10 年之前 · 2f28a008c2
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -18,126 +18,3 @@
        {%- endfor %}
    {%- endif %}
 {%- endfor %}

 # What ports, IPs and protocols we listen for
 #Port 22
 # Use these options to restrict which interfaces/protocols sshd will bind to
 #ListenAddress ::
 #ListenAddress 0.0.0.0
 #Protocol 2
 # HostKeys for protocol version 2
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #Privilege Separation is turned on for security
 #UsePrivilegeSeparation yes

 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 3600
 #ServerKeyBits 768

 # Logging
 #SyslogFacility AUTH
 #LogLevel INFO

 # Authentication:
 #LoginGraceTime 120
 #PermitRootLogin yes
 #StrictModes yes

 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	%h/.ssh/authorized_keys

 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
 #HostbasedAuthentication no
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes

 # To enable empty passwords, change to yes (NOT RECOMMENDED)
 #PermitEmptyPasswords no

 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 #ChallengeResponseAuthentication no

 # Change to no to disable tunnelled clear text passwords
 #PasswordAuthentication yes

 # Kerberos options
 #KerberosAuthentication no
 #KerberosGetAFSToken no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes

 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes

 #X11Forwarding yes
 #X11DisplayOffset 10
 #PrintMotd no
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no

 #MaxStartups 10:30:60
 #Banner /etc/issue.net

 # Allow client to pass locale environment variables
 #AcceptEnv LANG LC_*

 #Subsystem sftp /usr/lib/openssh/sftp-server

 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes

 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 PrintMotd no # pam does that
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
 {% if grains['os_family'] == 'RedHat' %}
 UsePrivilegeSeparation yes              # RedHat/Centos 6.4 and earlier currently ship 5.3 (sandbox introduced in OpenSSH 5.9)
 {% else %}
 UsePrivilegeSeparation sandbox		# Default for new installations.
 {% endif %}
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none

 # no default banner path
 Banner /etc/ssh/banner

 # override default of no subsystems
 Subsystem	sftp	/usr/lib/ssh/sftp-server

 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
--- a/pillar.example
+++ b/pillar.example
@@ -12,6 +12,7 @@ sshd_config:
  LogLevel: INFO
  LoginGraceTime: 120
  PermitRootLogin: yes
  PasswordAuthentication: no
  StrictModes: yes
  RSAAuthentication: yes
  PubkeyAuthentication: yes