salt
/
openssh-formula
forked from ExternalMirrors/openssh-formula
Watch 1
Star 0
Fork 0
Code Releases 0 Activity
Saltstack Official OpenSSH Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
234 Commits
1 Branch
Tree: 9cdb9aaba0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9cdb9aaba0'
${ noResults }
openssh-formula/pillar.example

340 lines
13KB
Raw Blame History 

  1. sshd_config:

  2.   # This keyword is totally optional

  3.   ConfigBanner: |

  4.     # Alternative banner for the config file

  5.     # (Indented) hash signs lose their special meaning here

  6.     # and the lines will be written as-is.

  7.   Port: 22

  8.   Protocol: 2

  9.   HostKey:

  10.     - /etc/ssh/ssh_host_rsa_key

  11.     - /etc/ssh/ssh_host_dsa_key

  12.     - /etc/ssh/ssh_host_ecdsa_key

  13.     - /etc/ssh/ssh_host_ed25519_key

  14.   UsePrivilegeSeparation: 'sandbox'

  15.   KeyRegenerationInterval: 3600

  16.   ServerKeyBits: 1024

  17.   SyslogFacility: AUTH

  18.   LogLevel: INFO

  19.   ClientAliveInterval: 0

  20.   ClientAliveCountMax: 3

  21.   LoginGraceTime: 120

  22.   PermitRootLogin: 'yes'

  23.   PasswordAuthentication: 'no'

  24.   StrictModes: 'yes'

  25.   MaxAuthTries: 6

  26.   MaxSessions: 10

  27.   RSAAuthentication: 'yes'

  28.   PubkeyAuthentication: 'yes'

  29.   AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'

  30.   AuthorizedKeysCommandUser: 'nobody'

  31.   IgnoreRhosts: 'yes'

  32.   RhostsRSAAuthentication: 'no'

  33.   HostbasedAuthentication: 'no'

  34.   PermitEmptyPasswords: 'no'

  35.   ChallengeResponseAuthentication: 'no'

  36.   AuthenticationMethods: 'publickey,keyboard-interactive'

  37.   AuthorizedKeysFile: '%h/.ssh/authorized_keys'

  38.   X11Forwarding: 'no'

  39.   X11DisplayOffset: 10

  40.   PrintMotd: 'yes'

  41.   PrintLastLog: 'yes'

  42.   TCPKeepAlive: 'yes'

  43.   AcceptEnv: "LANG LC_*"

  44.   Subsystem: "sftp /usr/lib/openssh/sftp-server"

  45.   UsePAM: 'yes'

  46.   UseDNS: 'yes'

  47.   # set as string

  48.   AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'

  49.   # or set as list

  50.   AllowUsers: 

  51.     - vader@10.0.0.1 

  52.     - maul@evil.com 

  53.     - sidious 

  54.     - luke

  55.   # set as string 

  56.   DenyUsers: 'yoda chewbaca@112.10.21.1'

  57.   # or set as list

  58.   DenyUsers:

  59.     - yoda

  60.     - chewbaca@112.10.21.1

  61.   # set as string

  62.   AllowGroups: 'wheel staff imperial'

  63.   # or set as list

  64.   AllowGroups:

  65.     - wheel

  66.     - staff

  67.     - imperial

  68.   # set as string

  69.   DenyGroups: 'rebel'

  70.   # or set as list

  71.   DenyGroups:

  72.     - rebel

  73.     - badcompany

  74.   matches:

  75.     sftp_chroot:

  76.       type:

  77.         Group: sftpusers

  78.       options:

  79.         ChrootDirectory: /sftp-chroot/%u

  80.         X11Forwarding: no

  81.         AllowTcpForwarding: no

  82.         ForceCommand: internal-sftp

  83.     # Supports complex compound matches in Match criteria. For example, be able

  84.     # to match against multiple Users for a given Match, or be able to match

  85.     # against address ranges. Or Groups. Or any combination thereof.

  86.     #

  87.     # Support for matching users can take one of several different appearances

  88.     # in pillar data:

  89.     match_1:

  90.       type:

  91.         User: one_user

  92.       options:

  93.         ChrootDirectory: /ex/%u

  94.     match_2:

  95.       type:

  96.         User:

  97.           - jim

  98.           - bob

  99.           - sally

  100.       options:

  101.         ChrootDirectory: /ex/%u

  102.     # Note the syntax of match_3. By using empty dicts for each user, we can

  103.     # leverage Salt's pillar mergine. If we use simple lists, we cannot do

  104.     # this; Salt can't merge simple lists, because it doesn't know what order

  105.     # they ought to be in.

  106.     match_3:

  107.       type:

  108.         User:

  109.           jim: ~

  110.           bob: ~

  111.           sally: ~

  112.       options:

  113.         ChrootDirectory: /ex/%u

  114. 

