Saltstack Official OpenSSH Formula
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.

387 linhas
14KB

  1. sshd_config:
  2. # This keyword is totally optional
  3. ConfigBanner: |
  4. # Alternative banner for the config file
  5. # (Indented) hash signs lose their special meaning here
  6. # and the lines will be written as-is.
  7. Port: 22
  8. Protocol: 2
  9. HostKey:
  10. - /etc/ssh/ssh_host_rsa_key
  11. - /etc/ssh/ssh_host_dsa_key
  12. - /etc/ssh/ssh_host_ecdsa_key
  13. - /etc/ssh/ssh_host_ed25519_key
  14. UsePrivilegeSeparation: 'sandbox'
  15. SyslogFacility: AUTH
  16. LogLevel: INFO
  17. ClientAliveInterval: 0
  18. ClientAliveCountMax: 3
  19. LoginGraceTime: 120
  20. PermitRootLogin: 'yes'
  21. PasswordAuthentication: 'no'
  22. StrictModes: 'yes'
  23. MaxAuthTries: 6
  24. MaxSessions: 10
  25. PubkeyAuthentication: 'yes'
  26. AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
  27. AuthorizedKeysCommandUser: 'nobody'
  28. IgnoreRhosts: 'yes'
  29. HostbasedAuthentication: 'no'
  30. PermitEmptyPasswords: 'no'
  31. ChallengeResponseAuthentication: 'no'
  32. AuthenticationMethods: 'publickey,keyboard-interactive'
  33. AuthorizedKeysFile: '%h/.ssh/authorized_keys'
  34. X11Forwarding: 'no'
  35. X11DisplayOffset: 10
  36. PrintMotd: 'yes'
  37. PrintLastLog: 'yes'
  38. TCPKeepAlive: 'yes'
  39. AcceptEnv: "LANG LC_*"
  40. Subsystem: "sftp /usr/lib/openssh/sftp-server"
  41. UsePAM: 'yes'
  42. UseDNS: 'yes'
  43. # set as string
  44. AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
  45. # or set as list
  46. AllowUsers:
  47. - vader@10.0.0.1
  48. - maul@evil.com
  49. - sidious
  50. - luke
  51. # set as string
  52. DenyUsers: 'yoda chewbaca@112.10.21.1'
  53. # or set as list
  54. DenyUsers:
  55. - yoda
  56. - chewbaca@112.10.21.1
  57. # set as string
  58. AllowGroups: 'wheel staff imperial'
  59. # or set as list
  60. AllowGroups:
  61. - wheel
  62. - staff
  63. - imperial
  64. # set as string
  65. DenyGroups: 'rebel'
  66. # or set as list
  67. DenyGroups:
  68. - rebel
  69. - badcompany
  70. matches:
  71. sftp_chroot:
  72. type:
  73. Group: sftpusers
  74. options:
  75. ChrootDirectory: /sftp-chroot/%u
  76. X11Forwarding: no
  77. AllowTcpForwarding: no
  78. ForceCommand: internal-sftp
  79. # Supports complex compound matches in Match criteria. For example, be able
  80. # to match against multiple Users for a given Match, or be able to match
  81. # against address ranges. Or Groups. Or any combination thereof.
  82. #
  83. # Support for matching users can take one of several different appearances
  84. # in pillar data:
  85. match_1:
  86. type:
  87. User: one_user
  88. options:
  89. ChrootDirectory: /ex/%u
  90. match_2:
  91. type:
  92. User:
  93. - jim
  94. - bob
  95. - sally
  96. options:
  97. ChrootDirectory: /ex/%u
  98. # Note the syntax of match_3. By using empty dicts for each user, we can
  99. # leverage Salt's pillar mergine. If we use simple lists, we cannot do
  100. # this; Salt can't merge simple lists, because it doesn't know what order
  101. # they ought to be in.
