-
Notifications
You must be signed in to change notification settings - Fork 295
/
Copy pathsshd_config
231 lines (196 loc) · 8.14 KB
/
sshd_config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
{#- present in sshd_config and known in actual file options -#}
{%- set processed_options = [] -%}
{#- generic renderer used for sshd matches, known options, -#}
{#- and unknown options -#}
{%- macro render_option(keyword, config_dict=sshd_config) -%}
{%- set value = config_dict.get(keyword) -%}
{%- if value is sameas true -%}
{{ keyword }} yes
{% elif value is sameas false -%}
{{ keyword }} no
{% elif value is string or value is number -%}
{{ keyword }} {{ value }}
{% else -%}
{%- for single_value in value -%}
{{ keyword }} {{ single_value }}
{% endfor -%}
{%- endif -%}
{%- endmacro -%}
{#- macros for render option if present -#}
{%- macro option(keyword, present) -%}
{%- if keyword in sshd_config -%}
{%- do processed_options.append(keyword) -%}
{{ render_option(keyword) }}
{%- endif -%}
{%- endmacro -%}
{#- macro for collapsing a list into a string -#}
{%- macro option_collapselist(keyword, sep, config_dict=None) -%}
{%- if config_dict is sameas None -%}
{%- do processed_options.append(keyword) -%}
{%- set config_dict = sshd_config -%}
{%- endif -%}
{{ keyword }} {{ config_dict.get(keyword) | join(sep) }}
{% endmacro -%}
{#- macro for handling an option that can be specified as a list or a string -#}
{%- macro option_string_or_list(keyword, sep=',') -%}
{%- if sshd_config.get(keyword, '') is string -%}
{{ option(keyword) }}
{%- else -%}
{{ option_collapselist(keyword, sep) }}
{%- endif -%}
{%- endmacro -%}
{#- macro for conditionally joining a string, list or dict(keys) to just a string -#}
{%- macro join_to_string(src, keyword, sep=',') -%}
{%- set srcval = src.get(keyword, '') -%}
{%- if srcval is string -%}
{{ srcval }}
{%- elif srcval is mapping -%}
{{ srcval.keys() | sort | join(sep) }}
{%- else -%}
{{ srcval | join(sep) }}
{%- endif -%}
{%- endmacro -%}
{%- if sshd_config.get('ConfigBanner', False) -%}
{%- do processed_options.append('ConfigBanner') -%}
{{ sshd_config['ConfigBanner'] }}
{%- else -%}
# This file is managed by salt. Manual changes risk being overwritten.
{%- endif %}
{%- set global_src_url = salt ['pillar.get']('__formulas:print_template_url', None) %}
{%- set local_src_url = salt ['pillar.get']('openssh-formula:print_template_url', None) %}
{%- if (global_src_url and local_src_url is none) or local_src_url %}
#
# Template used to generate this file:
# {{ source }}
#
{%- endif %}
# The contents of the original sshd_config are kept on the bottom for
# quick reference.
# See the sshd_config(5) manpage for details
{# Specifies which address family should be used by sshd(8). -#}
{#- Valid arguments are any, inet (use IPv4 only), or inet6 (use IPv6 only) -#}
{{- option('AddressFamily') -}}
{#- What ports, IPs and protocols we listen for -#}
{{- option('Port') -}}
{#- Use these options to restrict which interfaces/protocols sshd will bind to -#}
{{- option('ListenAddress') -}}
{{- option('Protocol') -}}
{#- HostKeys for protocol version 2 -#}
{{- option('HostKey') -}}
{#- Privilege Separation is turned on for security -#}
{{- option('UsePrivilegeSeparation') -}}
{#- Logging -#}
{{- option('SyslogFacility') -}}
{{- option('LogLevel') -}}
{#- Session idle time out -#}
{{- option('ClientAliveInterval') -}}
{{- option('ClientAliveCountMax') -}}
{#- Authentication: -#}
{{- option('LoginGraceTime') -}}
{{- option('PermitRootLogin') -}}
{{- option('StrictModes') -}}
{{- option('MaxAuthTries') -}}
{{- option('MaxSessions') -}}
{{- option('PubkeyAuthentication') -}}
{{- option('AuthorizedKeysFile') -}}
{{- option('AuthorizedKeysCommand') -}}
{{- option('AuthorizedKeysCommandUser') -}}
{#- Don't read the user's ~/.rhosts and ~/.shosts files -#}
{{- option('IgnoreRhosts') -}}
{#- similar for protocol version 2 -#}
{{- option('HostbasedAuthentication') -}}
{#- Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#}
{{- option('IgnoreUserKnownHosts') -}}
{#- To enable empty passwords, change to yes (NOT RECOMMENDED) -#}
{{- option('PermitEmptyPasswords') -}}
