ExternalMirrors
/
openssh-formula
miroir de https://github.com/saltstack-formulas/openssh-formula
Suivre 1
Ajouter aux favoris 0
Bifurcation 1
Code Tickets 0 Versions 27 Wiki Activité
Saltstack Official OpenSSH Formula
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
407 Révisions
3 Branches
Aborescence: 340cc0abe7
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '340cc0abe7'
${ noResults }
openssh-formula/pillar.example

402 lines
15KB
Brut Annotations Historique 

  1. # -*- coding: utf-8 -*-

  2. # vim: ft=yaml

  3. ---

  4. sshd_config:

  5.   # This keyword is totally optional

  6.   ConfigBanner: |

  7.     # Alternative banner for the config file

  8.     # (Indented) hash signs lose their special meaning here

  9.     # and the lines will be written as-is.

  10.   Port: 22

  11.   Protocol: 2

  12.   HostKey:

  13.     - /etc/ssh/ssh_host_rsa_key

  14.     - /etc/ssh/ssh_host_dsa_key

  15.     - /etc/ssh/ssh_host_ecdsa_key

  16.     - /etc/ssh/ssh_host_ed25519_key

  17.   SyslogFacility: AUTH

  18.   LogLevel: INFO

  19.   ClientAliveInterval: 0

  20.   ClientAliveCountMax: 3

  21.   LoginGraceTime: 120

  22.   PermitRootLogin: 'yes'

  23.   PasswordAuthentication: 'no'

  24.   StrictModes: 'yes'

  25.   MaxAuthTries: 6

  26.   MaxSessions: 10

  27.   PubkeyAuthentication: 'yes'

  28.   AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'

  29.   AuthorizedKeysCommandUser: 'nobody'

  30.   IgnoreRhosts: 'yes'

  31.   HostbasedAuthentication: 'no'

  32.   PermitEmptyPasswords: 'no'

  33.   ChallengeResponseAuthentication: 'no'

  34.   AuthenticationMethods: 'publickey'

  35.   AuthorizedKeysFile: '%h/.ssh/authorized_keys'

  36.   X11Forwarding: 'no'

  37.   X11DisplayOffset: 10

  38.   PrintMotd: 'yes'

  39.   PrintLastLog: 'yes'

  40.   TCPKeepAlive: 'yes'

  41.   AcceptEnv: "LANG LC_*"

  42.   Subsystem: "sftp /usr/lib/openssh/sftp-server"

  43.   UsePAM: 'yes'

  44.   UseDNS: 'yes'

  45.   # set as string

  46.   # AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'

  47.   # or set as list

  48.   AllowUsers:

  49.     - vader@10.0.0.1

  50.     - maul@evil.com

  51.     - sidious

  52.     - luke

  53.   # set as string

  54.   # DenyUsers: 'yoda chewbaca@112.10.21.1'

  55.   # or set as list

  56.   DenyUsers:

  57.     - yoda

  58.     - chewbaca@112.10.21.1

  59.   # set as string

  60.   # AllowGroups: 'wheel staff imperial'

  61.   # or set as list

  62.   AllowGroups:

  63.     - wheel

  64.     - staff

  65.     - imperial

  66.   # set as string

  67.   # DenyGroups: 'rebel'

  68.   # or set as list

  69.   DenyGroups:

  70.     - rebel

  71.     - badcompany

  72.   matches:

  73.     sftp_chroot:

  74.       type:

  75.         Group: sftpusers

  76.       options:

  77.         ChrootDirectory: /sftp-chroot/%u

  78.         X11Forwarding: 'no'

  79.         AllowTcpForwarding: 'no'

  80.         ForceCommand: internal-sftp

  81.     # Supports complex compound matches in Match criteria. For example, be able

  82.     # to match against multiple Users for a given Match, or be able to match

  83.     # against address ranges. Or Groups. Or any combination thereof.