  102. match_3:
  103. type:
  104. User:
  105. jim: ~
  106. bob: ~
  107. sally: ~
  108. options:
  109. ChrootDirectory: /ex/%u
  110. # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
  111. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  112. # The configuration given in the example below is based on:
  113. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  114. #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
  115. #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  116. #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
  117. KexAlgorithms:
  118. - 'curve25519-sha256@libssh.org'
  119. - 'diffie-hellman-group-exchange-sha256'
  120. Ciphers:
  121. - 'chacha20-poly1305@openssh.com'
  122. - 'aes256-gcm@openssh.com'
  123. - 'aes128-gcm@openssh.com'
  124. - 'aes256-ctr'
  125. - 'aes192-ctr'
  126. - 'aes128-ctr'
  127. MACs:
  128. - 'hmac-sha2-512-etm@openssh.com'
  129. - 'hmac-sha2-256-etm@openssh.com'
  130. - 'umac-128-etm@openssh.com'
  131. - 'hmac-sha2-512'
  132. - 'hmac-sha2-256'
  133. - 'umac-128@openssh.com'
  134. # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
  135. # pillar will overwrite the defaults of your distribution's SSH client. This
  136. # will also force the default configuration for all the SSH clients on the
  137. # machine. This can break SSH connections with servers using older versions of
  138. # openssh. Please make sure you understand the implication of different settings
  139. ssh_config:
  140. Hosts:
  141. '*':
  142. StrictHostKeyChecking: no
  143. ForwardAgent: no
  144. ForwardX11: no
  145. RhostsRSAAuthentication: no
  146. RSAAuthentication: yes
  147. PasswordAuthentication: yes
  148. HostbasedAuthentication: no
  149. GSSAPIAuthentication: no
  150. GSSAPIDelegateCredentials: no
  151. BatchMode: 'yes'
  152. CheckHostIP: 'yes'
  153. AddressFamily: 'any'
  154. ConnectTimeout: 0
  155. IdentityFile: '~/.ssh/id_rsa'
  156. Port: 22
  157. Protocol: 2
  158. Cipher: '3des'
  159. Tunnel: 'no'
  160. TunnelDevice: 'any:any'
  161. PermitLocalCommand: 'no'
  162. VisualHostKey: 'no'
  163. # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
  164. # WARNING! Please make sure you understand the implications of the below
  165. # settings. The examples provided below might break your connection to older /
  166. # legacy openssh servers.
  167. # The configuration given in the example below is based on:
  168. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  169. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  170. #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
  171. #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  172. #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
  173. KexAlgorithms:
  174. - 'curve25519-sha256@libssh.org'
  175. - 'diffie-hellman-group-exchange-sha256'
  176. - 'diffie-hellman-group-exchange-sha1'
  177. - 'diffie-hellman-group14-sha1'
  178. Ciphers:
  179. - 'chacha20-poly1305@openssh.com'
  180. - 'aes256-gcm@openssh.com'
  181. - 'aes128-gcm@openssh.com'
  182. - 'aes256-ctr'
  183. - 'aes192-ctr'
  184. - 'aes128-ctr'
  185. MACs:
  186. - 'hmac-sha2-512-etm@openssh.com'
  187. - 'hmac-sha2-256-etm@openssh.com'
  188. - 'umac-128-etm@openssh.com'
  189. - 'hmac-sha2-512'
  190. - 'hmac-sha2-256'
  191. - 'umac-128@openssh.com'
  192. openssh:
  193. # Instead of adding a custom banner file you can set it in pillar
  194. banner_string: |
  195. Welcome to {{ grains['id'] }}!
  196. # Set installed package version
  197. server_version: latest
  198. client_version: latest
  199. # Controls if SSHD should be enabled/started
  200. sshd_enable: true
  201. auth:
  202. joe-valid-ssh-key-desktop:
  203. - user: joe
  204. present: True
  205. enc: ssh-rsa
  206. comment: main key - desktop
  207. source: salt://ssh_keys/joe.desktop.pub
  208. joe-valid-ssh-key-notebook:
  209. - user: joe
  210. present: True
  211. enc: ssh-rsa
  212. comment: main key - notebook
  213. source: salt://ssh_keys/joe.netbook.pub
  214. joe-non-valid-ssh-key:
  215. - user: joe
  216. present: False
  217. enc: ssh-rsa
  218. comment: obsolete key - removed
  219. source: salt://ssh_keys/joe.no-valid.pub
  220. # Maps users to source files
  221. # Designed to play nice with ext_pillar
  222. # salt.states.ssh_auth: If source is set, comment and enc will be ignored
  223. auth_map:
  224. personal_keys: # store name
  225. source: salt://ssh_keys
  226. users:
  227. joe:
  228. joe.desktop: {}
  229. joe.netbook:
  230. options: [] # see salt.states.ssh_auth.present
  231. joe.no-valid:
  232. present: False
  233. generate_dsa_keys: False
  234. absent_dsa_keys: False
  235. provide_dsa_keys: False
  236. dsa:
  237. private_key: |
  238. -----BEGIN DSA PRIVATE KEY-----
  239. NOT_DEFINED
  240. -----END DSA PRIVATE KEY-----
  241. public_key: |
  242. ssh-dss NOT_DEFINED
  243. generate_ecdsa_keys: False
  244. absent_ecdsa_keys: False
  245. provide_ecdsa_keys: False
  246. ecdsa:
  247. private_key: |
  248. -----BEGIN EC PRIVATE KEY-----
  249. NOT_DEFINED
  250. -----END EC PRIVATE KEY-----
  251. public_key: |
  252. ecdsa-sha2-nistp256 NOT_DEFINED
  253. generate_rsa_keys: False
  254. generate_rsa_size: 4096
  255. # Will remove the old key if it is to short and generate a new one.
