Saltstack Official OpenSSH Formula
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.

270 lines
11KB

  1. sshd_config:
  2. # This keyword is totally optional
  3. ConfigBanner: |
  4. # Alternative banner for the config file
  5. # (Indented) hash signs lose their special meaning here
  6. # and the lines will be written as-is.
  7. Port: 22
  8. Protocol: 2
  9. HostKey:
  10. - /etc/ssh/ssh_host_rsa_key
  11. - /etc/ssh/ssh_host_dsa_key
  12. - /etc/ssh/ssh_host_ecdsa_key
  13. - /etc/ssh/ssh_host_ed25519_key
  14. UsePrivilegeSeparation: 'yes'
  15. KeyRegenerationInterval: 3600
  16. ServerKeyBits: 1024
  17. SyslogFacility: AUTH
  18. LogLevel: INFO
  19. ClientAliveInterval: 0
  20. ClientAliveCountMax: 3
  21. LoginGraceTime: 120
  22. PermitRootLogin: 'yes'
  23. PasswordAuthentication: 'no'
  24. StrictModes: 'yes'
  25. MaxAuthTries: 6
  26. MaxSessions: 10
  27. RSAAuthentication: 'yes'
  28. PubkeyAuthentication: 'yes'
  29. AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
  30. AuthorizedKeysCommandUser: 'nobody'
  31. IgnoreRhosts: 'yes'
  32. RhostsRSAAuthentication: 'no'
  33. HostbasedAuthentication: 'no'
  34. PermitEmptyPasswords: 'no'
  35. ChallengeResponseAuthentication: 'no'
  36. AuthenticationMethods: 'publickey,keyboard-interactive'
  37. AuthorizedKeysFile: '%h/.ssh/authorized_keys'
  38. X11Forwarding: 'no'
  39. X11DisplayOffset: 10
  40. PrintMotd: 'yes'
  41. PrintLastLog: 'yes'
  42. TCPKeepAlive: 'yes'
  43. AcceptEnv: "LANG LC_*"
  44. Subsystem: "sftp /usr/lib/openssh/sftp-server"
  45. UsePAM: 'yes'
  46. UseDNS: 'yes'
  47. AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
  48. DenyUsers: 'yoda chewbaca@112.10.21.1'
  49. AllowGroups: 'wheel staff imperial'
  50. DenyGroups: 'rebel'
  51. matches:
  52. sftp_chroot:
  53. type:
  54. Group: sftpusers
  55. options:
  56. ChrootDirectory: /sftp-chroot/%u
  57. X11Forwarding: no
  58. AllowTcpForwarding: no
  59. ForceCommand: internal-sftp
  60. # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
  61. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  62. # The configuration given in the example below is based on:
  63. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  64. #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
  65. #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  66. #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
  67. KexAlgorithms:
  68. - 'curve25519-sha256@libssh.org'
  69. - 'diffie-hellman-group-exchange-sha256'
  70. Ciphers:
  71. - 'chacha20-poly1305@openssh.com'
  72. - 'aes256-gcm@openssh.com'
  73. - 'aes128-gcm@openssh.com'
  74. - 'aes256-ctr'
  75. - 'aes192-ctr'
  76. - 'aes128-ctr'
  77. MACs:
  78. - 'hmac-sha2-512-etm@openssh.com'
  79. - 'hmac-sha2-256-etm@openssh.com'
  80. - 'hmac-ripemd160-etm@openssh.com'
  81. - 'umac-128-etm@openssh.com'
  82. - 'hmac-sha2-512'
  83. - 'hmac-sha2-256'
  84. - 'hmac-ripemd160'
  85. - 'umac-128@openssh.com'
  86. # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
  87. # pillar will overwrite the defaults of your distribution's SSH client. This
  88. # will also force the default configuration for all the SSH clients on the
  89. # machine. This can break SSH connections with servers using older versions of
  90. # openssh. Please make sure you understand the implication of different settings
  91. ssh_config:
  92. StrictHostKeyChecking: no
  93. ForwardAgent: no
  94. ForwardX11: no
  95. RhostsRSAAuthentication: no
  96. RSAAuthentication: yes
  97. PasswordAuthentication: yes
  98. HostbasedAuthentication: no
  99. GSSAPIAuthentication: no
  100. GSSAPIDelegateCredentials: no
  101. BatchMode: 'yes'
  102. CheckHostIP: 'yes'
  103. AddressFamily: 'any'
  104. ConnectTimeout: 0
  105. IdentityFile: '~/.ssh/id_rsa'
  106. Port: 22
  107. Protocol: 2
  108. Cipher: '3des'
  109. Tunnel: 'no'
  110. TunnelDevice: 'any:any'
  111. PermitLocalCommand: 'no'
  112. VisualHostKey: 'no'
  113. # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
  114. # WARNING! Please make sure you understand the implications of the below
  115. # settings. The examples provided below might break your connection to older /
  116. # legacy openssh servers.
