Added support to manage ssh certificates
This commit is contained in:
parent
6e418aa945
commit
47211d0648
2
LICENSE
2
LICENSE
|
@ -1,4 +1,4 @@
|
|||
Copyright (c) 2013 Salt Stack Formulas
|
||||
Copyright (c) 2013-2014 Salt Stack Formulas
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
|
|
24
README.rst
24
README.rst
|
@ -18,6 +18,21 @@ Available states
|
|||
|
||||
Installs the ``openssh`` server package and service.
|
||||
|
||||
``openssh.auth``
|
||||
-----------
|
||||
|
||||
Manages SSH certificates for users.
|
||||
|
||||
``openssh.banner``
|
||||
------------------
|
||||
|
||||
Installs a banner that users see when SSH-ing in.
|
||||
|
||||
``openssh.client``
|
||||
------------------
|
||||
|
||||
Installs the openssh client package.
|
||||
|
||||
``openssh.config``
|
||||
------------------
|
||||
|
||||
|
@ -26,12 +41,3 @@ Installs the ssh daemon configuration file included in this formula
|
|||
by values from pillar. ``pillar.example`` results in the generation
|
||||
of the default ``sshd_config`` file on Debian Wheezy.
|
||||
|
||||
``openssh.client``
|
||||
------------------
|
||||
|
||||
Installs the openssh client package.
|
||||
|
||||
``openssh.banner``
|
||||
------------------
|
||||
|
||||
Installs a banner that users see when SSH-ing in.
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
include:
|
||||
- openssh
|
||||
|
||||
{% from "openssh/map.jinja" import openssh with context %}
|
||||
{% set openssh_pillar = pillar.get('openssh', {}) %}
|
||||
{% set auth = openssh_pillar.get('auth', {}) %}
|
||||
{% for user,keys in auth.items() -%}
|
||||
{% for key in keys -%}
|
||||
{% if 'present' in key and key['present'] %}
|
||||
{{ key['name'] }}:
|
||||
ssh_auth.present:
|
||||
- user: {{ user }}
|
||||
{% if 'source' in key %}
|
||||
- source: {{ key['source'] }}
|
||||
{% else %}
|
||||
{% if 'enc' in key %}
|
||||
- enc: {{ key['enc'] }}
|
||||
{% endif %}
|
||||
{% if 'comment' in key %}
|
||||
- comment: {{ key['comment'] }}
|
||||
{% endif %}
|
||||
{% if 'options' in key %}
|
||||
- options: {{ key['options'] }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
- require:
|
||||
- service: {{ openssh.service }}
|
||||
{% else %}
|
||||
{{ key['name'] }}:
|
||||
ssh_auth.absent:
|
||||
- user: {{ user }}
|
||||
{% if 'enc' in key %}
|
||||
- enc: {{ key['enc'] }}
|
||||
{% endif %}
|
||||
{% if 'comment' in key %}
|
||||
- comment: {{ key['comment'] }}
|
||||
{% endif %}
|
||||
{% if 'options' in key %}
|
||||
- options: {{ key['options'] }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
|
@ -1,4 +1,5 @@
|
|||
{% set sshd_config = pillar.get('sshd_config', {}) %}
|
||||
{% set openssh_pillar = pillar.get('openssh', {}) %}
|
||||
{% set sshd_config = openssh_pillar.get('sshd_config', {}) %}
|
||||
|
||||
# This file is managed by salt. Manual changes risk being overwritten.
|
||||
# The contents of the original sshd_config are kept on the bottom for
|
||||
|
|
|
@ -1,30 +1,43 @@
|
|||
sshd_config:
|
||||
Port: 22
|
||||
Protocol: 2
|
||||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
UsePrivilegeSeparation: yes
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 768
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
LoginGraceTime: 120
|
||||
PermitRootLogin: yes
|
||||
StrictModes: yes
|
||||
RSAAuthentication: yes
|
||||
PubkeyAuthentication: yes
|
||||
IgnoreRhosts: yes
|
||||
RhostsRSAAuthentication: no
|
||||
HostbasedAuthentication: no
|
||||
PermitEmptyPasswords: no
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
AcceptEnv: "LANG LC_*"
|
||||
Subsystem: "sftp /usr/lib/openssh/sftp-server"
|
||||
UsePAM: yes
|
||||
openssh:
|
||||
sshd_config:
|
||||
Port: 22
|
||||
Protocol: 2
|
||||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
UsePrivilegeSeparation: yes
|
||||
KeyRegenerationInterval: 3600
|
||||
ServerKeyBits: 768
|
||||
SyslogFacility: AUTH
|
||||
LogLevel: INFO
|
||||
LoginGraceTime: 120
|
||||
PermitRootLogin: yes
|
||||
StrictModes: yes
|
||||
RSAAuthentication: yes
|
||||
PubkeyAuthentication: yes
|
||||
IgnoreRhosts: yes
|
||||
RhostsRSAAuthentication: no
|
||||
HostbasedAuthentication: no
|
||||
PermitEmptyPasswords: no
|
||||
ChallengeResponseAuthentication: no
|
||||
X11Forwarding: yes
|
||||
X11DisplayOffset: 10
|
||||
PrintMotd: no
|
||||
PrintLastLog: yes
|
||||
TCPKeepAlive: yes
|
||||
AcceptEnv: "LANG LC_*"
|
||||
Subsystem: "sftp /usr/lib/openssh/sftp-server"
|
||||
UsePAM: yes
|
||||
|
||||
auth:
|
||||
joe:
|
||||
- name: JOE_VALID_SSH_PUBLIC_KEY
|
||||
present: True
|
||||
enc: ssh-rsa
|
||||
comment: main key
|
||||
- name: JOE_NON_VALID_SSH_PUBLIC_KEY
|
||||
present: False
|
||||
enc: ssh-rsa
|
||||
comment: obsolete key - removed
|
||||
|
||||
|
|
Loading…
Reference in New Issue