From d827a52614fc41ca98e2f2fc453da2e2ae4965ec Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sat, 27 Sep 2008 16:51:32 -0400
Subject: rename the templates to coincide with the downcased lsbdistcodename also add a missing comma in the content selector
---
templates/sshd_config/Debian_lenny.erb | 169 +++++++++++++++++++++++++++++++++
1 file changed, 169 insertions(+)
create mode 100644 templates/sshd_config/Debian_lenny.erb
(limited to 'templates/sshd_config/Debian_lenny.erb')
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
new file mode 100644
index 0000000..bb39736
--- /dev/null
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -0,0 +1,169 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+<%- unless real_sshd_port.to_s.empty? then -%>
+Port <%= real_sshd_port -%>
+<%- else -%>
+Port 22
+<%- end -%>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+<% for address in real_sshd_listen_address -%>
+ListenAddress <%= address %>
+<% end -%>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# ...but breaks Pam auth via kbdint, so we have to turn it off
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user (off due to PrivSep)
+#PAMAuthenticationViaKbdInt no
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+<%- unless real_sshd_permit_root_login.to_s.empty? then -%>
+PermitRootLogin <%= real_sshd_permit_root_login -%>
+<%- else -%>
+PermitRootLogin without-password
+<%- end -%>
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then -%>
+StrictModes yes
+<%- else -%>
+StrictModes no
+<%- end -%>
+
+<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%>
+RSAAuthentication yes
+<%- else -%>
+RSAAuthentication no
+<%- end -%>
+
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%>
+PubkeyAuthentication yes
+<%- else -%>
+PubkeyAuthentication no
+<%- end -%>
+
+<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%>
+AuthorizedKeysFile <%= real_sshd_authorized_keys_file %>
+<%- else -%>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<%- end -%>
+
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
+RhostsRSAAuthentication yes
+<%- else -%>
+RhostsRSAAuthentication no
+<% end -%>
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%>
+IgnoreRhosts yes
+<%- else -%>
+IgnoreRhosts no
+<% end -%>
+
+# similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%>
+HostbasedAuthentication yes
+<%- else -%>
+HostbasedAuthentication no
+<% end -%>
+
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
+
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%>
+ChallengeResponseAuthentication yes
+<%- else -%>
+ChallengeResponseAuthentication no
+<%- end -%>
+
+# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then -%>
+PasswordAuthentication yes
+<%- else -%>
+PasswordAuthentication no
+<%- end -%>
+
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%>
+X11Forwarding yes
+<%- else -%>
+X11Forwarding no
+<%- end -%>
+X11DisplayOffset 10
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+
+#Subsystem sftp /usr/lib/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+<%- if real_sshd_use_pam.to_s == 'yes' then -%>
+UsePAM yes
+<%- else -%>
+UsePAM no
+<%- end -%>
+
+HostbasedUsesNameFromPacketOnly yes
+
+<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%>
+AllowTcpForwarding yes
+<%- else -%>
+AllowTcpForwarding no
+<%- end -%>
+
+<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%>
+AllowAgentForwarding yes
+<%- else -%>
+AllowAgentForwarding no
+<%- end -%>
+
+ChallengeResponseAuthentication no
+
+<%- unless real_sshd_allowed_users.to_s.empty? then -%>
+AllowUsers <%= real_sshd_allowed_users -%>
+<%- end -%>
+
-- cgit v1.2.3
From 1f25b213e1ff1c953dac53f02d862612a5e09c0f Mon Sep 17 00:00:00 2001
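Review bot: `ChallengeResponseAuthentication` is written twice in the new template: once from the `real_sshd_challenge_response_authentication` block and again as a hard-coded `ChallengeResponseAuthentication no` just before the `AllowUsers` block near the end of the file. sshd uses the first value it reads for a keyword, so the trailing `no` is dead: when the variable is `yes`, challenge-response stays enabled (and with it the PAM-via-keyboard-interactive path described in the comment block above `UsePAM`) even though the rendered file appears to switch it off. Drop the trailing `ChallengeResponseAuthentication no` line, or drop the templated block if `no` is meant to be an invariant, so the policy is stated once. The values inserted with `<%= %>` (`real_sshd_port`, `real_sshd_authorized_keys_file`, `real_sshd_allowed_users`) go into the file unescaped; a one-line comment at the top noting that they are expected to be single-line tokens would help the next maintainer.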
From: Micah Anderson
Date: Mon, 27 Oct 2008 15:45:11 -0400
Subject: Debian's sshd config typically has PrintMotd no set because its already printed via PAM. Without it set, it is defaulted to 'yes', which results in the MOTD being printed twice, so we return the Debian default configuration in this commit
---
templates/sshd_config/Debian_lenny.erb | 1 +
1 file changed, 1 insertion(+)
(limited to 'templates/sshd_config/Debian_lenny.erb')
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 8d68808..146e664 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -174,6 +174,7 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +PrintMotd no <%- unless sshd_additional_options.to_s.empty? then %> <%= sshd_additional_options %>
-- cgit v1.2.3
From 78938cde2a23ad8daa0ecb4aff7abe870233048f Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sun, 7 Dec 2008 12:15:41 -0500
Subject: Fix location of default sftp-server on Debian, and uncomment the sftp configuration line to get the sshd_config file defaults to be more like the standard shipped defaults from Debian
---
templates/sshd_config/Debian_lenny.erb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'templates/sshd_config/Debian_lenny.erb')
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 146e664..1762da3 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -131,7 +131,7 @@ KeepAlive yes #ReverseMappingCheck yes <%- if sshd_sftp_subsystem.to_s.empty? then %> -#Subsystem sftp /usr/lib/sftp-server +Subsystem sftp /usr/lib/openssh/sftp-server <%- else %> Subsystem sftp <%= sshd_sftp_subsystem %> <%- end %>
-- cgit v1.2.3
From f44776cbbf1f825e0961c6aedecf67f6652859a6 Mon Sep 17 00:00:00 2001
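Review bot: After the sftp hunk (`@@ -131,7 +131,7 @@`) an empty `sshd_sftp_subsystem` always enables the subsystem; before this commit an empty value left the line commented out, so a manifest that relied on the empty default to keep sftp off now silently gets `Subsystem sftp /usr/lib/openssh/sftp-server`. If keeping the subsystem disabled should stay possible, an explicit sentinel is clearer than overloading the empty string, e.g. a first branch `<%- if sshd_sftp_subsystem.to_s == 'off' then %>` that renders `#Subsystem sftp -- disabled by puppet` ahead of the existing `empty?` branch. The `<%- if ... %>` chain this touches is complete within the hunk.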
From: Micah Anderson
Date: Tue, 7 Jul 2009 20:52:40 -0400
Subject: replace the sshd_additional_options variable with two, one called sshd_head_additional_options and one called sshd_tail_additional_options. the first puts the value at the beginning of the file, and the second at the end. This is necessary due to some option ordering requiring things to be before others
---
templates/sshd_config/Debian_lenny.erb | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'templates/sshd_config/Debian_lenny.erb')
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 1762da3..c7f4ab4 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -1,6 +1,10 @@ # Package generated configuration file # See the sshd(8) manpage for details +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + # What ports, IPs and protocols we listen for <%- unless sshd_port.to_s.empty? then -%> Port <%= sshd_port -%>
@@ -176,7 +180,7 @@ AllowGroups <%= sshd_allowed_groups %> PrintMotd no -<%- unless sshd_additional_options.to_s.empty? then %> -<%= sshd_additional_options %> +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> <%- end %>
-- cgit v1.2.3
From 93e2f4d4c02d01fd430d1b9e1cf6860508a03773 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 7 Jul 2009 20:55:13 -0400
Subject: Template out the possibility of specifying the key word 'off' to the $sshd_port parameter, which simply puts a comment in front of that option, rather than specifying it.
---
templates/sshd_config/Debian_lenny.erb | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'templates/sshd_config/Debian_lenny.erb')
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index c7f4ab4..18f3e4d 100644
--- a/templates/sshd_config/Debian_lenny.erb
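Review bot: The `sshd_head_additional_options` block in the first hunk (`@@ -1,6 +1,10 @@`) is rendered before every other directive, and sshd keeps the first value it reads for a keyword, so anything placed in that variable silently wins over the template-managed settings that follow it (`Port`, `PermitRootLogin`, `PasswordAuthentication`, and so on); a comment above the block such as `# head options precede all managed settings and take priority: sshd uses the first value seen for a keyword` would make that explicit. The second hunk (`@@ -176,7 +180,7 @@`) removes `sshd_additional_options` outright, so a manifest that still sets it has its options dropped from the rendered config with no warning, which is a quiet way to lose a hardening directive. Rendering the legacy variable in the tail block as well for a deprecation period — `<%- unless sshd_additional_options.to_s.empty? then %>` / `<%= sshd_additional_options %>` / `<%- end %>` — would avoid that. Both `unless` blocks are complete within their hunks.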
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -7,7 +7,11 @@ # What ports, IPs and protocols we listen for <%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> Port <%= sshd_port -%> +<% end -%> <%- else -%> Port 22 <%- end -%>
-- cgit v1.2.3
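Review bot: The rendered comment `#Port -- disabled by puppet` is misleading: leaving `Port` out does not disable listening, sshd simply falls back to its built-in default (22, the same value the `else` branch writes), so `off` really means "not managed by this template", which matters if an operator reads the file expecting the service to be unreachable on that port. Rewording it to `#Port -- not set by puppet (sshd default applies)` and documenting the `off` keyword next to the `$sshd_port` parameter would remove the ambiguity. The new `<% else -%>` and `<% end -%>` tags also drop the leading `-` used by the surrounding `<%- ... -%>` tags; output is identical at column 0, but `<%- else -%>` / `<%- end -%>` keeps the template consistent. The enclosing `unless sshd_port.to_s.empty?` block is complete within the hunk.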