Merge remote-tracking branch 'origin/pr/3'

Conflicts: openssh/files/sshd_config openssh/init.sls pillar.example
2014-03-17 16:14:17 -06:00 · 2014-03-17 16:14:17 -06:00 · 351a6b81dc
commit 351a6b81dc
parent 54b99b5615 d22dde7373
3 changed files with 94 additions and 2 deletions
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@ -102,4 +102,42 @@
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-#UsePAM yes
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+{% if grains['os_family'] == 'RedHat' %}
+UsePrivilegeSeparation yes              # RedHat/Centos 6.4 and earlier currently ship 5.3 (sandbox introduced in OpenSSH 5.9)
+{% else %}
+UsePrivilegeSeparation sandbox		# Default for new installations.
+{% endif %}
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+Banner /etc/ssh/banner
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	ForceCommand cvs server
--- a/openssh/init.sls
+++ b/openssh/init.sls
@ -8,4 +8,43 @@ openssh:
    - name: {{ openssh.service }}
    - require:
      - pkg: {{ openssh.server }}
+      {% if salt['pillar.get']('openssh:provide_dsa_keys', False) %}
+      - file: /etc/ssh/ssh_host_dsa_key
+      - file: /etc/ssh/ssh_host_dsa_key.pub
+      {% endif %}
+      {% if salt['pillar.get']('openssh:provide_rsa_keys', False) %}
+      - file: /etc/ssh/ssh_host_rsa_key
+      - file: /etc/ssh/ssh_host_rsa_key.pub
+      {% endif %}

+{% if salt['pillar.get']('openssh:provide_dsa_keys', False) %}
+ssh_host_dsa_key:
+  file.managed:
+    - name: /etc/ssh/ssh_host_dsa_key
+    - contents_pillar: 'openssh:dsa:private_key'
+    - user: root
+    - mode: 600
+
+ssh_host_dsa_key.pub:
+  file.managed:
+    - name: /etc/ssh/ssh_host_dsa_key.pub
+    - contents_pillar: 'openssh:dsa:public_key'
+    - user: root
+    - mode: 600
+{% endif %}
+
+{% if salt['pillar.get']('openssh:provide_rsa_keys', False) %}
+ssh_host_rsa_key:
+  file.managed:
+    - name: /etc/ssh/ssh_host_rsa_key
+    - contents_pillar: 'openssh:rsa:private_key'
+    - user: root
+    - mode: 600
+
+ssh_host_rsa_key.pub:
+  file.managed:
+    - name: /etc/ssh/ssh_host_rsa_key.pub
+    - contents_pillar: 'openssh:rsa:public_key'
+    - user: root
+    - mode: 600
+{% endif %}
--- a/pillar.example
+++ b/pillar.example
@ -40,4 +40,19 @@ openssh:
        present: False
        enc: ssh-rsa
        comment: obsolete key - removed
-
+  dsa:
+    private_key: |
+      -----BEGIN DSA PRIVATE KEY-----
+      NOT_DEFINED
+      -----END DSA PRIVATE KEY-----
+    public_key: |
+      ssh-dss NOT_DEFINED
+  provide_dsa_keys: False
+  provide_rsa_keys: False
+  rsa:
+    private_key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      NOT_DEFINED
+      -----END RSA PRIVATE KEY-----
+    public_key: |
+      ssh-rsa NOT_DEFINED