Saltstack Official OpenSSH Formula
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.

pillar.example 10KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254
  1. sshd_config:
  2. # This keyword is totally optional
  3. ConfigBanner: |
  4. # Alternative banner for the config file
  5. # (Indented) hash signs lose their special meaning here
  6. # and the lines will be written as-is.
  7. Port: 22
  8. Protocol: 2
  9. HostKey:
  10. - /etc/ssh/ssh_host_rsa_key
  11. - /etc/ssh/ssh_host_dsa_key
  12. - /etc/ssh/ssh_host_ecdsa_key
  13. - /etc/ssh/ssh_host_ed25519_key
  14. UsePrivilegeSeparation: 'yes'
  15. KeyRegenerationInterval: 3600
  16. ServerKeyBits: 1024
  17. SyslogFacility: AUTH
  18. LogLevel: INFO
  19. ClientAliveInterval: 0
  20. ClientAliveCountMax: 3
  21. LoginGraceTime: 120
  22. PermitRootLogin: 'yes'
  23. PasswordAuthentication: 'no'
  24. StrictModes: 'yes'
  25. MaxAuthTries: 6
  26. MaxSessions: 10
  27. RSAAuthentication: 'yes'
  28. PubkeyAuthentication: 'yes'
  29. AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
  30. AuthorizedKeysCommandUser: 'nobody'
  31. IgnoreRhosts: 'yes'
  32. RhostsRSAAuthentication: 'no'
  33. HostbasedAuthentication: 'no'
  34. PermitEmptyPasswords: 'no'
  35. ChallengeResponseAuthentication: 'no'
  36. AuthenticationMethods: 'publickey,keyboard-interactive'
  37. AuthorizedKeysFile: '%h/.ssh/authorized_keys'
  38. X11Forwarding: 'no'
  39. X11DisplayOffset: 10
  40. PrintMotd: 'yes'
  41. PrintLastLog: 'yes'
  42. TCPKeepAlive: 'yes'
  43. AcceptEnv: "LANG LC_*"
  44. Subsystem: "sftp /usr/lib/openssh/sftp-server"
  45. UsePAM: 'yes'
  46. UseDNS: 'yes'
  47. AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
  48. DenyUsers: 'yoda chewbaca@112.10.21.1'
  49. AllowGroups: 'wheel staff imperial'
  50. DenyGroups: 'rebel'
  51. matches:
  52. sftp_chroot:
  53. type:
  54. Group: sftpusers
  55. options:
  56. ChrootDirectory: /sftp-chroot/%u
  57. X11Forwarding: no
  58. AllowTcpForwarding: no
  59. ForceCommand: internal-sftp
  60. # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
  61. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  62. # The configuration given in the example below is based on:
  63. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  64. #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
  65. #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  66. #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
  67. KexAlgorithms:
  68. - 'curve25519-sha256@libssh.org'
  69. - 'diffie-hellman-group-exchange-sha256'
  70. Ciphers:
  71. - 'chacha20-poly1305@openssh.com'
  72. - 'aes256-gcm@openssh.com'
  73. - 'aes128-gcm@openssh.com'
  74. - 'aes256-ctr'
  75. - 'aes192-ctr'
  76. - 'aes128-ctr'
  77. MACs:
  78. - 'hmac-sha2-512-etm@openssh.com'
  79. - 'hmac-sha2-256-etm@openssh.com'
  80. - 'hmac-ripemd160-etm@openssh.com'
  81. - 'umac-128-etm@openssh.com'
  82. - 'hmac-sha2-512'
  83. - 'hmac-sha2-256'
  84. - 'hmac-ripemd160'
  85. - 'umac-128@openssh.com'
  86. # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
  87. # pillar will overwrite the defaults of your distribution's SSH client. This
  88. # will also force the default configuration for all the SSH clients on the
  89. # machine. This can break SSH connections with servers using older versions of
  90. # openssh. Please make sure you understand the implication of different settings
  91. ssh_config:
  92. StrictHostKeyChecking: no
  93. ForwardAgent: no
  94. ForwardX11: no
  95. RhostsRSAAuthentication: no
  96. RSAAuthentication: yes
  97. PasswordAuthentication: yes
  98. HostbasedAuthentication: no
  99. GSSAPIAuthentication: no
  100. GSSAPIDelegateCredentials: no
  101. BatchMode: 'yes'
  102. CheckHostIP: 'yes'
  103. AddressFamily: 'any'
  104. ConnectTimeout: 0
  105. IdentityFile: '~/.ssh/id_rsa'
  106. Port: 22
  107. Protocol: 2
  108. Cipher: '3des'
  109. Tunnel: 'no'
  110. TunnelDevice: 'any:any'
  111. PermitLocalCommand: 'no'
  112. VisualHostKey: 'no'
  113. # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
  114. # WARNING! Please make sure you understand the implications of the below
  115. # settings. The examples provided below might break your connection to older /
  116. # legacy openssh servers.
