2014-02-09 23:42:52 +01:00
|
|
|
sshd_config:
|
|
|
|
|
Port: 22
|
|
|
|
|
Protocol: 2
|
|
|
|
|
HostKey:
|
|
|
|
|
- /etc/ssh/ssh_host_rsa_key
|
|
|
|
|
- /etc/ssh/ssh_host_dsa_key
|
|
|
|
|
- /etc/ssh/ssh_host_ecdsa_key
|
2015-01-16 18:21:10 +01:00
|
|
|
- /etc/ssh/ssh_host_ed25519_key
|
2014-04-27 20:52:58 +02:00
|
|
|
UsePrivilegeSeparation: 'yes'
|
2014-02-09 23:42:52 +01:00
|
|
|
KeyRegenerationInterval: 3600
|
|
|
|
|
ServerKeyBits: 768
|
|
|
|
|
SyslogFacility: AUTH
|
|
|
|
|
LogLevel: INFO
|
|
|
|
|
LoginGraceTime: 120
|
2014-04-27 20:52:58 +02:00
|
|
|
PermitRootLogin: 'yes'
|
|
|
|
|
PasswordAuthentication: 'no'
|
|
|
|
|
StrictModes: 'yes'
|
|
|
|
|
RSAAuthentication: 'yes'
|
|
|
|
|
PubkeyAuthentication: 'yes'
|
|
|
|
|
IgnoreRhosts: 'yes'
|
|
|
|
|
RhostsRSAAuthentication: 'no'
|
|
|
|
|
HostbasedAuthentication: 'no'
|
|
|
|
|
PermitEmptyPasswords: 'no'
|
|
|
|
|
ChallengeResponseAuthentication: 'no'
|
2015-05-28 07:36:11 +02:00
|
|
|
AuthenticationMethods: 'publickey,keyboard-interactive'
|
2014-04-27 20:52:58 +02:00
|
|
|
X11Forwarding: 'yes'
|
2014-02-09 23:42:52 +01:00
|
|
|
X11DisplayOffset: 10
|
2014-04-27 20:52:58 +02:00
|
|
|
PrintMotd: 'no'
|
|
|
|
|
PrintLastLog: 'yes'
|
|
|
|
|
TCPKeepAlive: 'yes'
|
2014-02-09 23:42:52 +01:00
|
|
|
AcceptEnv: "LANG LC_*"
|
|
|
|
|
Subsystem: "sftp /usr/lib/openssh/sftp-server"
|
2014-04-27 20:52:58 +02:00
|
|
|
UsePAM: 'yes'
|
2014-07-22 07:37:41 +02:00
|
|
|
UseDNS: 'yes'
|
2015-01-16 22:56:59 +01:00
|
|
|
AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
|
2015-01-17 20:04:03 +01:00
|
|
|
DenyUsers: 'yoda chewbaca@112.10.21.1'
|
|
|
|
|
AllowGroups: 'wheel staff imperial'
|
|
|
|
|
DenyGroups: 'rebel'
|
2014-09-19 18:42:17 +02:00
|
|
|
matches:
|
|
|
|
|
sftp_chroot:
|
|
|
|
|
type:
|
|
|
|
|
Group: sftpusers
|
|
|
|
|
options:
|
|
|
|
|
ChrootDirectory: /sftp-chroot/%u
|
|
|
|
|
X11Forwarding: no
|
|
|
|
|
AllowTcpForwarding: no
|
|
|
|
|
ForceCommand: internal-sftp
|
2015-06-30 14:33:57 +02:00
|
|
|
# Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
|
|
|
|
|
KexAlgorithms: 'diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
|
|
|
|
|
Ciphers: 'aes128-ctr,aes256-ctr'
|
|
|
|
|
MACs: 'hmac-sha1'
|
2014-02-09 23:38:30 +01:00
|
|
|
|
2014-02-09 23:42:52 +01:00
|
|
|
openssh:
|
2014-02-09 23:38:30 +01:00
|
|
|
auth:
|
2015-01-28 23:00:47 +01:00
|
|
|
joe-valid-ssh-key-desktop:
|
|
|
|
|
- user: joe
|
2014-02-09 23:38:30 +01:00
|
|
|
present: True
|
|
|
|
|
enc: ssh-rsa
|
2015-01-28 23:00:47 +01:00
|
|
|
comment: main key - desktop
|
|
|
|
|
joe-valid-ssh-key-notebook:
|
|
|
|
|
- user: joe
|
|
|
|
|
present: True
|
|
|
|
|
enc: ssh-rsa
|
|
|
|
|
comment: main key - notebook
|
|
|
|
|
joe-non-valid-ssh-key:
|
|
|
|
|
- user: joe
|
2014-02-09 23:38:30 +01:00
|
|
|
present: False
|
|
|
|
|
enc: ssh-rsa
|
|
|
|
|