  84.     #

  85.     # Support for matching users can take one of several different appearances

  86.     # in pillar data:

  87.     match_1:

  88.       type:

  89.         User: one_user

  90.       options:

  91.         ChrootDirectory: /ex/%u

  92.     match_2:

  93.       type:

  94.         User:

  95.           - jim

  96.           - bob

  97.           - sally

  98.       options:

  99.         ChrootDirectory: /ex/%u

  100.     # Note the syntax of match_3. By using empty dicts for each user, we can

  101.     # leverage Salt's pillar mergine. If we use simple lists, we cannot do

  102.     # this; Salt can't merge simple lists, because it doesn't know what order

  103.     # they ought to be in.

  104.     match_3:

  105.       type:

  106.         User:

  107.           jim: ~

  108.           bob: ~

  109.           sally: ~

  110.       options:

  111.         ChrootDirectory: /ex/%u

  112. 

  113.   # yamllint disable rule:line-length

  114.   # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.

  115.   # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.

  116.   # The configuration given in the example below is based on:

  117.   # https://stribika.github.io/2015/01/04/secure-secure-shell.html

  118.   # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

  119.   # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

  120.   # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

  121.   # yamllint enable rule:line-length

  122.   KexAlgorithms:

  123.     - 'curve25519-sha256@libssh.org'

  124.     - 'diffie-hellman-group-exchange-sha256'

  125.   Ciphers:

  126.     - 'chacha20-poly1305@openssh.com'

  127.     - 'aes256-gcm@openssh.com'

  128.     - 'aes128-gcm@openssh.com'

  129.     - 'aes256-ctr'

  130.     - 'aes192-ctr'

  131.     - 'aes128-ctr'

  132.   MACs:

  133.     - 'hmac-sha2-512-etm@openssh.com'

  134.     - 'hmac-sha2-256-etm@openssh.com'

  135.     - 'umac-128-etm@openssh.com'

  136.     - 'hmac-sha2-512'

  137.     - 'hmac-sha2-256'

  138.     - 'umac-128@openssh.com'

  139. 

  140. # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config

  141. # pillar will overwrite the defaults of your distribution's SSH client. This

  142. # will also force the default configuration for all the SSH clients on the

  143. # machine. This can break SSH connections with servers using older versions of

  144. # openssh. Please make sure you understand the implication of different settings

  145. ssh_config:

  146.   Hosts:

  147.     '*':

  148.       StrictHostKeyChecking: 'no'

  149.       ForwardAgent: 'no'

  150.       ForwardX11: 'no'

  151.       RhostsRSAAuthentication: 'no'

  152.       RSAAuthentication: 'yes'

  153.       PasswordAuthentication: 'yes'

  154.       HostbasedAuthentication: 'no'

  155.       GSSAPIAuthentication: 'no'

  156.       GSSAPIDelegateCredentials: 'no'

  157.       BatchMode: 'yes'

  158.       CheckHostIP: 'yes'

  159.       AddressFamily: 'any'

  160.       ConnectTimeout: 0

  161.       IdentityFile: '~/.ssh/id_rsa'

  162.       Port: 22

  163.       Protocol: 2

  164.       Cipher: '3des'

  165.       Tunnel: 'no'

  166.       TunnelDevice: 'any:any'

  167.       PermitLocalCommand: 'no'

  168.       VisualHostKey: 'no'

  169.       # yamllint disable rule:line-length

  170.       # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.

  171.       # WARNING! Please make sure you understand the implications of the below

  172.       # settings. The examples provided below might break your connection to older /

  173.       # legacy openssh servers.

  174.       # The configuration given in the example below is based on:

  175.       # https://stribika.github.io/2015/01/04/secure-secure-shell.html

  176.       # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.

  177.       # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'

  178.       # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

  179.       # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

  180.       # yamllint enable rule:line-length

  181.       KexAlgorithms:

  182.         - 'curve25519-sha256@libssh.org'

  183.         - 'diffie-hellman-group-exchange-sha256'

  184.         - 'diffie-hellman-group-exchange-sha1'

  185.         - 'diffie-hellman-group14-sha1'

  186.       Ciphers:

  187.         - 'chacha20-poly1305@openssh.com'

  188.         - 'aes256-gcm@openssh.com'

  189.         - 'aes128-gcm@openssh.com'

  190.         - 'aes256-ctr'

  191.         - 'aes192-ctr'

  192.         - 'aes128-ctr'

  193.       MACs:

  194.         - 'hmac-sha2-512-etm@openssh.com'

  195.         - 'hmac-sha2-256-etm@openssh.com'

  196.         - 'umac-128-etm@openssh.com'

  197.         - 'hmac-sha2-512'

  198.         - 'hmac-sha2-256'

  199.         - 'umac-128@openssh.com'

  200. 

