Saltstack Official OpenSSH Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

395 line
15KB

  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. sshd_config:
  5. # This keyword is totally optional
  6. ConfigBanner: |
  7. # Alternative banner for the config file
  8. # (Indented) hash signs lose their special meaning here
  9. # and the lines will be written as-is.
  10. Port: 22
  11. Protocol: 2
  12. HostKey:
  13. - /etc/ssh/ssh_host_rsa_key
  14. - /etc/ssh/ssh_host_dsa_key
  15. - /etc/ssh/ssh_host_ecdsa_key
  16. - /etc/ssh/ssh_host_ed25519_key
  17. SyslogFacility: AUTH
  18. LogLevel: INFO
  19. ClientAliveInterval: 0
  20. ClientAliveCountMax: 3
  21. LoginGraceTime: 120
  22. PermitRootLogin: 'yes'
  23. PasswordAuthentication: 'no'
  24. StrictModes: 'yes'
  25. MaxAuthTries: 6
  26. MaxSessions: 10
  27. PubkeyAuthentication: 'yes'
  28. AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
  29. AuthorizedKeysCommandUser: 'nobody'
  30. IgnoreRhosts: 'yes'
  31. HostbasedAuthentication: 'no'
  32. PermitEmptyPasswords: 'no'
  33. ChallengeResponseAuthentication: 'no'
  34. AuthenticationMethods: 'publickey'
  35. AuthorizedKeysFile: '%h/.ssh/authorized_keys'
  36. X11Forwarding: 'no'
  37. X11DisplayOffset: 10
  38. PrintMotd: 'yes'
  39. PrintLastLog: 'yes'
  40. TCPKeepAlive: 'yes'
  41. AcceptEnv: "LANG LC_*"
  42. Subsystem: "sftp /usr/lib/openssh/sftp-server"
  43. UsePAM: 'yes'
  44. UseDNS: 'yes'
  45. # set as string
  46. # AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
  47. # or set as list
  48. AllowUsers:
  49. - vader@10.0.0.1
  50. - maul@evil.com
  51. - sidious
  52. - luke
  53. # set as string
  54. # DenyUsers: 'yoda chewbaca@112.10.21.1'
  55. # or set as list
  56. DenyUsers:
  57. - yoda
  58. - chewbaca@112.10.21.1
  59. # set as string
  60. # AllowGroups: 'wheel staff imperial'
  61. # or set as list
  62. AllowGroups:
  63. - wheel
  64. - staff
  65. - imperial
  66. # set as string
  67. # DenyGroups: 'rebel'
  68. # or set as list
  69. DenyGroups:
  70. - rebel
  71. - badcompany
  72. matches:
  73. sftp_chroot:
  74. type:
  75. Group: sftpusers
  76. options:
  77. ChrootDirectory: /sftp-chroot/%u
  78. X11Forwarding: 'no'
  79. AllowTcpForwarding: 'no'
  80. ForceCommand: internal-sftp
  81. # Supports complex compound matches in Match criteria. For example, be able
  82. # to match against multiple Users for a given Match, or be able to match
  83. # against address ranges. Or Groups. Or any combination thereof.
  84. #
  85. # Support for matching users can take one of several different appearances
  86. # in pillar data:
  87. match_1:
  88. type:
  89. User: one_user
  90. options:
  91. ChrootDirectory: /ex/%u
  92. match_2:
  93. type:
  94. User:
  95. - jim
  96. - bob
  97. - sally
  98. options:
  99. ChrootDirectory: /ex/%u
  100. # Note the syntax of match_3. By using empty dicts for each user, we can
  101. # leverage Salt's pillar mergine. If we use simple lists, we cannot do
  102. # this; Salt can't merge simple lists, because it doesn't know what order
  103. # they ought to be in.
