ExternalMirrors
/
openssh-formula
mirror of https://github.com/saltstack-formulas/openssh-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 27 Wiki Activity
Saltstack Official OpenSSH Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
175 Commits
3 Branches
Tree: f5a74f3fa0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f5a74f3fa0'
${ noResults }
openssh-formula/pillar.example

247 lines
9.8KB
Raw Blame History 

  1. sshd_config:

  2.   # This keyword is totally optional

  3.   ConfigBanner: |

  4.     # Alternative banner for the config file

  5.     # (Indented) hash signs lose their special meaning here

  6.     # and the lines will be written as-is.

  7.   Port: 22

  8.   Protocol: 2

  9.   HostKey:

  10.     - /etc/ssh/ssh_host_rsa_key

  11.     - /etc/ssh/ssh_host_dsa_key

  12.     - /etc/ssh/ssh_host_ecdsa_key

  13.     - /etc/ssh/ssh_host_ed25519_key

  14.   UsePrivilegeSeparation: 'yes'

  15.   KeyRegenerationInterval: 3600

  16.   ServerKeyBits: 1024

  17.   SyslogFacility: AUTH

  18.   LogLevel: INFO

  19.   ClientAliveInterval: 0

  20.   ClientAliveCountMax: 3

  21.   LoginGraceTime: 120

  22.   PermitRootLogin: 'yes'

  23.   PasswordAuthentication: 'no'

  24.   StrictModes: 'yes'

  25.   MaxAuthTries: 6

  26.   MaxSessions: 10

  27.   RSAAuthentication: 'yes'

  28.   PubkeyAuthentication: 'yes'

  29.   AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'

  30.   AuthorizedKeysCommandUser: 'nobody'

  31.   IgnoreRhosts: 'yes'

  32.   RhostsRSAAuthentication: 'no'

  33.   HostbasedAuthentication: 'no'

  34.   PermitEmptyPasswords: 'no'

  35.   ChallengeResponseAuthentication: 'no'

  36.   AuthenticationMethods: 'publickey,keyboard-interactive'

  37.   AuthorizedKeysFile: '%h/.ssh/authorized_keys'

  38.   X11Forwarding: 'no'

  39.   X11DisplayOffset: 10

  40.   PrintMotd: 'yes'

  41.   PrintLastLog: 'yes'

  42.   TCPKeepAlive: 'yes'

  43.   AcceptEnv: "LANG LC_*"

  44.   Subsystem: "sftp /usr/lib/openssh/sftp-server"

  45.   UsePAM: 'yes'

  46.   UseDNS: 'yes'

  47.   AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'

  48.   DenyUsers: 'yoda chewbaca@112.10.21.1'

  49.   AllowGroups: 'wheel staff imperial'

  50.   DenyGroups: 'rebel'

  51.   matches:

  52.     sftp_chroot:

  53.       type:

  54.         Group: sftpusers

  55.       options:

  56.         ChrootDirectory: /sftp-chroot/%u

  57.         X11Forwarding: no

  58.         AllowTcpForwarding: no

  59.         ForceCommand: internal-sftp

  60.   # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.

  61.   # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.

  62.   # The configuration given in the example below is based on:

  63.   # https://stribika.github.io/2015/01/04/secure-secure-shell.html

  64.   #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

  65.   #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

  66.   #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'

  67.   KexAlgorithms:

  68.     - 'curve25519-sha256@libssh.org'

  69.     - 'diffie-hellman-group-exchange-sha256'

  70.   Ciphers:

  71.     - 'chacha20-poly1305@openssh.com'

  72.     - 'aes256-gcm@openssh.com'

  73.     - 'aes128-gcm@openssh.com'

  74.     - 'aes256-ctr'

  75.     - 'aes192-ctr'

  76.     - 'aes128-ctr'

  77.   MACs:

  78.     - 'hmac-sha2-512-etm@openssh.com'

  79.     - 'hmac-sha2-256-etm@openssh.com'

  80.     - 'hmac-ripemd160-etm@openssh.com'

  81.     - 'umac-128-etm@openssh.com'

  82.     - 'hmac-sha2-512'

  83.     - 'hmac-sha2-256'

  84.     - 'hmac-ripemd160'

  85.     - 'umac-128@openssh.com'

  86. 

  87. ssh_config:

  88.   StrictHostKeyChecking: no

  89.   ForwardAgent: no

  90.   ForwardX11: no

  91.   RhostsRSAAuthentication: no

  92.   RSAAuthentication: yes

  93.   PasswordAuthentication: yes

  94.   HostbasedAuthentication: no

  95.   GSSAPIAuthentication: no

  96.   GSSAPIDelegateCredentials: no

  97.   BatchMode: 'yes'

  98.   CheckHostIP: 'yes'

  99.   AddressFamily: 'any'

  100.   ConnectTimeout: 0

  101.   IdentityFile: '~/.ssh/id_rsa'

  102.   Port: 22

  103.   Protocol: 2

  104.   Cipher: '3des'

  105.   Tunnel: 'no'

  106.   TunnelDevice: 'any:any'

  107.   PermitLocalCommand: 'no'

  108.   VisualHostKey: 'no'

  109.   # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.

  110.   # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.

