Merge pull request #7 from kennydo/config_from_map

Generate sshd_config from pillar
2014-01-09 10:25:27 -08:00 · 2014-01-09 10:25:27 -08:00 · f2d5c4b114
commit f2d5c4b114
parent af3e86a73d 6cf8321a99
4 changed files with 96 additions and 82 deletions
--- a/README.rst
+++ b/README.rst
@ -22,7 +22,9 @@ Installs the ``openssh`` package and service.
 ------------------
 Installs the configuration file included in this formula
-(under "openssh/files").
+(under "openssh/files"). This configuration file is populated
 by values from pillar. ``pillar.example`` results in the generation
 of the default ``sshd_config`` file on Debian Wheezy.
 ``openssh.banner``
 ------------------
--- a/openssh/config.sls
+++ b/openssh/config.sls
@ -7,6 +7,10 @@ sshd_config:
  file.managed:
    - name: {{ openssh.sshd_config }}
    - source: {{ openssh.sshd_config_src }}
    - template: jinja
    - user: root
    - group: root
    - mode: 644
    - watch_in:
-      - service: {{ openssh.service }}
+      - service: openssh
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@ -1,86 +1,98 @@
-#	$OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
+{% set sshd_config = pillar.get('sshd_config', {}) %}
-# This is the sshd server system-wide configuration file.  See
+# This file is managed by salt. Manual changes risk being overwritten.
-# sshd_config(5) for more information.
+# The contents of the original sshd_config are kept on the bottom for
 # quick reference.
 # See the sshd_config(5) manpage for details
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+{% for keyword, argument in sshd_config.iteritems() %}
-
+    {%- if argument is sameas true %}
-# The strategy used for options in the default sshd_config shipped with
+{{ keyword }} yes
-# OpenSSH is to specify options with their default value where
+    {%- elif argument is sameas false %}
-# possible, but leave them commented.  Uncommented options override the
+{{ keyword }} no
-# default value.
+    {%- elif argument is string or argument is number %}
 {{ keyword }} {{ argument }}
    {%- else %}
        {%- for item in argument %}
 {{ keyword }} {{ item }}
        {%- endfor %}
    {%- endif %}
 {%- endfor %}
 # What ports, IPs and protocols we listen for
 #Port 22
-#AddressFamily any
+# Use these options to restrict which interfaces/protocols sshd will bind to
 #ListenAddress 0.0.0.0
 #ListenAddress ::
-
+#ListenAddress 0.0.0.0
 # The default requires explicit activation of protocol 1
 #Protocol 2
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #Privilege Separation is turned on for security
 #UsePrivilegeSeparation yes
 # Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
+#KeyRegenerationInterval 3600
-#ServerKeyBits 1024
+#ServerKeyBits 768
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO
 # Authentication:
-
+#LoginGraceTime 120
 #LoginGraceTime 2m
 #PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	%h/.ssh/authorized_keys
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# Don't read the user's ~/.rhosts and ~/.shosts files
-# but this is overridden so installations will only check .ssh/authorized_keys
+#IgnoreRhosts yes
-AuthorizedKeysFile	.ssh/authorized_keys
+# For this to work you will also need host keys in /etc/ssh_known_hosts
 #AuthorizedPrincipalsFile none
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
 #HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts yes
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
-# Change to no to disable s/key passwords
+# Change to yes to enable challenge-response passwords (beware issues with
-ChallengeResponseAuthentication no
+# some PAM modules and threads)
 #ChallengeResponseAuthentication no
 # Change to no to disable tunnelled clear text passwords
 #PasswordAuthentication yes
 # Kerberos options
 #KerberosAuthentication no
 #KerberosGetAFSToken no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 #X11Forwarding yes
 #X11DisplayOffset 10
 #PrintMotd no
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
 #MaxStartups 10:30:60
 #Banner /etc/issue.net
 # Allow client to pass locale environment variables
 #AcceptEnv LANG LC_*
 #Subsystem sftp /usr/lib/openssh/sftp-server
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
@ -90,38 +102,4 @@ ChallengeResponseAuthentication no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
+#UsePAM yes
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 PrintMotd no # pam does that
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation sandbox		# Default for new installations.
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
 # no default banner path
 Banner /etc/ssh/banner
 # override default of no subsystems
 Subsystem	sftp	/usr/lib/ssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
--- a/pillar.example
+++ b/pillar.example
@ -0,0 +1,30 @@
 sshd_config:
  Port: 22
  Protocol: 2
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_ecdsa_key
  UsePrivilegeSeparation: yes
  KeyRegenerationInterval: 3600
  ServerKeyBits: 768
  SyslogFacility: AUTH
  LogLevel: INFO
  LoginGraceTime: 120
  PermitRootLogin: yes
  StrictModes: yes
  RSAAuthentication: yes
  PubkeyAuthentication: yes
  IgnoreRhosts: yes
  RhostsRSAAuthentication: no
  HostbasedAuthentication: no
  PermitEmptyPasswords: no
  ChallengeResponseAuthentication: no
  X11Forwarding: yes
  X11DisplayOffset: 10
  PrintMotd: no
  PrintLastLog: yes
  TCPKeepAlive: yes
  AcceptEnv: "LANG LC_*"
  Subsystem: "sftp /usr/lib/openssh/sftp-server"
  UsePAM: yes