From 96bbe0adb8323ecb8e95e6be8900e6dd1b57b419 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 20 Oct 2008 22:46:50 +0000 Subject: new options, cleaned up real_ hack git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2527 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- templates/sshd_config/Debian_lenny.erb | 56 +++++++++++++++++++++------------- 1 file changed, 34 insertions(+), 22 deletions(-) (limited to 'templates/sshd_config/Debian_lenny.erb') diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index bb39736..8d68808 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -2,14 +2,14 @@ # See the sshd(8) manpage for details # What ports, IPs and protocols we listen for -<%- unless real_sshd_port.to_s.empty? then -%> -Port <%= real_sshd_port -%> +<%- unless sshd_port.to_s.empty? then -%> +Port <%= sshd_port -%> <%- else -%> Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> Protocol 2 
@@ -33,52 +33,52 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> <%- else -%> PermitRootLogin without-password <%- end -%> -<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +<%- if sshd_strict_modes.to_s == 'yes' then -%> StrictModes yes <%- else -%> StrictModes no <%- end -%> -<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> RSAAuthentication yes <%- else -%> RSAAuthentication no <%- end -%> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> PubkeyAuthentication yes <%- else -%> PubkeyAuthentication no <%- end -%> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else -%> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end -%> # For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> RhostsRSAAuthentication yes <%- else -%> RhostsRSAAuthentication no <% end -%> # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> IgnoreRhosts yes <%- else -%> IgnoreRhosts no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> HostbasedAuthentication yes <%- else -%> HostbasedAuthentication no 
@@ -88,21 +88,21 @@ HostbasedAuthentication no #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> ChallengeResponseAuthentication yes <%- else -%> ChallengeResponseAuthentication no <%- end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +<%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes <%- else -%> PasswordAuthentication no @@ -117,7 +117,7 @@ PasswordAuthentication no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes <%- else -%> X11Forwarding no @@ -130,7 +130,11 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes +<%- if sshd_sftp_subsystem.to_s.empty? then %> #Subsystem sftp /usr/lib/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -141,7 +145,7 @@ KeepAlive yes # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then -%> +<%- if sshd_use_pam.to_s == 'yes' then -%> UsePAM yes <%- else -%> UsePAM no 
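Review bot: In the `@@ -130,7 +130,11 @@` hunk, `sshd_sftp_subsystem` is written into the `Subsystem sftp` line without any check, and that value is the command sshd starts for every sftp session. A value containing a line break would also add extra directives to the generated sshd_config. Where the variable is set is not visible in this patch, so I would guard it in the template with `<%- raise Puppet::ParseError, "sshd_sftp_subsystem must be a single line" if sshd_sftp_subsystem.to_s =~ /[\r\n]/ -%>` before the `Subsystem` line. The three new tags also close with `%>` where the rest of the file uses `-%>`, so they leave stray blank lines in the output.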
@@ -149,13 +153,13 @@ UsePAM no HostbasedUsesNameFromPacketOnly yes -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> AllowTcpForwarding no <%- end -%> -<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%> +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> AllowAgentForwarding yes <%- else -%> AllowAgentForwarding no @@ -163,7 +167,15 @@ AllowAgentForwarding no ChallengeResponseAuthentication no -<%- unless real_sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= real_sshd_allowed_users -%> +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> <%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> +<%- end %> -- cgit v1.2.3
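Review bot: The `sshd_additional_options` block at the end of the `@@ -163,7 +167,15 @@` hunk emits caller-supplied text verbatim after every other directive, and sshd keeps the first value it reads for most keywords. An option passed this way to tighten a setting the template has already written (for example `PermitRootLogin` or `PasswordAuthentication`) is therefore ignored without any error. I would document that above the block, e.g. `# Extra options: sshd uses the first value of each keyword, so lines here cannot override settings above`, and state in the module documentation that the variable is inserted unfiltered. Separately, once `AllowUsers` and `AllowGroups` are both set, an account has to match both lists to log in, which deserves a comment next to the new `AllowGroups` line.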