ExternalMirrors
/
openssh-formula
miroir de https://github.com/saltstack-formulas/openssh-formula
Suivre 1
Ajouter aux favoris 0
Bifurcation 1
Code Tickets 0 Versions 27 Wiki Activité
Saltstack Official OpenSSH Formula
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
283 Révisions
3 Branches
Aborescence: 193ff7e97e
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '193ff7e97e'
${ noResults }
openssh-formula/openssh/files/default/sshd_config

233 lines
8.2KB
Brut Annotations Historique 

  1. {% from "openssh/map.jinja" import sshd_config with context %}

  2. {#- present in sshd_config and known in actual file options -#}

  3. {%- set processed_options = [] -%}

  4. 

  5. {#- generic renderer used for sshd matches, known options, -#}

  6. {#- and unknown options -#}

  7. {%- macro render_option(keyword, config_dict=sshd_config) -%}

  8. {%-   set value = config_dict.get(keyword) -%}

  9. {%-   if value is sameas true -%}

  10.         {{ keyword }} yes

  11. {%    elif value is sameas false -%}

  12.         {{ keyword }} no

  13. {%    elif value is string or value is number -%}

  14.         {{ keyword }} {{ value }}

  15. {%    else -%}

  16. {%-     for single_value in value -%}

  17. {{ keyword }} {{ single_value }}

  18. {%      endfor -%}

  19. {%-   endif -%}

  20. {%- endmacro -%}

  21. 

  22. {#- macros for render option if present -#}

  23. {%- macro option(keyword, present) -%}

  24. {%-   if keyword in sshd_config -%}

  25. {%-     do processed_options.append(keyword) -%}

  26.         {{ render_option(keyword) }}

  27. {%-   endif -%}

  28. {%- endmacro -%}

  29. 

  30. {#- macro for collapsing a list into a string -#}

  31. {%- macro option_collapselist(keyword, sep, config_dict=None) -%}

  32. {%-   if config_dict is sameas None -%}

  33. {%-     do processed_options.append(keyword) -%}

  34. {%-     set config_dict = sshd_config -%}

  35. {%-   endif -%}

  36.       {{ keyword }} {{ config_dict.get(keyword) | join(sep) }}

  37. {% endmacro -%}

  38. 

  39. {#- macro for handling an option that can be specified as a list or a string -#}

  40. {%- macro option_string_or_list(keyword, sep=',') -%}

  41. {%-   if sshd_config.get(keyword, '') is string -%}

  42.         {{ option(keyword) }}

  43. {%-   else -%}

  44.         {{ option_collapselist(keyword, sep) }}

  45. {%-   endif -%}

  46. {%- endmacro -%}

  47. 

  48. {#- macro for conditionally joining a string, list or dict(keys) to just a string -#}

  49. {%- macro join_to_string(src, keyword, sep=',') -%}

  50. {%-   set srcval = src.get(keyword, '') -%}

  51. {%-   if srcval is string -%}

  52.         {{ srcval }}

  53. {%-   elif srcval is mapping  -%}

  54.         {{ srcval.keys() | sort | join(sep) }}

  55. {%-   else -%}

  56.         {{ srcval | join(sep) }}

  57. {%-   endif -%}

  58. {%- endmacro -%}

  59. 

  60. {%- if sshd_config.get('ConfigBanner', False) -%}

  61. {%-   do processed_options.append('ConfigBanner') -%}

  62.       {{ sshd_config['ConfigBanner'] }}

  63. {%- else -%}

  64. # This file is managed by salt. Manual changes risk being overwritten.

  65. {%- endif %}

  66. {%- set global_src_url = salt ['pillar.get']('__formulas:print_template_url', None) %}

  67. {%- set local_src_url = salt ['pillar.get']('openssh-formula:print_template_url', None) %}

  68. {%- if (global_src_url and local_src_url is none) or local_src_url %}

  69. #

  70. # Template used to generate this file:

  71. # {{ source }}

  72. #

  73. {%- endif %}

  74. # The contents of the original sshd_config are kept on the bottom for

  75. # quick reference.