  111.   # The configuration given in the example below is based on:

  112.   # https://stribika.github.io/2015/01/04/secure-secure-shell.html

  113.   #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'

  114.   #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

  115.   #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'

  116.   KexAlgorithms:

  117.     - 'curve25519-sha256@libssh.org'

  118.     - 'diffie-hellman-group-exchange-sha256'

  119.     - 'diffie-hellman-group-exchange-sha1'

  120.     - 'diffie-hellman-group14-sha1'

  121.   Ciphers:

  122.     - 'chacha20-poly1305@openssh.com'

  123.     - 'aes256-gcm@openssh.com'

  124.     - 'aes128-gcm@openssh.com'

  125.     - 'aes256-ctr'

  126.     - 'aes192-ctr'

  127.     - 'aes128-ctr'

  128.   MACs:

  129.     - 'hmac-sha2-512-etm@openssh.com'

  130.     - 'hmac-sha2-256-etm@openssh.com'

  131.     - 'hmac-ripemd160-etm@openssh.com'

  132.     - 'umac-128-etm@openssh.com'

  133.     - 'hmac-sha2-512'

  134.     - 'hmac-sha2-256'

  135.     - 'hmac-ripemd160'

  136.     - 'umac-128@openssh.com'

  137. 

  138. 

  139. openssh:

  140.   # Controls if SSHD should be enabled/started

  141.   sshd_enable: true

  142.   auth:

  143.     joe-valid-ssh-key-desktop:

  144.       - user: joe

  145.         present: True

  146.         enc: ssh-rsa

  147.         comment: main key - desktop

  148.         source: salt://ssh_keys/joe.desktop.pub

  149.     joe-valid-ssh-key-notebook:

  150.       - user: joe

  151.         present: True

  152.         enc: ssh-rsa

  153.         comment: main key - notebook

  154.         source: salt://ssh_keys/joe.netbook.pub

  155.     joe-non-valid-ssh-key:

  156.       - user: joe

  157.         present: False

  158.         enc: ssh-rsa

  159.         comment: obsolete key - removed

  160.         source: salt://ssh_keys/joe.no-valid.pub

  161. 

  162.   generate_dsa_keys: False

  163.   absent_dsa_keys: False

  164.   provide_dsa_keys: False

  165.   dsa:

  166.     private_key: |

  167.       -----BEGIN DSA PRIVATE KEY-----

  168.       NOT_DEFINED

  169.       -----END DSA PRIVATE KEY-----

  170.     public_key: |

  171.       ssh-dss NOT_DEFINED

  172. 

  173.   generate_ecdsa_keys: False

  174.   absent_ecdsa_keys: False

  175.   provide_ecdsa_keys: False

  176.   ecdsa:

  177.     private_key: |

  178.       -----BEGIN EC PRIVATE KEY-----

  179.       NOT_DEFINED

  180.       -----END EC PRIVATE KEY-----

  181.     public_key: |

  182.       ecdsa-sha2-nistp256 NOT_DEFINED

  183. 

  184.   generate_rsa_keys: False

  185.   generate_rsa_size: 4096

  186.   absent_rsa_keys: False

  187.   provide_rsa_keys: False

  188.   rsa:

  189.     private_key: |

  190.       -----BEGIN RSA PRIVATE KEY-----

  191.       NOT_DEFINED

  192.       -----END RSA PRIVATE KEY-----

  193.     public_key: |

  194.       ssh-rsa NOT_DEFINED

  195. 

  196.   generate_ed25519_keys: False

  197.   absent_ed25519_keys: False

  198.   provide_ed25519_keys: False

  199.   ed25519:

  200.     private_key: |

  201.       -----BEGIN OPENSSH PRIVATE KEY-----

  202.       NOT_DEFINED

  203.       -----END OPENSSH PRIVATE KEY-----

  204.     public_key: |

  205.       ssh-ed25519 NOT_DEFINED

  206. 

  207.   known_hosts:

  208.     # The next 2 settings restrict the set of minions that will be added in

  209.     # the generated ssh_known_hosts files (the default is to match all minions)

  210.     target: '*'

  211.     expr_form: 'glob'

  212.     # Name of mining functions used to gather public keys and hostnames

  213.     # (the default values are shown here)

  214.     mine_keys_function: public_ssh_host_keys

  215.     mine_hostname_function: public_ssh_hostname

  216.     # List of DNS entries also pointing to our managed machines and that we want

  217.     # to inject in our generated ssh_known_hosts file

  218.     aliases:

  219.       - cname-to-minion.example.org

  220.       - alias.example.org

  221. 

  222.   # specify DH parameters (see /etc/ssh/moduli)

  223.   moduli: |

  224.     # Time Type Tests Tries Size Generator Modulus

  225.     20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63

  226.     20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB

  227.     20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53

  228.     20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F

  229.   # ALTERNATIVELY, specify the location of the moduli file. Examples:

  230.   #moduli_source: http://some.server.somewhere/salt/moduli

  231.   #moduli_source: salt://files/ssh/moduli

  232.   # If moduli is specified, moduli_source will be ignored.

  233.   # Also, a proper hash file *must* be included in the same path. E.g.:

  234.   #     http://some.server.somewhere/salt/moduli.hash

  235.   #     salt://files/ssh/moduli.hash

  236.   # These will be automatically referenced to by the ssh_moduli state.

  237. 

  238. # Required for openssh.known_hosts

  239. mine_functions:

  240.   public_ssh_host_keys:

  241.     mine_function: cmd.run

  242.     cmd: cat /etc/ssh/ssh_host_*_key.pub

  243.     python_shell: True

  244.   public_ssh_hostname:

  245.     mine_function: grains.get

  246.     key: id