ExternalMirrors
/
openssh-formula
mirror of https://github.com/saltstack-formulas/openssh-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 27 Wiki Activity
Saltstack Official OpenSSH Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
281 Commits
3 Branches
Tree: a47596f15a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a47596f15a'
${ noResults }
openssh-formula/pillar.example

391 lines
15KB
Raw Blame History 

  1. sshd_config:

  2.   # This keyword is totally optional

  3.   ConfigBanner: |

  4.     # Alternative banner for the config file

  5.     # (Indented) hash signs lose their special meaning here

  6.     # and the lines will be written as-is.

  7.   Port: 22

  8.   Protocol: 2

  9.   HostKey:

  10.     - /etc/ssh/ssh_host_rsa_key

  11.     - /etc/ssh/ssh_host_dsa_key

  12.     - /etc/ssh/ssh_host_ecdsa_key

  13.     - /etc/ssh/ssh_host_ed25519_key

  14.   UsePrivilegeSeparation: 'sandbox'

  15.   SyslogFacility: AUTH

  16.   LogLevel: INFO

  17.   ClientAliveInterval: 0

  18.   ClientAliveCountMax: 3

  19.   LoginGraceTime: 120

  20.   PermitRootLogin: 'yes'

  21.   PasswordAuthentication: 'no'

  22.   StrictModes: 'yes'

  23.   MaxAuthTries: 6

  24.   MaxSessions: 10

  25.   PubkeyAuthentication: 'yes'

  26.   AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'

  27.   AuthorizedKeysCommandUser: 'nobody'

  28.   IgnoreRhosts: 'yes'

  29.   HostbasedAuthentication: 'no'

  30.   PermitEmptyPasswords: 'no'

  31.   ChallengeResponseAuthentication: 'no'

  32.   AuthenticationMethods: 'publickey,keyboard-interactive'

  33.   AuthorizedKeysFile: '%h/.ssh/authorized_keys'

  34.   X11Forwarding: 'no'

  35.   X11DisplayOffset: 10

  36.   PrintMotd: 'yes'

  37.   PrintLastLog: 'yes'

  38.   TCPKeepAlive: 'yes'

  39.   AcceptEnv: "LANG LC_*"

  40.   Subsystem: "sftp /usr/lib/openssh/sftp-server"

  41.   UsePAM: 'yes'

  42.   UseDNS: 'yes'

  43.   # set as string

  44.   AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'

  45.   # or set as list

  46.   AllowUsers:

  47.     - vader@10.0.0.1

  48.     - maul@evil.com

  49.     - sidious

  50.     - luke

  51.   # set as string

  52.   DenyUsers: 'yoda chewbaca@112.10.21.1'

  53.   # or set as list

  54.   DenyUsers:

  55.     - yoda

  56.     - chewbaca@112.10.21.1

  57.   # set as string

  58.   AllowGroups: 'wheel staff imperial'

  59.   # or set as list

  60.   AllowGroups:

  61.     - wheel

  62.     - staff

  63.     - imperial

  64.   # set as string

  65.   DenyGroups: 'rebel'

  66.   # or set as list

  67.   DenyGroups:

  68.     - rebel

  69.     - badcompany

  70.   matches:

  71.     sftp_chroot:

  72.       type:

  73.         Group: sftpusers

  74.       options:

  75.         ChrootDirectory: /sftp-chroot/%u

  76.         X11Forwarding: no

  77.         AllowTcpForwarding: no

  78.         ForceCommand: internal-sftp

  79.     # Supports complex compound matches in Match criteria. For example, be able

  80.     # to match against multiple Users for a given Match, or be able to match

  81.     # against address ranges. Or Groups. Or any combination thereof.

  82.     #

  83.     # Support for matching users can take one of several different appearances

  84.     # in pillar data:

  85.     match_1:

  86.       type:

  87.         User: one_user

  88.       options:

  89.         ChrootDirectory: /ex/%u

  90.     match_2:

  91.       type:

  92.         User:

  93.           - jim

  94.           - bob

  95.           - sally

  96.       options:

  97.         ChrootDirectory: /ex/%u

  98.     # Note the syntax of match_3. By using empty dicts for each user, we can

  99.     # leverage Salt's pillar mergine. If we use simple lists, we cannot do

  100.     # this; Salt can't merge simple lists, because it doesn't know what order

  101.     # they ought to be in.

