Saltstack Official OpenSSH Formula
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.

356 lines
13KB

  1. sshd_config:
  2. # This keyword is totally optional
  3. ConfigBanner: |
  4. # Alternative banner for the config file
  5. # (Indented) hash signs lose their special meaning here
  6. # and the lines will be written as-is.
  7. Port: 22
  8. Protocol: 2
  9. HostKey:
  10. - /etc/ssh/ssh_host_rsa_key
  11. - /etc/ssh/ssh_host_dsa_key
  12. - /etc/ssh/ssh_host_ecdsa_key
  13. - /etc/ssh/ssh_host_ed25519_key
  14. UsePrivilegeSeparation: 'sandbox'
  15. KeyRegenerationInterval: 3600
  16. ServerKeyBits: 1024
  17. SyslogFacility: AUTH
  18. LogLevel: INFO
  19. ClientAliveInterval: 0
  20. ClientAliveCountMax: 3
  21. LoginGraceTime: 120
  22. PermitRootLogin: 'yes'
  23. PasswordAuthentication: 'no'
  24. StrictModes: 'yes'
  25. MaxAuthTries: 6
  26. MaxSessions: 10
  27. RSAAuthentication: 'yes'
  28. PubkeyAuthentication: 'yes'
  29. AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
  30. AuthorizedKeysCommandUser: 'nobody'
  31. IgnoreRhosts: 'yes'
  32. RhostsRSAAuthentication: 'no'
  33. HostbasedAuthentication: 'no'
  34. PermitEmptyPasswords: 'no'
  35. ChallengeResponseAuthentication: 'no'
  36. AuthenticationMethods: 'publickey,keyboard-interactive'
  37. AuthorizedKeysFile: '%h/.ssh/authorized_keys'
  38. X11Forwarding: 'no'
  39. X11DisplayOffset: 10
  40. PrintMotd: 'yes'
  41. PrintLastLog: 'yes'
  42. TCPKeepAlive: 'yes'
  43. AcceptEnv: "LANG LC_*"
  44. Subsystem: "sftp /usr/lib/openssh/sftp-server"
  45. UsePAM: 'yes'
  46. UseDNS: 'yes'
  47. # set as string
  48. AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
  49. # or set as list
  50. AllowUsers:
  51. - vader@10.0.0.1
  52. - maul@evil.com
  53. - sidious
  54. - luke
  55. # set as string
  56. DenyUsers: 'yoda chewbaca@112.10.21.1'
  57. # or set as list
  58. DenyUsers:
  59. - yoda
  60. - chewbaca@112.10.21.1
  61. # set as string
  62. AllowGroups: 'wheel staff imperial'
  63. # or set as list
  64. AllowGroups:
  65. - wheel
  66. - staff
  67. - imperial
  68. # set as string
  69. DenyGroups: 'rebel'
  70. # or set as list
  71. DenyGroups:
  72. - rebel
  73. - badcompany
  74. matches:
  75. sftp_chroot:
  76. type:
  77. Group: sftpusers
  78. options:
  79. ChrootDirectory: /sftp-chroot/%u
  80. X11Forwarding: no
  81. AllowTcpForwarding: no
  82. ForceCommand: internal-sftp
  83. # Supports complex compound matches in Match criteria. For example, be able
  84. # to match against multiple Users for a given Match, or be able to match
  85. # against address ranges. Or Groups. Or any combination thereof.
  86. #
  87. # Support for matching users can take one of several different appearances
  88. # in pillar data:
  89. match_1:
  90. type:
  91. User: one_user
  92. options:
  93. ChrootDirectory: /ex/%u
  94. match_2:
  95. type:
  96. User:
  97. - jim
  98. - bob
  99. - sally
  100. options:
  101. ChrootDirectory: /ex/%u
  102. # Note the syntax of match_3. By using empty dicts for each user, we can
  103. # leverage Salt's pillar mergine. If we use simple lists, we cannot do
  104. # this; Salt can't merge simple lists, because it doesn't know what order
  105. # they ought to be in.
