From abb8566742f1a78d7b588adf3f31f5759aa2cadd Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Sun, 30 Jan 2011 21:28:36 -0500 Subject: Add sshd_config template for Debian sid Debian's unstable branch currently has no template for sshd_config, and thus cannot use the sshd class. Add a template for Debian sid. Signed-off-by: Gabriel Filion --- templates/sshd_config/Debian_sid.erb | 186 +++++++++++++++++++++++++++++++++++ 1 file changed, 186 insertions(+) create mode 100644 templates/sshd_config/Debian_sid.erb (limited to 'templates/sshd_config/Debian_sid.erb') diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb new file mode 100644 index 0000000..13895b7 --- /dev/null +++ b/templates/sshd_config/Debian_sid.erb @@ -0,0 +1,186 @@ +# Package generated configuration file +# See the sshd_config(5) manpage for details + +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + +# What ports, IPs and protocols we listen for +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> +# similar for protocol version 2 +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# Change to no to disable tunnelled clear text passwords +<%- if sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# Kerberos options +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +<%- if sshd_sftp_subsystem.to_s.empty? then %> +Subsystem sftp /usr/lib/openssh/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +#HostbasedUsesNameFromPacketOnly yes + +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> + -- cgit v1.2.3 From c99ff17b1fc6769cc1323a7857a1234dc408dc9b Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 21 Feb 2011 18:29:25 +0100 Subject: Resync Debian sid template with the Squeeze's one. Currently, the only difference is LoginGraceTime, that defaults to 600 in sid. --- templates/sshd_config/Debian_sid.erb | 50 ++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 16 deletions(-) (limited to 'templates/sshd_config/Debian_sid.erb') diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 13895b7..acb79e3 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -1,19 +1,19 @@ +# This file is managed by Puppet, all local modifications will be overwritten +# # Package generated configuration file -# See the sshd_config(5) manpage for details +# See the sshd(8) manpage for details <%- unless sshd_head_additional_options.to_s.empty? then %> <%= sshd_head_additional_options %> <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to @@ -85,7 +85,6 @@ HostbasedAuthentication yes <%- else -%> HostbasedAuthentication no <% end -%> - # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes @@ -104,7 +103,7 @@ ChallengeResponseAuthentication yes ChallengeResponseAuthentication no <%- end -%> -# Change to no to disable tunnelled clear text passwords +# To disable tunneled clear text passwords, change to no here! <%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes <%- else -%> @@ -112,14 +111,33 @@ PasswordAuthentication no <%- end -%> # Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes +<%- if sshd_kerberos_authentication.to_s == 'yes' then -%> +KerberosAuthentication yes +<%- else -%> +KerberosAuthentication no +<%- end -%> +<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%> +KerberosOrLocalPasswd yes +<%- else -%> +KerberosOrLocalPasswd no +<%- end -%> +<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%> +KerberosTicketCleanup yes +<%- else -%> +KerberosTicketCleanup no +<%- end -%> # GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPIAuthentication yes +<%- else -%> +GSSAPIAuthentication no +<%- end -%> +<%- if sshd_gssapi_authentication.to_s == 'yes' then -%> +GSSAPICleanupCredentials yes +<%- else -%> +GSSAPICleanupCredentials yes +<%- end -%> <%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes @@ -130,6 +148,7 @@ X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes + #UseLogin no #MaxStartups 10:30:60 @@ -159,7 +178,7 @@ UsePAM yes UsePAM no <%- end -%> -#HostbasedUsesNameFromPacketOnly yes +HostbasedUsesNameFromPacketOnly yes <%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes @@ -183,4 +202,3 @@ AllowGroups <%= sshd_allowed_groups %> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - -- cgit v1.2.3 From ac240412cccef97e213526d21e2b69a2566258d4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 21 Feb 2011 12:45:49 -0500 Subject: remove HostbasedUsesNameFromPacketOnly yes from Debian sshd_config templates. This is not set in the Debian templates by default, and the default is actually no, not yes. If someone wishes to make a configuration variable they can, otherwise head/tail_additional options can be used --- templates/sshd_config/Debian_sid.erb | 2 -- 1 file changed, 2 deletions(-) (limited to 'templates/sshd_config/Debian_sid.erb') diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index acb79e3..6dc9333 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -178,8 +178,6 @@ UsePAM yes UsePAM no <%- end -%> -HostbasedUsesNameFromPacketOnly yes - <%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> -- cgit v1.2.3 From 34863e959fcd05dd325a658561f14580d49b6764 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sun, 6 Mar 2011 09:10:44 +0100 Subject: New opt-in support to only use strong SSL ciphers and MACs. The new configuration variable is $sshd_hardened_ssl. Settings were stolen from https://github.com/ioerror/duraconf.git. --- templates/sshd_config/Debian_sid.erb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'templates/sshd_config/Debian_sid.erb') diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 6dc9333..0213342 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> -- cgit v1.2.3