  201. 

  202. openssh:

  203.   # Instead of adding a custom banner file you can set it in pillar

  204.   banner_string: |

  205.     Welcome to {{ grains['id'] }}!

  206. 

  207.   # Set installed package version

  208.   server_version: latest

  209.   client_version: latest

  210. 

  211.   # Controls if SSHD should be enabled/started

  212.   sshd_enable: true

  213.   auth:

  214.     joe-valid-ssh-key-desktop:

  215.       - user: joe

  216.         present: true

  217.         enc: ssh-rsa

  218.         comment: main key - desktop

  219.         source: salt://ssh_keys/joe.desktop.pub

  220.     joe-valid-ssh-key-notebook:

  221.       - user: joe

  222.         present: true

  223.         enc: ssh-rsa

  224.         comment: main key - notebook

  225.         source: salt://ssh_keys/joe.netbook.pub

  226.     joe-non-valid-ssh-key:

  227.       - user: joe

  228.         present: false

  229.         enc: ssh-rsa

  230.         comment: obsolete key - removed

  231.         source: salt://ssh_keys/joe.no-valid.pub

  232.   # Maps users to source files

  233.   # Designed to play nice with ext_pillar

  234.   # salt.states.ssh_auth: If source is set, comment and enc will be ignored

  235.   auth_map:

  236.     personal_keys:  # store name

  237.       source: salt://ssh_keys

  238.       users:

  239.         joe:

  240.           joe.desktop: {}

  241.           joe.netbook:

  242.             options: []  # see salt.states.ssh_auth.present

  243.           joe.no-valid:

  244.             present: false

  245. 

  246.   generate_dsa_keys: false

  247.   absent_dsa_keys: false

  248.   provide_dsa_keys: false

  249.   dsa:

  250.     private_key: |

  251.       -----BEGIN DSA PRIVATE KEY-----

  252.       NOT_DEFINED

  253.       -----END DSA PRIVATE KEY-----

  254.     public_key: |

  255.       ssh-dss NOT_DEFINED

  256. 

  257.   generate_ecdsa_keys: false

  258.   absent_ecdsa_keys: false

  259.   provide_ecdsa_keys: false

  260.   ecdsa:

  261.     private_key: |

  262.       -----BEGIN EC PRIVATE KEY-----

  263.       NOT_DEFINED

  264.       -----END EC PRIVATE KEY-----

  265.     public_key: |

  266.       ecdsa-sha2-nistp256 NOT_DEFINED

  267. 

  268.   generate_rsa_keys: false

  269.   generate_rsa_size: 4096

  270.   # Will remove the old key if it is to short and generate a new one.

  271.   enforce_rsa_size: false

  272.   absent_rsa_keys: false

  273.   provide_rsa_keys: false

  274.   rsa:

  275.     private_key: |

  276.       -----BEGIN RSA PRIVATE KEY-----

  277.       NOT_DEFINED

  278.       -----END RSA PRIVATE KEY-----

  279.     public_key: |

  280.       ssh-rsa NOT_DEFINED

  281. 

  282.   generate_ed25519_keys: false

  283.   absent_ed25519_keys: false

  284.   provide_ed25519_keys: false

  285.   ed25519:

  286.     private_key: |

  287.       -----BEGIN OPENSSH PRIVATE KEY-----

  288.       NOT_DEFINED

  289.       -----END OPENSSH PRIVATE KEY-----

  290.     public_key: |

  291.       ssh-ed25519 NOT_DEFINED

  292. 