  102.     match_3:

  103.       type:

  104.         User:

  105.           jim: ~

  106.           bob: ~

  107.           sally: ~

  108.       options:

  109.         ChrootDirectory: /ex/%u

  110. 

  111.   # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.

  112.   # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.

  113.   # The configuration given in the example below is based on:

  114.   # https://stribika.github.io/2015/01/04/secure-secure-shell.html

  115.   #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

  116.   #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

  117.   #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

  118.   KexAlgorithms:

  119.     - 'curve25519-sha256@libssh.org'

  120.     - 'diffie-hellman-group-exchange-sha256'

  121.   Ciphers:

  122.     - 'chacha20-poly1305@openssh.com'

  123.     - 'aes256-gcm@openssh.com'

  124.     - 'aes128-gcm@openssh.com'

  125.     - 'aes256-ctr'

  126.     - 'aes192-ctr'

  127.     - 'aes128-ctr'

  128.   MACs:

  129.     - 'hmac-sha2-512-etm@openssh.com'

  130.     - 'hmac-sha2-256-etm@openssh.com'

  131.     - 'umac-128-etm@openssh.com'

  132.     - 'hmac-sha2-512'

  133.     - 'hmac-sha2-256'

  134.     - 'umac-128@openssh.com'

  135. 

  136. # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config

  137. # pillar will overwrite the defaults of your distribution's SSH client. This

  138. # will also force the default configuration for all the SSH clients on the

  139. # machine. This can break SSH connections with servers using older versions of

  140. # openssh. Please make sure you understand the implication of different settings

  141. ssh_config:

  142.   Hosts:

  143.     '*':

  144.       StrictHostKeyChecking: no

  145.       ForwardAgent: no

  146.       ForwardX11: no

  147.       RhostsRSAAuthentication: no

  148.       RSAAuthentication: yes

  149.       PasswordAuthentication: yes

  150.       HostbasedAuthentication: no

  151.       GSSAPIAuthentication: no

  152.       GSSAPIDelegateCredentials: no

  153.       BatchMode: 'yes'

  154.       CheckHostIP: 'yes'

  155.       AddressFamily: 'any'

  156.       ConnectTimeout: 0

  157.       IdentityFile: '~/.ssh/id_rsa'

  158.       Port: 22

  159.       Protocol: 2

  160.       Cipher: '3des'

  161.       Tunnel: 'no'

  162.       TunnelDevice: 'any:any'

  163.       PermitLocalCommand: 'no'

  164.       VisualHostKey: 'no'

  165.       # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.

  166.       # WARNING! Please make sure you understand the implications of the below

  167.       # settings. The examples provided below might break your connection to older /

  168.       # legacy openssh servers.

  169.       # The configuration given in the example below is based on:

  170.       # https://stribika.github.io/2015/01/04/secure-secure-shell.html

  171.       # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.

  172.       #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'

  173.       #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

  174.       #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

  175.       KexAlgorithms:

  176.         - 'curve25519-sha256@libssh.org'

  177.         - 'diffie-hellman-group-exchange-sha256'

  178.         - 'diffie-hellman-group-exchange-sha1'

  179.         - 'diffie-hellman-group14-sha1'

  180.       Ciphers:

  181.         - 'chacha20-poly1305@openssh.com'

  182.         - 'aes256-gcm@openssh.com'

  183.         - 'aes128-gcm@openssh.com'

  184.         - 'aes256-ctr'

  185.         - 'aes192-ctr'

  186.         - 'aes128-ctr'

  187.       MACs:

  188.         - 'hmac-sha2-512-etm@openssh.com'

  189.         - 'hmac-sha2-256-etm@openssh.com'

  190.         - 'umac-128-etm@openssh.com'

  191.         - 'hmac-sha2-512'

  192.         - 'hmac-sha2-256'

  193.         - 'umac-128@openssh.com'

  194. 

