diff --git a/README.rst b/README.rst index ff9d3c7..8b52e14 100644 --- a/README.rst +++ b/README.rst @@ -22,7 +22,9 @@ Installs the ``openssh`` package and service. ------------------ Installs the configuration file included in this formula -(under "openssh/files"). +(under "openssh/files"). This configuration file is populated +by values from pillar. ``pillar.example`` results in the generation +of the default ``sshd_config`` file on Debian Wheezy. ``openssh.banner`` ------------------ diff --git a/openssh/config.sls b/openssh/config.sls index cbf7376..1a9e7a8 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -7,6 +7,10 @@ sshd_config: file.managed: - name: {{ openssh.sshd_config }} - source: {{ openssh.sshd_config_src }} + - template: jinja + - user: root + - group: root + - mode: 644 - watch_in: - - service: {{ openssh.service }} + - service: openssh diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index b59c59c..43e2566 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config 
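Review bot: The new `- service: openssh` in the `watch_in` requisite hard-codes the service name while the lines just above still resolve `name` and `source` through the map (`{{ openssh.sshd_config }}`, `{{ openssh.sshd_config_src }}`), so a host whose service is not called `openssh` now fails the requisite; keep `- service: {{ openssh.service }}` as before, or explain in the commit why the map lookup was dropped. Because the `watch_in` restarts sshd whenever the rendered file changes, a pillar typo now reaches the running daemon; if the Salt release in use supports `file.managed`'s `check_cmd`, validating the candidate file with `sshd -t -f` before the watch fires turns that into a failed state rather than a lockout. `mode: 644` is fine as written, but quoting it (`mode: '0644'`) avoids the YAML octal surprise if someone later adds a leading zero.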
@@ -1,88 +1,100 @@ -# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $ +{% set sshd_config = pillar.get('sshd_config', {}) %} -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. +# This file is managed by salt. Manual changes risk being overwritten. +# The contents of the original sshd_config are kept on the bottom for +# quick reference. +# See the sshd_config(5) manpage for details -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. +{% for keyword, argument in sshd_config.iteritems() %} + {%- if argument is sameas true %} +{{ keyword }} yes + {%- elif argument is sameas false %} +{{ keyword }} no + {%- elif argument is string or argument is number %} +{{ keyword }} {{ argument }} + {%- else %} + {%- for item in argument %} +{{ keyword }} {{ item }} + {%- endfor %} + {%- endif %} +{%- endfor %} +# What ports, IPs and protocols we listen for #Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 +# Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: - -# The default requires explicit activation of protocol 1 +#ListenAddress 0.0.0.0 #Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +#Privilege Separation is turned on for security +#UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 +#KeyRegenerationInterval 3600 +#ServerKeyBits 768 # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: - -#LoginGraceTime 2m +#LoginGraceTime 120 
#PermitRootLogin yes #StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes +# To enable empty passwords, change to yes (NOT RECOMMENDED) #PermitEmptyPasswords no -# Change to no to disable s/key passwords -ChallengeResponseAuthentication no +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +#ChallengeResponseAuthentication no + +# Change to no to disable tunnelled clear text passwords +#PasswordAuthentication yes # Kerberos options #KerberosAuthentication no +#KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes -#KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. 
If this is enabled, PAM authentication will +#X11Forwarding yes +#X11DisplayOffset 10 +#PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +#AcceptEnv LANG LC_* + +#Subsystem sftp /usr/lib/openssh/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass @@ -90,38 +102,4 @@ ChallengeResponseAuthentication no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -X11Forwarding yes -#X11DisplayOffset 10 -#X11UseLocalhost yes -PrintMotd no # pam does that -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -UsePrivilegeSeparation sandbox # Default for new installations. -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -Banner /etc/ssh/banner - -# override default of no subsystems -Subsystem sftp /usr/lib/ssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server +#UsePAM yes diff --git a/pillar.example b/pillar.example index e69de29..53db7c0 100644 --- a/pillar.example +++ b/pillar.example 
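Review bot: `sshd_config.iteritems()` in the new rendering loop exists only on Python 2 dicts, so the template stops rendering on a Python 3 minion; `{% for keyword, argument in sshd_config.items() %}` behaves the same on both. The loop also emits directives in dict iteration order, which is not the pillar file's order on Python 2; sshd honours the first occurrence of a keyword and scopes everything after a `Match` line to that block, so a pillar that includes `Match` can silently change which directives apply globally — worth a line in the header comment, e.g. `# Directives are emitted in dict order, not pillar order; keep Match blocks out of pillar:sshd_config.` Values are written unescaped, which is reasonable for admin-controlled pillar, but it means a value containing a newline becomes an additional directive; whether that matters depends on who can write pillar in this deployment.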
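Review bot: Several directives the old file set explicitly are now only comments on the new side — `UsePAM yes`, `Subsystem sftp …`, `Banner /etc/ssh/banner`, `X11Forwarding yes`, `PrintMotd no` and `UsePrivilegeSeparation sandbox` in this hunk, `ChallengeResponseAuthentication no` in the first — so any of them missing from `pillar:sshd_config` falls back to sshd's compiled-in default rather than the value the formula used to ship: with no `Subsystem` line SFTP is unavailable (the removed comment itself says the default is no subsystems), and without `UsePAM yes` the PAM account and session processing described in the surrounding comment does not run. The commented Debian defaults below the loop then read as if they were active, which misleads; the header comment should state it, e.g. `# Keys absent from pillar:sshd_config use sshd's built-in defaults, NOT the commented values below.` The README changed in this same commit still lists an ``openssh.banner`` state; if that state writes /etc/ssh/banner, nothing references the file any more unless pillar sets `Banner`, which looks like an unintended regression — worth confirming.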
@@ -0,0 +1,30 @@
+sshd_config:
+  Port: 22
+  Protocol: 2
+  HostKey:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_dsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+  UsePrivilegeSeparation: yes
+  KeyRegenerationInterval: 3600
+  ServerKeyBits: 768
+  SyslogFacility: AUTH
+  LogLevel: INFO
+  LoginGraceTime: 120
+  PermitRootLogin: yes
+  StrictModes: yes
+  RSAAuthentication: yes
+  PubkeyAuthentication: yes
+  IgnoreRhosts: yes
+  RhostsRSAAuthentication: no
+  HostbasedAuthentication: no
+  PermitEmptyPasswords: no
+  ChallengeResponseAuthentication: no
+  X11Forwarding: yes
+  X11DisplayOffset: 10
+  PrintMotd: no
+  PrintLastLog: yes
+  TCPKeepAlive: yes
+  AcceptEnv: "LANG LC_*"
+  Subsystem: "sftp /usr/lib/openssh/sftp-server"
+  UsePAM: yes
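Review bot: `PermitRootLogin: yes` in the example reproduces the Wheezy default, as the README change says it should, but an example pillar is what most users copy, so it deserves a comment marking it as the vendor default rather than a recommendation, e.g. `PermitRootLogin: yes  # Wheezy default; hardened hosts use without-password or no`. Note that YAML 1.1 turns `yes`/`no` (and `on`/`off`) into booleans, which the template's `sameas true`/`sameas false` branches render back as `yes`/`no`, while a value such as `without-password` stays a string and is written verbatim, so both forms work. The multi-word values (`AcceptEnv`, `Subsystem`) are quoted, which is right; a short comment saying a list renders one directive per item, as `HostKey` shows, would save readers from guessing how to express repeated keywords.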