X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fssh%2Ftemplates%2Fsshd_config.erb;h=870f16fa68f99c58c2a7b19a7f0026ebb23fd3fe;hb=d0c098685b92334a611a0c596a35f538b95ead47;hp=0bc6efb7d6b5c0461a0b538cdd55cdc38ecbde97;hpb=3748ea9639537d06563ae9f7d57e187088a767e2;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index 0bc6efb7d..870f16fa6 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -1,85 +1,78 @@ -# Package generated configuration file -# See the sshd(8) manpage for details +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## -# What ports, IPs and protocols we listen for Port 22 -<%= extraports = case fqdn - when "ravel.debian.org" then "Port 443" - when "agnesi.debian.org" then "Port 2260" +<%= extraports = case @fqdn + when "paradis.debian.org" then " +ListenAddress 0.0.0.0:22 +ListenAddress [::]:22 +ListenAddress 5.153.231.31:443 +ListenAddress [2001:41c8:1000:21::21:31]:443 +" end extraports %> # Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 +HostKey /etc/ssh/ssh_host_rsa_key +<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key -%> +HostKey /etc/ssh/ssh_host_ed25519_key +<% end %> +<% if scope.function_has_role(['ssh.upload.d.o']) -%> +# On ssh upload hosts we have many clients doing ssh connections to us. +# sshd has - by default - a limit of 10 on the number of currently +# unauthenticated (or not yet authenticated) connections. Raise that limit. 
+MaxStartups 100:30:200 +<% end %> -# Logging -SyslogFacility AUTH -LogLevel INFO +LogLevel VERBOSE # Authentication: -LoginGraceTime 120 PermitRootLogin without-password -StrictModes yes -RSAAuthentication yes -PubkeyAuthentication yes - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -# similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) ChallengeResponseAuthentication no -# Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -X11Forwarding no -X11DisplayOffset 10 PrintMotd no -PrintLastLog yes -TCPKeepAlive yes -#UseLogin no #MaxStartups 10:30:60 -#Banner /etc/issue.net -# Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes -<% if nodeinfo.has_key?('wheezy') and nodeinfo['wheezy'] %> -AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u -<% else %> -AuthorizedKeysFile /etc/ssh/userkeys/%u -AuthorizedKeysFile2 /var/lib/misc/userkeys/%u -<% end %> + +AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userkeys/%u.more /etc/ssh/puppetkeys/%u + PasswordAuthentication no + +<%= + allnodeinfo = scope.lookupvar('deprecated::allnodeinfo') + out = '' + settings = '# Banner "You are coming from a debian.org host."' + allnodeinfo.keys.sort.each do |node| + next unless allnodeinfo[node].has_key?('ipHostNumber') + out += "# Match Address " + out += 
allnodeinfo[node]['ipHostNumber'].collect do |ipnum| + if ipnum =~ /:/ + "#{ipnum}/128" + else + "#{ipnum}/32" + end + end.join(',') + out += " # #{node}" + out += "\n" + out += settings + out += "\n\n" + end + out +%> + +Match Group sftponly + AllowStreamLocalForwarding no + AllowTCPForwarding no + X11Forwarding no + ForceCommand internal-sftp
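Review bot: The new unconditional `AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userkeys/%u.more /etc/ssh/puppetkeys/%u` removes the wheezy/non-wheezy branch that appears to have existed because older sshd releases accept only a single path here (several paths need OpenSSH 5.9 or later); if any managed host still runs an older sshd it will reject this config on restart, so the assumption should be recorded next to the line, e.g. `# Several AuthorizedKeysFile paths require OpenSSH >= 5.9 on every managed host.`. The two added key locations widen where accepted keys may come from, and with `StrictModes yes` no longer spelled out the template now relies on the default to refuse group- or world-writable key files and parent directories; a comment stating that reliance would help the next maintainer. The trailing `Match Group sftponly` block is the last thing in the file, so any directive appended later silently inherits that Match scope; a marker such as `# Global directives must stay above this Match block.` would guard against that. That block disables stream-local, TCP and X11 forwarding but leaves agent forwarding and TTY allocation at their defaults; if the group is meant to be sftp-only, `AllowAgentForwarding no` and `PermitTTY no` (the latter needs a reasonably recent sshd) would complete the lockdown.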