pp index ba48b8c..4bfeb3b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -214,6 +214,9 @@ class sshd { case $sshd_print_motd { '': { $sshd_print_motd = "yes" } } + case $sshd_internal_ip { + '': { $sshd_internal_ip = "no" } + } include sshd::client -- cgit v1.2.3 From 400476ebc7f77e8e1f47eaf584c63b4d0c6805b9 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 27 Dec 2009 15:33:35 -0200 Subject: Using sshrsakey instead of sshrsakey_key --- manifests/base.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 76203ee..50e0339 100644 
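Review bot: The new `case $sshd_internal_ip` in sshd::client::base has no `default:` branch, so any value other than the literal `no` or `yes` (`No`, `false`, a typo) collects no `Sshkey` resources at all and the system known_hosts is silently left empty, which pushes users towards accepting unverified host keys on first connect. init.pp only rewrites the empty string to `"no"`, so it does not guard against this. Add `default: { fail("sshd_internal_ip must be 'yes' or 'no', got '${sshd_internal_ip}'") }`, or make the default branch collect `tag == "fqdn"` only. Note also that the export side in sshd::base is filtered by the exporting node's `$sshd_internal_ip` while collection is filtered by the collecting node's value; that asymmetry looks intentional but deserves a comment in the manifest.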
--- a/manifests/base.pp +++ b/manifests/base.pp @@ -10,13 +10,13 @@ class sshd::base { } # Now add the key, if we've got one - case $sshrsakey_key { + case $sshrsakey { '': { info("no sshrsakey on $fqdn") } default: { @@sshkey{"$hostname.$domain": tag => "fqdn", type => ssh-rsa, - key => $sshrsakey_key, + key => $sshrsakey, ensure => present, } # In case the node has an internal network address, -- cgit v1.2.3 From 3955383bb6e89a3f9d26d5fd2df24cae37c2fa89 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 27 Dec 2009 16:30:14 -0200 Subject: Using fqdn instead of hostname.domain --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/base.pp b/manifests/base.pp index 50e0339..9aed1ba 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -13,7 +13,7 @@ class sshd::base { case $sshrsakey { '': { info("no sshrsakey on $fqdn") } default: { - @@sshkey{"$hostname.$domain": + @@sshkey{"$fqdn": tag => "fqdn", type => ssh-rsa, key => $sshrsakey, -- cgit v1.2.3 From 27bcf5e48905eff1e48b93f911e483ad1f2e0770 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 27 Dec 2009 16:53:19 -0200 Subject: Always including sshd::client::base --- manifests/client.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/client.pp b/manifests/client.pp index b650244..e3a12cb 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,12 +1,13 @@ # manifests/client.pp class sshd::client { + include sshd::client::base case $operatingsystem { debian: { include sshd::client::debian } default: { case $kernel { linux: { include sshd::client::linux } - default: { include sshd::client::base } + default: { } } } } -- cgit v1.2.3 From 83cc6e3ded79059c7abc3bea0f951df0c649ecb6 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 27 Dec 2009 17:04:12 -0200 Subject: Reverting last change --- manifests/client.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
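Review bot: The exported resource title `"$fqdn"` and the key `$sshrsakey` are both facts reported by the exporting agent, and nothing here ties the claimed name to the certificate that agent authenticated with; a compromised or misconfigured node can therefore export an `ssh-rsa` key under another host's FQDN, and every node that collects `Sshkey` resources writes it into its system known_hosts, which is exactly what a man-in-the-middle of SSH to that host needs. Mitigation depends on the Puppet version in use: where `$clientcert` exists it comes from the verified certificate rather than from facter, so `@@sshkey{"$clientcert": ...}` (or refusing to export when `$clientcert != $fqdn`) closes the spoofing path; otherwise restrict collection to a tag the exporting node cannot choose freely. The `sshd::base` class body continues outside this hunk.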
diff --git a/manifests/client.pp b/manifests/client.pp index e3a12cb..ad05d43 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,13 +1,12 @@ # manifests/client.pp class sshd::client { - include sshd::client::base case $operatingsystem { debian: { include sshd::client::debian } default: { case $kernel { linux: { include sshd::client::linux } - default: { } + default: { include sshd::client::base } } } } -- cgit v1.2.3 From 1a26489a12943d3e14942f82a4290b9a75e7f65c Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sat, 30 Jan 2010 21:32:12 -0200 Subject: Renaming $sshd_internal_ip to $sshd_shared_ip --- manifests/base.pp | 4 ++-- manifests/client/base.pp | 2 +- manifests/init.pp | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 9aed1ba..848e547 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -19,9 +19,9 @@ class sshd::base { key => $sshrsakey, ensure => present, } - # In case the node has an internal network address, + # In case the node has uses a shared network address, # we don't define a sshkey resource using an IP address - if $sshd_internal_ip == "no" { + if $sshd_shared_ip == "no" { @@sshkey{"$ipaddress": tag => "ipaddress", type => ssh-rsa, diff --git a/manifests/client/base.pp b/manifests/client/base.pp index b1dc99d..7329f55 100644 --- a/manifests/client/base.pp +++ b/manifests/client/base.pp @@ -5,7 +5,7 @@ class sshd::client::base { } # Now collect all server keys - case $sshd_internal_ip { + case $sshd_shared_ip { no: { Sshkey <<||>> } yes: { Sshkey <<| tag == "fqdn" |>> } } diff --git a/manifests/init.pp b/manifests/init.pp index f20c0d2..72f4f4e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -214,8 +214,8 @@ class sshd { case $sshd_print_motd { '': { $sshd_print_motd = "yes" } } - case $sshd_internal_ip { - '': { $sshd_internal_ip = "no" } + case $sshd_shared_ip { + '': { $sshd_shared_ip = "no" } } include sshd::client -- cgit v1.2.3 
From 0e9f8844a0a59b23cb67201ba9cd3d1fcbbb91a0 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 18 May 2010 20:30:50 -0300 Subject: Adding Ubuntu_lucid.erb --- templates/sshd_config/Ubuntu_lucid.erb | 192 +++++++++++++++++++++++++++++++++ 1 file changed, 192 insertions(+) create mode 100644 templates/sshd_config/Ubuntu_lucid.erb diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb new file mode 100644 index 0000000..5f7afb4 --- /dev/null +++ b/templates/sshd_config/Ubuntu_lucid.erb 
@@ -0,0 +1,192 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + +# What ports, IPs and protocols we listen for +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless sshd_authorized_keys_file.to_s.empty? 
then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +<%- if sshd_sftp_subsystem.to_s.empty? 
then %> +Subsystem sftp /usr/lib/openssh/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + +<%- if sshd_print_motd.to_s == 'no' then -%> +PrintMotd no +<%- end -%> + +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> + -- cgit v1.2.3 From 2c9e690d90e8fda3ad9b9ed7dc755c198127df7d Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 3 Jun 2010 23:29:10 -0300 Subject: Using sshd::client::debian for ubuntu --- manifests/client.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/client.pp b/manifests/client.pp index ad05d43..0d1d198 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
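Review bot: Every boolean in the new template renders `yes` only when the variable equals the literal `'yes'` and `no` otherwise, so for `StrictModes` an unset or misspelled `$sshd_strict_modes` switches off the ownership/permission checks on `~/.ssh` and `authorized_keys` — a fail-open default; invert that one, `<%- if sshd_strict_modes.to_s == 'no' then -%>StrictModes no<%- else -%>StrictModes yes<%- end -%>`, and consider the same for `PubkeyAuthentication`. The hard-coded `ChallengeResponseAuthentication no` after the `AllowAgentForwarding` block duplicates the variable-driven line earlier in the file; sshd_config(5) uses the first value obtained, so this later `no` is dead and misleading whenever `$sshd_challenge_response_authentication` is `yes`. `KeyRegenerationInterval` and `ServerKeyBits` are protocol-1-only and inert under `Protocol 2`. The new file's blob id `5f7afb4` is the one Debian_lenny.erb has after the PrintMotd commit, i.e. this is a byte-for-byte copy, and each later change in this series has to be replicated per copy; a shared template selected by OS family would reduce that drift.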
@@ -2,7 +2,7 @@ class sshd::client { case $operatingsystem { - debian: { include sshd::client::debian } + debian,ubuntu: { include sshd::client::debian } default: { case $kernel { linux: { include sshd::client::linux } -- cgit v1.2.3 From 30a4593a05a09b669a9cd8fff4318779a532b123 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 16 Dec 2010 20:20:53 -0200 Subject: Introducing perfect forward secrecy for SSH --- manifests/init.pp | 3 +++ templates/sshd_config/Debian_lenny.erb | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index c0a8cd5..ede4fdc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -217,6 +217,9 @@ class sshd { case $sshd_shared_ip { '': { $sshd_shared_ip = "no" } } + case $sshd_perfect_forward_secrecy { + '': { $sshd_perfect_forward_secrecy = "no" } + } include sshd::client diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 5f7afb4..3e4d1f7 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -190,3 +190,7 @@ PrintMotd no <%= sshd_tail_additional_options %> <%- end %> +<%- if sshd_perfect_forward_secrecy.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end %> -- cgit v1.2.3 From 7224e085a3c362de66364748ea3117e16f03fbcb Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Wed, 19 Jan 2011 16:41:18 -0500 Subject: Fix inclusion for default os When the os of a client is not one of those that use a specialized class, (e.g. FreeBSD) the inclusion is currently broken: it tries to include sshd::default which does not exist. Change this to include sshd::base instead. Signed-off-by: Gabriel Filion --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 90b7c64..f37a051 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
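Review bot: The `Ciphers`/`MACs` block is appended after `<%= sshd_tail_additional_options %>`; if an operator supplies a `Match` block through the tail options (the natural place, since `Match` must come last), these two directives fall inside it and sshd refuses to start (`Directive 'Ciphers' is not allowed within a Match block`), so turning the option on would take those hosts down. Emit the block before the tail-options include instead; that also stops a `Ciphers` line in the tail options from silently winning, because sshd keeps the first value it obtains for each keyword. Neither `Ciphers` nor `MACs` provides forward secrecy — that comes from the DH key exchange — so the variable name is misleading; it is renamed later in this series, so no further action beyond noting it. `hmac-sha1` is the only non-MD5 HMAC on the OpenSSH that lenny ships; on hosts running 5.9 or newer, `hmac-sha2-256,hmac-sha2-512` should precede it.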
@@ -251,7 +251,7 @@ class sshd { '': { $sshd_ensure_version = "present" } } - include sshd::client + include sshd::client case $operatingsystem { gentoo: { include sshd::gentoo } @@ -259,7 +259,7 @@ class sshd { centos: { include sshd::centos } openbsd: { include sshd::openbsd } debian,ubuntu: { include sshd::debian } - default: { include sshd::default } + default: { include sshd::base } } if $use_nagios { -- cgit v1.2.3 From 35768ed1e839ffa4c23d7a9ce06e8b34cec0228f Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Wed, 19 Jan 2011 17:13:39 -0500 Subject: Add an sshd_config template for FreeBSD Since there is no "catch-all" default configuration file for sshd, we need to add for each OS. Add a template for FreeBSD so that sshd can be configured on this OS. Signed-off-by: Gabriel Filion --- templates/sshd_config/FreeBSD.erb | 220 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 220 insertions(+) create mode 100644 templates/sshd_config/FreeBSD.erb diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb new file mode 100644 index 0000000..1d3de07 --- /dev/null +++ b/templates/sshd_config/FreeBSD.erb 
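Review bot: `default: { include sshd::base }` removes the reference to the non-existent `sshd::default`, but according to the next commit's message there is no catch-all sshd_config template, so on an OS without a `templates/sshd_config/<os>.erb` the catalog still fails, now at template evaluation with a less obvious error. Consider keeping the fallback explicit, `default: { fail("sshd: unsupported operatingsystem '${operatingsystem}'") }`, and listing the supported `$operatingsystem` values in the class header comment. The `sshd` class body continues outside this hunk.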
@@ -0,0 +1,220 @@ +# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $ +# $FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.2.2.1 2010/06/14 02:09:06 kensmith Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +# Note that some of FreeBSD's defaults differ from OpenBSD's, and +# FreeBSD has a few additional options. + +#VersionAddendum FreeBSD-20100308 + +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + +#AddressFamily any +<% for address in sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> + +# The default requires explicit activation of protocol 1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: + +LoginGraceTime 600 +<%- unless sshd_permit_root_login.to_s.empty? 
then -%> +PermitRootLogin <%= sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +#MaxAuthTries 6 +#MaxSessions 10 + +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# similar for protocol version 2 +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# Change to yes to enable built-in password authentication. 
+<%- if sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable PAM authentication +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'no' to disable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. 
+<%- if sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +#GatewayPorts no +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> + +X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# override default of no subsystems +<%- if sshd_sftp_subsystem.to_s.empty? then %> +Subsystem sftp /usr/libexec/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server + +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> +<%- end -%> + +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> + -- cgit v1.2.3 From 5bb61c2761210cff97b95c315fcc93c9c87e1c71 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Wed, 19 Jan 2011 20:45:59 -0500 Subject: Fix ssh_authorized_key When one uses the $name to define the user that should receive an SSH key, setting $user to a negative value, ssh_authorized_key currently creates the authorized_keys file under /home/.ssh/authorized_keys Fix this by changing ${user} to ${real_user} in the key's path. 
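Review bot: As in the other templates, every boolean falls to `no` unless the variable equals the literal `'yes'`, which for `StrictModes` is fail-open: an unset or misspelled `$sshd_strict_modes` disables the ownership/permission checks on `~/.ssh` and `authorized_keys`. Prefer `<%- if sshd_strict_modes.to_s == 'no' then -%>StrictModes no<%- else -%>StrictModes yes<%- end -%>` so the conservative value is what an omission produces. `UsePAM no` as the fallback also skips PAM account and session processing (e.g. login.access, password expiry); if FreeBSD's stock sshd_config enables PAM by default this is a change from the platform default, so confirm it is intended. `LoginGraceTime 600` gives unauthenticated connections five times the OpenSSH default of 120 s to hold a slot, which matters with `MaxStartups` left at its commented default.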
Signed-off-by: Gabriel Filion --- manifests/ssh_authorized_key.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index bf188d8..575b654 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -22,7 +22,7 @@ define sshd::ssh_authorized_key( undef,'': { case $real_user { 'root': { $real_target = '/root/.ssh/authorized_keys' } - default: { $real_target = "/home/${user}/.ssh/authorized_keys" } + default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" } } } default: { -- cgit v1.2.3 From 5dd814871a25ee2ba3ecb4e4a880c368212631b9 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Thu, 20 Jan 2011 02:25:32 -0500 Subject: ssh_authorized_key: use $name for user by default Currently ssh_authorized_key has some logic about $user being false or '', but it sets its value to default to 'root'. So, in order to use the name as the user's name, one has to clear the user parameter, which is totally redundant. Since it is sometimes useful to publish multiple keys for a user, the $user parameter is useful. To make using ssh_authorized_key for one-key normal users simpler, make $user default to being empty (which will use $name as the user name). 'root' can always be specified either via the name or by the $user paramter. Signed-off-by: Gabriel Filion --- manifests/ssh_authorized_key.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index 575b654..40649b0 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -3,7 +3,7 @@ define sshd::ssh_authorized_key( $ensure = 'present', $type = 'ssh-dss', $key = 'absent', - $user = 'root', + $user = '', $target = undef, $options = 'absent' ){ -- cgit v1.2.3 From ac30247bf9d7ea57c01cc5ad743e2788f6e8ea0d Mon Sep 17 00:00:00 2001 
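Review bot: With `$user` now defaulting to `''`, `$real_user` is taken from the resource title and `$real_target` is built as `"/home/${real_user}/.ssh/authorized_keys"` for every non-root user; accounts whose home is not under `/home` (service accounts, users with `%h` elsewhere) get the key written where sshd never reads it (`AuthorizedKeysFile %h/.ssh/authorized_keys` in the templates) — a silent no-op for key deployment — and titles that are not user names, the multi-key case the commit message mentions, create stray `/home/<title>` trees. Resolve the home directory rather than hard-coding it — as far as I know the core `ssh_authorized_key` type manages `~user/.ssh/authorized_keys` itself when `target` is left unset — or at least validate `$real_user` against a user-name pattern before interpolating it into a path. The define's body, including how `$real_user` is derived, lies outside this hunk.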
From: Silvio Rhatto Date: Sun, 13 Feb 2011 18:42:36 -0200 Subject: Perfect forward secrecy config at squeeze template --- templates/sshd_config/Debian_squeeze.erb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 56b1cab..d371ed1 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -202,3 +202,7 @@ AllowGroups <%= sshd_allowed_groups %> <%= sshd_tail_additional_options %> <%- end %> +<%- if sshd_perfect_forward_secrecy.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end %> -- cgit v1.2.3 From 85880085ff2e1f49b5888865a63f60f307185ab8 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sat, 19 Feb 2011 18:48:59 -0200 Subject: Updating lucid template with new ssh port scheme --- templates/sshd_config/Ubuntu_lucid.erb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 5f7afb4..d5c9c31 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -6,14 +6,12 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -- cgit v1.2.3 From 95bf6e032bda5c2799d44b5fb6aa6c46c109d0d8 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Mon, 21 Feb 2011 15:18:14 -0500 Subject: FreeBSD: Use variables for the Kerberos options Signed-off-by: Gabriel Filion --- templates/sshd_config/FreeBSD.erb | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) 
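Review bot: `sshd_ports.each` assumes the variable is always an array; if `$sshd_ports` is ever a plain string (a scalar such as `"22"`) the outcome depends on the Ruby version — 1.8 iterates lines and happens to work, 1.9 raises `NoMethodError` and the catalog fails to compile. `Array(sshd_ports).each do |port|` accepts both, and checking `port.to_s =~ /\A\d+\z/` before emitting `Port <%= port %>` keeps garbage out of sshd_config. An `'off'` element only adds a comment; when other ports are listed alongside it they still produce `Port` lines, so if `off` is meant to be exclusive that should be documented where `$sshd_ports` is defined. Whether `$sshd_ports` can be a scalar depends on init.pp, which is not in this hunk.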
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 1d3de07..4e4329a 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -130,14 +130,33 @@ ChallengeResponseAuthentication no <%- end -%> # Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no +<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> +KerberosAuthentication yes +<%- else -%> +KerberosAuthentication no +<%- end -%> +<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> +KerberosOrLocalPasswd yes +<%- else -%> +KerberosOrLocalPasswd no +<%- end -%> +<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> +KerberosTicketCleanup yes +<%- else -%> +KerberosTicketCleanup no +<%- end -%> # GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPIAuthentication yes +<%- else -%> +GSSAPIAuthentication no +<%- end -%> +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPICleanupCredentials yes +<%- else -%> +GSSAPICleanupCredentials yes +<%- end -%> # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -- cgit v1.2.3 From 9ac4697eb546304ebc20d85aeeb93a73ca0fed5c Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Wed, 23 Feb 2011 14:25:18 -0300 Subject: Changing parameter name sshd_perfect_forward_secrecy to sshd_use_strong_ciphers as sshd already does PFS --- manifests/init.pp | 4 ++-- templates/sshd_config/Debian_lenny.erb | 2 +- templates/sshd_config/Debian_squeeze.erb | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index b4e4788..bfefaab 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
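Review bot: `GSSAPICleanupCredentials` is gated on `sshd_gssapi_authentication` and both branches emit `yes`, so the condition is dead — a copy-paste slip; introduce `sshd_gssapi_cleanup_credentials` and render `<%- if sshd_gssapi_cleanup_credentials.to_s == 'no' then -%>GSSAPICleanupCredentials no<%- else -%>GSSAPICleanupCredentials yes<%- end -%>` so destroying the delegated cache at logout stays the default. The same fail-open pattern hits `KerberosTicketCleanup`: the removed comment shows the OpenSSH default is `yes`, but an unset `$sshd_kerberos_ticketcleanup` now writes `KerberosTicketCleanup no`, leaving users' ticket caches on disk after logout. `KerberosOrLocalPasswd` likewise flips from the default `yes` to `no` when unset, which removes the local-password fallback once `KerberosAuthentication yes` is set; invert the tests for these three so that `no` must be requested explicitly. Whether init.pp defines defaults for the new variables is not visible here.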
@@ -95,8 +95,8 @@ class sshd { case $sshd_shared_ip { '': { $sshd_shared_ip = "no" } } - case $sshd_perfect_forward_secrecy { - '': { $sshd_perfect_forward_secrecy = "no" } + case $sshd_use_strong_ciphers { + '': { $sshd_use_strong_ciphers = "no" } } include sshd::client diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index ea04fe6..e85eab3 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -189,7 +189,7 @@ PrintMotd no <%= sshd_tail_additional_options %> <%- end %> -<%- if sshd_perfect_forward_secrecy.to_s == 'yes' then -%> +<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> Ciphers aes256-ctr MACs hmac-sha1 <%- end %> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 09f4351..38f8657 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -203,7 +203,7 @@ AllowGroups <%= sshd_allowed_groups %> <%= sshd_tail_additional_options %> <%- end %> -<%- if sshd_perfect_forward_secrecy.to_s == 'yes' then -%> +<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> Ciphers aes256-ctr MACs hmac-sha1 <%- end %> -- cgit v1.2.3 From 75105d66d89671943a1eb1f37573b4e63dd33919 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Wed, 23 Feb 2011 14:40:02 -0300 Subject: Adding sshd_use_strong_ciphers to all sshd_config templates --- templates/sshd_config/CentOS.erb | 5 +++++ templates/sshd_config/Debian_etch.erb | 4 ++++ templates/sshd_config/Debian_squeeze.erb | 2 +- templates/sshd_config/Gentoo.erb | 5 ++++- templates/sshd_config/OpenBSD.erb | 5 +++++ templates/sshd_config/Ubuntu_lucid.erb | 4 ++++ 6 files changed, 23 insertions(+), 2 deletions(-) diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 544effe..f2ad175 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb 
@@ -207,3 +207,8 @@ AllowGroups <%= sshd_allowed_groups %> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> + +<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> +Ciphers aes128-ctr +MACs hmac-sha1 +<%- end %> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index d0d7175..562b1ef 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -182,3 +182,7 @@ AllowGroups <%= sshd_allowed_groups %> <%= sshd_tail_additional_options %> <%- end %> +<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> +Ciphers aes128-ctr +MACs hmac-sha1 +<%- end %> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 38f8657..53175dd 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -204,6 +204,6 @@ AllowGroups <%= sshd_allowed_groups %> <%- end %> <%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> -Ciphers aes256-ctr +Ciphers aes128-ctr MACs hmac-sha1 <%- end %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 768d3f5..85ff9d9 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -213,4 +213,7 @@ AllowGroups <%= sshd_allowed_groups %> <%= sshd_tail_additional_options %> <%- end %> - +<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> +Ciphers aes128-ctr +MACs hmac-sha1 +<%- end %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 51662d3..63c4ff1 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -187,3 +187,8 @@ AllowGroups <%= sshd_allowed_groups %> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> + +<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> +Ciphers aes128-ctr +MACs hmac-sha1 +<%- end %> 
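Review bot: The new `Ciphers`/`MACs` block is appended after `sshd_tail_additional_options`, and sshd uses the first value it reads for a keyword, so any `Ciphers` or `MACs` line a user places in the tail options silently wins over the strong-cipher setting; the same placement is used in the Debian_etch, Gentoo and OpenBSD hunks of this commit and in the Ubuntu_lucid hunk that follows. If that override is intended, say so with a comment above the block, `# Deliberately after tail options: sshd keeps the first Ciphers/MACs it reads, so tail options can override these`; otherwise move the block ahead of the tail-options block. A single-entry list such as `Ciphers aes128-ctr` with `MACs hmac-sha1` also refuses every client that does not offer exactly those algorithms, which is worth stating in the README entry for `sshd_use_strong_ciphers`.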
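Review bot: The Debian_squeeze hunk changes `Ciphers aes256-ctr` to `Ciphers aes128-ctr`, which the commit message ("Adding sshd_use_strong_ciphers to all sshd_config templates") does not mention, and it leaves Debian_lenny on aes256-ctr until the separate follow-up commit, so for one commit the same variable selects different ciphers per distribution. A cipher list that is meant to be uniform is easier to keep consistent if it lives in one place, for example a string defaulted in init.pp (constructed name: `sshd_strong_ciphers`, not defined on this page) that every template interpolates; failing that, the intended algorithm change belongs in the commit message.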
diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index d5c9c31..904a409 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -188,3 +188,7 @@ PrintMotd no <%= sshd_tail_additional_options %> <%- end %> +<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> +Ciphers aes128-ctr +MACs hmac-sha1 +<%- end %> -- cgit v1.2.3 From 4d73d3784e074b719ef43efe152cb7d38ce24c7e Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Wed, 23 Feb 2011 14:46:20 -0300 Subject: Changing strong cipher to aes128-crt --- templates/sshd_config/Debian_lenny.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index e85eab3..022d2d9 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -190,6 +190,6 @@ PrintMotd no <%- end %> <%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> -Ciphers aes256-ctr +Ciphers aes128-ctr MACs hmac-sha1 <%- end %> -- cgit v1.2.3 From 34863e959fcd05dd325a658561f14580d49b6764 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sun, 6 Mar 2011 09:10:44 +0100 Subject: New opt-in support to only use strong SSL ciphers and MACs. The new configuration variable is $sshd_hardened_ssl. Settings were stolen from https://github.com/ioerror/duraconf.git. --- README | 4 ++++ manifests/init.pp | 3 +++ templates/sshd_config/CentOS.erb | 5 +++++ templates/sshd_config/Debian_etch.erb | 5 +++++ templates/sshd_config/Debian_lenny.erb | 5 +++++ templates/sshd_config/Debian_sid.erb | 5 +++++ templates/sshd_config/Debian_squeeze.erb | 5 +++++ templates/sshd_config/Gentoo.erb | 4 ++++ templates/sshd_config/OpenBSD.erb | 5 +++++ 9 files changed, 41 insertions(+) diff --git a/README b/README index fa4214d..9cf253f 100644 --- a/README +++ b/README 
@@ -170,6 +170,10 @@ The following is a list of the currently available variables: (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile %h/.ssh/authorized_keys + $sshd_hardened_ssl + Use only strong SSL ciphers and MAC. + Values: no or yes; Default: no. + $sshd_sftp_subsystem Set a different sftp-subystem than the default one. Might be interesting for sftponly usage. Default: empty -> no change of the default diff --git a/manifests/init.pp b/manifests/init.pp index 991fbba..cc5f10e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -77,6 +77,9 @@ class sshd { case $sshd_authorized_keys_file { '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } } + case $sshd_hardened_ssl { + '': { $sshd_hardened_ssl = 'no' } + } case $sshd_sftp_subsystem { '': { $sshd_sftp_subsystem = '' } } diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 544effe..859759a 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -204,6 +204,11 @@ AllowUsers <%= sshd_allowed_users %> AllowGroups <%= sshd_allowed_groups %> <%- end -%> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index c90a5fe..23559fc 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -172,6 +172,11 @@ AllowGroups <%= sshd_allowed_groups %> PrintMotd no +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 14e32bf..65befdc 100644 --- a/templates/sshd_config/Debian_lenny.erb 
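Review bot: The new `case $sshd_hardened_ssl` in init.pp only fills in an empty value; any other string is accepted and, because every template tests `.to_s == 'yes'`, a value such as `Yes`, `true` or `on` silently leaves the hardening off. Since the README entry in this commit documents the values as `no` or `yes`, the case could enforce that: `'': { $sshd_hardened_ssl = 'no' }`, `'yes','no': {}`, `default: { fail("sshd_hardened_ssl must be yes or no") }`. The surrounding `class sshd` body starts and ends outside the hunk.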
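Review bot: The hardened block in the CentOS template emits one cipher and one MAC with no comment on what it trades away: any client that does not offer `aes256-ctr` and `hmac-sha1` is refused, and the key-exchange and host-key algorithm lists stay at the server default, so the transport is only partially pinned. A comment above the block would make that contract visible to whoever flips the variable, e.g. `# Single-algorithm lists: clients lacking aes256-ctr/hmac-sha1 cannot connect; KEX and host-key algorithms remain at sshd defaults`; the same applies to the Debian_etch hunk here, the Debian_lenny, Debian_sid, Debian_squeeze and Gentoo hunks that follow, the OpenBSD hunk after them and the later FreeBSD hunk (commit a5312442). While `sshd_use_strong_ciphers` still exists (it is only removed in commit 57d8883), a host with both variables set to `yes` gets two `Ciphers` lines and sshd keeps the first one it reads, so this block's `aes256-ctr` wins and the other is ignored without any diagnostic. The name says SSL, but these are SSH transport algorithms; a name like `sshd_hardened_transport` (constructed) would read more accurately, and renaming is cheapest now, in the commit that introduces it.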
+++ b/templates/sshd_config/Debian_lenny.erb @@ -181,6 +181,11 @@ AllowGroups <%= sshd_allowed_groups %> PrintMotd no +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 6dc9333..0213342 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index cf50ddb..dfebcc3 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 768d3f5..f9f5b23 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -208,6 +208,10 @@ AllowUsers <%= sshd_allowed_users %> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 51662d3..7a20cd9 100644 
--- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -184,6 +184,11 @@ AllowGroups <%= sshd_allowed_groups %> # AllowTcpForwarding no # ForceCommand cvs server +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> -- cgit v1.2.3 From 005baf59c5a73583507c7e73d7b56f9029ac978a Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 20 Jun 2011 20:21:16 +0200 Subject: Add sshd_config template for Debian Wheezy. Currently, this is a symlink to the Debian sid's one, which I've recently resync'd. Once Wheezy is frozen, we'll want to fork its own template. --- templates/sshd_config/Debian_wheezy.erb | 1 + 1 file changed, 1 insertion(+) create mode 120000 templates/sshd_config/Debian_wheezy.erb diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb new file mode 120000 index 0000000..3faae05 --- /dev/null +++ b/templates/sshd_config/Debian_wheezy.erb @@ -0,0 +1 @@ +Debian_sid.erb \ No newline at end of file -- cgit v1.2.3 From 57d8883d485baa09a0841d629fe66406611ca261 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Wed, 13 Jul 2011 18:41:59 -0300 Subject: Removing sshd_use_strong_ciphers parameter as sshd_hardened_ssl does the job --- templates/sshd_config/CentOS.erb | 5 ----- templates/sshd_config/Debian_etch.erb | 5 ----- templates/sshd_config/Debian_lenny.erb | 5 ----- templates/sshd_config/Debian_squeeze.erb | 5 ----- templates/sshd_config/Gentoo.erb | 5 ----- templates/sshd_config/OpenBSD.erb | 5 ----- templates/sshd_config/Ubuntu_lucid.erb | 2 +- 7 files changed, 1 insertion(+), 31 deletions(-) diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 2b4f2fe..859759a 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb 
@@ -212,8 +212,3 @@ MACs hmac-sha1 <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - -<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> -Ciphers aes128-ctr -MACs hmac-sha1 -<%- end %> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 93fefc2..dbef8b8 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -182,8 +182,3 @@ MACs hmac-sha1 <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - -<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> -Ciphers aes128-ctr -MACs hmac-sha1 -<%- end %> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 0c551e5..c168114 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -191,8 +191,3 @@ MACs hmac-sha1 <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - -<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> -Ciphers aes128-ctr -MACs hmac-sha1 -<%- end %> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 1f92112..dfebcc3 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -205,8 +205,3 @@ MACs hmac-sha1 <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - -<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> -Ciphers aes128-ctr -MACs hmac-sha1 -<%- end %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 40a70e7..38674ce 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb 
@@ -216,8 +216,3 @@ MACs hmac-sha1 <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - -<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> -Ciphers aes128-ctr -MACs hmac-sha1 -<%- end %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index be76df2..7a20cd9 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -192,8 +192,3 @@ MACs hmac-sha1 <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - -<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> -Ciphers aes128-ctr -MACs hmac-sha1 -<%- end %> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 904a409..1c44c7b 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -188,7 +188,7 @@ PrintMotd no <%= sshd_tail_additional_options %> <%- end %> -<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> Ciphers aes128-ctr MACs hmac-sha1 <%- end %> -- cgit v1.2.3 From b221570654920306e59948dde08378a95fa4612d Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Jul 2011 13:15:27 -0300 Subject: Updating FreeBSD template for new sshd_ports variable --- templates/sshd_config/FreeBSD.erb | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 4e4329a..6714003 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb 
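Review bot: After the Ubuntu_lucid hunk its `sshd_hardened_ssl` block still emits `Ciphers aes128-ctr`, whereas every other template's `sshd_hardened_ssl` block (CentOS, Debian_*, Gentoo, OpenBSD, added in commit 34863e9) emits `Ciphers aes256-ctr`, so the same variable now selects different ciphers depending on distribution. The line should become `Ciphers aes256-ctr` to match; this template also keeps the block after `sshd_tail_additional_options` while the others place it before, and since sshd honours the first `Ciphers`/`MACs` it reads, the override behaviour differs as well. A comment such as `# Keep in sync with the sshd_hardened_ssl block in the other sshd_config templates` would help the next edit.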
@@ -20,14 +20,13 @@ <%= sshd_head_additional_options %> <%- end %> -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +# What ports, IPs and protocols we listen for +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> #AddressFamily any -- cgit v1.2.3 From a5312442b6426951d4f6fa0c89128f4be5d93a5d Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Sat, 16 Jul 2011 23:45:24 -0400 Subject: Enable $ssh_hardened_ssl for FreeBSD It is the only sshd_config template that didn't have this option, so copy it from the other templates. Signed-off-by: Gabriel Filion --- templates/sshd_config/FreeBSD.erb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 6714003..38738bc 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -232,6 +232,11 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> -- cgit v1.2.3 From 6615426a49e6adb0a58ade0b55165888dab65637 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Sat, 16 Jul 2011 23:49:11 -0400 Subject: Clean out $ssh_use_strong_ciphers A tentative option from rhatto using the variable named $ssh_use_strong_ciphers still has two lines in init.pp Since the same functionality is provided by the variable $ssh_hardened_ssl that was merged in the shared repository, rhatto removed his feature. But there are still two lines left, so simply remove them. Signed-off-by: Gabriel Filion --- manifests/init.pp | 3 --- 1 file changed, 3 deletions(-) 
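Review bot: `sshd_ports.each` assumes the variable is an array; if a node supplies `sshd_ports` as a plain string (the code it replaces handled a scalar `sshd_port`), `each` is not defined on String in Ruby 1.9 and the template fails, while Ruby 1.8 iterates lines and emits one `Port` line per line of the string. Wrapping it as `<%- Array(sshd_ports).each do |port| -%>` accepts both shapes; the default for `sshd_ports` set in init.pp is not in this hunk. The `'off'` branch deserves a comment too: `#Port -- disabled by puppet` only emits a comment, and sshd with no `Port` directive listens on its built-in default port 22, so `# 'off' suppresses the Port line only; sshd then falls back to its default port` would state what actually happens. `<%= port %>` is also interpolated unvalidated, and a non-numeric value makes sshd reject its configuration on the next restart.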
diff --git a/manifests/init.pp b/manifests/init.pp index af25e9e..66b7262 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -98,9 +98,6 @@ class sshd { case $sshd_shared_ip { '': { $sshd_shared_ip = "no" } } - case $sshd_use_strong_ciphers { - '': { $sshd_use_strong_ciphers = "no" } - } include sshd::client -- cgit v1.2.3 From 69c8085470989e8c41456f0379ac030a9ffb0215 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Sun, 17 Jul 2011 00:21:44 -0400 Subject: Provide a default value for $sshd_shared_ip in sshd::client Since it's possible to "include sshd::client" without using "include sshd" (e.g. installing/managing ssh client but not the server) provide a default value for $sshd_shared_ip also in the sshd::client class. Signed-off-by: Gabriel Filion --- manifests/client.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/manifests/client.pp b/manifests/client.pp index 0d1d198..5eed5fc 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,6 +1,11 @@ # manifests/client.pp class sshd::client { + + case $sshd_shared_ip { + '': { $sshd_shared_ip = "no" } + } + case $operatingsystem { debian,ubuntu: { include sshd::client::debian } default: { @@ -10,7 +15,9 @@ class sshd::client { } } } + if $use_shorewall{ include shorewall::rules::out::ssh } + } -- cgit v1.2.3 From 0822b5bfb575fdfe555d26d112d0fde669d55963 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Sun, 17 Jul 2011 00:28:54 -0400 Subject: Document the $sshd_print_motd variable in the README Signed-off-by: Gabriel Filion --- README | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README b/README index 9cf253f..647f2e0 100644 --- a/README +++ b/README 
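Review bot: The default for `$sshd_shared_ip` now lives in two classes (`sshd` in init.pp and `sshd::client` here) and the two copies can drift; the consumer of the variable is not in this hunk and resolves the name through dynamic scope, so which copy it sees presumably depends on include order. A comment on the new case, `# Duplicated from sshd in init.pp so sshd::client works standalone; keep the two defaults identical`, records the intent, and a single small class that both include would remove the duplication. The `class sshd::client` body spans both hunks of this file.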
@@ -174,6 +174,9 @@ The following is a list of the currently available variables: Use only strong SSL ciphers and MAC. Values: no or yes; Default: no. + $sshd_print_motd + Show the Message of the day when a user logs in. + $sshd_sftp_subsystem Set a different sftp-subystem than the default one. Might be interesting for sftponly usage. Default: empty -> no change of the default -- cgit v1.2.3 From 89aeace9b6367f144165334bbfbbdf7bd1da8359 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Sun, 17 Jul 2011 00:38:25 -0400 Subject: Document the $sshd_shared_ip variable in the README Signed-off-by: Gabriel Filion --- README | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README b/README index 647f2e0..5d14392 100644 --- a/README +++ b/README @@ -194,6 +194,11 @@ The following is a list of the currently available variables: be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added. + $sshd_shared_ip + Whether the server uses a shared network IP address. If it does, then we + don't want it to export an rsa key for its IP address. + Values: no or yes; Default: no + Defines and functions --------------------- -- cgit v1.2.3 From 0e9e1b6f2c5dca80c946f7944d47f1d28ba76920 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 21 Jul 2011 11:01:33 -0300 Subject: Adding PrintMotd parameter to all templates and setting per-distro default value --- manifests/init.pp | 7 ++++++- templates/sshd_config/CentOS.erb | 2 +- templates/sshd_config/Debian_etch.erb | 4 +--- templates/sshd_config/Debian_lenny.erb | 4 +--- templates/sshd_config/Debian_sid.erb | 2 +- templates/sshd_config/Debian_squeeze.erb | 2 +- templates/sshd_config/FreeBSD.erb | 2 +- templates/sshd_config/Gentoo.erb | 2 +- templates/sshd_config/OpenBSD.erb | 2 +- templates/sshd_config/Ubuntu_lucid.erb | 4 +--- 10 files changed, 15 insertions(+), 16 deletions(-) 
diff --git a/manifests/init.pp b/manifests/init.pp index 66b7262..8b3361c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -93,7 +93,12 @@ class sshd { '': { $sshd_ensure_version = "present" } } case $sshd_print_motd { - '': { $sshd_print_motd = "yes" } + '': { + case $operatingsystem { + debian,ubuntu: { $sshd_print_motd = "no" } + default: { $sshd_print_motd = "yes" } + } + } } case $sshd_shared_ip { '': { $sshd_shared_ip = "no" } diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 859759a..3d5b5b0 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -171,7 +171,7 @@ X11Forwarding no <%- end -%> #X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index dbef8b8..1047222 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -170,9 +170,7 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> -<%- if sshd_print_motd.to_s == 'no' then -%> - PrintMotd no -<%- end -%> +PrintMotd <%= sshd_print_motd %> <%- if sshd_hardened_ssl.to_s == 'yes' then -%> Ciphers aes256-ctr diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index c168114..4ffb94c 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -179,9 +179,7 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> -<%- if sshd_print_motd.to_s == 'no' then -%> -PrintMotd no -<%- end -%> +PrintMotd <%= sshd_print_motd %> <%- if sshd_hardened_ssl.to_s == 'yes' then -%> Ciphers aes256-ctr diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 0213342..b211708 100644 --- a/templates/sshd_config/Debian_sid.erb 
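Review bot: `PrintMotd <%= sshd_print_motd %>` writes the variable into sshd_config verbatim, and the `case $sshd_print_motd` in init.pp only fills in the empty case, so an unexpected value (`true`, `Yes`, a string containing a space) produces a `PrintMotd` line that sshd rejects and the service fails to (re)start; the same interpolation is used in the Debian_etch and Debian_lenny hunks here and in the Debian_sid, Debian_squeeze, FreeBSD, Gentoo, OpenBSD and Ubuntu_lucid hunks that follow. Adding `'yes','no': {}` and `default: { fail("sshd_print_motd must be yes or no") }` to the case in init.pp keeps a bad value out of the config file. The per-distribution default also deserves a comment: the Debian templates previously hard-coded `PrintMotd no`, presumably because the motd is printed through PAM there, and `# Debian/Ubuntu: the motd is shown by PAM, so sshd must not print it again — confirm` next to the `debian,ubuntu:` branch would record the reason.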
+++ b/templates/sshd_config/Debian_sid.erb @@ -145,7 +145,7 @@ X11Forwarding yes X11Forwarding no <%- end -%> X11DisplayOffset 10 -PrintMotd no +PrintMotd <%= sshd_print_motd %> PrintLastLog yes TCPKeepAlive yes diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index dfebcc3..fb58e72 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -145,7 +145,7 @@ X11Forwarding yes X11Forwarding no <%- end -%> X11DisplayOffset 10 -PrintMotd no +PrintMotd <%= sshd_print_motd %> PrintLastLog yes TCPKeepAlive yes diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 38738bc..9853f5d 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -193,7 +193,7 @@ X11Forwarding no X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes TCPKeepAlive yes #UseLogin no diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 38674ce..8581804 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -171,7 +171,7 @@ X11Forwarding no <%- end %> #X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 7a20cd9..b6def87 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -147,7 +147,7 @@ X11Forwarding no <%- end %> #X11DisplayOffset 10 #X11UseLocalhost yes -#PrintMotd yes +PrintMotd <%= sshd_print_motd %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 1c44c7b..304558b 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb 
@@ -180,9 +180,7 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> -<%- if sshd_print_motd.to_s == 'no' then -%> -PrintMotd no -<%- end -%> +PrintMotd <%= sshd_print_motd %> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> -- cgit v1.2.3