|
- sshd_config:
- # This keyword is totally optional
- ConfigBanner: |
- # Alternative banner for the config file
- # (Indented) hash signs lose their special meaning here
- # and the lines will be written as-is.
- Port: 22
- Protocol: 2
- HostKey:
- - /etc/ssh/ssh_host_rsa_key
- - /etc/ssh/ssh_host_dsa_key
- - /etc/ssh/ssh_host_ecdsa_key
- - /etc/ssh/ssh_host_ed25519_key
- UsePrivilegeSeparation: 'sandbox'
- KeyRegenerationInterval: 3600
- ServerKeyBits: 1024
- SyslogFacility: AUTH
- LogLevel: INFO
- ClientAliveInterval: 0
- ClientAliveCountMax: 3
- LoginGraceTime: 120
- PermitRootLogin: 'yes'
- PasswordAuthentication: 'no'
- StrictModes: 'yes'
- MaxAuthTries: 6
- MaxSessions: 10
- RSAAuthentication: 'yes'
- PubkeyAuthentication: 'yes'
- AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
- AuthorizedKeysCommandUser: 'nobody'
- IgnoreRhosts: 'yes'
- RhostsRSAAuthentication: 'no'
- HostbasedAuthentication: 'no'
- PermitEmptyPasswords: 'no'
- ChallengeResponseAuthentication: 'no'
- AuthenticationMethods: 'publickey,keyboard-interactive'
- AuthorizedKeysFile: '%h/.ssh/authorized_keys'
- X11Forwarding: 'no'
- X11DisplayOffset: 10
- PrintMotd: 'yes'
- PrintLastLog: 'yes'
- TCPKeepAlive: 'yes'
- AcceptEnv: "LANG LC_*"
- Subsystem: "sftp /usr/lib/openssh/sftp-server"
- UsePAM: 'yes'
- UseDNS: 'yes'
- # set as string
- AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
- # or set as list
- AllowUsers:
- - vader@10.0.0.1
- - maul@evil.com
- - sidious
- - luke
- # set as string
- DenyUsers: 'yoda chewbaca@112.10.21.1'
- # or set as list
- DenyUsers:
- - yoda
- - chewbaca@112.10.21.1
- # set as string
- AllowGroups: 'wheel staff imperial'
- # or set as list
- AllowGroups:
- - wheel
- - staff
- - imperial
- # set as string
- DenyGroups: 'rebel'
- # or set as list
- DenyGroups:
- - rebel
- - badcompany
- matches:
- sftp_chroot:
- type:
- Group: sftpusers
- options:
- ChrootDirectory: /sftp-chroot/%u
- X11Forwarding: no
- AllowTcpForwarding: no
- ForceCommand: internal-sftp
- # Supports complex compound matches in Match criteria. For example, be able
- # to match against multiple Users for a given Match, or be able to match
- # against address ranges. Or Groups. Or any combination thereof.
- #
- # Support for matching users can take one of several different appearances
- # in pillar data:
- match_1:
- type:
- User: one_user
- options:
- ChrootDirectory: /ex/%u
- match_2:
- type:
- User:
- - jim
- - bob
- - sally
- options:
- ChrootDirectory: /ex/%u
- # Note the syntax of match_3. By using empty dicts for each user, we can
- # leverage Salt's pillar mergine. If we use simple lists, we cannot do
- # this; Salt can't merge simple lists, because it doesn't know what order
- # they ought to be in.
- match_3:
- type:
- User:
- jim: ~
- bob: ~
- sally: ~
- options:
- ChrootDirectory: /ex/%u
-
- # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
- # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
- # The configuration given in the example below is based on:
- # https://stribika.github.io/2015/01/04/secure-secure-shell.html
- #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
- #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
- #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
- KexAlgorithms:
- - 'curve25519-sha256@libssh.org'
- - 'diffie-hellman-group-exchange-sha256'
- Ciphers:
- - 'chacha20-poly1305@openssh.com'
- - 'aes256-gcm@openssh.com'
- - 'aes128-gcm@openssh.com'
- - 'aes256-ctr'
- - 'aes192-ctr'
- - 'aes128-ctr'
- MACs:
- - 'hmac-sha2-512-etm@openssh.com'
- - 'hmac-sha2-256-etm@openssh.com'
- - 'umac-128-etm@openssh.com'
- - 'hmac-sha2-512'
- - 'hmac-sha2-256'
- - 'umac-128@openssh.com'
-
- # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
- # pillar will overwrite the defaults of your distribution's SSH client. This
- # will also force the default configuration for all the SSH clients on the
- # machine. This can break SSH connections with servers using older versions of
- # openssh. Please make sure you understand the implication of different settings
- ssh_config:
- StrictHostKeyChecking: no
- ForwardAgent: no
- ForwardX11: no
- RhostsRSAAuthentication: no
- RSAAuthentication: yes
- PasswordAuthentication: yes
- HostbasedAuthentication: no
- GSSAPIAuthentication: no
- GSSAPIDelegateCredentials: no
- BatchMode: 'yes'
- CheckHostIP: 'yes'
- AddressFamily: 'any'
- ConnectTimeout: 0
- IdentityFile: '~/.ssh/id_rsa'
- Port: 22
- Protocol: 2
- Cipher: '3des'
- Tunnel: 'no'
- TunnelDevice: 'any:any'
- PermitLocalCommand: 'no'
- VisualHostKey: 'no'
- # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
- # WARNING! Please make sure you understand the implications of the below
- # settings. The examples provided below might break your connection to older /
- # legacy openssh servers.
