Saltstack Official OpenSSH Formula
{#- Pillar-driven sshd_config renderer. Every option below is taken from the
    pillar key 'sshd_config' (flat keyword -> value map, plus an optional
    'matches' sub-map rendered at the bottom). A keyword present in pillar is
    emitted uncommented with the pillar value; a keyword missing from pillar is
    emitted as the default shown in the macro call (commented out for option(),
    live for option_default_uncommented()). Pillar is the only input here, so
    whoever can write this pillar key controls the sshd policy of the minion. -#}
{%- set sshd_config = pillar.get('sshd_config', {}) -%}
{#- keywords that a macro call below has already rendered; used at the end to
    emit the remaining pillar keys verbatim without duplicating these -#}
{%- set processed_options = [] -%}
  4. {#- generic renderer used for sshd matches, known options, -#}
  5. {#- and unknown options -#}
  6. {%- macro render_option(keyword, default, config_dict=sshd_config) -%}
  7. {%- set value = config_dict.get(keyword, default) -%}
  8. {%- if value is sameas true -%}
  9. {{ keyword }} yes
  10. {%- elif value is sameas false -%}
  11. {{ keyword }} no
  12. {%- elif value is string or value is number -%}
  13. {{ keyword }} {{ value }}
  14. {%- else -%}
  15. {%- for single_value in value -%}
  16. {{ keyword }} {{ single_value }}
  17. {% endfor -%}
  18. {%- endif -%}
  19. {%- endmacro -%}
  20. {#- macros for render option according to present -#}
  21. {%- macro option_impl(keyword, default, present) -%}
  22. {%- if present -%}
  23. {%- do processed_options.append(keyword) -%}
  24. {%- set prefix='' -%}
  25. {%- else -%}
  26. {%- set prefix='#' -%}
  27. {%- endif -%}
  28. {#- add prefix to keyword -#}
  29. {%- set keyword = prefix ~ keyword -%}
  30. {{ render_option(keyword, default) }}
  31. {%- endmacro -%}
  32. {#- macros for render option commented by default -#}
  33. {%- macro option(keyword, default, present) -%}
  34. {{ option_impl(keyword, default, keyword in sshd_config) }}
  35. {%- endmacro -%}
  36. {#- macros for render option uncommented by default -#}
  37. {%- macro option_default_uncommented(keyword, default, present) -%}
  38. {{ option_impl(keyword, default, True) }}
  39. {%- endmacro -%}
# This file is managed by salt. Manual changes risk being overwritten.
# The contents of the original sshd_config are kept on the bottom for
# quick reference.
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
{{ option('Port', 22) }}
# Use these options to restrict which interfaces/protocols sshd will bind to
{{ option('ListenAddress', ['::', '0.0.0.0']) }}{# a list value renders one ListenAddress line per entry #}
{{ option_default_uncommented('Protocol', 2) }}{# protocol 1 support was removed from OpenSSH in 7.4, leave this at 2 #}
# HostKeys for protocol version 2
{{ option_default_uncommented('HostKey', ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']) -}}{#- the list renderer already ends with a newline, so the template newline is stripped here to avoid a blank line; the dsa key is only useful for legacy clients (ssh-dss is disabled by default since OpenSSH 7.0) and sshd ignores listed key files that do not exist -#}
#Privilege Separation is turned on for security
{{ option_default_uncommented('UsePrivilegeSeparation', 'yes') }}{# deprecated since OpenSSH 7.5 where it is always on; newer sshd logs a warning for it #}
# Lifetime and size of ephemeral version 1 server key
{{ option_default_uncommented('KeyRegenerationInterval', 3600) }}{# protocol 1 only, no effect with Protocol 2 #}
{{ option_default_uncommented('ServerKeyBits', 1024) }}{# protocol 1 only, no effect with Protocol 2 #}
# Logging
{{ option_default_uncommented('SyslogFacility', 'AUTH') }}
{{ option_default_uncommented('LogLevel', 'INFO') }}{# INFO records successful logins; VERBOSE additionally logs the public key fingerprint used, useful for forensics #}
# Authentication:
{{ option_default_uncommented('LoginGraceTime', 120) }}
{{ option_default_uncommented('PermitRootLogin', 'yes') }}{# SECURITY: this is rendered live by default, so every minion whose pillar does not set sshd_config:PermitRootLogin allows direct root login, with a password as long as PasswordAuthentication is on. Set it in pillar to 'without-password' ('prohibit-password' on OpenSSH 7.0+) or to 'no'. A bare YAML no arrives as boolean false and render_option turns it back into "PermitRootLogin no" #}
{{ option_default_uncommented('StrictModes', 'yes') }}{# keep on: refuses keys from world-writable ~/.ssh or authorized_keys #}
{{ option('DSAAuthentication', 'yes') }}{# not an sshd keyword in current OpenSSH; emitted commented unless pillar sets it #}
{{ option_default_uncommented('RSAAuthentication', 'yes') }}{# protocol 1 only; newer OpenSSH releases warn about or ignore it #}
{{ option_default_uncommented('PubkeyAuthentication', 'yes') }}
{{ option('AuthorizedKeysFile', '%h/.ssh/authorized_keys') }}
# Don't read the user's ~/.rhosts and ~/.shosts files
{{ option_default_uncommented('IgnoreRhosts', 'yes') }}
# For this to work you will also need host keys in /etc/ssh_known_hosts
{{ option_default_uncommented('RhostsRSAAuthentication', 'no') }}
# similar for protocol version 2
{{ option_default_uncommented('HostbasedAuthentication', 'no') }}
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
{{ option('IgnoreUserKnownHosts', 'yes') }}
