Commit Graph

47 Commits

Author SHA1 Message Date
Brian Holland
6400516c5e Add ConfigBanner to processed_options when handled.
This prevents a verbatim version being added to end of file that will
cause the parsing to fail.
2017-08-15 23:08:23 -04:00
Alexander Weidinger
a5f4a56956 UsePrivilegeSeparation 'sandbox'
This is was introduced in 5.9, and is default in 6.1.
https://www.openssh.com/txt/release-5.9
https://www.openssh.com/txt/release-6.1
2017-08-01 00:02:03 +02:00
Andres Montalban
467c5e56fc Remove extra whitespace 2017-07-27 19:06:27 -03:00
Alexander Weidinger
e44d8860f4 Sort Match options 2017-07-04 22:30:49 +02:00
Alexander Weidinger
f810b27211 Merge branch 'prioritized-compound-match-2' of git://github.com/mikemol/openssh-formula 2017-07-04 21:58:05 +02:00
Florian Ermisch
add969822c add optional `{{source}} to sshd_config 2017-07-04 21:38:21 +02:00
Florian Ermisch
8594cd90ba add optional `{{source}} to ssh_config 2017-07-04 21:38:21 +02:00
Michael Mol
6229a6d122 Stabily sort matches
OpenSSH's Match declarations are applied first-match-wins. However, we
can't safely define two Matches that might overlap unless we first sort
the keys, as Python (and Jinja) dicts don't guarantee the order of
dict keys,

We also won't scramble the match sequence every time the user adds,
removes or renames a match, and so we give the user clearer, more
concise diffs as when they apply changes.

Finally, we leave a comment on the Match line identifying where the
Match rule came from, to assist in troubleshooting.
2017-06-12 12:08:26 -04:00
Michael Mol
710175799b Support compound matches
Support complex compound matches in Match criteria. For example, be able
to match against multiple Users for a given Match, or be able to match
against address ranges. Or Groups. Or any combination thereof.

Support for matching users can take one of several different appearances
in pillar data:

sshd_config:
  matches:
    match_1:
      type:
        User: one_user
      options:
        ChrootDirectory: /ex/%u
    match_2:
      type:
        User:
          - jim
          - bob
          - sally
      options:
        ChrootDirectory: /ex/%u
    match_3:
      type:
        User:
          jim: ~
          bob: ~
          sally: ~
      options:
        ChrootDirectory: /ex/%u

Note the syntax of match_3. By using empty dicts for each user, we can
leverage Salt's pillar mergine. If we use simple lists, we cannot do
this; Salt can't merge simple lists, because it doesn't know what order
they ought to be in.
2017-06-12 11:43:46 -04:00
Michael Mol
345e07c85e Support Match prioritization
OpenSSH's Match declarations are applied first-match-wins. However, we
can't safely define two Matches that might overlap unless we first sort
the keys, as Python (and Jinja) dicts don't guarantee the order of
dict keys,

We also won't scramble the match sequence every time the user adds,
removes or renames a match, and so we give the user clearer, more
concise diffs as when they apply changes.

Finally, we leave a comment on the Match line identifying where the
Match rule came from, to assist in troubleshooting.
2017-06-09 15:51:13 -04:00
Adam Mendlik
1284109335 PrintLastLog missing in FreeBSD 11.0
The fix introduced in 678cc9066c
suppresses the PrintLastLog directive for FreeBSD 10.3.
SSH on FreeBSD 11.0 also does not support PrintLastLog, so this
change suppresses it for any version >= 10.3.
2017-06-04 10:33:14 -06:00
Alexander Weidinger
70461403cb known_hosts: sort IP addresses
in order to prevent unnecessary changes due to
random ordering of dig results.
2017-02-23 03:59:40 +01:00
Alexander Weidinger
678cc9066c PrintLastLog missing in FreeBSD 10.3 2017-02-23 01:19:21 +01:00
Pandu E Poluan
773d9ae092 Apply string-or-list processing to ssh_config
Now ssh_config also accepts string-or-list options, for serveral
keywords.
2017-01-24 01:34:24 +07:00
Pandu E Poluan
30648d115e Add macro to handle string or list
Added a macro to handle multivalue options entered in either string
format or list format (with auto joiner).
2017-01-24 01:17:51 +07:00
Eric Cook
686fc2c4ee do not set UsePAM on OpenBSD
Upstream opensshd does not support PAM
2017-01-14 18:38:37 -05:00
Simon Pirschel
2a1b8fbc66 fix issue sshd won't start if AddressFamily is specified, because it must be defined before ListenAddress 2016-11-01 13:24:30 +01:00
Johannes Löthberg
02b52fa7cf Add AuthorizedKeysCommand support
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
2016-10-01 20:53:44 +02:00
Niels Abspoel
641851632f add more authentication options 2016-05-26 21:57:02 +02:00
Matthieu DERASSE
3542a1f534 Implement Session idle time out 2016-05-25 00:06:45 +02:00
Simon Lloyd
daed52de19 Add sshd_config to map.jinja and check if dig command is available before installing 'dig' package. 2016-04-19 02:53:14 +02:00
Nigel Sim
1e515b0f5d make the host option rendering support lists by refactoring the main option rendering code
put the ssh_config Host:* options in the defaults file so they can be overridden
2016-01-14 02:57:45 +00:00
ketzacoatl
143451eb19 Add support for Host definitions in ssh_config
This gives us the ability to define system-wide definitions for specific Hosts, and their options.