- # The configuration given in the example below is based on:
- # https://stribika.github.io/2015/01/04/secure-secure-shell.html
- # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
- #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
- #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
- #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
- KexAlgorithms:
- - 'curve25519-sha256@libssh.org'
- - 'diffie-hellman-group-exchange-sha256'
- - 'diffie-hellman-group-exchange-sha1'
- - 'diffie-hellman-group14-sha1'
- Ciphers:
- - 'chacha20-poly1305@openssh.com'
- - 'aes256-gcm@openssh.com'
- - 'aes128-gcm@openssh.com'
- - 'aes256-ctr'
- - 'aes192-ctr'
- - 'aes128-ctr'
- MACs:
- - 'hmac-sha2-512-etm@openssh.com'
- - 'hmac-sha2-256-etm@openssh.com'
- - 'umac-128-etm@openssh.com'
- - 'hmac-sha2-512'
- - 'hmac-sha2-256'
- - 'umac-128@openssh.com'
-
-
- openssh:
- # Instead of adding a custom banner file you can set it in pillar
- banner_string: |
- Welcome to {{ grains['id'] }}!
-
- # Controls if SSHD should be enabled/started
- sshd_enable: true
- auth:
- joe-valid-ssh-key-desktop:
- - user: joe
- present: True
- enc: ssh-rsa
- comment: main key - desktop
- source: salt://ssh_keys/joe.desktop.pub
- joe-valid-ssh-key-notebook:
- - user: joe
- present: True
- enc: ssh-rsa
- comment: main key - notebook
- source: salt://ssh_keys/joe.netbook.pub
- joe-non-valid-ssh-key:
- - user: joe
- present: False
- enc: ssh-rsa
- comment: obsolete key - removed
- source: salt://ssh_keys/joe.no-valid.pub
- # Maps users to source files
- # Designed to play nice with ext_pillar
- # salt.states.ssh_auth: If source is set, comment and enc will be ignored
- auth_map:
- personal_keys: # store name
- source: salt://ssh_keys
- users:
- joe:
- joe.desktop: {}
- joe.netbook:
- options: [] # see salt.states.ssh_auth.present
- joe.no-valid:
- present: False
-
- generate_dsa_keys: False
- absent_dsa_keys: False
- provide_dsa_keys: False
- dsa:
- private_key: |
- -----BEGIN DSA PRIVATE KEY-----
- NOT_DEFINED
- -----END DSA PRIVATE KEY-----
- public_key: |
- ssh-dss NOT_DEFINED
-
- generate_ecdsa_keys: False
- absent_ecdsa_keys: False
- provide_ecdsa_keys: False
- ecdsa:
- private_key: |
- -----BEGIN EC PRIVATE KEY-----
- NOT_DEFINED
- -----END EC PRIVATE KEY-----
- public_key: |
- ecdsa-sha2-nistp256 NOT_DEFINED
-
- generate_rsa_keys: False
- generate_rsa_size: 4096
- # Will remove the old key if it is to short and generate a new one.
- enforce_rsa_size: False
- absent_rsa_keys: False
- provide_rsa_keys: False
- rsa:
- private_key: |
- -----BEGIN RSA PRIVATE KEY-----
- NOT_DEFINED
- -----END RSA PRIVATE KEY-----
- public_key: |
- ssh-rsa NOT_DEFINED
-
- generate_ed25519_keys: False
- absent_ed25519_keys: False
- provide_ed25519_keys: False
- ed25519:
- private_key: |
- -----BEGIN OPENSSH PRIVATE KEY-----
- NOT_DEFINED
- -----END OPENSSH PRIVATE KEY-----
- public_key: |
- ssh-ed25519 NOT_DEFINED
-
- known_hosts:
- # The next 2 settings restrict the set of minions that will be added in
- # the generated ssh_known_hosts files (the default is to match all minions)
- target: '*'
- tgt_type: 'glob'
- # Name of mining functions used to gather public keys and hostnames
- # (the default values are shown here)
- mine_keys_function: public_ssh_host_keys
- mine_hostname_function: public_ssh_hostname
- # List of DNS entries also pointing to our managed machines and that we want
- # to inject in our generated ssh_known_hosts file
- aliases:
- - cname-to-minion.example.org
- - alias.example.org
- # Includes short hostnames derived from the FQDN
- # (host.example.test -> host)
- # (Deactivated by default, because there can be collisions!)
- hostnames: False
- #hostnames:
- # Restrict wich hosts you want to use via their hostname
- # (i.e. ssh user@host instead of ssh user@host.example.com)
- # target: '*' # Defaults to "*.{}".format(grains['domain']) with a fallback to '*'
- # tgt_type: 'glob'
- # To activate the defaults you can just set an empty dict.
- #hostnames: {}
- # Here you can list keys for hosts which are not among your minions:
- static:
- github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
- gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
-
- # specify DH parameters (see /etc/ssh/moduli)
- moduli: |
- # Time Type Tests Tries Size Generator Modulus
- 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
- 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
- 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
- 20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
- # ALTERNATIVELY, specify the location of the moduli file. Examples:
- #moduli_source: http://some.server.somewhere/salt/moduli
- #moduli_source: salt://files/ssh/moduli
- # If moduli is specified, moduli_source will be ignored.
- # Also, a proper hash file *must* be included in the same path. E.g.:
- # http://some.server.somewhere/salt/moduli.hash
- # salt://files/ssh/moduli.hash
- # These will be automatically referenced to by the ssh_moduli state.
-
- # Required for openssh.known_hosts
- mine_functions:
- public_ssh_host_keys:
- mine_function: cmd.run
- cmd: cat /etc/ssh/ssh_host_*_key.pub
- python_shell: True
- public_ssh_hostname:
- mine_function: grains.get
- key: id
|