  106. match_3:
  107. type:
  108. User:
  109. jim: ~
  110. bob: ~
  111. sally: ~
  112. options:
  113. ChrootDirectory: /ex/%u
  114. # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
  115. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  116. # The configuration given in the example below is based on:
  117. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  118. #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
  119. #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  120. #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
  121. KexAlgorithms:
  122. - 'curve25519-sha256@libssh.org'
  123. - 'diffie-hellman-group-exchange-sha256'
  124. Ciphers:
  125. - 'chacha20-poly1305@openssh.com'
  126. - 'aes256-gcm@openssh.com'
  127. - 'aes128-gcm@openssh.com'
  128. - 'aes256-ctr'
  129. - 'aes192-ctr'
  130. - 'aes128-ctr'
  131. MACs:
  132. - 'hmac-sha2-512-etm@openssh.com'
  133. - 'hmac-sha2-256-etm@openssh.com'
  134. - 'umac-128-etm@openssh.com'
  135. - 'hmac-sha2-512'
  136. - 'hmac-sha2-256'
  137. - 'umac-128@openssh.com'
  138. # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
  139. # pillar will overwrite the defaults of your distribution's SSH client. This
  140. # will also force the default configuration for all the SSH clients on the
  141. # machine. This can break SSH connections with servers using older versions of
  142. # openssh. Please make sure you understand the implication of different settings
  143. ssh_config:
  144. StrictHostKeyChecking: no
  145. ForwardAgent: no
  146. ForwardX11: no
  147. RhostsRSAAuthentication: no
  148. RSAAuthentication: yes
  149. PasswordAuthentication: yes
  150. HostbasedAuthentication: no
  151. GSSAPIAuthentication: no
  152. GSSAPIDelegateCredentials: no
  153. BatchMode: 'yes'
  154. CheckHostIP: 'yes'
  155. AddressFamily: 'any'
  156. ConnectTimeout: 0
  157. IdentityFile: '~/.ssh/id_rsa'
  158. Port: 22
  159. Protocol: 2
  160. Cipher: '3des'
  161. Tunnel: 'no'
  162. TunnelDevice: 'any:any'
  163. PermitLocalCommand: 'no'
  164. VisualHostKey: 'no'
  165. # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
  166. # WARNING! Please make sure you understand the implications of the below
  167. # settings. The examples provided below might break your connection to older /
  168. # legacy openssh servers.
  169. # The configuration given in the example below is based on:
  170. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  171. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  172. #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
  173. #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  174. #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
  175. KexAlgorithms:
  176. - 'curve25519-sha256@libssh.org'
  177. - 'diffie-hellman-group-exchange-sha256'
  178. - 'diffie-hellman-group-exchange-sha1'
  179. - 'diffie-hellman-group14-sha1'
  180. Ciphers:
  181. - 'chacha20-poly1305@openssh.com'
  182. - 'aes256-gcm@openssh.com'
  183. - 'aes128-gcm@openssh.com'
  184. - 'aes256-ctr'
  185. - 'aes192-ctr'
  186. - 'aes128-ctr'
  187. MACs:
  188. - 'hmac-sha2-512-etm@openssh.com'
  189. - 'hmac-sha2-256-etm@openssh.com'
  190. - 'umac-128-etm@openssh.com'
  191. - 'hmac-sha2-512'
  192. - 'hmac-sha2-256'
  193. - 'umac-128@openssh.com'
  194. openssh:
  195. # Instead of adding a custom banner file you can set it in pillar
  196. banner_string: |
  197. Welcome to {{ grains['id'] }}!
  198. # Controls if SSHD should be enabled/started
  199. sshd_enable: true
  200. auth:
  201. joe-valid-ssh-key-desktop:
  202. - user: joe
  203. present: True
  204. enc: ssh-rsa
  205. comment: main key - desktop
  206. source: salt://ssh_keys/joe.desktop.pub
  207. joe-valid-ssh-key-notebook:
  208. - user: joe
  209. present: True
  210. enc: ssh-rsa
  211. comment: main key - notebook
  212. source: salt://ssh_keys/joe.netbook.pub
  213. joe-non-valid-ssh-key:
  214. - user: joe
  215. present: False
  216. enc: ssh-rsa
  217. comment: obsolete key - removed
  218. source: salt://ssh_keys/joe.no-valid.pub
  219. # Maps users to source files
  220. # Designed to play nice with ext_pillar
  221. # salt.states.ssh_auth: If source is set, comment and enc will be ignored
  222. auth_map:
  223. personal_keys: # store name
  224. source: salt://ssh_keys
  225. users:
  226. joe:
  227. joe.desktop: {}
  228. joe.netbook:
  229. options: [] # see salt.states.ssh_auth.present
  230. joe.no-valid:
  231. present: False
  232. generate_dsa_keys: False
  233. absent_dsa_keys: False
  234. provide_dsa_keys: False
  235. dsa:
  236. private_key: |
  237. -----BEGIN DSA PRIVATE KEY-----
  238. NOT_DEFINED
  239. -----END DSA PRIVATE KEY-----
  240. public_key: |
  241. ssh-dss NOT_DEFINED
  242. generate_ecdsa_keys: False
  243. absent_ecdsa_keys: False
  244. provide_ecdsa_keys: False
  245. ecdsa:
  246. private_key: |
  247. -----BEGIN EC PRIVATE KEY-----
  248. NOT_DEFINED
  249. -----END EC PRIVATE KEY-----
  250. public_key: |
  251. ecdsa-sha2-nistp256 NOT_DEFINED
  252. generate_rsa_keys: False
  253. generate_rsa_size: 4096
  254. # Will remove the old key if it is to short and generate a new one.