  104. match_3:
  105. type:
  106. User:
  107. jim: ~
  108. bob: ~
  109. sally: ~
  110. options:
  111. ChrootDirectory: /ex/%u
  112. # yamllint disable rule:line-length
  113. # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
  114. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  115. # The configuration given in the example below is based on:
  116. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  117. # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
  118. # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  119. # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
  120. # yamllint enable rule:line-length
  121. KexAlgorithms:
  122. - 'curve25519-sha256@libssh.org'
  123. - 'diffie-hellman-group-exchange-sha256'
  124. Ciphers:
  125. - 'chacha20-poly1305@openssh.com'
  126. - 'aes256-gcm@openssh.com'
  127. - 'aes128-gcm@openssh.com'
  128. - 'aes256-ctr'
  129. - 'aes192-ctr'
  130. - 'aes128-ctr'
  131. MACs:
  132. - 'hmac-sha2-512-etm@openssh.com'
  133. - 'hmac-sha2-256-etm@openssh.com'
  134. - 'umac-128-etm@openssh.com'
  135. - 'hmac-sha2-512'
  136. - 'hmac-sha2-256'
  137. - 'umac-128@openssh.com'
  138. # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
  139. # pillar will overwrite the defaults of your distribution's SSH client. This
  140. # will also force the default configuration for all the SSH clients on the
  141. # machine. This can break SSH connections with servers using older versions of
  142. # openssh. Please make sure you understand the implication of different settings
  143. ssh_config:
  144. Hosts:
  145. '*':
  146. StrictHostKeyChecking: 'no'
  147. ForwardAgent: 'no'
  148. ForwardX11: 'no'
  149. RhostsRSAAuthentication: 'no'
  150. RSAAuthentication: 'yes'
  151. PasswordAuthentication: 'yes'
  152. HostbasedAuthentication: 'no'
  153. GSSAPIAuthentication: 'no'
  154. GSSAPIDelegateCredentials: 'no'
  155. BatchMode: 'yes'
  156. CheckHostIP: 'yes'
  157. AddressFamily: 'any'
  158. ConnectTimeout: 0
  159. IdentityFile: '~/.ssh/id_rsa'
  160. Port: 22
  161. Protocol: 2
  162. Cipher: '3des'
  163. Tunnel: 'no'
  164. TunnelDevice: 'any:any'
  165. PermitLocalCommand: 'no'
  166. VisualHostKey: 'no'
  167. # yamllint disable rule:line-length
  168. # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
  169. # WARNING! Please make sure you understand the implications of the below
  170. # settings. The examples provided below might break your connection to older /
  171. # legacy openssh servers.
  172. # The configuration given in the example below is based on:
  173. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  174. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  175. # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
  176. # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  177. # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
  178. # yamllint enable rule:line-length
  179. KexAlgorithms:
  180. - 'curve25519-sha256@libssh.org'
  181. - 'diffie-hellman-group-exchange-sha256'
  182. - 'diffie-hellman-group-exchange-sha1'
  183. - 'diffie-hellman-group14-sha1'
  184. Ciphers:
  185. - 'chacha20-poly1305@openssh.com'
  186. - 'aes256-gcm@openssh.com'
  187. - 'aes128-gcm@openssh.com'
  188. - 'aes256-ctr'
  189. - 'aes192-ctr'
  190. - 'aes128-ctr'
  191. MACs:
  192. - 'hmac-sha2-512-etm@openssh.com'
  193. - 'hmac-sha2-256-etm@openssh.com'
  194. - 'umac-128-etm@openssh.com'
  195. - 'hmac-sha2-512'
  196. - 'hmac-sha2-256'
  197. - 'umac-128@openssh.com'
  198. openssh:
  199. # Instead of adding a custom banner file you can set it in pillar
  200. banner_string: |
  201. Welcome to {{ grains['id'] }}!
  202. # Set installed package version
  203. server_version: latest
  204. client_version: latest
  205. # Controls if SSHD should be enabled/started
  206. sshd_enable: true
  207. auth:
  208. joe-valid-ssh-key-desktop:
  209. - user: joe
  210. present: true
  211. enc: ssh-rsa
  212. comment: main key - desktop
  213. source: salt://ssh_keys/joe.desktop.pub
  214. joe-valid-ssh-key-notebook:
  215. - user: joe
  216. present: true
  217. enc: ssh-rsa
  218. comment: main key - notebook
  219. source: salt://ssh_keys/joe.netbook.pub
  220. joe-non-valid-ssh-key:
  221. - user: joe
  222. present: false
  223. enc: ssh-rsa
  224. comment: obsolete key - removed
  225. source: salt://ssh_keys/joe.no-valid.pub
  226. # Maps users to source files
  227. # Designed to play nice with ext_pillar
  228. # salt.states.ssh_auth: If source is set, comment and enc will be ignored
  229. auth_map:
  230. personal_keys: # store name
  231. source: salt://ssh_keys
  232. users:
  233. joe:
  234. joe.desktop: {}
  235. joe.netbook:
  236. options: [] # see salt.states.ssh_auth.present
  237. joe.no-valid:
  238. present: false
  239. generate_dsa_keys: false
  240. absent_dsa_keys: false
  241. provide_dsa_keys: false
  242. dsa:
  243. private_key: |
  244. -----BEGIN DSA PRIVATE KEY-----
  245. NOT_DEFINED
  246. -----END DSA PRIVATE KEY-----
  247. public_key: |
  248. ssh-dss NOT_DEFINED
  249. generate_ecdsa_keys: false
  250. absent_ecdsa_keys: false
  251. provide_ecdsa_keys: false
  252. ecdsa:
  253. private_key: |
  254. -----BEGIN EC PRIVATE KEY-----
  255. NOT_DEFINED
  256. -----END EC PRIVATE KEY-----
  257. public_key: |
  258. ecdsa-sha2-nistp256 NOT_DEFINED
  259. generate_rsa_keys: false
  260. generate_rsa_size: 4096
  261. # Will remove the old key if it is to short and generate a new one.