  115.   # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.

  116.   # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.

  117.   # The configuration given in the example below is based on:

  118.   # https://stribika.github.io/2015/01/04/secure-secure-shell.html

  119.   #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

  120.   #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

  121.   #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'

  122.   KexAlgorithms:

  123.     - 'curve25519-sha256@libssh.org'

  124.     - 'diffie-hellman-group-exchange-sha256'

  125.   Ciphers:

  126.     - 'chacha20-poly1305@openssh.com'

  127.     - 'aes256-gcm@openssh.com'

  128.     - 'aes128-gcm@openssh.com'

  129.     - 'aes256-ctr'

  130.     - 'aes192-ctr'

  131.     - 'aes128-ctr'

  132.   MACs:

  133.     - 'hmac-sha2-512-etm@openssh.com'

  134.     - 'hmac-sha2-256-etm@openssh.com'

  135.     - 'hmac-ripemd160-etm@openssh.com'

  136.     - 'umac-128-etm@openssh.com'

  137.     - 'hmac-sha2-512'

  138.     - 'hmac-sha2-256'

  139.     - 'hmac-ripemd160'

  140.     - 'umac-128@openssh.com'

  141. 

  142. # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config

  143. # pillar will overwrite the defaults of your distribution's SSH client. This

  144. # will also force the default configuration for all the SSH clients on the

  145. # machine. This can break SSH connections with servers using older versions of

  146. # openssh. Please make sure you understand the implication of different settings

  147. ssh_config:

  148.   StrictHostKeyChecking: no

  149.   ForwardAgent: no

  150.   ForwardX11: no

  151.   RhostsRSAAuthentication: no

  152.   RSAAuthentication: yes

  153.   PasswordAuthentication: yes

  154.   HostbasedAuthentication: no

  155.   GSSAPIAuthentication: no

  156.   GSSAPIDelegateCredentials: no

  157.   BatchMode: 'yes'

  158.   CheckHostIP: 'yes'

  159.   AddressFamily: 'any'

  160.   ConnectTimeout: 0

  161.   IdentityFile: '~/.ssh/id_rsa'

  162.   Port: 22

  163.   Protocol: 2

  164.   Cipher: '3des'

  165.   Tunnel: 'no'

  166.   TunnelDevice: 'any:any'

  167.   PermitLocalCommand: 'no'

  168.   VisualHostKey: 'no'

  169.   # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.

  170.   # WARNING! Please make sure you understand the implications of the below

  171.   # settings. The examples provided below might break your connection to older /

  172.   # legacy openssh servers.

  173.   # The configuration given in the example below is based on:

  174.   # https://stribika.github.io/2015/01/04/secure-secure-shell.html

  175.   # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.

  176.   #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'

  177.   #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

  178.   #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'

  179.   KexAlgorithms:

  180.     - 'curve25519-sha256@libssh.org'

  181.     - 'diffie-hellman-group-exchange-sha256'

  182.     - 'diffie-hellman-group-exchange-sha1'

  183.     - 'diffie-hellman-group14-sha1'

  184.   Ciphers:

  185.     - 'chacha20-poly1305@openssh.com'

  186.     - 'aes256-gcm@openssh.com'

  187.     - 'aes128-gcm@openssh.com'

  188.     - 'aes256-ctr'

  189.     - 'aes192-ctr'

  190.     - 'aes128-ctr'

  191.   MACs:

  192.     - 'hmac-sha2-512-etm@openssh.com'

  193.     - 'hmac-sha2-256-etm@openssh.com'

  194.     - 'hmac-ripemd160-etm@openssh.com'

  195.     - 'umac-128-etm@openssh.com'

  196.     - 'hmac-sha2-512'

  197.     - 'hmac-sha2-256'

  198.     - 'hmac-ripemd160'

  199.     - 'umac-128@openssh.com'

  200. 

  201. 

  202. openssh:

  203.   # Instead of adding a custom banner file you can set it in pillar

  204.   banner_string: |

  205.     Welcome to {{ grains['id'] }}!

  206. 

  207.   # Controls if SSHD should be enabled/started

  208.   sshd_enable: true

  209.   auth:

  210.     joe-valid-ssh-key-desktop:

  211.       - user: joe

  212.         present: True

  213.         enc: ssh-rsa

  214.         comment: main key - desktop

  215.         source: salt://ssh_keys/joe.desktop.pub

  216.     joe-valid-ssh-key-notebook:

  217.       - user: joe

  218.         present: True

  219.         enc: ssh-rsa

  220.         comment: main key - notebook

  221.         source: salt://ssh_keys/joe.netbook.pub

  222.     joe-non-valid-ssh-key:

  223.       - user: joe

  224.         present: False

  225.         enc: ssh-rsa

  226.         comment: obsolete key - removed

  227.         source: salt://ssh_keys/joe.no-valid.pub

  228.   # Maps users to source files

  229.   # Designed to play nice with ext_pillar

  230.   # salt.states.ssh_auth: If source is set, comment and enc will be ignored

  231.   auth_map:

  232.     personal_keys:  # store name

  233.       source: salt://ssh_keys

  234.       users:

  235.         joe:

  236.           joe.desktop: {}

  237.           joe.netbook:

  238.             options: []  # see salt.states.ssh_auth.present

  239.           joe.no-valid:

  240.             present: False

  241. 

