Copyright (c) 2013 Salt Stack Formulas | |||||
Copyright (c) 2013-2014 Salt Stack Formulas | |||||
Licensed under the Apache License, Version 2.0 (the "License"); | Licensed under the Apache License, Version 2.0 (the "License"); | ||||
you may not use this file except in compliance with the License. | you may not use this file except in compliance with the License. |
Installs the ``openssh`` server package and service. | Installs the ``openssh`` server package and service. | ||||
``openssh.config`` | |||||
``openssh.auth`` | |||||
----------- | |||||
Manages SSH certificates for users. | |||||
``openssh.banner`` | |||||
------------------ | ------------------ | ||||
Installs the ssh daemon configuration file included in this formula | |||||
(under "openssh/files"). This configuration file is populated | |||||
by values from pillar. ``pillar.example`` results in the generation | |||||
of the default ``sshd_config`` file on Debian Wheezy. | |||||
Installs a banner that users see when SSH-ing in. | |||||
``openssh.client`` | ``openssh.client`` | ||||
------------------ | ------------------ | ||||
Installs the openssh client package. | Installs the openssh client package. | ||||
``openssh.banner`` | |||||
``openssh.config`` | |||||
------------------ | ------------------ | ||||
Installs a banner that users see when SSH-ing in. | |||||
Installs the ssh daemon configuration file included in this formula | |||||
(under "openssh/files"). This configuration file is populated | |||||
by values from pillar. ``pillar.example`` results in the generation | |||||
of the default ``sshd_config`` file on Debian Wheezy. | |||||
include: | |||||
- openssh | |||||
{% from "openssh/map.jinja" import openssh with context %} | |||||
{% set openssh_pillar = pillar.get('openssh', {}) %} | |||||
{% set auth = openssh_pillar.get('auth', {}) %} | |||||
{% for user,keys in auth.items() -%} | |||||
{% for key in keys -%} | |||||
{% if 'present' in key and key['present'] %} | |||||
{{ key['name'] }}: | |||||
ssh_auth.present: | |||||
- user: {{ user }} | |||||
{% if 'source' in key %} | |||||
- source: {{ key['source'] }} | |||||
{% else %} | |||||
{% if 'enc' in key %} | |||||
- enc: {{ key['enc'] }} | |||||
{% endif %} | |||||
{% if 'comment' in key %} | |||||
- comment: {{ key['comment'] }} | |||||
{% endif %} | |||||
{% if 'options' in key %} | |||||
- options: {{ key['options'] }} | |||||
{% endif %} | |||||
{% endif %} | |||||
- require: | |||||
- service: {{ openssh.service }} | |||||
{% else %} | |||||
{{ key['name'] }}: | |||||
ssh_auth.absent: | |||||
- user: {{ user }} | |||||
{% if 'enc' in key %} | |||||
- enc: {{ key['enc'] }} | |||||
{% endif %} | |||||
{% if 'comment' in key %} | |||||
- comment: {{ key['comment'] }} | |||||
{% endif %} | |||||
{% if 'options' in key %} | |||||
- options: {{ key['options'] }} | |||||
{% endif %} | |||||
{% endif %} | |||||
{% endfor %} | |||||
{% endfor %} |
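Review bot: A pillar entry that omits `present` falls through to the `ssh_auth.absent` branch, because the guard `{% if 'present' in key and key['present'] %}` is false when the field is missing, so a forgotten flag silently revokes the key instead of installing it. If removal-by-default is not intended, `{% if key.get('present', True) %}` makes presence the default while keeping `present: False` as the explicit revoke; either way the README should state which behaviour applies. The state ID is the raw public-key text (`{{ key['name'] }}:`), so the same key listed under two users renders as a duplicate ID and the highstate fails rather than producing two authorized_keys entries; an ID such as `{{ user }}_{{ key['name'] }}:` with an explicit `- name: {{ key['name'] }}` avoids that. In the `source:` branch the formula passes the URL through untouched, so pillars should be kept to `salt://` sources unless the fetch is otherwise authenticated; this is inferred from the visible template, not from the README.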
{% set sshd_config = pillar.get('sshd_config', {}) %} | |||||
{% set openssh_pillar = pillar.get('openssh', {}) %} | |||||
{% set sshd_config = openssh_pillar.get('sshd_config', {}) %} | |||||
# This file is managed by salt. Manual changes risk being overwritten. | # This file is managed by salt. Manual changes risk being overwritten. | ||||
# The contents of the original sshd_config are kept on the bottom for | # The contents of the original sshd_config are kept on the bottom for |
sshd_config: | |||||
Port: 22 | |||||
Protocol: 2 | |||||
HostKey: | |||||
- /etc/ssh/ssh_host_rsa_key | |||||
- /etc/ssh/ssh_host_dsa_key | |||||
- /etc/ssh/ssh_host_ecdsa_key | |||||
UsePrivilegeSeparation: yes | |||||
KeyRegenerationInterval: 3600 | |||||
ServerKeyBits: 768 | |||||
SyslogFacility: AUTH | |||||
LogLevel: INFO | |||||
LoginGraceTime: 120 | |||||
PermitRootLogin: yes | |||||
StrictModes: yes | |||||
RSAAuthentication: yes | |||||
PubkeyAuthentication: yes | |||||
IgnoreRhosts: yes | |||||
RhostsRSAAuthentication: no | |||||
HostbasedAuthentication: no | |||||
PermitEmptyPasswords: no | |||||
ChallengeResponseAuthentication: no | |||||
X11Forwarding: yes | |||||
X11DisplayOffset: 10 | |||||
PrintMotd: no | |||||
PrintLastLog: yes | |||||
TCPKeepAlive: yes | |||||
AcceptEnv: "LANG LC_*" | |||||
Subsystem: "sftp /usr/lib/openssh/sftp-server" | |||||
UsePAM: yes | |||||
openssh: | |||||
sshd_config: | |||||
Port: 22 | |||||
Protocol: 2 | |||||
HostKey: | |||||
- /etc/ssh/ssh_host_rsa_key | |||||
- /etc/ssh/ssh_host_dsa_key | |||||
- /etc/ssh/ssh_host_ecdsa_key | |||||
UsePrivilegeSeparation: yes | |||||
KeyRegenerationInterval: 3600 | |||||
ServerKeyBits: 768 | |||||
SyslogFacility: AUTH | |||||
LogLevel: INFO | |||||
LoginGraceTime: 120 | |||||
PermitRootLogin: yes | |||||
StrictModes: yes | |||||
RSAAuthentication: yes | |||||
PubkeyAuthentication: yes | |||||
IgnoreRhosts: yes | |||||
RhostsRSAAuthentication: no | |||||
HostbasedAuthentication: no | |||||
PermitEmptyPasswords: no | |||||
ChallengeResponseAuthentication: no | |||||
X11Forwarding: yes | |||||
X11DisplayOffset: 10 | |||||
PrintMotd: no | |||||
PrintLastLog: yes | |||||
TCPKeepAlive: yes | |||||
AcceptEnv: "LANG LC_*" | |||||
Subsystem: "sftp /usr/lib/openssh/sftp-server" | |||||
UsePAM: yes | |||||
auth: | |||||
joe: | |||||
- name: JOE_VALID_SSH_PUBLIC_KEY | |||||
present: True | |||||
enc: ssh-rsa | |||||
comment: main key | |||||
- name: JOE_NON_VALID_SSH_PUBLIC_KEY | |||||
present: False | |||||
enc: ssh-rsa | |||||
comment: obsolete key - removed | |||||
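Review bot: `PermitRootLogin: yes` in the new `openssh:sshd_config` block ships root login enabled in the example pillar that users tend to copy verbatim; since the formula also manages authorized keys, `PermitRootLogin: without-password` (or `no`) is the safer example and still fits the key-based workflow, with a comment that `yes` is only there to reproduce the Debian Wheezy default the README mentions. The unquoted `yes`/`no` values are YAML 1.1 booleans under Salt's renderer, so the sshd_config template must map `True`/`False` back to sshd's `yes`/`no`; that template is not visible here, so if it does not, quote them (`PermitRootLogin: 'no'`) in the example. `ssh_host_dsa_key`, `ServerKeyBits: 768` and `KeyRegenerationInterval` are legacy (DSA and SSH-1 server-key) parameters that `Protocol: 2` already makes inert or weak; a one-line comment saying they are kept only to mirror the distribution default would stop readers from treating them as recommended settings.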