  76. # See the sshd_config(5) manpage for details

  77. 

  78. {#  Specifies which address family should be used by sshd(8). -#}

  79. {#- Valid arguments are any, inet (use IPv4 only), or inet6 (use IPv6 only) -#}

  80. {{- option('AddressFamily') -}}

  81. 

  82. {#- What ports, IPs and protocols we listen for -#}

  83. {{- option('Port') -}}

  84. {#- Use these options to restrict which interfaces/protocols sshd will bind to -#}

  85. {{- option('ListenAddress') -}}

  86. {{- option('Protocol') -}}

  87. {#- HostKeys for protocol version 2 -#}

  88. {{- option('HostKey') -}}

  89. 

  90. {#- Privilege Separation is turned on for security -#}

  91. {{- option('UsePrivilegeSeparation') -}}

  92. 

  93. {#- Logging -#}

  94. {{- option('SyslogFacility') -}}

  95. {{- option('LogLevel') -}}

  96. 

  97. {#- Session idle time out -#}

  98. {{- option('ClientAliveInterval') -}}

  99. {{- option('ClientAliveCountMax') -}}

  100. 

  101. {#- Authentication: -#}

  102. {{- option('LoginGraceTime') -}}

  103. {{- option('PermitRootLogin') -}}

  104. {{- option('StrictModes') -}}

  105. {{- option('MaxAuthTries') -}}

  106. {{- option('MaxSessions') -}}

  107. 

  108. {{- option('PubkeyAuthentication') -}}

  109. {{- option('AuthorizedKeysFile') -}}

  110. {{- option('AuthorizedKeysCommand') -}}

  111. {{- option('AuthorizedKeysCommandUser') -}}

  112. 

  113. {#- Don't read the user's ~/.rhosts and ~/.shosts files -#}

  114. {{- option('IgnoreRhosts') -}}

  115. {#- similar for protocol version 2 -#}

  116. {{- option('HostbasedAuthentication') -}}

  117. {#- Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#}

  118. {{- option('IgnoreUserKnownHosts') -}}

  119. 

  120. {#- To enable empty passwords, change to yes (NOT RECOMMENDED) -#}

  121. {{- option('PermitEmptyPasswords') -}}

  122. 

  123. {#- Change to yes to enable challenge-response passwords (beware issues with -#}

  124. {#- some PAM modules and threads) -#}

  125. {{- option('ChallengeResponseAuthentication') -}}

  126. {{- option('AuthenticationMethods') -}}

  127. 

  128. {#- Change to no to disable tunnelled clear text passwords -#}

  129. {{- option('PasswordAuthentication') -}}

  130. 

  131. {#- Kerberos options -#}

  132. {{- option('KerberosAuthentication') -}}

  133. {{- option('KerberosGetAFSToken') -}}

  134. {{- option('KerberosOrLocalPasswd') -}}

  135. {{- option('KerberosTicketCleanup') -}}

  136. 

  137. {#- GSSAPI options -#}

  138. {{- option('GSSAPIAuthentication') -}}

  139. {{- option('GSSAPICleanupCredentials') -}}

  140. 

  141. {{- option('X11Forwarding') -}}

  142. {{- option('AllowTcpForwarding') -}}

  143. {{- option('X11DisplayOffset') -}}

  144. {{- option('PrintMotd') -}}

  145. {#- Bug in FreeBSD 10.3 (?) See https://lists.freebsd.org/pipermail/freebsd-stable/2016-April/084501.html -#}

  146. {% if not (salt['grains.get']('os') == 'FreeBSD' and salt['grains.get']('osrelease')|float >= 10.3) -%}

  147. {{- option('PrintLastLog') -}}

  148. {% endif -%}

  149. {{- option('TCPKeepAlive') -}}

  150. {{- option('UseLogin') -}}

  151. 

  152. {{- option('MaxStartups') -}}

  153. {{- option('Banner') -}}

  154. 

  155. {#- Allow client to pass locale environment variables -#}

  156. {{- option('AcceptEnv') -}}

  157. 

  158. {{- option('Subsystem') -}}

  159. 