# To enable empty passwords, change to yes (NOT RECOMMENDED)
{{ option_default_uncommented('PermitEmptyPasswords', 'no') }}
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
{{ option_default_uncommented('ChallengeResponseAuthentication', 'no') }}
{{ option('AuthenticationMethods', 'publickey,keyboard-interactive') }}{# commented example of multi-factor auth: every listed method must succeed in turn. If enabled via pillar, keyboard-interactive also needs ChallengeResponseAuthentication yes (and a PAM stack that asks for a second factor), otherwise nobody can log in #}
# Change to no to disable tunnelled clear text passwords
{{ option('PasswordAuthentication', 'yes') }}{# sshd's built-in default is yes, so with this line commented passwords are accepted; for key-only hosts set PasswordAuthentication: false in pillar. With UsePAM yes, PAM can still authenticate through ChallengeResponseAuthentication, see the note above UsePAM #}
# Kerberos options
{{ option('KerberosAuthentication', 'no') }}
{{ option('KerberosGetAFSToken', 'no') }}
{{ option('KerberosOrLocalPasswd', 'yes') }}
{{ option('KerberosTicketCleanup', 'yes') }}
# GSSAPI options
{{ option('GSSAPIAuthentication', 'no') }}
{{ option('GSSAPICleanupCredentials', 'yes') }}
{{ option_default_uncommented('X11Forwarding', 'yes') }}{# rendered live by default; servers without a desktop need not expose X11 forwarding, set X11Forwarding: false in pillar #}
{{ option('AllowTcpForwarding', 'yes') }}{# sshd's default is yes: any authenticated user can pivot through the host with -L/-R/-D; consider AllowTcpForwarding: false for bastions, or restrict it per group in a Match block #}
{{ option_default_uncommented('X11DisplayOffset', '10') }}
{{ option_default_uncommented('PrintMotd', 'no') }}
{{ option_default_uncommented('PrintLastLog', 'yes') }}
{{ option_default_uncommented('TCPKeepAlive', 'yes') }}
{{ option('UseLogin', 'no') }}{# removed in OpenSSH 7.4; harmless while commented #}
{{ option('MaxStartups', '10:30:60') }}{# start:rate:full - limits unauthenticated connections and so bounds the cost of connection floods #}
{{ option('Banner', '/etc/issue.net') }}
# Allow client to pass locale environment variables
{{ option_default_uncommented('AcceptEnv', 'LANG LC_*') }}
{{ option_default_uncommented('Subsystem', 'sftp /usr/lib/openssh/sftp-server') }}{# Debian/Ubuntu path; other distributions ship sftp-server elsewhere (or use internal-sftp), override in pillar as needed #}
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
{{ option_default_uncommented('UsePAM', 'yes') }}
# DNS resolve and map remote IP addresses
{{ option('UseDNS', 'yes') }}{# only affects hostname patterns in AllowUsers/from= and adds a reverse lookup per connection; sshd's own default became no in 6.8 #}
# Restricting Users and Hosts
# example:
# AllowUsers vader@10.0.0.1 maul@sproing.evil.com luke
# AllowGroups wheel staff
#
# Keep in mind that using AllowUsers or AllowGroups means that anyone
# not Matching one of the supplied patterns will be denied access by default.
# Also, in order for sshd to allow access based on full or partial hostnames it
# needs to to a DNS lookup
#
# DenyUsers
{{ option('DenyUsers', '') }}{# the empty default renders as a commented placeholder; pass a space separated string in pillar. A list renders one line per entry, and whether sshd accumulates repeated Deny/Allow lines depends on the version - verify before relying on it #}
# AllowUsers
{{ option('AllowUsers', '') }}
# DenyGroups
{{ option('DenyGroups', '') }}
# AllowGroups
{{ option('AllowGroups', '') }}
# Specifies the available KEX (Key Exchange) algorithms.
{{ option('KexAlgorithms', 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1') }}{# SECURITY: this default is only ever emitted commented out (option() behaviour), but it is what an operator is likely to copy into pillar. It includes SHA-1 exchanges and the 1024-bit group1; prefer curve25519-sha256 and diffie-hellman-group-exchange-sha256, subject to what the installed OpenSSH supports #}
# Specifies the ciphers allowed for protocol version 2.
{{ option('Ciphers', 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se') }}{# SECURITY: same caveat - arcfour, 3des-cbc, blowfish-cbc, cast128-cbc and the CBC modes are legacy; prefer chacha20-poly1305@openssh.com, aes*-gcm@openssh.com and aes*-ctr when setting this in pillar #}
# Specifies the available MAC (message authentication code) algorithms.
{{ option('MACs', 'hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96') }}{# SECURITY: same caveat - hmac-md5, hmac-sha1 and the truncated -96 variants are legacy; prefer the hmac-sha2-*-etm@openssh.com and hmac-sha2-* MACs when setting this in pillar #}
  139. {# Handling unknown in salt template options #}
  140. {%- for keyword in sshd_config.keys() %}
  141. {#- Matches have to be at the bottom and should be handled differently -#}
  142. {%- if not keyword in processed_options and keyword != 'matches' -%}
  143. {#- send a blank default as it doesn't matter #}
  144. {{ render_option(keyword, '') }}
  145. {%- endif -%}
  146. {%- endfor %}
  147. {# Handle matches last as they need to go at the bottom #}
  148. {%- if 'matches' in sshd_config %}
  149. {%- for match in sshd_config['matches'].values() %}
  150. Match {{ match['type'].keys()[0] }} {{ match['type'].values()[0] }}
  151. {%- for keyword in match['options'].keys() %}
  152. {{ render_option(keyword, '', config_dict=match['options']) }}
  153. {%- endfor %}
  154. {%- endfor %}
  155. {%- endif %}