diff --git a/openssh/files/ssh_config b/openssh/files/ssh_config
index 4bd2146..4773791 100644
--- a/openssh/files/ssh_config
+++ b/openssh/files/ssh_config
@@ -2,6 +2,7 @@
 {%- set ssh_config = salt['pillar.get']('ssh_config', default=default_settings.ssh_config, merge=True) -%}
 {#- present in ssh_config and known in actual file options -#}
 {%- set processed_options = [] -%}
+{%- set string_or_list_options = ['KexAlgorithms', 'Ciphers', 'MACs'] -%}
 
 {%- macro render_raw_option(keyword, value) -%}
 {%- if value is sameas true -%}
@@ -47,8 +48,31 @@
 {{ option_impl(keyword, default, True) }}
 {%- endmacro -%}
 
+{#- macro for collapsing a list into a string -#}
+{%- macro option_collapselist(keyword, sep) -%}
+{%- do processed_options.append(keyword) -%}
+{{keyword}} {{ssh_config.get(keyword)|join(sep)}}
+{%- endmacro -%}
+
+{#- macro for handling an option that can be specified as a list or a string -#}
+{%- macro option_string_or_list(keyword, default, default_commented, sep=',') -%}
+{%- if ssh_config.get(keyword, '') is string -%}
+ {%- if default_commented -%}
+{{ option(keyword, default) }}
+ {%- else -%}
+{{ option_default_uncommented(keyword, default) }}
+ {%- endif -%}
+{%- else -%}
+{{ option_collapselist(keyword, sep) }}
+{%- endif -%}
+{%- endmacro -%}
+
+{%- if ssh_config.get('ConfigBanner', False) -%}
+{{ ssh_config['ConfigBanner'] }}
+{%- else -%}
 # Do not edit this file manually!
 # It will be overwritten by salt!
+{%- endif %}
 
 {%- if 'Hosts' in ssh_config %}
 {%- do processed_options.append('Hosts') %}
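Review bot: The ConfigBanner block never appends 'ConfigBanner' to processed_options, so unless that happens outside the hunk, the catch-all `{%- for keyword in ssh_config.keys() %}` loop in the next hunk renders the banner a second time as a `ConfigBanner …` directive at the bottom of the file, which ssh rejects as a bad configuration option; add `{%- do processed_options.append('ConfigBanner') -%}` inside the if, as the Hosts block just below does for its key (the sshd_config hunk at -42,7 needs the same line). The banner is also written verbatim, so a line without a leading `#` becomes a live directive — worth a comment on the block if the macro is not going to prefix the lines itself. Separately, option_string_or_list sends every non-string pillar value to option_collapselist, where an empty list renders the keyword with no argument (ssh and sshd report a missing argument) and a null value makes `join` fail at render time. Treating empty values like an absent key, e.g. `{%- set value = ssh_config.get(keyword, '') -%}` followed by `{%- if value is string or not value -%}`, keeps the default in play, assuming option() falls back to the default when the key is empty (its body is outside the hunk).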
@@ -64,8 +88,13 @@ Host {{ host }}
 {%- for keyword in ssh_config.keys() %}
 {#- Matches have to be at the bottom and should be handled differently -#}
 {%- if not keyword in processed_options and keyword != 'matches' -%}
+ {%- if not keyword in string_or_list_options -%}
 {#- send a blank default as it doesn't matter #}
 {{ render_option(keyword, '') }}
+ {%- else -%}
+{#- same as above #}
+{{ option_string_or_list(keyword, '', True) }}
+ {%- endif -%}
 {%- endif -%}
 {%- endfor %}
 
@@ -78,3 +107,6 @@ Match {{ match['type'].keys()[0] }} {{ match['type'].values()[0] }}
 {%- endfor %}
 {%- endfor %}
 {%- endif %}
+
+{#- vim: set ft=jinja : #}
+
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index bcd8ad4..6a759e2 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -42,7 +42,30 @@
 {{ option_impl(keyword, default, True) }}
 {%- endmacro -%}
 
+{#- macro for collapsing a list into a string -#}
+{%- macro option_collapselist(keyword, sep) -%}
+{%- do processed_options.append(keyword) -%}
+{{keyword}} {{sshd_config.get(keyword)|join(sep)}}
+{%- endmacro -%}
+
+{#- macro for handling an option that can be specified as a list or a string -#}
+{%- macro option_string_or_list(keyword, default, default_commented, sep=',') -%}
+{%- if sshd_config.get(keyword, '') is string -%}
+ {%- if default_commented -%}
+{{ option(keyword, default) }}
+ {%- else -%}
+{{ option_default_uncommented(keyword, default) }}
+ {%- endif -%}
+{%- else -%}
+{{ option_collapselist(keyword, sep) }}
+{%- endif -%}
+{%- endmacro -%}
+
+{%- if sshd_config.get('ConfigBanner', False) -%}
+{{ sshd_config['ConfigBanner'] }}
+{%- else -%}
 # This file is managed by salt. Manual changes risk being overwritten.
+{%- endif %}
 # The contents of the original sshd_config are kept on the bottom for
 # quick reference.
 # See the sshd_config(5) manpage for details
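Review bot: `{#- same as above #}` on the new else branch tells the reader nothing about why these three keywords take a different path; something like `{#- KexAlgorithms/Ciphers/MACs may be given as a list, collapse it with the default separator #}` would. Note also that `not keyword in string_or_list_options` is a case-sensitive comparison while OpenSSH keywords are not, so a pillar key spelled `ciphers` falls through to render_option with the list untouched; if the pillar schema is meant to be exact-case, a comment saying so next to the string_or_list_options definition would save a debugging round.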
@@ -170,13 +193,13 @@
 {{ option('AllowGroups', '') }}
 
 # Specifies the available KEX (Key Exchange) algorithms.
-{{ option('KexAlgorithms', 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1') }}
+{{ option_string_or_list('KexAlgorithms', 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1', True) }}
 
 # Specifies the ciphers allowed for protocol version 2.
-{{ option('Ciphers', 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se') }}
+{{ option_string_or_list('Ciphers', 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se', True) }}
 
 # Specifies the available MAC (message authentication code) algorithms.
-{{ option('MACs', 'hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96') }}
+{{ option_string_or_list('MACs', 'hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96', True) }}
 
 {# Handling unknown in salt template options #}
 {%- for keyword in sshd_config.keys() %}
@@ -196,3 +219,5 @@ Match {{ match['type'].keys()[0] }} {{ match['type'].values()[0] }}
 {%- endfor %}
 {%- endfor %}
 {%- endif %}
+
+{#- vim: set ft=jinja : #}
diff --git a/pillar.example b/pillar.example
index 9a5b035..923438a 100644
--- a/pillar.example
+++ b/pillar.example
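Review bot: The default strings handed to the three new option_string_or_list calls still advertise algorithms that, as far as I know, current OpenSSH releases disable by default or have removed: arcfour*, blowfish-cbc, cast128-cbc, 3des-cbc and rijndael-cbc@lysator.liu.se in Ciphers, diffie-hellman-group1-sha1 in KexAlgorithms, hmac-md5*, hmac-ripemd160* and the -96 truncated MACs. With default_commented set to True they are only written as a commented-out line when the pillar leaves the key unset, so the rendered config is not weakened by them, but the line reads as a recommended baseline to whoever copies it into a pillar. Either trim the commented defaults to the ctr ciphers and sha2 MACs already in the list, or put a comment above each call, e.g. `{# historical sshd default shown for reference, not a recommended set #}`, so the intent is clear.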
@@ -1,4 +1,9 @@
 sshd_config:
+ # This keyword is totally optional
+ ConfigBanner: |
+ # Alternative banner for the config file
+ # (Indented) hash signs lose their special meaning here
+ # and the lines will be written as-is.
 Port: 22
 Protocol: 2
 HostKey:
@@ -53,9 +58,14 @@ sshd_config:
 AllowTcpForwarding: no
 ForceCommand: internal-sftp
 # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
-KexAlgorithms: 'diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
+# For these three keywords, the options may be specified as a list...
+KexAlgorithms:
+ - diffie-hellman-group14-sha1
+ - diffie-hellman-group1-sha1
+# ... or a single string.
 Ciphers: 'aes128-ctr,aes256-ctr'
 MACs: 'hmac-sha1'
+# Similar situation for ssh_config
 
 ssh_config:
 StrictHostKeyChecking: no
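Review bot: The ConfigBanner example explains that hash signs lose their YAML meaning inside the block scalar, but not that they are what keeps the banner a comment in the rendered file: the template writes the value verbatim, so any banner line without a leading `#` is parsed by ssh or sshd as a directive. A line such as `# Every line must start with '#': the banner is written to the config file as-is.` next to the key would make that explicit. The same applies to the ssh_config section, where the key is mentioned only as a "similar situation".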