  242.   generate_dsa_keys: False

  243.   absent_dsa_keys: False

  244.   provide_dsa_keys: False

  245.   dsa:

  246.     private_key: |

  247.       -----BEGIN DSA PRIVATE KEY-----

  248.       NOT_DEFINED

  249.       -----END DSA PRIVATE KEY-----

  250.     public_key: |

  251.       ssh-dss NOT_DEFINED

  252. 

  253.   generate_ecdsa_keys: False

  254.   absent_ecdsa_keys: False

  255.   provide_ecdsa_keys: False

  256.   ecdsa:

  257.     private_key: |

  258.       -----BEGIN EC PRIVATE KEY-----

  259.       NOT_DEFINED

  260.       -----END EC PRIVATE KEY-----

  261.     public_key: |

  262.       ecdsa-sha2-nistp256 NOT_DEFINED

  263. 

  264.   generate_rsa_keys: False

  265.   generate_rsa_size: 4096

  266.   # Will remove the old key if it is to short and generate a new one.

  267.   enforce_rsa_size: False

  268.   absent_rsa_keys: False

  269.   provide_rsa_keys: False

  270.   rsa:

  271.     private_key: |

  272.       -----BEGIN RSA PRIVATE KEY-----

  273.       NOT_DEFINED

  274.       -----END RSA PRIVATE KEY-----

  275.     public_key: |

  276.       ssh-rsa NOT_DEFINED

  277. 

  278.   generate_ed25519_keys: False

  279.   absent_ed25519_keys: False

  280.   provide_ed25519_keys: False

  281.   ed25519:

  282.     private_key: |

  283.       -----BEGIN OPENSSH PRIVATE KEY-----

  284.       NOT_DEFINED

  285.       -----END OPENSSH PRIVATE KEY-----

  286.     public_key: |

  287.       ssh-ed25519 NOT_DEFINED

  288. 

  289.   known_hosts:

  290.     # The next 2 settings restrict the set of minions that will be added in

  291.     # the generated ssh_known_hosts files (the default is to match all minions)

  292.     target: '*'

  293.     expr_form: 'glob'

  294.     # Name of mining functions used to gather public keys and hostnames

  295.     # (the default values are shown here)

  296.     mine_keys_function: public_ssh_host_keys

  297.     mine_hostname_function: public_ssh_hostname

  298.     # List of DNS entries also pointing to our managed machines and that we want

  299.     # to inject in our generated ssh_known_hosts file

  300.     aliases:

  301.       - cname-to-minion.example.org

  302.       - alias.example.org

  303.     # Includes short hostnames derived from the FQDN

  304.     # (host.example.test -> host)

  305.     # (Deactivated by default, because there can be collisions!)

  306.     hostnames: False

  307.     #hostnames:

  308.     # Restrict wich hosts you want to use via their hostname

  309.     # (i.e. ssh user@host instead of ssh user@host.example.com)

  310.     #  target: '*'  # Defaults to "*.{}".format(grains['domain']) with a fallback to '*'

  311.     #  expr_form: 'glob'

  312.     # To activate the defaults you can just set an empty dict.

  313.     #hostnames: {}

  314. 

  315.   # specify DH parameters (see /etc/ssh/moduli)

  316.   moduli: |

  317.     # Time Type Tests Tries Size Generator Modulus

  318.     20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63

  319.     20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB

  320.     20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53

  321.     20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F

  322.   # ALTERNATIVELY, specify the location of the moduli file. Examples:

  323.   #moduli_source: http://some.server.somewhere/salt/moduli

  324.   #moduli_source: salt://files/ssh/moduli

  325.   # If moduli is specified, moduli_source will be ignored.

  326.   # Also, a proper hash file *must* be included in the same path. E.g.:

  327.   #     http://some.server.somewhere/salt/moduli.hash

  328.   #     salt://files/ssh/moduli.hash

  329.   # These will be automatically referenced to by the ssh_moduli state.

  330. 

  331. # Required for openssh.known_hosts

  332. mine_functions:

  333.   public_ssh_host_keys:

  334.     mine_function: cmd.run

  335.     cmd: cat /etc/ssh/ssh_host_*_key.pub

  336.     python_shell: True

  337.   public_ssh_hostname:

  338.     mine_function: grains.get

  339.     key: id