Saltstack Official OpenSSH Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

pillar.example 12KB

10 yıl önce
7 yıl önce
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305
  1. sshd_config:
  2. # This keyword is totally optional
  3. ConfigBanner: |
  4. # Alternative banner for the config file
  5. # (Indented) hash signs lose their special meaning here
  6. # and the lines will be written as-is.
  7. Port: 22
  8. Protocol: 2
  9. HostKey:
  10. - /etc/ssh/ssh_host_rsa_key
  11. - /etc/ssh/ssh_host_dsa_key
  12. - /etc/ssh/ssh_host_ecdsa_key
  13. - /etc/ssh/ssh_host_ed25519_key
  14. UsePrivilegeSeparation: 'yes'
  15. KeyRegenerationInterval: 3600
  16. ServerKeyBits: 1024
  17. SyslogFacility: AUTH
  18. LogLevel: INFO
  19. ClientAliveInterval: 0
  20. ClientAliveCountMax: 3
  21. LoginGraceTime: 120
  22. PermitRootLogin: 'yes'
  23. PasswordAuthentication: 'no'
  24. StrictModes: 'yes'
  25. MaxAuthTries: 6
  26. MaxSessions: 10
  27. RSAAuthentication: 'yes'
  28. PubkeyAuthentication: 'yes'
  29. AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
  30. AuthorizedKeysCommandUser: 'nobody'
  31. IgnoreRhosts: 'yes'
  32. RhostsRSAAuthentication: 'no'
  33. HostbasedAuthentication: 'no'
  34. PermitEmptyPasswords: 'no'
  35. ChallengeResponseAuthentication: 'no'
  36. AuthenticationMethods: 'publickey,keyboard-interactive'
  37. AuthorizedKeysFile: '%h/.ssh/authorized_keys'
  38. X11Forwarding: 'no'
  39. X11DisplayOffset: 10
  40. PrintMotd: 'yes'
  41. PrintLastLog: 'yes'
  42. TCPKeepAlive: 'yes'
  43. AcceptEnv: "LANG LC_*"
  44. Subsystem: "sftp /usr/lib/openssh/sftp-server"
  45. UsePAM: 'yes'
  46. UseDNS: 'yes'
  47. AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
  48. DenyUsers: 'yoda chewbaca@112.10.21.1'
  49. AllowGroups: 'wheel staff imperial'
  50. DenyGroups: 'rebel'
  51. matches:
  52. sftp_chroot:
  53. type:
  54. Group: sftpusers
  55. options:
  56. ChrootDirectory: /sftp-chroot/%u
  57. X11Forwarding: no
  58. AllowTcpForwarding: no
  59. ForceCommand: internal-sftp
  60. # Supports complex compound matches in Match criteria. For example, be able
  61. # to match against multiple Users for a given Match, or be able to match
  62. # against address ranges. Or Groups. Or any combination thereof.
  63. #
  64. # Support for matching users can take one of several different appearances
  65. # in pillar data:
  66. match_1:
  67. type:
  68. User: one_user
  69. options:
  70. ChrootDirectory: /ex/%u
  71. match_2:
  72. type:
  73. User:
  74. - jim
  75. - bob
  76. - sally
  77. options:
  78. ChrootDirectory: /ex/%u
  79. # Note the syntax of match_3. By using empty dicts for each user, we can
  80. # leverage Salt's pillar mergine. If we use simple lists, we cannot do
  81. # this; Salt can't merge simple lists, because it doesn't know what order
  82. # they ought to be in.