  195. 

  196. openssh:

  197.   # Banner file can be retrieved either by TOFS or by url

  198.   banner_src: banner_fire

  199.   # banner_src: salt://ssh/files/banner_src  # <- old style

  200. 

  201.   # Instead of adding a custom banner file you can set it in pillar

  202.   banner_string: |

  203.     Welcome to {{ grains['id'] }}!

  204. 

  205.   # Set installed package version

  206.   server_version: latest

  207.   client_version: latest

  208. 

  209.   # Controls if SSHD should be enabled/started

  210.   sshd_enable: true

  211.   auth:

  212.     joe-valid-ssh-key-desktop:

  213.       - user: joe

  214.         present: True

  215.         enc: ssh-rsa

  216.         comment: main key - desktop

  217.         source: salt://ssh_keys/joe.desktop.pub

  218.     joe-valid-ssh-key-notebook:

  219.       - user: joe

  220.         present: True

  221.         enc: ssh-rsa

  222.         comment: main key - notebook

  223.         source: salt://ssh_keys/joe.netbook.pub

  224.     joe-non-valid-ssh-key:

  225.       - user: joe

  226.         present: False

  227.         enc: ssh-rsa

  228.         comment: obsolete key - removed

  229.         source: salt://ssh_keys/joe.no-valid.pub

  230.   # Maps users to source files

  231.   # Designed to play nice with ext_pillar

  232.   # salt.states.ssh_auth: If source is set, comment and enc will be ignored

  233.   auth_map:

  234.     personal_keys:  # store name

  235.       source: salt://ssh_keys

  236.       users:

  237.         joe:

  238.           joe.desktop: {}

  239.           joe.netbook:

  240.             options: []  # see salt.states.ssh_auth.present

  241.           joe.no-valid:

  242.             present: False

  243. 

  244.   generate_dsa_keys: False

  245.   absent_dsa_keys: False

  246.   provide_dsa_keys: False

  247.   dsa:

  248.     private_key: |

  249.       -----BEGIN DSA PRIVATE KEY-----

  250.       NOT_DEFINED

  251.       -----END DSA PRIVATE KEY-----

  252.     public_key: |

  253.       ssh-dss NOT_DEFINED

  254. 

  255.   generate_ecdsa_keys: False

  256.   absent_ecdsa_keys: False

  257.   provide_ecdsa_keys: False

  258.   ecdsa:

  259.     private_key: |

  260.       -----BEGIN EC PRIVATE KEY-----

  261.       NOT_DEFINED

  262.       -----END EC PRIVATE KEY-----

  263.     public_key: |

  264.       ecdsa-sha2-nistp256 NOT_DEFINED

  265. 

  266.   generate_rsa_keys: False

  267.   generate_rsa_size: 4096

  268.   # Will remove the old key if it is to short and generate a new one.

  269.   enforce_rsa_size: False

  270.   absent_rsa_keys: False

  271.   provide_rsa_keys: False

  272.   rsa:

  273.     private_key: |

  274.       -----BEGIN RSA PRIVATE KEY-----

  275.       NOT_DEFINED

  276.       -----END RSA PRIVATE KEY-----

  277.     public_key: |

  278.       ssh-rsa NOT_DEFINED

  279. 

  280.   generate_ed25519_keys: False

  281.   absent_ed25519_keys: False

  282.   provide_ed25519_keys: False

  283.   ed25519:

  284.     private_key: |

  285.       -----BEGIN OPENSSH PRIVATE KEY-----

  286.       NOT_DEFINED

  287.       -----END OPENSSH PRIVATE KEY-----

  288.     public_key: |

  289.       ssh-ed25519 NOT_DEFINED

  290. 

