From 96bbe0adb8323ecb8e95e6be8900e6dd1b57b419 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 20 Oct 2008 22:46:50 +0000 Subject: new options, cleaned up real_ hack git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2527 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- templates/sshd_config/CentOS.erb | 56 +++++++++++++++++++++------------- templates/sshd_config/Debian_etch.erb | 55 ++++++++++++++++++++------------- templates/sshd_config/Debian_lenny.erb | 56 +++++++++++++++++++++------------- templates/sshd_config/Gentoo.erb | 56 +++++++++++++++++++++------------- templates/sshd_config/OpenBSD.erb | 51 +++++++++++++++++++------------ 5 files changed, 169 insertions(+), 105 deletions(-) (limited to 'templates/sshd_config') diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 6a16d77..27880cb 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -10,14 +10,14 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless real_sshd_port.to_s.empty? then %> -Port <%= real_sshd_port %> +<%- unless sshd_port.to_s.empty? then %> +Port <%= sshd_port %> <%- else %> Port 22 <%- end %> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> #AddressFamily any @@ -42,13 +42,13 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> +<%- unless sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> -<%- if real_sshd_strict_modes.to_s == 'yes' then %> +<%- if sshd_strict_modes.to_s == 'yes' then %> StrictModes yes <%- else %> StrictModes no @@ -56,33 +56,33 @@ StrictModes no #MaxAuthTries 6 -<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rsa_authentication.to_s == 'yes' then %> RSAAuthentication yes <%- else %> RSAAuthentication no <%- end %> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +<%- if sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> PubkeyAuthentication no <%- end %> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else %> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> RhostsRSAAuthentication yes <%- else %> RhostsRSAAuthentication no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +<%- if sshd_hostbased_authentication.to_s == 'yes' then %> HostbasedAuthentication yes <%- else %> HostbasedAuthentication no @@ -93,28 +93,28 @@ HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +<%- if sshd_ignore_rhosts.to_s == 'yes' then %> IgnoreRhosts yes <%- else %> IgnoreRhosts no <% end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> +<%- if sshd_password_authentication.to_s == 'yes' then %> PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> ChallengeResponseAuthentication yes <%- else %> ChallengeResponseAuthentication no @@ -141,7 +141,7 @@ GSSAPICleanupCredentials yes # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no -<%- if real_sshd_use_pam.to_s == 'yes' then %> +<%- if sshd_use_pam.to_s == 'yes' then %> UsePAM yes <%- else %> UsePAM no @@ -152,7 +152,7 @@ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +<%- if sshd_tcp_forwarding.to_s == 'yes' then %> AllowTcpForwarding yes <%- else %> AllowTcpForwarding no @@ -160,7 +160,7 @@ AllowTcpForwarding no #GatewayPorts no #X11Forwarding no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +<%- if sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes <%- else %> X11Forwarding no @@ -186,7 +186,21 @@ X11Forwarding no #Banner /some/path # override default of no subsystems +<%- if sshd_sftp_subsystem.to_s.empty? then %> Subsystem sftp /usr/libexec/openssh/sftp-server -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +<%- unless sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= sshd_allowed_users %> +<%- end %> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> <%- end %> + + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> +<%- end %> + diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 09be201..28aa52c 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -2,14 +2,14 @@ # See the sshd(8) manpage for details # What ports, IPs and protocols we listen for -<%- unless real_sshd_port.to_s.empty? then -%> -Port <%= real_sshd_port -%> +<%- unless sshd_port.to_s.empty? then -%> +Port <%= sshd_port -%> <%- else -%> Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> Protocol 2 @@ -33,52 +33,52 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> <%- else -%> PermitRootLogin without-password <%- end -%> -<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +<%- if sshd_strict_modes.to_s == 'yes' then -%> StrictModes yes <%- else -%> StrictModes no <%- end -%> -<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> RSAAuthentication yes <%- else -%> RSAAuthentication no <%- end -%> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> PubkeyAuthentication yes <%- else -%> PubkeyAuthentication no <%- end -%> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else -%> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end -%> # For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> RhostsRSAAuthentication yes <%- else -%> RhostsRSAAuthentication no <% end -%> # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> IgnoreRhosts yes <%- else -%> IgnoreRhosts no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> HostbasedAuthentication yes <%- else -%> HostbasedAuthentication no @@ -88,21 +88,21 @@ HostbasedAuthentication no #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> ChallengeResponseAuthentication yes <%- else -%> ChallengeResponseAuthentication no <%- end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +<%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes <%- else -%> PasswordAuthentication no @@ -117,7 +117,7 @@ PasswordAuthentication no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes <%- else -%> X11Forwarding no @@ -130,7 +130,11 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes +<%- if sshd_sftp_subsystem.to_s.empty? then %> #Subsystem sftp /usr/lib/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -141,7 +145,7 @@ KeepAlive yes # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then -%> +<%- if sshd_use_pam.to_s == 'yes' then -%> UsePAM yes <%- else -%> UsePAM no @@ -149,7 +153,7 @@ UsePAM no HostbasedUsesNameFromPacketOnly yes -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> AllowTcpForwarding no @@ -157,7 +161,16 @@ AllowTcpForwarding no ChallengeResponseAuthentication no -<%- unless real_sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= real_sshd_allowed_users -%> +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> <%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> +<%- end %> + diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index bb39736..8d68808 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -2,14 +2,14 @@ # See the sshd(8) manpage for details # What ports, IPs and protocols we listen for -<%- unless real_sshd_port.to_s.empty? then -%> -Port <%= real_sshd_port -%> +<%- unless sshd_port.to_s.empty? then -%> +Port <%= sshd_port -%> <%- else -%> Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> Protocol 2 @@ -33,52 +33,52 @@ LogLevel INFO # Authentication: LoginGraceTime 600 -<%- unless real_sshd_permit_root_login.to_s.empty? then -%> -PermitRootLogin <%= real_sshd_permit_root_login -%> +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> <%- else -%> PermitRootLogin without-password <%- end -%> -<%- if real_sshd_strict_modes.to_s == 'yes' then -%> +<%- if sshd_strict_modes.to_s == 'yes' then -%> StrictModes yes <%- else -%> StrictModes no <%- end -%> -<%- if real_sshd_rsa_authentication.to_s == 'yes' then -%> +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> RSAAuthentication yes <%- else -%> RSAAuthentication no <%- end -%> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then -%> +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> PubkeyAuthentication yes <%- else -%> PubkeyAuthentication no <%- end -%> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then -%> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else -%> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end -%> # For this to work you will also need host keys in /etc/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> RhostsRSAAuthentication yes <%- else -%> RhostsRSAAuthentication no <% end -%> # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then -%> +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> IgnoreRhosts yes <%- else -%> IgnoreRhosts no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then -%> +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> HostbasedAuthentication yes <%- else -%> HostbasedAuthentication no @@ -88,21 +88,21 @@ HostbasedAuthentication no #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then -%> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then -%> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> ChallengeResponseAuthentication yes <%- else -%> ChallengeResponseAuthentication no <%- end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then -%> +<%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes <%- else -%> PasswordAuthentication no @@ -117,7 +117,7 @@ PasswordAuthentication no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -<%- if real_sshd_x11_forwarding.to_s == 'yes' then -%> +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes <%- else -%> X11Forwarding no @@ -130,7 +130,11 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes +<%- if sshd_sftp_subsystem.to_s.empty? then %> #Subsystem sftp /usr/lib/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -141,7 +145,7 @@ KeepAlive yes # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then -%> +<%- if sshd_use_pam.to_s == 'yes' then -%> UsePAM yes <%- else -%> UsePAM no @@ -149,13 +153,13 @@ UsePAM no HostbasedUsesNameFromPacketOnly yes -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then -%> +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> AllowTcpForwarding no <%- end -%> -<%- if real_sshd_agent_forwarding.to_s == 'yes' then -%> +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> AllowAgentForwarding yes <%- else -%> AllowAgentForwarding no @@ -163,7 +167,15 @@ AllowAgentForwarding no ChallengeResponseAuthentication no -<%- unless real_sshd_allowed_users.to_s.empty? then -%> -AllowUsers <%= real_sshd_allowed_users -%> +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> <%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> +<%- end %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 1b9b98e..77ed378 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -10,14 +10,14 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless real_sshd_port.to_s.empty? then %> -Port <%= real_sshd_port %> +<%- unless sshd_port.to_s.empty? then %> +Port <%= sshd_port %> <%- else %> Port 22 <%- end %> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> #AddressFamily any @@ -47,46 +47,46 @@ Protocol 2 #LoginGraceTime 2m PermitRootLogin without-password -<%- if real_sshd_strict_modes.to_s == 'yes' then %> +<%- if sshd_strict_modes.to_s == 'yes' then %> StrictModes yes <%- else %> StrictModes no <%- end %> -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> +<%- unless sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> #MaxAuthTries 6 -<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rsa_authentication.to_s == 'yes' then %> RSAAuthentication yes <%- else %> RSAAuthentication no <%- end %> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +<%- if sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> PubkeyAuthentication no <%- end %> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else %> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> RhostsRSAAuthentication yes <%- else %> RhostsRSAAuthentication no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +<%- if