X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fssh%2Ftemplates%2Fsshd_config.erb;h=9b49f2fc8c8b2c4bea4596aaaba0a1377fc79046;hb=0e95fbdd080c4c7156bf2c4f938c0b85629a3981;hp=0f8657ae7ba7fffba0ba92f12fc319b2e40279c7;hpb=7bf7eb707f3693636bc5799ce801e2e60b60046e;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index 0f8657ae7..9b49f2fc8 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -1,10 +1,20 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
 # Package generated configuration file
 # See the sshd(8) manpage for details
 
 # What ports, IPs and protocols we listen for
 Port 22
-<%= extraports = case fqdn
- when "ravel.debian.org" then "Port 443"
+<%= extraports = case @fqdn
+ when "paradis.debian.org" then "
+ListenAddress 0.0.0.0:22
+ListenAddress [::]:22
+ListenAddress 5.153.231.31:443
+ListenAddress [2001:41c8:1000:21::21:31]:443
+"
 end
 extraports
 %>
@@ -14,13 +24,12 @@ extraports
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
+<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key -%>
+HostKey /etc/ssh/ssh_host_ed25519_key
+<% end %>
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-
 # Logging
 SyslogFacility AUTH
 LogLevel INFO
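Review bot: The port-qualified `ListenAddress` lines added for paradis.debian.org silently supersede the global `Port 22` above them (sshd only applies `Port` to ListenAddress entries that carry no port, and once any ListenAddress is set it binds nothing else), which is why the explicit `0.0.0.0:22` and `[::]:22` entries are needed but nothing in the template says so; a comment such as `# port-qualified ListenAddress lines replace the global Port 22, so :22 must be repeated here` above the `case` would save the next editor from dropping them. The two literal addresses are also a second copy of this host's network data living inside a multi-line Ruby string; if more hosts need this, a per-node list of listen addresses rendered in a loop would be easier to extend than growing the string literal.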
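Review bot: The closing `<% end %>` of the new ed25519 HostKey guard has no trim markers while the opening tag uses `<%- ... -%>`, so the rendered sshd_config gets a stray empty line at that spot whether or not the key exists; `<%- end -%>` keeps the two tags consistent and the output stable. Note also that the guard only tests truthiness of `@has_etc_ssh_ssh_host_ed25519_key`; if facts reach this template stringified on older agents (not visible here), the string `"false"` would still be truthy and sshd would be pointed at a missing key file, which it logs as a load failure at start-up, so a comment recording the fact's expected type, `# boolean fact: true only when /etc/ssh/ssh_host_ed25519_key exists`, is worth adding.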
@@ -30,14 +39,11 @@ LoginGraceTime 120
 PermitRootLogin without-password
 StrictModes yes
 
-RSAAuthentication yes
 PubkeyAuthentication yes
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
 HostbasedAuthentication no
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
@@ -75,10 +81,13 @@ AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server
 UsePAM yes
 
-<% if %w{lenny squeeze}.include?(lsbdistcodename) %>
-AuthorizedKeysFile /etc/ssh/userkeys/%u
-AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
-<% else %>
-AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u
-<% end %>
+
+AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userkeys/%u.more
+
 PasswordAuthentication no
+
+Match Group sftponly
+ AllowStreamLocalForwarding no
+ AllowTCPForwarding no
+ X11Forwarding no
+ ForceCommand internal-sftp
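Review bot: `AllowStreamLocalForwarding no` in the new `Match Group sftponly` block is emitted unconditionally, and an sshd that predates that keyword (it arrived with OpenSSH 6.7, as far as I recall) rejects the whole configuration on an unknown directive, so on any host still running an older release this commit would leave sshd unable to reload or restart; the hunk is simultaneously dropping the lenny/squeeze-specific branch, which suggests older hosts do exist, so gate that one line on a release check the way the ed25519 HostKey is gated, e.g. `<%- if ... -%>` around it, or at least validate with `sshd -t` before the service is reloaded. Because a `Match` section extends to the end of the file, anything later appended below `ForceCommand internal-sftp` would silently apply only to sftponly users; a `# Match blocks must remain the last section of this file` comment above `Match Group sftponly` documents that. If the intent of the group is confinement rather than just disabling a shell, note that without `ChrootDirectory` these users still see the whole filesystem under their normal permissions, so the block's purpose deserves a one-line comment either way.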