  262. enforce_rsa_size: false
  263. absent_rsa_keys: false
  264. provide_rsa_keys: false
  265. rsa:
  266. private_key: |
  267. -----BEGIN RSA PRIVATE KEY-----
  268. NOT_DEFINED
  269. -----END RSA PRIVATE KEY-----
  270. public_key: |
  271. ssh-rsa NOT_DEFINED
  272. generate_ed25519_keys: false
  273. absent_ed25519_keys: false
  274. provide_ed25519_keys: false
  275. ed25519:
  276. private_key: |
  277. -----BEGIN OPENSSH PRIVATE KEY-----
  278. NOT_DEFINED
  279. -----END OPENSSH PRIVATE KEY-----
  280. public_key: |
  281. ssh-ed25519 NOT_DEFINED
  282. known_hosts:
  283. # The next 2 settings restrict the set of minions that will be added in
  284. # the generated ssh_known_hosts files (the default is to match all minions)
  285. target: '*'
  286. tgt_type: 'glob'
  287. # Name of mining functions used to gather public keys and hostnames
  288. # (the default values are shown here)
  289. mine_keys_function: public_ssh_host_keys
  290. mine_hostname_function: public_ssh_hostname
  291. # List of DNS entries also pointing to our managed machines and that we want
  292. # to inject in our generated ssh_known_hosts file
  293. aliases:
  294. - cname-to-minion.example.org
  295. - alias.example.org
  296. # Includes short hostnames derived from the FQDN
  297. # (host.example.test -> host)
  298. # (Deactivated by default, because there can be collisions!)
  299. hostnames: false
  300. # hostnames:
  301. # Restrict wich hosts you want to use via their hostname
  302. # (i.e. ssh user@host instead of ssh user@host.example.com)
  303. # target: '*' # Defaults to "*.{{ grains['domain']}}"
  304. # tgt_type: 'glob'
  305. # To activate the defaults you can just set an empty dict.
  306. # hostnames: {}
  307. # Include localhost, 127.0.0.1 and ::1 (default: false)
  308. include_localhost: false
  309. # Host keys fetched via salt-ssh
  310. salt_ssh:
  311. # The salt-ssh user
  312. user: salt-master
  313. # specify public host names of a minion
  314. public_ssh_host_names:
  315. minion.id:
  316. - minion.id
  317. - alias.of.minion.id
  318. # specify public host keys of a minion
  319. public_ssh_host_keys:
  320. minion.id: |
  321. ssh-rsa [...]
  322. ssh-ed25519 [...]
  323. # Here you can list keys for hosts which are not among your minions:
  324. static:
  325. github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
  326. gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
  327. # yamllint disable rule:line-length
  328. # specify DH parameters (see /etc/ssh/moduli)
  329. moduli: |
  330. # Time Type Tests Tries Size Generator Modulus
  331. 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
  332. 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
  333. 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
  334. 20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
  335. # yamllint enable rule:line-length
  336. # ALTERNATIVELY, specify the location of the moduli file. Examples:
  337. # moduli_source: http://some.server.somewhere/salt/moduli
  338. # moduli_source: salt://files/ssh/moduli
  339. # If moduli is specified, moduli_source will be ignored.
  340. # Also, a proper hash file *must* be included in the same path. E.g.:
  341. # http://some.server.somewhere/salt/moduli.hash
  342. # salt://files/ssh/moduli.hash
  343. # These will be automatically referenced to by the ssh_moduli state.
  344. # Required for openssh.known_hosts
  345. mine_functions:
  346. public_ssh_host_keys:
  347. mine_function: cmd.run
  348. cmd: cat /etc/ssh/ssh_host_*_key.pub
  349. python_shell: true
  350. public_ssh_hostname:
  351. mine_function: grains.get
  352. key: id
  353. tofs:
  354. # The files_switch key serves as a selector for alternative
  355. # directories under the formula files directory. See TOFS pattern
  356. # doc for more info.
  357. # Note: Any value not evaluated by `config.get` will be used literally.
  358. # This can be used to set custom paths, as many levels deep as required.
  359. # files_switch:
  360. # - any/path/can/be/used/here
  361. # - id
  362. # - role
  363. # - osfinger
  364. # - os
  365. # - os_family
  366. # All aspects of path/file resolution are customisable using the options below.
  367. # This is unnecessary in most cases; there are sensible defaults.
  368. # path_prefix: template_alt
  369. # dirs:
  370. # files: files_alt
  371. # default: default_alt
  372. source_files:
  373. manage ssh_known_hosts file:
  374. - alt_ssh_known_hosts
  375. sshd_config:
  376. - alt_sshd_config
  377. ssh_config:
  378. - alt_ssh_config
  379. sshd_banner:
  380. - fire_banner