  117. # The configuration given in the example below is based on:
  118. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  119. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  120. #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
  121. #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  122. #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
  123. KexAlgorithms:
  124. - 'curve25519-sha256@libssh.org'
  125. - 'diffie-hellman-group-exchange-sha256'
  126. - 'diffie-hellman-group-exchange-sha1'
  127. - 'diffie-hellman-group14-sha1'
  128. Ciphers:
  129. - 'chacha20-poly1305@openssh.com'
  130. - 'aes256-gcm@openssh.com'
  131. - 'aes128-gcm@openssh.com'
  132. - 'aes256-ctr'
  133. - 'aes192-ctr'
  134. - 'aes128-ctr'
  135. MACs:
  136. - 'hmac-sha2-512-etm@openssh.com'
  137. - 'hmac-sha2-256-etm@openssh.com'
  138. - 'hmac-ripemd160-etm@openssh.com'
  139. - 'umac-128-etm@openssh.com'
  140. - 'hmac-sha2-512'
  141. - 'hmac-sha2-256'
  142. - 'hmac-ripemd160'
  143. - 'umac-128@openssh.com'
  144. openssh:
  145. # Controls if SSHD should be enabled/started
  146. sshd_enable: true
  147. auth:
  148. joe-valid-ssh-key-desktop:
  149. - user: joe
  150. present: True
  151. enc: ssh-rsa
  152. comment: main key - desktop
  153. source: salt://ssh_keys/joe.desktop.pub
  154. joe-valid-ssh-key-notebook:
  155. - user: joe
  156. present: True
  157. enc: ssh-rsa
  158. comment: main key - notebook
  159. source: salt://ssh_keys/joe.netbook.pub
  160. joe-non-valid-ssh-key:
  161. - user: joe
  162. present: False
  163. enc: ssh-rsa
  164. comment: obsolete key - removed
  165. source: salt://ssh_keys/joe.no-valid.pub
  166. generate_dsa_keys: False
  167. absent_dsa_keys: False
  168. provide_dsa_keys: False
  169. dsa:
  170. private_key: |
  171. -----BEGIN DSA PRIVATE KEY-----
  172. NOT_DEFINED
  173. -----END DSA PRIVATE KEY-----
  174. public_key: |
  175. ssh-dss NOT_DEFINED
  176. generate_ecdsa_keys: False
  177. absent_ecdsa_keys: False
  178. provide_ecdsa_keys: False
  179. ecdsa:
  180. private_key: |
  181. -----BEGIN EC PRIVATE KEY-----
  182. NOT_DEFINED
  183. -----END EC PRIVATE KEY-----
  184. public_key: |
  185. ecdsa-sha2-nistp256 NOT_DEFINED
  186. generate_rsa_keys: False
  187. generate_rsa_size: 4096
  188. absent_rsa_keys: False
  189. provide_rsa_keys: False
  190. rsa:
  191. private_key: |
  192. -----BEGIN RSA PRIVATE KEY-----
  193. NOT_DEFINED
  194. -----END RSA PRIVATE KEY-----
  195. public_key: |
  196. ssh-rsa NOT_DEFINED
  197. generate_ed25519_keys: False
  198. absent_ed25519_keys: False
  199. provide_ed25519_keys: False
  200. ed25519:
  201. private_key: |
  202. -----BEGIN OPENSSH PRIVATE KEY-----
  203. NOT_DEFINED
  204. -----END OPENSSH PRIVATE KEY-----
  205. public_key: |
  206. ssh-ed25519 NOT_DEFINED
  207. known_hosts:
  208. # The next 2 settings restrict the set of minions that will be added in
  209. # the generated ssh_known_hosts files (the default is to match all minions)
  210. target: '*'
  211. expr_form: 'glob'
  212. # Name of mining functions used to gather public keys and hostnames
  213. # (the default values are shown here)
  214. mine_keys_function: public_ssh_host_keys
  215. mine_hostname_function: public_ssh_hostname
  216. # List of DNS entries also pointing to our managed machines and that we want
  217. # to inject in our generated ssh_known_hosts file
  218. aliases:
  219. - cname-to-minion.example.org
  220. - alias.example.org
  221. # specify DH parameters (see /etc/ssh/moduli)
  222. moduli: |
  223. # Time Type Tests Tries Size Generator Modulus
  224. 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
  225. 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
  226. 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
  227. 20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
  228. # ALTERNATIVELY, specify the location of the moduli file. Examples:
  229. #moduli_source: http://some.server.somewhere/salt/moduli
  230. #moduli_source: salt://files/ssh/moduli
  231. # If moduli is specified, moduli_source will be ignored.
  232. # Also, a proper hash file *must* be included in the same path. E.g.:
  233. # http://some.server.somewhere/salt/moduli.hash
  234. # salt://files/ssh/moduli.hash
  235. # These will be automatically referenced to by the ssh_moduli state.
  236. # Required for openssh.known_hosts
  237. mine_functions:
  238. public_ssh_host_keys:
  239. mine_function: cmd.run
  240. cmd: cat /etc/ssh/ssh_host_*_key.pub
  241. python_shell: True
  242. public_ssh_hostname:
  243. mine_function: grains.get
  244. key: id