sshd_hostbased_authentication.to_s == 'yes' then %> HostbasedAuthentication yes <%- else %> HostbasedAuthentication no @@ -97,28 +97,28 @@ HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +<%- if sshd_ignore_rhosts.to_s == 'yes' then %> IgnoreRhosts yes <%- else %> IgnoreRhosts no <% end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> +<%- if sshd_password_authentication.to_s == 'yes' then %> PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> ChallengeResponseAuthentication yes <%- else %> ChallengeResponseAuthentication no @@ -145,20 +145,20 @@ ChallengeResponseAuthentication no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -<%- if real_sshd_use_pam.to_s == 'yes' then %> +<%- if sshd_use_pam.to_s == 'yes' then %> UsePAM yes <%- else %> UsePAM no <%- end %> -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +<%- if sshd_tcp_forwarding.to_s == 'yes' then %> AllowTcpForwarding yes <%- else %> AllowTcpForwarding no <%- end %> #GatewayPorts no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +<%- if sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes <%- else %> X11Forwarding no @@ -183,7 +183,11 @@ X11Forwarding no #Banner /some/path # override default of no subsystems +<%- if sshd_sftp_subsystem.to_s.empty? then %> Subsystem sftp /usr/lib/misc/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> # Example of overriding settings on a per-user basis #Match User anoncvs @@ -191,6 +195,16 @@ Subsystem sftp /usr/lib/misc/sftp-server # AllowTcpForwarding no # ForceCommand cvs server -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> +<%- unless sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= sshd_allowed_users %> +<%- end %> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> <%- end %> + + diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 32f6780..a6e0763 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,14 +8,14 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless real_sshd_port.to_s.empty? then %> -Port <%= real_sshd_port %> +<%- unless sshd_port.to_s.empty? then %> +Port <%= sshd_port %> <%- else %> Port 22 <%- end %> # Use these options to restrict which interfaces/protocols sshd will bind to -<% for address in real_sshd_listen_address -%> +<% for address in sshd_listen_address -%> ListenAddress <%= address %> <% end -%> #Protocol 2,1 @@ -39,13 +39,13 @@ ListenAddress <%= address %> # Authentication: #LoginGraceTime 2m -<%- unless real_sshd_permit_root_login.to_s.empty? then %> -PermitRootLogin <%= real_sshd_permit_root_login %> +<%- unless sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= sshd_permit_root_login %> <%- else %> PermitRootLogin without-password <%- end %> -<%- if real_sshd_strict_modes.to_s == 'yes' then %> +<%- if sshd_strict_modes.to_s == 'yes' then %> StrictModes yes <%- else %> StrictModes no @@ -53,33 +53,33 @@ StrictModes no #MaxAuthTries 6 -<%- if real_sshd_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rsa_authentication.to_s == 'yes' then %> RSAAuthentication yes <%- else %> RSAAuthentication no <%- end %> -<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %> +<%- if sshd_pubkey_authentication.to_s == 'yes' then %> PubkeyAuthentication yes <%- else %> PubkeyAuthentication no <%- end %> -<%- unless real_sshd_authorized_keys_file.to_s.empty? then %> -AuthorizedKeysFile <%= real_sshd_authorized_keys_file %> +<%- unless sshd_authorized_keys_file.to_s.empty? then %> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> <%- else %> AuthorizedKeysFile %h/.ssh/authorized_keys <%- end %> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> RhostsRSAAuthentication yes <%- else %> RhostsRSAAuthentication no <% end -%> # similar for protocol version 2 -<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %> +<%- if sshd_hostbased_authentication.to_s == 'yes' then %> HostbasedAuthentication yes <%- else %> HostbasedAuthentication no @@ -90,28 +90,28 @@ HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %> +<%- if sshd_ignore_rhosts.to_s == 'yes' then %> IgnoreRhosts yes <%- else %> IgnoreRhosts no <% end -%> # To disable tunneled clear text passwords, change to no here! -<%- if real_sshd_password_authentication.to_s == 'yes' then %> +<%- if sshd_password_authentication.to_s == 'yes' then %> PasswordAuthentication yes <%- else %> PasswordAuthentication no <%- end %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if real_sshd_permit_empty_passwords.to_s == 'yes' then %> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> ChallengeResponseAuthentication yes <%- else %> ChallengeResponseAuthentication no @@ -127,14 +127,14 @@ ChallengeResponseAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -<%- if real_sshd_tcp_forwarding.to_s == 'yes' then %> +<%- if sshd_tcp_forwarding.to_s == 'yes' then %> AllowTcpForwarding yes <%- else %> AllowTcpForwarding no <%- end %> #GatewayPorts no -<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +<%- if sshd_x11_forwarding.to_s == 'yes' then %> X11Forwarding yes <%- else %> X11Forwarding no @@ -159,10 +159,17 @@ X11Forwarding no #Banner /some/path # override default of no subsystems +<%- if sshd_sftp_subsystem.to_s.empty? then %> Subsystem sftp /usr/libexec/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> -<%- unless real_sshd_allowed_users.to_s.empty? then %> -AllowUsers <%= real_sshd_allowed_users %> +<%- unless sshd_allowed_users.to_s.empty? then %> +AllowUsers <%= sshd_allowed_users %> +<%- end %> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> <%- end %> # Example of overriding settings on a per-user basis @@ -170,3 +177,7 @@ AllowUsers <%= real_sshd_allowed_users %> # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server + +<%- unless sshd_additional_options.to_s.empty? then %> +<%= sshd_additional_options %> +<%- end %> -- cgit v1.2.3