For example, with this in pillar:

```
# this is the place for host-wide SSH config
ssh_config:
  ...
  Hosts:
    # this simplifies cloning with custom params
    # eg: git clone my-git:foo/bar
    my-git:
      User: git
      HostName: git.example.com
      Port: 2222
```

This would add a section in `/etc/ssh/ssh_config`:

```
Host my-git
    User git
    HostName git.example.com
    Port 2222
```
2016-01-02 18:12:55 -05:00
Bogdan Radulescu
13cf374efe Added configuration options for ssh_config
Made a small change to reflect the default sshd_config
2015-10-01 15:21:16 +00:00
Bogdan Radulescu
fd4381b769 The default value for ServerKeyBits is 1024 both upstream and in distros 2015-07-30 12:27:05 +00:00
Ingo Bente
83bb5ac5a0 adds support to harden sshd_config (KeyExchange, Ciphers, MACs) 2015-06-30 14:33:57 +02:00
Thomas Juberg
6b68c44583 Stop messing up the first line in ssh_known_hosts 2015-06-25 14:28:26 +02:00
Raphaël Hertzog
1b74efd2d0 Add a new openssh.known_hosts state
This state manages /etc/ssh/ssh_known_hosts and fills it with
public SSH host keys of other minions.
2015-03-26 17:50:32 +01:00
Niels Abspoel
33ee945557 Added AllowUsers,AllowGroups,DenyUsers,DenyGroups
This will add more options to set to secure openssh
- AllowUsers
- AllowGroups
- DenyUsers
- DenyGroups
2015-01-16 22:56:59 +01:00
Bohdan Kmit
b843d8168b add ed25519 host key type; add AuthenticationMethods option 2015-01-16 17:21:10 +00:00
Skyler Berg
a83409182f Fix jinja spacing mistake for unknown options
When specifying multiple unknown ssh options, they would all appear on
the same line.
2014-11-18 14:58:57 -08:00
Tim Jones
09ca7de060 Allow newline after ListenAddress 2014-10-26 20:27:11 +01:00
Robert Fairburn
8616d3d130 fix comment 2014-09-19 12:01:57 -05:00
Robert Fairburn
b24101264f make sure to match options as the options dict! 2014-09-19 11:26:10 -05:00
Robert Fairburn
1a2de43ed7 defaults do not need a prefix 2014-09-19 11:21:31 -05:00
Robert Fairburn
85c97b450a fix a typo in keywords being sent improperly 2014-09-19 11:19:37 -05:00
Robert Fairburn
abf6e09fbb Fix a typo in the match jinja 2014-09-19 11:16:58 -05:00
Robert Fairburn
ba72c1e8b7 remove prefix when not needed 2014-09-19 10:55:19 -05:00
Robert Fairburn
c100fc88a3 allow for "Match" inside of an sshd_config 2014-09-19 10:47:35 -05:00
Wes Turner
970777b9bb Add a UseDNS option to sshd_config 2014-07-22 00:35:11 -05:00
Oleg Tsarev
48ebd1b07b Changed sshd_config generation to more readable scheme.
Synced file with default from Ubuntu 12.04 latest
2014-05-05 19:28:13 +04:00
matthew-parlette
cdfab3953d Define a line for each option.
This provides a default option (according to the package-provided config file) for each option in the config.
2014-04-26 18:22:17 -04:00
matthew-parlette
2f28a008c2 Cleared out static parts of config since it was causing issues 2014-04-25 16:33:07 -04:00
Seth House
351a6b81dc Merge remote-tracking branch 'origin/pr/3'
Conflicts:
	openssh/files/sshd_config
	openssh/init.sls
	pillar.example
2014-03-17 16:14:17 -06:00
Kenny Do
b0c7009cb2 updated sshd_config file to be populated by pillar 2014-01-09 05:03:44 -08:00
Mark Eggert
2e229681c7 Adding a small variable to the OpenSSH sshd_config file so that the service will work correctly on Centos 6.4 and earlier 2014-01-03 00:11:17 -06:00
Thomas S Hatch
1224ee95f0 Add openssh files 2013-06-13 11:16:18 -06:00