From 2f28a008c2964205bc1b818429d34ec6b776113a Mon Sep 17 00:00:00 2001
From: matthew-parlette
Date: Fri, 25 Apr 2014 16:33:07 -0400
Subject: [PATCH] Cleared out static parts of config since it was causing issues
---
 openssh/files/sshd_config | 123 --------------------------------------
 pillar.example | 1 +
 2 files changed, 1 insertion(+), 123 deletions(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index f26f29d..b722ae2 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -18,126 +18,3 @@
 {%- endfor %}
 {%- endif %}
 {%- endfor %}
-
-# What ports, IPs and protocols we listen for
-#Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-#Protocol 2
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#Privilege Separation is turned on for security
-#UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 3600
-#ServerKeyBits 768
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-#LoginGraceTime 120
-#PermitRootLogin yes
-#StrictModes yes
-
-#RSAAuthentication yes
-#PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-#ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-#X11Forwarding yes
-#X11DisplayOffset 10
-#PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
-#AcceptEnv LANG LC_*
-
-#Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-PrintMotd no # pam does that
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-{% if grains['os_family'] == 'RedHat' %}
-UsePrivilegeSeparation yes # RedHat/Centos 6.4 and earlier currently ship 5.3 (sandbox introduced in OpenSSH 5.9)
-{% else %}
-UsePrivilegeSeparation sandbox # Default for new installations.
-{% endif %}
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-Banner /etc/ssh/banner
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/ssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# ForceCommand cvs server
diff --git a/pillar.example b/pillar.example
index cd89e7b..58a404c 100644
--- a/pillar.example
+++ b/pillar.example
@@ -12,6 +12,7 @@ sshd_config:
 LogLevel: INFO
 LoginGraceTime: 120
 PermitRootLogin: yes
+ PasswordAuthentication: no
 StrictModes: yes
 RSAAuthentication: yes
 PubkeyAuthentication: yes
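Review bot: The added `PasswordAuthentication: no` does not by itself turn off password logins when PAM is in use. The comment block this same commit deletes from sshd_config says PAM authentication is also allowed through ChallengeResponseAuthentication, and the static file only ever carried that option commented out. Unless the part of pillar.example outside this hunk already sets it, add `ChallengeResponseAuthentication: no` beside the new key so the example really yields key-only logins. Now that the static `UsePAM yes` line is gone, the example should also set UsePAM explicitly rather than rely on sshd's built-in default. The `sshd_config:` mapping starts above this hunk and continues past it.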