  117. # The configuration given in the example below is based on:
  118. # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  119. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  120. #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
  121. #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  122. #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
  123. KexAlgorithms:
  124. - 'curve25519-sha256@libssh.org'
  125. - 'diffie-hellman-group-exchange-sha256'
  126. - 'diffie-hellman-group-exchange-sha1'
  127. - 'diffie-hellman-group14-sha1'
  128. Ciphers:
  129. - 'chacha20-poly1305@openssh.com'
  130. - 'aes256-gcm@openssh.com'
  131. - 'aes128-gcm@openssh.com'
  132. - 'aes256-ctr'
  133. - 'aes192-ctr'
  134. - 'aes128-ctr'
  135. MACs:
  136. - 'hmac-sha2-512-etm@openssh.com'
  137. - 'hmac-sha2-256-etm@openssh.com'
  138. - 'hmac-ripemd160-etm@openssh.com'
  139. - 'umac-128-etm@openssh.com'
  140. - 'hmac-sha2-512'
  141. - 'hmac-sha2-256'
  142. - 'hmac-ripemd160'
  143. - 'umac-128@openssh.com'
  144. openssh:
  145. # Controls if SSHD should be enabled/started
  146. sshd_enable: true
  147. auth:
  148. joe-valid-ssh-key-desktop:
  149. - user: joe
  150. present: True
  151. enc: ssh-rsa
  152. comment: main key - desktop
  153. source: salt://ssh_keys/joe.desktop.pub
  154. joe-valid-ssh-key-notebook:
  155. - user: joe
  156. present: True
  157. enc: ssh-rsa
  158. comment: main key - notebook
  159. source: salt://ssh_keys/joe.netbook.pub
  160. joe-non-valid-ssh-key:
  161. - user: joe
  162. present: False
  163. enc: ssh-rsa
  164. comment: obsolete key - removed
  165. source: salt://ssh_keys/joe.no-valid.pub
  166. # Maps users to source files
  167. # Designed to play nice with ext_pillar
  168. # salt.states.ssh_auth: If source is set, comment and enc will be ignored
  169. auth_map:
  170. personal_keys: # store name
  171. source: salt://ssh_keys
  172. users:
  173. joe:
  174. joe.desktop: {}
  175. joe.netbook:
  176. options: [] # see salt.states.ssh_auth.present
  177. joe.no-valid:
  178. present: False
  179. generate_dsa_keys: False
  180. absent_dsa_keys: False
  181. provide_dsa_keys: False
  182. dsa:
  183. private_key: |
  184. -----BEGIN DSA PRIVATE KEY-----
  185. NOT_DEFINED
  186. -----END DSA PRIVATE KEY-----
  187. public_key: |
  188. ssh-dss NOT_DEFINED
  189. generate_ecdsa_keys: False
  190. absent_ecdsa_keys: False
  191. provide_ecdsa_keys: False
  192. ecdsa:
  193. private_key: |
  194. -----BEGIN EC PRIVATE KEY-----
  195. NOT_DEFINED
  196. -----END EC PRIVATE KEY-----
  197. public_key: |
  198. ecdsa-sha2-nistp256 NOT_DEFINED
  199. generate_rsa_keys: False
  200. generate_rsa_size: 4096
  201. # Will remove the old key if it is to short and generate a new one.
  202. enforce_rsa_size: False
  203. absent_rsa_keys: False
  204. provide_rsa_keys: False
  205. rsa:
  206. private_key: |
  207. -----BEGIN RSA PRIVATE KEY-----
  208. NOT_DEFINED
  209. -----END RSA PRIVATE KEY-----
  210. public_key: |
  211. ssh-rsa NOT_DEFINED
  212. generate_ed25519_keys: False
  213. absent_ed25519_keys: False
  214. provide_ed25519_keys: False
  215. ed25519:
  216. private_key: |
  217. -----BEGIN OPENSSH PRIVATE KEY-----
  218. NOT_DEFINED
  219. -----END OPENSSH PRIVATE KEY-----
  220. public_key: |
  221. ssh-ed25519 NOT_DEFINED
  222. known_hosts:
  223. # The next 2 settings restrict the set of minions that will be added in
  224. # the generated ssh_known_hosts files (the default is to match all minions)
  225. target: '*'
  226. expr_form: 'glob'
  227. # Name of mining functions used to gather public keys and hostnames
  228. # (the default values are shown here)
  229. mine_keys_function: public_ssh_host_keys
  230. mine_hostname_function: public_ssh_hostname
  231. # List of DNS entries also pointing to our managed machines and that we want
  232. # to inject in our generated ssh_known_hosts file
  233. aliases:
  234. - cname-to-minion.example.org
  235. - alias.example.org
  236. # specify DH parameters (see /etc/ssh/moduli)
  237. moduli: |
  238. # Time Type Tests Tries Size Generator Modulus
  239. 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
  240. 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
  241. 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
  242. 20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
  243. # ALTERNATIVELY, specify the location of the moduli file. Examples:
  244. #moduli_source: http://some.server.somewhere/salt/moduli
  245. #moduli_source: salt://files/ssh/moduli
  246. # If moduli is specified, moduli_source will be ignored.
  247. # Also, a proper hash file *must* be included in the same path. E.g.:
  248. # http://some.server.somewhere/salt/moduli.hash
  249. # salt://files/ssh/moduli.hash
  250. # These will be automatically referenced to by the ssh_moduli state.
  251. # Required for openssh.known_hosts
  252. mine_functions:
  253. public_ssh_host_keys:
  254. mine_function: cmd.run
  255. cmd: cat /etc/ssh/ssh_host_*_key.pub
  256. python_shell: True
  257. public_ssh_hostname:
  258. mine_function: grains.get
  259. key: id