-# Package generated configuration file
-# See the sshd(8) manpage for details
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
-# What ports, IPs and protocols we listen for
Port 22
-<%= extraports = case fqdn
- when "ravel.debian.org" then "Port 443"
+<%= extraports = case @fqdn
+ when "paradis.debian.org" then "
+ListenAddress 0.0.0.0:22
+ListenAddress [::]:22
+ListenAddress 5.153.231.31:443
+ListenAddress [2001:41c8:1000:21::21:31]:443
+"
end
extraports
%>
# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 768
+HostKey /etc/ssh/ssh_host_rsa_key
+<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key -%>
+HostKey /etc/ssh/ssh_host_ed25519_key
+<% end %>
+<% if scope.function_has_role(['ssh.upload.d.o']) -%>
+# On ssh upload hosts we have many clients doing ssh connections to us.
+# sshd has - by default - a limit of 10 on the number of currently
+# unauthenticated (or not yet authenticated) connections. Raise that limit.
+MaxStartups 100:30:200
+<% end %>
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
+LogLevel VERBOSE
# Authentication:
-LoginGraceTime 120
PermitRootLogin without-password
-StrictModes yes
-RSAAuthentication yes
-PubkeyAuthentication yes
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
ChallengeResponseAuthentication no
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding no
-X11DisplayOffset 10
PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
#MaxStartups 10:30:60
-#Banner /etc/issue.net
-# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
-<% if %w{squeeze}.include?(scope.lookupvar('::lsbdistcodename')) %>
-AuthorizedKeysFile /etc/ssh/userkeys/%u
-AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
-<% else %>
-AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u
-<% end %>
+
+AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userkeys/%u.more /etc/ssh/puppetkeys/%u
+
PasswordAuthentication no
+
+<%=
+ allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
+ out = ''
+ settings = '# Banner "You are coming from a debian.org host."'
+ allnodeinfo.keys.sort.each do |node|
+ next unless allnodeinfo[node].has_key?('ipHostNumber')
+ out += "# Match Address "
+ out += allnodeinfo[node]['ipHostNumber'].collect do |ipnum|
+ if ipnum =~ /:/
+ "#{ipnum}/128"
+ else
+ "#{ipnum}/32"
+ end
+ end.join(',')
+ out += " # #{node}"
+ out += "\n"
+ out += settings
+ out += "\n\n"
+ end
+ out
+%>
+
+Match Group sftponly
+ AllowStreamLocalForwarding no
+ AllowTCPForwarding no
+ X11Forwarding no
+ ForceCommand internal-sftp
projects / mirror / dsa-puppet.git / blobdiff