From 6400516c5e33bb5216a238dbb703afef06b4ec0f Mon Sep 17 00:00:00 2001
From: Brian Holland
Date: Tue, 15 Aug 2017 23:08:23 -0400
Subject: [PATCH 1/2] Add ConfigBanner to processed_options when handled.
This prevents a verbatim version being added to end of file that will cause the parsing to fail.
---
 openssh/files/sshd_config | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index fafb1c6..b0ca8d4 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -74,9 +74,10 @@
 {%- endmacro -%}
 {%- if sshd_config.get('ConfigBanner', False) -%}
-{{ sshd_config['ConfigBanner'] }}
+ {%- do processed_options.append('ConfigBanner') -%}
+ {{ sshd_config['ConfigBanner'] }}
 {%- else -%}
-# This file is managed by salt. Manual changes risk being overwritten.
+ # This file is managed by salt. Manual changes risk being overwritten.
 {%- endif %}
 {%- set global_src_url = salt ['pillar.get']('__formulas:print_template_url', None) %}
 {%- set local_src_url = salt ['pillar.get']('openssh-formula:print_template_url', None) %}
From 9cdb9aaba0c500f43b73d0bd3f1764633e3e7c88 Mon Sep 17 00:00:00 2001
From: Niels Abspoel
Date: Mon, 21 Aug 2017 23:35:04 +0200
Subject: [PATCH 2/2] improve allow_deny_users_groups
---
 openssh/files/sshd_config | 9 +++++----
 pillar.example | 23 +++++++++++++++++++++++
 2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index b0ca8d4..ffa8e57 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
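Review bot: The new `{%- do processed_options.append('ConfigBanner') -%}` line says nothing about why the key has to be marked handled; the reason lives only in the commit message, so a reader of the template cannot tell that leaving it out breaks the rendered sshd_config. Add a comment above it such as `{#- mark ConfigBanner as handled so the unprocessed-option catch-all does not re-emit the banner verbatim at the end of the file -#}`. `processed_options` and that catch-all are defined outside the hunk, so the exact mechanism is inferred from the commit description rather than from these lines. The extra indentation added to both branches is harmless, since the surrounding `-%}`/`{%-` trim markers strip it from the output.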
@@ -208,13 +208,14 @@
 # needs to to a DNS lookup
 #
 # DenyUsers
-{{ option('DenyUsers', '') }}
+{{ option_string_or_list('DenyUsers', '', True , sep=' ')}}
 # AllowUsers
-{{ option('AllowUsers', '') }}
+{{ option_string_or_list('AllowUsers', '', True , sep=' ')}}
 # DenyGroups
-{{ option('DenyGroups', '') }}
+{{ option_string_or_list('DenyGroups', '', True , sep=' ')}}
 # AllowGroups
-{{ option('AllowGroups', '') }}
+{{ option_string_or_list('AllowGroups', '', True , sep=' ')}}
+
 # Specifies the available KEX (Key Exchange) algorithms.
 {{ option_string_or_list('KexAlgorithms', 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1', True) }}
diff --git a/pillar.example b/pillar.example
index a1c6de7..935fb57 100644
--- a/pillar.example
+++ b/pillar.example
@@ -44,10 +44,33 @@ sshd_config:
 Subsystem: "sftp /usr/lib/openssh/sftp-server"
 UsePAM: 'yes'
 UseDNS: 'yes'
+ # set as string
 AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
+ # or set as list
+ AllowUsers:
+ - vader@10.0.0.1
+ - maul@evil.com
+ - sidious
+ - luke
+ # set as string
 DenyUsers: 'yoda chewbaca@112.10.21.1'
+ # or set as list
+ DenyUsers:
+ - yoda
+ - chewbaca@112.10.21.1
+ # set as string
 AllowGroups: 'wheel staff imperial'
+ # or set as list
+ AllowGroups:
+ - wheel
+ - staff
+ - imperial
+ # set as string
 DenyGroups: 'rebel'
+ # or set as list
+ DenyGroups:
+ - rebel
+ - badcompany
 matches:
 sftp_chroot:
 type:
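Review bot: All four new `option_string_or_list(...)` calls carry a stray space before the comma and none before the closing braces, `True , sep=' ')}}`, which differs from the `KexAlgorithms` call two lines below; write them as `{{ option_string_or_list('DenyUsers', '', True, sep=' ') }}` and likewise for AllowUsers, DenyGroups and AllowGroups. The macro body is outside the hunk, so it is worth confirming that an empty pillar value (an empty string or an empty list joined with `sep=' '`) still results in no line at all, as the old `option(..., '')` form presumably did, rather than a bare `AllowUsers` with no argument. Depending on the sshd version that bare keyword is either a parse error or, for AllowUsers, a no-op that leaves no restriction in place, so the empty case is the one to test for these access-control directives.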
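Review bot: The example now declares `AllowUsers`, `DenyUsers`, `AllowGroups` and `DenyGroups` twice each under the same `sshd_config` mapping, once as a string and once as a list, and a duplicate mapping key is not valid YAML; the loaders that accept it keep only the last occurrence silently, so anyone copying the example verbatim gets the list form and never learns the string form was dropped. Comment out one of the two forms, e.g. `# AllowUsers:` / `#   - vader@10.0.0.1` for the list alternative, so the file remains a loadable pillar while still documenting both shapes. For access-control settings a silently discarded value is exactly the surprise an example pillar should not invite.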