comment: obsolete key - removed
|
2014-12-15 07:00:45 +01:00
|
|
|
|
|
|
|
|
generate_dsa_keys: False
|
2015-06-07 20:37:33 +02:00
|
|
|
absent_dsa_keys: False
|
2014-12-15 07:00:45 +01:00
|
|
|
provide_dsa_keys: False
|
2014-01-03 05:34:48 +01:00
|
|
|
dsa:
|
|
|
|
|
private_key: |
|
|
|
|
|
-----BEGIN DSA PRIVATE KEY-----
|
|
|
|
|
NOT_DEFINED
|
|
|
|
|
-----END DSA PRIVATE KEY-----
|
|
|
|
|
public_key: |
|
|
|
|
|
ssh-dss NOT_DEFINED
|
2014-12-15 07:00:45 +01:00
|
|
|
|
|
|
|
|
generate_ecdsa_keys: False
|
2015-06-07 20:37:33 +02:00
|
|
|
absent_ecdsa_keys: False
|
2014-12-15 07:00:45 +01:00
|
|
|
provide_ecdsa_keys: False
|
2014-08-24 13:18:37 +02:00
|
|
|
ecdsa:
|
|
|
|
|
private_key: |
|
|
|
|
|
-----BEGIN EC PRIVATE KEY-----
|
|
|
|
|
NOT_DEFINED
|
|
|
|
|
-----END EC PRIVATE KEY-----
|
|
|
|
|
public_key: |
|
|
|
|
|
ecdsa-sha2-nistp256 NOT_DEFINED
|
2014-12-15 07:00:45 +01:00
|
|
|
|
2014-08-24 17:44:33 +02:00
|
|
|
generate_rsa_keys: False
|
2015-06-07 20:37:33 +02:00
|
|
|
absent_rsa_keys: False
|
2014-12-15 07:00:45 +01:00
|
|
|
provide_rsa_keys: False
|
2014-01-03 05:34:48 +01:00
|
|
|
rsa:
|
|
|
|
|
private_key: |
|
|
|
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
|
|
|
NOT_DEFINED
|
|
|
|
|
-----END RSA PRIVATE KEY-----
|
|
|
|
|
public_key: |
|
|
|
|
|
ssh-rsa NOT_DEFINED
|
2014-12-15 07:00:17 +01:00
|
|
|
|
|
|
|
|
generate_ed25519_keys: False
|
2015-06-07 20:37:33 +02:00
|
|
|
absent_ed25519_keys: False
|
2014-12-15 07:00:17 +01:00
|
|
|
provide_ed25519_keys: False
|
|
|
|
|
ed25519:
|
|
|
|
|
private_key: |
|
|
|
|
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
|
|
|
NOT_DEFINED
|
|
|
|
|
-----END OPENSSH PRIVATE KEY-----
|
|
|
|
|
public_key: |
|
|
|
|
|
ssh-ed25519 NOT_DEFINED
|
2015-03-26 17:50:32 +01:00
|
|
|
|
|
|
|
|
known_hosts:
|
|
|
|
|
# The next 2 settings restrict the set of minions that will be added in
|
|
|
|
|
# the generated ssh_known_hosts files (the default is to match all minions)
|
|
|
|
|
target: '*'
|
|
|
|
|
expr_form: 'glob'
|
|
|
|
|
# Name of mining functions used to gather public keys and hostnames
|
|
|
|
|
# (the default values are shown here)
|
|
|
|
|
mine_keys_function: public_ssh_host_keys
|
|
|
|
|
mine_hostname_function: public_ssh_hostname
|
|
|
|
|
# List of DNS entries also pointing to our managed machines and that we want
|
|
|
|
|
# to inject in our generated ssh_known_hosts file
|
|
|
|
|
aliases:
|
|
|
|
|
- cname-to-minion.example.org
|
|
|
|
|
- alias.example.org
|
|
|
|
|
|
|
|
|
|
# Required for openssh.known_hosts
|
|
|
|
|
mine_functions:
|
|
|
|
|
public_ssh_host_keys:
|
|
|
|
|
mine_function: cmd.run
|
|
|
|
|
cmd: cat /etc/ssh/ssh_host_*_key.pub
|
2015-05-28 23:00:27 +02:00
|
|
|
python_shell: True
|
2015-03-26 17:50:32 +01:00
|
|
|
public_ssh_hostname:
|
|
|
|
|
mine_function: grains.get
|
|
|
|
|
key: id
|
