Commit Graph

33 Commits

Author SHA1 Message Date
Michael Mol
6229a6d122 Stably sort matches
OpenSSH's Match declarations are applied first-match-wins. However, we
can't safely define two Matches that might overlap unless we first sort
the keys, as Python (and Jinja) dicts don't guarantee the order of
dict keys.

We also won't scramble the match sequence every time the user adds,
removes or renames a match, and so we give the user clearer, more
concise diffs when they apply changes.

Finally, we leave a comment on the Match line identifying where the
Match rule came from, to assist in troubleshooting.
2017-06-12 12:08:26 -04:00
Michael Mol
710175799b Support compound matches
Support complex compound matches in Match criteria. For example, be able
to match against multiple Users for a given Match, or be able to match
against address ranges. Or Groups. Or any combination thereof.

Support for matching users can take one of several different appearances
in pillar data:

sshd_config:
  matches:
    match_1:
      type:
        User: one_user
      options:
        ChrootDirectory: /ex/%u
    match_2:
      type:
        User:
          - jim
          - bob
          - sally
      options:
        ChrootDirectory: /ex/%u
    match_3:
      type:
        User:
          jim: ~
          bob: ~
          sally: ~
      options:
        ChrootDirectory: /ex/%u

Note the syntax of match_3. By using empty dicts for each user, we can
leverage Salt's pillar merging. If we use simple lists, we cannot do
this; Salt can't merge simple lists, because it doesn't know what order
they ought to be in.
2017-06-12 11:43:46 -04:00
Adam Mendlik
1284109335 PrintLastLog missing in FreeBSD 11.0
The fix introduced in 678cc9066c
suppresses the PrintLastLog directive for FreeBSD 10.3.
SSH on FreeBSD 11.0 also does not support PrintLastLog, so this
change suppresses it for any version >= 10.3.
2017-06-04 10:33:14 -06:00
Alexander Weidinger
678cc9066c PrintLastLog missing in FreeBSD 10.3 2017-02-23 01:19:21 +01:00
Pandu E Poluan
30648d115e Add macro to handle string or list
Added a macro to handle multivalue options entered in either string
format or list format (with auto joiner).
2017-01-24 01:17:51 +07:00
Eric Cook
686fc2c4ee do not set UsePAM on OpenBSD
Upstream opensshd does not support PAM
2017-01-14 18:38:37 -05:00
Simon Pirschel
2a1b8fbc66 fix issue sshd won't start if AddressFamily is specified, because it must be defined before ListenAddress 2016-11-01 13:24:30 +01:00
Johannes Löthberg
02b52fa7cf Add AuthorizedKeysCommand support
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
2016-10-01 20:53:44 +02:00
Niels Abspoel
641851632f add more authentication options 2016-05-26 21:57:02 +02:00
Matthieu DERASSE
3542a1f534 Implement Session idle timeout 2016-05-25 00:06:45 +02:00
Simon Lloyd
daed52de19 Add sshd_config to map.jinja and check if dig command is available before installing 'dig' package. 2016-04-19 02:53:14 +02:00
Bogdan Radulescu
13cf374efe Added configuration options for ssh_config
Made a small change to reflect the default sshd_config
2015-10-01 15:21:16 +00:00
Bogdan Radulescu
fd4381b769 The default value for ServerKeyBits is 1024 both upstream and in distros 2015-07-30 12:27:05 +00:00
Ingo Bente
83bb5ac5a0 adds support to harden sshd_config (KeyExchange, Ciphers, MACs) 2015-06-30 14:33:57 +02:00
Niels Abspoel
33ee945557 Added AllowUsers,AllowGroups,DenyUsers,DenyGroups
This will add more options to set to secure openssh
- AllowUsers
- AllowGroups
- DenyUsers
- DenyGroups
2015-01-16 22:56:59 +01:00
Bohdan Kmit
b843d8168b add ed25519 host key type; add AuthenticationMethods option 2015-01-16 17:21:10 +00:00
Skyler Berg
a83409182f Fix jinja spacing mistake for unknown options
When specifying multiple unknown ssh options, they would all appear on
the same line.
2014-11-18 14:58:57 -08:00
Tim Jones
09ca7de060 Allow newline after ListenAddress 2014-10-26 20:27:11 +01:00
Robert Fairburn
8616d3d130 fix comment 2014-09-19 12:01:57 -05:00
Robert Fairburn
b24101264f make sure to match options as the options dict! 2014-09-19 11:26:10 -05:00
Robert Fairburn
1a2de43ed7 defaults do not need a prefix 2014-09-19 11:21:31 -05:00
Robert Fairburn
85c97b450a fix a typo in keywords being sent improperly 2014-09-19 11:19:37 -05:00
Robert Fairburn
abf6e09fbb Fix a typo in the match jinja 2014-09-19 11:16:58 -05:00
Robert Fairburn
ba72c1e8b7 remove prefix when not needed 2014-09-19 10:55:19 -05:00
Robert Fairburn
c100fc88a3 allow for "Match" inside of an sshd_config 2014-09-19 10:47:35 -05:00
Wes Turner
970777b9bb Add a UseDNS option to sshd_config 2014-07-22 00:35:11 -05:00
Oleg Tsarev
48ebd1b07b Changed sshd_config generation to a more readable scheme.
Synced file with default from Ubuntu 12.04 latest
2014-05-05 19:28:13 +04:00
matthew-parlette
cdfab3953d Define a line for each option.
This provides a default option (according to the package-provided config file) for each option in the config.
2014-04-26 18:22:17 -04:00
matthew-parlette
2f28a008c2 Cleared out static parts of config since it was causing issues 2014-04-25 16:33:07 -04:00
Seth House
351a6b81dc Merge remote-tracking branch 'origin/pr/3'
Conflicts:
	openssh/files/sshd_config
	openssh/init.sls
	pillar.example
2014-03-17 16:14:17 -06:00
Kenny Do
b0c7009cb2 updated sshd_config file to be populated by pillar 2014-01-09 05:03:44 -08:00
Mark Eggert
2e229681c7 Adding a small variable to the OpenSSH sshd_config file so that the service will work correctly on Centos 6.4 and earlier 2014-01-03 00:11:17 -06:00
Thomas S Hatch
1224ee95f0 Add openssh files 2013-06-13 11:16:18 -06:00