  256. enforce_rsa_size: False
  257. absent_rsa_keys: False
  258. provide_rsa_keys: False
  259. rsa:
  260. private_key: |
  261. -----BEGIN RSA PRIVATE KEY-----
  262. NOT_DEFINED
  263. -----END RSA PRIVATE KEY-----
  264. public_key: |
  265. ssh-rsa NOT_DEFINED
  266. generate_ed25519_keys: False
  267. absent_ed25519_keys: False
  268. provide_ed25519_keys: False
  269. ed25519:
  270. private_key: |
  271. -----BEGIN OPENSSH PRIVATE KEY-----
  272. NOT_DEFINED
  273. -----END OPENSSH PRIVATE KEY-----
  274. public_key: |
  275. ssh-ed25519 NOT_DEFINED
  276. known_hosts:
  277. # The next 2 settings restrict the set of minions that will be added in
  278. # the generated ssh_known_hosts files (the default is to match all minions)
  279. target: '*'
  280. tgt_type: 'glob'
  281. # Name of mining functions used to gather public keys and hostnames
  282. # (the default values are shown here)
  283. mine_keys_function: public_ssh_host_keys
  284. mine_hostname_function: public_ssh_hostname
  285. # List of DNS entries also pointing to our managed machines and that we want
  286. # to inject in our generated ssh_known_hosts file
  287. aliases:
  288. - cname-to-minion.example.org
  289. - alias.example.org
  290. # Includes short hostnames derived from the FQDN
  291. # (host.example.test -> host)
  292. # (Deactivated by default, because there can be collisions!)
  293. hostnames: False
  294. #hostnames:
  295. # Restrict wich hosts you want to use via their hostname
  296. # (i.e. ssh user@host instead of ssh user@host.example.com)
  297. # target: '*' # Defaults to "*.{{ grains['domain']}}"
  298. # tgt_type: 'glob'
  299. # To activate the defaults you can just set an empty dict.
  300. #hostnames: {}
  301. # Include localhost, 127.0.0.1 and ::1 (default: False)
  302. include_localhost: False
  303. # Host keys fetched via salt-ssh
  304. salt_ssh:
  305. # The salt-ssh user
  306. user: salt-master
  307. # specify public host names of a minion
  308. public_ssh_host_names:
  309. minion.id:
  310. - minion.id
  311. - alias.of.minion.id
  312. # specify public host keys of a minion
  313. public_ssh_host_keys:
  314. minion.id: |
  315. ssh-rsa [...]
  316. ssh-ed25519 [...]
  317. # Here you can list keys for hosts which are not among your minions:
  318. static:
  319. github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
  320. gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
  321. # specify DH parameters (see /etc/ssh/moduli)
  322. moduli: |
  323. # Time Type Tests Tries Size Generator Modulus
  324. 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
  325. 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
  326. 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
  327. 20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
  328. # ALTERNATIVELY, specify the location of the moduli file. Examples:
  329. #moduli_source: http://some.server.somewhere/salt/moduli
  330. #moduli_source: salt://files/ssh/moduli
  331. # If moduli is specified, moduli_source will be ignored.
  332. # Also, a proper hash file *must* be included in the same path. E.g.:
  333. # http://some.server.somewhere/salt/moduli.hash
  334. # salt://files/ssh/moduli.hash
  335. # These will be automatically referenced to by the ssh_moduli state.
  336. # Required for openssh.known_hosts
  337. mine_functions:
  338. public_ssh_host_keys:
  339. mine_function: cmd.run
  340. cmd: cat /etc/ssh/ssh_host_*_key.pub
  341. python_shell: True
  342. public_ssh_hostname:
  343. mine_function: grains.get
  344. key: id
  345. tofs:
  346. # The files_switch key serves as a selector for alternative
  347. # directories under the formula files directory. See TOFS pattern
  348. # doc for more info.
  349. # Note: Any value not evaluated by `config.get` will be used literally.
  350. # This can be used to set custom paths, as many levels deep as required.
  351. # files_switch:
  352. # - any/path/can/be/used/here
  353. # - id
  354. # - role
  355. # - osfinger
  356. # - os
  357. # - os_family
  358. # All aspects of path/file resolution are customisable using the options below.
  359. # This is unnecessary in most cases; there are sensible defaults.
  360. # path_prefix: template_alt
  361. # dirs:
  362. # files: files_alt
  363. # default: default_alt
  364. source_files:
  365. manage ssh_known_hosts file:
  366. - alt_ssh_known_hosts
  367. sshd_config:
  368. - alt_sshd_config
  369. ssh_config:
  370. - alt_ssh_config
  371. sshd_banner:
  372. - fire_banner