  291.   known_hosts:

  292.     # The next 2 settings restrict the set of minions that will be added in

  293.     # the generated ssh_known_hosts files (the default is to match all minions)

  294.     target: '*'

  295.     tgt_type: 'glob'

  296.     # Name of mining functions used to gather public keys and hostnames

  297.     # (the default values are shown here)

  298.     mine_keys_function: public_ssh_host_keys

  299.     mine_hostname_function: public_ssh_hostname

  300.     # List of DNS entries also pointing to our managed machines and that we want

  301.     # to inject in our generated ssh_known_hosts file

  302.     aliases:

  303.       - cname-to-minion.example.org

  304.       - alias.example.org

  305.     # Includes short hostnames derived from the FQDN

  306.     # (host.example.test -> host)

  307.     # (Deactivated by default, because there can be collisions!)

  308.     hostnames: False

  309.     #hostnames:

  310.     # Restrict wich hosts you want to use via their hostname

  311.     # (i.e. ssh user@host instead of ssh user@host.example.com)

  312.     #  target: '*'  # Defaults to "*.{{ grains['domain']}}"

  313.     #  tgt_type: 'glob'

  314.     # To activate the defaults you can just set an empty dict.

  315.     #hostnames: {}

  316.     # Include localhost, 127.0.0.1 and ::1 (default: False)

  317.     include_localhost: False

  318.     # Host keys fetched via salt-ssh

  319.     salt_ssh:

  320.       # The salt-ssh user

  321.       user: salt-master

  322.       # specify public host names of a minion

  323.       public_ssh_host_names:

  324.         minion.id:

  325.           - minion.id

  326.           - alias.of.minion.id

  327.       # specify public host keys of a minion

  328.       public_ssh_host_keys:

  329.         minion.id: |

  330.           ssh-rsa [...]

  331.           ssh-ed25519 [...]

  332.     # Here you can list keys for hosts which are not among your minions:

  333.     static:

  334.       github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'

  335.       gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'

  336.     # The template of ssh_know_host file can be overriden thanks to TOFS

  337. 

  338.   # specify DH parameters (see /etc/ssh/moduli)

  339.   moduli: |

  340.     # Time Type Tests Tries Size Generator Modulus

  341.     20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63

  342.     20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB

  343.     20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53

  344.     20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F

  345.   # ALTERNATIVELY, specify the location of the moduli file. Examples:

  346.   #moduli_source: http://some.server.somewhere/salt/moduli

  347.   #moduli_source: salt://files/ssh/moduli

  348.   # If moduli is specified, moduli_source will be ignored.

  349.   # Also, a proper hash file *must* be included in the same path. E.g.:

  350.   #     http://some.server.somewhere/salt/moduli.hash

  351.   #     salt://files/ssh/moduli.hash

  352.   # These will be automatically referenced to by the ssh_moduli state.

  353. 

  354. # Required for openssh.known_hosts

  355. mine_functions:

  356.   public_ssh_host_keys:

  357.     mine_function: cmd.run

  358.     cmd: cat /etc/ssh/ssh_host_*_key.pub

  359.     python_shell: True

  360.   public_ssh_hostname:

  361.     mine_function: grains.get

  362.     key: id

  363. 

  364.   tofs:

  365.     # The files_switch key serves as a selector for alternative

  366.     # directories under the formula files directory. See TOFS pattern

  367.     # doc for more info.

  368.     # Note: Any value not evaluated by `config.get` will be used literally.

  369.     # This can be used to set custom paths, as many levels deep as required.

  370.     # files_switch:

  371.     #   - any/path/can/be/used/here

  372.     #   - id

  373.     #   - role

  374.     #   - osfinger

  375.     #   - os

  376.     #   - os_family

  377.     # All aspects of path/file resolution are customisable using the options below.

  378.     # This is unnecessary in most cases; there are sensible defaults.

  379.     # path_prefix: template_alt

  380.     # dirs:

  381.     #   files: files_alt

  382.     #   default: default_alt

  383.     source_files:

  384.       ssh_known_hosts_file_managed:

  385.         - alt_known_hosts

  386.       sshd_config_file_managed:

  387.         - alt_sshd_config

  388.       ssh_config_file_managed:

  389.         - alt_ssh_config

  390.       sshd_banner_file_managed:

  391.         - alt_banner_src