  83. match_3:
  84. type:
  85. User:
  86. jim: ~
  87. bob: ~
  88. sally: ~
  89. options:
  90. ChrootDirectory: /ex/%u
  91. # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
  92. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  93. # The configuration given in the example below is based on:
  94. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  95. #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
  96. #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  97. #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
  98. KexAlgorithms:
  99. - 'curve25519-sha256@libssh.org'
  100. - 'diffie-hellman-group-exchange-sha256'
  101. Ciphers:
  102. - 'chacha20-poly1305@openssh.com'
  103. - 'aes256-gcm@openssh.com'
  104. - 'aes128-gcm@openssh.com'
  105. - 'aes256-ctr'
  106. - 'aes192-ctr'
  107. - 'aes128-ctr'
  108. MACs:
  109. - 'hmac-sha2-512-etm@openssh.com'
  110. - 'hmac-sha2-256-etm@openssh.com'
  111. - 'hmac-ripemd160-etm@openssh.com'
  112. - 'umac-128-etm@openssh.com'
  113. - 'hmac-sha2-512'
  114. - 'hmac-sha2-256'
  115. - 'hmac-ripemd160'
  116. - 'umac-128@openssh.com'
  117. # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
  118. # pillar will overwrite the defaults of your distribution's SSH client. This
  119. # will also force the default configuration for all the SSH clients on the
  120. # machine. This can break SSH connections with servers using older versions of
  121. # openssh. Please make sure you understand the implication of different settings
  122. ssh_config:
  123. StrictHostKeyChecking: no
  124. ForwardAgent: no
  125. ForwardX11: no
  126. RhostsRSAAuthentication: no
  127. RSAAuthentication: yes
  128. PasswordAuthentication: yes
  129. HostbasedAuthentication: no
  130. GSSAPIAuthentication: no
  131. GSSAPIDelegateCredentials: no
  132. BatchMode: 'yes'
  133. CheckHostIP: 'yes'
  134. AddressFamily: 'any'
  135. ConnectTimeout: 0
  136. IdentityFile: '~/.ssh/id_rsa'
  137. Port: 22
  138. Protocol: 2
  139. Cipher: '3des'
  140. Tunnel: 'no'
  141. TunnelDevice: 'any:any'
  142. PermitLocalCommand: 'no'
  143. VisualHostKey: 'no'
  144. # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
  145. # WARNING! Please make sure you understand the implications of the below
  146. # settings. The examples provided below might break your connection to older /
  147. # legacy openssh servers.
  148. # The configuration given in the example below is based on:
  149. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  150. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  151. #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
  152. #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  153. #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
  154. KexAlgorithms:
  155. - 'curve25519-sha256@libssh.org'
  156. - 'diffie-hellman-group-exchange-sha256'
  157. - 'diffie-hellman-group-exchange-sha1'
  158. - 'diffie-hellman-group14-sha1'
  159. Ciphers:
  160. - 'chacha20-poly1305@openssh.com'
  161. - 'aes256-gcm@openssh.com'
  162. - 'aes128-gcm@openssh.com'
  163. - 'aes256-ctr'
  164. - 'aes192-ctr'
  165. - 'aes128-ctr'
  166. MACs:
  167. - 'hmac-sha2-512-etm@openssh.com'
  168. - 'hmac-sha2-256-etm@openssh.com'
  169. - 'hmac-ripemd160-etm@openssh.com'
  170. - 'umac-128-etm@openssh.com'
  171. - 'hmac-sha2-512'
  172. - 'hmac-sha2-256'
  173. - 'hmac-ripemd160'
  174. - 'umac-128@openssh.com'
  175. openssh:
  176. # Instead of adding a custom banner file you can set it in pillar
  177. banner_string: |
  178. Welcome to {{ grains['id'] }}!
  179. # Controls if SSHD should be enabled/started
  180. sshd_enable: true
  181. auth:
  182. joe-valid-ssh-key-desktop:
  183. - user: joe
  184. present: True
  185. enc: ssh-rsa
  186. comment: main key - desktop
  187. source: salt://ssh_keys/joe.desktop.pub
  188. joe-valid-ssh-key-notebook:
  189. - user: joe
  190. present: True
  191. enc: ssh-rsa
  192. comment: main key - notebook
  193. source: salt://ssh_keys/joe.netbook.pub
  194. joe-non-valid-ssh-key:
  195. - user: joe
  196. present: False
  197. enc: ssh-rsa
  198. comment: obsolete key - removed
  199. source: salt://ssh_keys/joe.no-valid.pub
  200. # Maps users to source files
  201. # Designed to play nice with ext_pillar
  202. # salt.states.ssh_auth: If source is set, comment and enc will be ignored
  203. auth_map:
  204. personal_keys: # store name
  205. source: salt://ssh_keys
  206. users:
  207. joe:
  208. joe.desktop: {}
  209. joe.netbook:
  210. options: [] # see salt.states.ssh_auth.present
  211. joe.no-valid:
  212. present: False
  213. generate_dsa_keys: False
  214. absent_dsa_keys: False
  215. provide_dsa_keys: False
  216. dsa:
  217. private_key: |
  218. -----BEGIN DSA PRIVATE KEY-----
  219. NOT_DEFINED
  220. -----END DSA PRIVATE KEY-----
  221. public_key: |
  222. ssh-dss NOT_DEFINED
  223. generate_ecdsa_keys: False
  224. absent_ecdsa_keys: False
  225. provide_ecdsa_keys: False
  226. ecdsa:
  227. private_key: |
  228. -----BEGIN EC PRIVATE KEY-----
  229. NOT_DEFINED
  230. -----END EC PRIVATE KEY-----
  231. public_key: |
  232. ecdsa-sha2-nistp256 NOT_DEFINED
  233. generate_rsa_keys: False
  234. generate_rsa_size: 4096
  235. # Will remove the old key if it is to short and generate a new one.
  236. enforce_rsa_size: False
  237. absent_rsa_keys: False
  238. provide_rsa_keys: False
  239. rsa:
  240. private_key: |
  241. -----BEGIN RSA PRIVATE KEY-----
  242. NOT_DEFINED
  243. -----END RSA PRIVATE KEY-----
  244. public_key: |
  245. ssh-rsa NOT_DEFINED
  246. generate_ed25519_keys: False
  247. absent_ed25519_keys: False
  248. provide_ed25519_keys: False
  249. ed25519:
  250. private_key: |
  251. -----BEGIN OPENSSH PRIVATE KEY-----
  252. NOT_DEFINED
  253. -----END OPENSSH PRIVATE KEY-----
  254. public_key: |
  255. ssh-ed25519 NOT_DEFINED
  256. known_hosts:
  257. # The next 2 settings restrict the set of minions that will be added in
  258. # the generated ssh_known_hosts files (the default is to match all minions)
  259. target: '*'
  260. expr_form: 'glob'
  261. # Name of mining functions used to gather public keys and hostnames
  262. # (the default values are shown here)
  263. mine_keys_function: public_ssh_host_keys
  264. mine_hostname_function: public_ssh_hostname
  265. # List of DNS entries also pointing to our managed machines and that we want
  266. # to inject in our generated ssh_known_hosts file
  267. aliases:
  268. - cname-to-minion.example.org
  269. - alias.example.org
  270. # specify DH parameters (see /etc/ssh/moduli)
  271. moduli: |
  272. # Time Type Tests Tries Size Generator Modulus
  273. 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
  274. 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
  275. 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
  276. 20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
  277. # ALTERNATIVELY, specify the location of the moduli file. Examples:
  278. #moduli_source: http://some.server.somewhere/salt/moduli
  279. #moduli_source: salt://files/ssh/moduli
  280. # If moduli is specified, moduli_source will be ignored.
  281. # Also, a proper hash file *must* be included in the same path. E.g.:
  282. # http://some.server.somewhere/salt/moduli.hash
  283. # salt://files/ssh/moduli.hash
  284. # These will be automatically referenced to by the ssh_moduli state.
  285. # Required for openssh.known_hosts
  286. mine_functions:
  287. public_ssh_host_keys:
  288. mine_function: cmd.run
  289. cmd: cat /etc/ssh/ssh_host_*_key.pub
  290. python_shell: True
  291. public_ssh_hostname:
  292. mine_function: grains.get
  293. key: id