{#- Change to yes to enable challenge-response passwords (beware issues with -#}
{#- some PAM modules and threads) -#}
{{- option('ChallengeResponseAuthentication') -}}
{{- option('AuthenticationMethods') -}}
{#- Change to no to disable tunnelled clear text passwords -#}
{{- option('PasswordAuthentication') -}}
{#- Kerberos options -#}
{{- option('KerberosAuthentication') -}}
{{- option('KerberosGetAFSToken') -}}
{{- option('KerberosOrLocalPasswd') -}}
{{- option('KerberosTicketCleanup') -}}
{#- GSSAPI options -#}
{{- option('GSSAPIAuthentication') -}}
{{- option('GSSAPICleanupCredentials') -}}
{{- option('X11Forwarding') -}}
{{- option('AllowTcpForwarding') -}}
{{- option('X11DisplayOffset') -}}
{{- option('PrintMotd') -}}
{#- Bug in FreeBSD 10.3 (?) See https://lists.freebsd.org/pipermail/freebsd-stable/2016-April/084501.html -#}
{% if not (salt['grains.get']('os') == 'FreeBSD' and salt['grains.get']('osrelease')|float >= 10.3) -%}
{{- option('PrintLastLog') -}}
{% endif -%}
{{- option('TCPKeepAlive') -}}
{{- option('UseLogin') -}}
{{- option('MaxStartups') -}}
{{- option('Banner') -}}
{#- Allow client to pass locale environment variables -#}
{{- option('AcceptEnv') -}}
{{- option('Subsystem') -}}
{% if not salt['grains.get']('os') == 'OpenBSD' -%}
{#- Set this to 'yes' to enable PAM authentication, account processing, -#}
{#- and session processing. If this is enabled, PAM authentication will -#}
{#- be allowed through the ChallengeResponseAuthentication and -#}
{#- PasswordAuthentication. Depending on your PAM configuration, -#}
{#- PAM authentication via ChallengeResponseAuthentication may bypass -#}
{#- the setting of "PermitRootLogin without-password". -#}
{#- If you just want the PAM account and session checks to run without -#}
{#- PAM authentication, then enable this but set PasswordAuthentication -#}
{#- and ChallengeResponseAuthentication to 'no'. -#}
{{- option('UsePAM') -}}
{%- endif %}
{#- DNS resolve and map remote IP addresses -#}
{{- option('UseDNS') -}}
{#- Restricting Users and Hosts -#}
{#- example: -#}
{#- AllowUsers vader@10.0.0.1 maul@sproing.evil.com luke -#}
{#- AllowGroups wheel staff -#}
{#- Keep in mind that using AllowUsers or AllowGroups means that anyone -#}
{#- not Matching one of the supplied patterns will be denied access by default. -#}
{#- Also, in order for sshd to allow access based on full or partial hostnames it -#}
{#- needs to to a DNS lookup -#}
{# DenyUsers -#}
{{- option_string_or_list('DenyUsers', sep=' ') -}}
{# AllowUsers -#}
{{- option_string_or_list('AllowUsers', sep=' ') -}}
{# DenyGroups -#}
{{- option_string_or_list('DenyGroups', sep=' ') -}}
{# AllowGroups -#}
{{- option_string_or_list('AllowGroups', sep=' ') -}}
{#- Specifies the available KEX (Key Exchange) algorithms. -#}
{{- option_string_or_list('KexAlgorithms') -}}
{#- Specifies the ciphers allowed for protocol version 2. -#}
{{- option_string_or_list('Ciphers') -}}
{#- Specifies the available MAC (message authentication code) algorithms. -#}
{{- option_string_or_list('MACs') -}}
{#- Handling unknown in salt template options -#}
{%- for keyword in sshd_config.keys() %}
{#- Matches have to be at the bottom and should be handled differently -#}
{%- if not keyword in processed_options and keyword != 'matches' -%}
{{- render_option(keyword) -}}
{% endif -%}
{%- endfor %}
{#- Handle matches last as they need to go at the bottom -#}
{%- if 'matches' in sshd_config %}
{%- for name, match in sshd_config['matches']|dictsort(true) %}
Match
{#- Set up the match criteria -#}
{%- for criteria in match['type'].keys()|sort() -%}
{{ ' ' -}}{{criteria }} {{ join_to_string(match['type'], criteria) }}
{%- endfor %} #{{- name }}
{# Set up the applied options -#}
{%- for keyword in match['options'].keys()|sort() -%}
{%- if keyword in ['AllowUsers', 'DenyUsers', 'AllowGroups', 'DenyGroups'] -%}
{{ option_collapselist(keyword, ' ', config_dict=match['options']) | indent(4, true) }}
{% else -%}
{{ render_option(keyword, config_dict=match['options']) | indent(4, true) }}
{% endif -%}
{%- endfor %}
{%- endfor %}
{%- endif %}
{#- vim: set ft=jinja : -#}