  160. {% if not salt['grains.get']('os') == 'OpenBSD' -%}

  161. {#- Set this to 'yes' to enable PAM authentication, account processing, -#}

  162. {#- and session processing. If this is enabled, PAM authentication will -#}

  163. {#- be allowed through the ChallengeResponseAuthentication and -#}

  164. {#- PasswordAuthentication.  Depending on your PAM configuration, -#}

  165. {#- PAM authentication via ChallengeResponseAuthentication may bypass -#}

  166. {#- the setting of "PermitRootLogin without-password". -#}

  167. {#- If you just want the PAM account and session checks to run without -#}

  168. {#- PAM authentication, then enable this but set PasswordAuthentication -#}

  169. {#- and ChallengeResponseAuthentication to 'no'. -#}

  170. {{- option('UsePAM') -}}

  171. {%- endif %}

  172. 

  173. {#- DNS resolve and map remote IP addresses -#}

  174. {{- option('UseDNS') -}}

  175. 

  176. {#- Restricting Users and Hosts -#}

  177. {#- example: -#}

  178. {#-  AllowUsers vader@10.0.0.1 maul@sproing.evil.com luke -#}

  179. {#-  AllowGroups wheel staff -#}

  180. 

  181. {#- Keep in mind that using AllowUsers or AllowGroups means that anyone -#}

  182. {#- not Matching one of the supplied patterns will be denied access by default. -#}

  183. {#- Also, in order for sshd to allow access based on full or partial hostnames it -#}

  184. {#- needs to to a DNS lookup -#}

  185. 

  186. {# DenyUsers -#}

  187. {{- option_string_or_list('DenyUsers', sep=' ') }}

  188. {# AllowUsers -#}

  189. {{- option_string_or_list('AllowUsers', sep=' ') }}

  190. {# DenyGroups -#}

  191. {{- option_string_or_list('DenyGroups', sep=' ') }}

  192. {# AllowGroups -#}

  193. {{- option_string_or_list('AllowGroups', sep=' ') }}{{ "\n" -}}

  194. 

  195. 

  196. {#- Specifies the available KEX (Key Exchange) algorithms. -#}

  197. {{- option_string_or_list('KexAlgorithms') -}}

  198. 

  199. {#- Specifies the ciphers allowed for protocol version 2. -#}

  200. {{- option_string_or_list('Ciphers') -}}

  201. 

  202. {#- Specifies the available MAC (message authentication code) algorithms. -#}

  203. {{- option_string_or_list('MACs') -}}

  204. 

  205. {#- Handling unknown in salt template options -#}

  206. {%- for keyword in sshd_config.keys() %}

  207. {#-   Matches have to be at the bottom and should be handled differently -#}

  208. {%-   if not keyword in processed_options and keyword != 'matches' -%}

  209. {{- render_option(keyword) -}}

  210. {%    endif -%}

  211. {%- endfor %}

  212. 

  213. {#- Handle matches last as they need to go at the bottom -#}

  214. {%- if 'matches' in sshd_config %}

  215.   {%- for name, match in sshd_config['matches']|dictsort(true) %}

  216. Match

  217.     {#- Set up the match criteria -#}

  218.     {%- for criteria in match['type'].keys()|sort() -%}

  219.       {{ ' ' -}}{{criteria }} {{ join_to_string(match['type'], criteria) }}

  220.     {%- endfor %} #{{- name }}

  221. {#  Set up the applied options -#}

  222.     {%- for keyword in match['options'].keys()|sort() -%}

  223.       {%- if keyword in ['AllowUsers', 'DenyUsers', 'AllowGroups', 'DenyGroups'] -%}

  224.             {{ option_collapselist(keyword, ' ', config_dict=match['options']) | indent(4, true) }}

  225. {%        else -%}

  226.             {{ render_option(keyword, config_dict=match['options']) | indent(4, true) }}

  227. {%        endif -%}

  228. {%-     endfor %}

  229.   {%- endfor %}

  230. {%- endif %}

  231. 

  232. {#- vim: set ft=jinja : -#}