Merge branch 'master' into file-mode
This commit is contained in:
amendlik
GitHub
commit
6d6c7a0ead
@ -3,6 +3,7 @@
|
||||
include:
|
||||
- openssh
|
||||
|
||||
{% if salt['pillar.get']('sshd_config', False) %}
|
||||
sshd_config:
|
||||
file.managed:
|
||||
- name: {{ openssh.sshd_config }}
|
||||
@ -13,7 +14,9 @@ sshd_config:
|
||||
- mode: {{ openssh.sshd_config_mode }}
|
||||
- watch_in:
|
||||
- service: openssh
|
||||
{% endif %}
|
||||
|
||||
{% if salt['pillar.get']('ssh_config', False) %}
|
||||
ssh_config:
|
||||
file.managed:
|
||||
- name: {{ openssh.ssh_config }}
|
||||
@ -22,6 +25,7 @@ ssh_config:
|
||||
- user: {{ openssh.ssh_config_user }}
|
||||
- group: {{ openssh.ssh_config_group }}
|
||||
- mode: {{ openssh.ssh_config_mode }}
|
||||
{% endif %}
|
||||
|
||||
{% for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}
|
||||
{% if salt['pillar.get']('openssh:generate_' ~ keyType ~ '_keys', False) %}
|
||||
|
||||
@ -16,11 +16,6 @@ openssh:
|
||||
dig_pkg: dnsutils
|
||||
ssh_moduli: /etc/ssh/moduli
|
||||
root_group: root
|
||||
|
||||
sshd_config: {}
|
||||
ssh_config:
|
||||
Hosts:
|
||||
'*':
|
||||
SendEnv: LANG LC_*
|
||||
HashKnownHosts: yes
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPIDelegateCredentials: no
|
||||
ssh_config: {}
|
||||
|
||||
@ -13,7 +13,7 @@ sshd_config:
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
UsePrivilegeSeparation: 'yes'
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 768
|
||||
ServerKeyBits: 1024
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
ClientAliveInterval: 0
|
||||
@ -35,9 +35,9 @@ sshd_config:
|
||||
ChallengeResponseAuthentication: 'no'
|
||||
AuthenticationMethods: 'publickey,keyboard-interactive'
|
||||
AuthorizedKeysFile: '%h/.ssh/authorized_keys'
|
||||
X11Forwarding: 'yes'
|
||||
X11Forwarding: 'no'
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: 'no'
|
||||
PrintMotd: 'yes'
|
||||
PrintLastLog: 'yes'
|
||||
TCPKeepAlive: 'yes'
|
||||
AcceptEnv: "LANG LC_*"
|
||||
@ -58,15 +58,37 @@ sshd_config:
|
||||
AllowTcpForwarding: no
|
||||
ForceCommand: internal-sftp
|
||||
# Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
|
||||
# For these three keywords, the options may be specified as a list...
|
||||
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
|
||||
# The configuration given in the example below is based on:
|
||||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
#KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
|
||||
#Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
|
||||
#MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
|
||||
KexAlgorithms:
|
||||
- diffie-hellman-group14-sha1
|
||||
- diffie-hellman-group1-sha1
|
||||
# ... or a single string.
|
||||
Ciphers: 'aes128-ctr,aes256-ctr'
|
||||
MACs: 'hmac-sha1'
|
||||
# Similar situation for ssh_config
|
||||
- 'curve25519-sha256@libssh.org'
|
||||
- 'diffie-hellman-group-exchange-sha256'
|
||||
Ciphers:
|
||||
- 'chacha20-poly1305@openssh.com'
|
||||
- 'aes256-gcm@openssh.com'
|
||||
- 'aes128-gcm@openssh.com'
|
||||
- 'aes256-ctr'
|
||||
- 'aes192-ctr'
|
||||
- 'aes128-ctr'
|
||||
MACs:
|
||||
- 'hmac-sha2-512-etm@openssh.com'
|
||||
- 'hmac-sha2-256-etm@openssh.com'
|
||||
- 'hmac-ripemd160-etm@openssh.com'
|
||||
- 'umac-128-etm@openssh.com'
|
||||
- 'hmac-sha2-512'
|
||||
- 'hmac-sha2-256'
|
||||
- 'hmac-ripemd160'
|
||||
- 'umac-128@openssh.com'
|
||||
|
||||
# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
|
||||
# pillar will overwrite the defaults of your distribution's SSH client. This
|
||||
# will also force the default configuration for all the SSH clients on the
|
||||
# machine. This can break SSH connections with servers using older versions of
|
||||
# openssh. Please make sure you understand the implication of different settings
|
||||
ssh_config:
|
||||
StrictHostKeyChecking: no
|
||||
ForwardAgent: no
|
||||
@ -89,6 +111,38 @@ ssh_config:
|
||||
TunnelDevice: 'any:any'
|
||||
PermitLocalCommand: 'no'
|
||||
VisualHostKey: 'no'
|
||||
# Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
|
||||
# WARNING! Please make sure you understand the implications of the below
|
||||
# settings. The examples provided below might break your connection to older /
|
||||
# legacy openssh servers.
|
||||
# The configuration given in the example below is based on:
|
||||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
|
||||
#KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
|
||||
#Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
|
||||
#MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
|
||||
KexAlgorithms:
|
||||
- 'curve25519-sha256@libssh.org'
|
||||
- 'diffie-hellman-group-exchange-sha256'
|
||||
- 'diffie-hellman-group-exchange-sha1'
|
||||
- 'diffie-hellman-group14-sha1'
|
||||
Ciphers:
|
||||
- 'chacha20-poly1305@openssh.com'
|
||||
- 'aes256-gcm@openssh.com'
|
||||
- 'aes128-gcm@openssh.com'
|
||||
- 'aes256-ctr'
|
||||
- 'aes192-ctr'
|
||||
- 'aes128-ctr'
|
||||
MACs:
|
||||
- 'hmac-sha2-512-etm@openssh.com'
|
||||
- 'hmac-sha2-256-etm@openssh.com'
|
||||
- 'hmac-ripemd160-etm@openssh.com'
|
||||
- 'umac-128-etm@openssh.com'
|
||||
- 'hmac-sha2-512'
|
||||
- 'hmac-sha2-256'
|
||||
- 'hmac-ripemd160'
|
||||
- 'umac-128@openssh.com'
|
||||
|
||||
|
||||
openssh:
|
||||
# Controls if SSHD should be enabled/started
|
||||
|
||||
Loading…
Reference in New Issue
Block a user