  255. enforce_rsa_size: False
  256. absent_rsa_keys: False
  257. provide_rsa_keys: False
  258. rsa:
  259. private_key: |
  260. -----BEGIN RSA PRIVATE KEY-----
  261. NOT_DEFINED
  262. -----END RSA PRIVATE KEY-----
  263. public_key: |
  264. ssh-rsa NOT_DEFINED
  265. generate_ed25519_keys: False
  266. absent_ed25519_keys: False
  267. provide_ed25519_keys: False
  268. ed25519:
  269. private_key: |
  270. -----BEGIN OPENSSH PRIVATE KEY-----
  271. NOT_DEFINED
  272. -----END OPENSSH PRIVATE KEY-----
  273. public_key: |
  274. ssh-ed25519 NOT_DEFINED
  275. known_hosts:
  276. # The next 2 settings restrict the set of minions that will be added in
  277. # the generated ssh_known_hosts files (the default is to match all minions)
  278. target: '*'
  279. tgt_type: 'glob'
  280. # Name of mining functions used to gather public keys and hostnames
  281. # (the default values are shown here)
  282. mine_keys_function: public_ssh_host_keys
  283. mine_hostname_function: public_ssh_hostname
  284. # List of DNS entries also pointing to our managed machines and that we want
  285. # to inject in our generated ssh_known_hosts file
  286. aliases:
  287. - cname-to-minion.example.org
  288. - alias.example.org
  289. # Includes short hostnames derived from the FQDN
  290. # (host.example.test -> host)
  291. # (Deactivated by default, because there can be collisions!)
  292. hostnames: False
  293. #hostnames:
  294. # Restrict wich hosts you want to use via their hostname
  295. # (i.e. ssh user@host instead of ssh user@host.example.com)
  296. # target: '*' # Defaults to "*.{{ grains['domain']}}"
  297. # tgt_type: 'glob'
  298. # To activate the defaults you can just set an empty dict.
  299. #hostnames: {}
  300. # Include localhost, 127.0.0.1 and ::1 (default: False)
  301. include_localhost: False
  302. # Host keys fetched via salt-ssh
  303. salt_ssh:
  304. # The salt-ssh user
  305. user: salt-master
  306. # specify public host names of a minion
  307. public_ssh_host_names:
  308. minion.id:
  309. - minion.id
  310. - alias.of.minion.id
  311. # specify public host keys of a minion
  312. public_ssh_host_keys:
  313. minion.id: |
  314. ssh-rsa [...]
  315. ssh-ed25519 [...]
  316. # Here you can list keys for hosts which are not among your minions:
  317. static:
  318. github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
  319. gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
  320. # specify DH parameters (see /etc/ssh/moduli)
  321. moduli: |
  322. # Time Type Tests Tries Size Generator Modulus
  323. 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
  324. 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
  325. 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
  326. 20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
  327. # ALTERNATIVELY, specify the location of the moduli file. Examples:
  328. #moduli_source: http://some.server.somewhere/salt/moduli
  329. #moduli_source: salt://files/ssh/moduli
  330. # If moduli is specified, moduli_source will be ignored.
  331. # Also, a proper hash file *must* be included in the same path. E.g.:
  332. # http://some.server.somewhere/salt/moduli.hash
  333. # salt://files/ssh/moduli.hash
  334. # These will be automatically referenced to by the ssh_moduli state.
  335. # Required for openssh.known_hosts
  336. mine_functions:
  337. public_ssh_host_keys:
  338. mine_function: cmd.run
  339. cmd: cat /etc/ssh/ssh_host_*_key.pub
  340. python_shell: True
  341. public_ssh_hostname:
  342. mine_function: grains.get
  343. key: id