  293.   known_hosts:

  294.     # The next 2 settings restrict the set of minions that will be added in

  295.     # the generated ssh_known_hosts files (the default is to match all minions)

  296.     target: '*'

  297.     tgt_type: 'glob'

  298.     # Name of mining functions used to gather public keys and hostnames

  299.     # (the default values are shown here)

  300.     mine_keys_function: public_ssh_host_keys

  301.     mine_hostname_function: public_ssh_hostname

  302.     # List of DNS entries also pointing to our managed machines and that we want

  303.     # to inject in our generated ssh_known_hosts file

  304.     aliases:

  305.       - cname-to-minion.example.org

  306.       - alias.example.org

  307.     # Includes short hostnames derived from the FQDN

  308.     # (host.example.test -> host)

  309.     # (Deactivated by default, because there can be collisions!)

  310.     hostnames: false

  311.     # hostnames:

  312.     # Restrict wich hosts you want to use via their hostname

  313.     # (i.e. ssh user@host instead of ssh user@host.example.com)

  314.     #  target: '*'  # Defaults to "*.{{ grains['domain']}}"

  315.     #  tgt_type: 'glob'

  316.     # To activate the defaults you can just set an empty dict.

  317.     # hostnames: {}

  318.     # Include localhost, 127.0.0.1 and ::1 (default: false)

  319.     include_localhost: false

  320.     # Host keys fetched via salt-ssh

  321.     salt_ssh:

  322.       # The salt-ssh user

  323.       user: salt-master

  324.       # specify public host names of a minion

  325.       public_ssh_host_names:

  326.         minion.id:

  327.           - minion.id

  328.           - alias.of.minion.id

  329.       # specify public host keys of a minion

  330.       public_ssh_host_keys:

  331.         minion.id: |

  332.           ssh-rsa [...]

  333.           ssh-ed25519 [...]

  334.     # Here you can list keys for hosts which are not among your minions:

  335.     static:

  336.       github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'

  337.       gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'

  338.     # Prevent an ever-changing ssh_known_hosts file caused by a domain which

  339.     # is served from multiple IP addresses.

  340.     # To disable completely:

  341.     # omit_ip_address: true

  342.     # Or to disable by specific hosts:

  343.     omit_ip_address:

  344.       - github.com

  345. 

  346.   # yamllint disable rule:line-length

  347.   # specify DH parameters (see /etc/ssh/moduli)

  348.   moduli: |

  349.     # Time Type Tests Tries Size Generator Modulus

  350.     20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63

  351.     20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB

  352.     20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53

  353.     20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F

  354.   # yamllint enable rule:line-length

  355.   # ALTERNATIVELY, specify the location of the moduli file. Examples:

  356.   # moduli_source: http://some.server.somewhere/salt/moduli

  357.   # moduli_source: salt://files/ssh/moduli

  358.   # If moduli is specified, moduli_source will be ignored.

  359.   # Also, a proper hash file *must* be included in the same path. E.g.:

  360.   #     http://some.server.somewhere/salt/moduli.hash

  361.   #     salt://files/ssh/moduli.hash

  362.   # These will be automatically referenced to by the ssh_moduli state.

  363. 

  364.   tofs:

  365.     # The files_switch key serves as a selector for alternative

  366.     # directories under the formula files directory. See TOFS pattern

  367.     # doc for more info.

  368.     # Note: Any value not evaluated by `config.get` will be used literally.

  369.     # This can be used to set custom paths, as many levels deep as required.

  370.     # files_switch:

  371.     #   - any/path/can/be/used/here

  372.     #   - id

  373.     #   - role

  374.     #   - osfinger

  375.     #   - os

  376.     #   - os_family

  377.     # All aspects of path/file resolution are customisable using the options below.

  378.     # This is unnecessary in most cases; there are sensible defaults.

  379.     # path_prefix: template_alt

  380.     # dirs:

  381.     #   files: files_alt

  382.     #   default: default_alt

  383.     source_files:

  384.       manage ssh_known_hosts file:

  385.         - alt_ssh_known_hosts

  386.       sshd_config:

  387.         - alt_sshd_config

  388.       ssh_config:

  389.         - alt_ssh_config

  390.       sshd_banner:

  391.         - fire_banner

  392. 

  393. # Required for openssh.known_hosts

  394. mine_functions:

  395.   public_ssh_host_keys:

  396.     mine_function: cmd.run

  397.     cmd: cat /etc/ssh/ssh_host_*_key.pub

  398.     python_shell: true

  399.   public_ssh_hostname:

  400.     mine_function: grains.get

  401.     key: id