From db4cbaf3b494a81c99fa06e04c1b879d65d685d2 Mon Sep 17 00:00:00 2001
From: James Shewey
Date: Thu, 6 Jul 2017 15:30:13 -0600
Subject: [PATCH 1/2] Fix errors with AuthorizedKeys directives

Some distros get mad if certian options are present,This should help resolve those issues.

---
 openssh/files/sshd_config | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 9a1615c..c2a49af 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -128,8 +128,14 @@
 {{ option_default_uncommented('RSAAuthentication', 'yes') }}
 {{ option_default_uncommented('PubkeyAuthentication', 'yes') }}
 {{ option('AuthorizedKeysFile', '%h/.ssh/authorized_keys') }}
-{{ option('AuthorizedKeysCommand', 'none') }}
-{{ option('AuthorizedKeysCommandUser', 'nobody') }}
+{%- if server.authorized_keys_command is defined %}
+AuthorizedKeysCommand {{ server.authorized_keys_command.command }}
+{% if grains['os_family'] == 'RedHat' %}
+{% if grains['osmajorrelease'] != '6' %}
+AuthorizedKeysCommandUser {{ server.authorized_keys_command.get('user', 'nobody') }}
+{%- endif %}
+{%- endif %}
+{%- endif %}
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
 {{ option_default_uncommented('IgnoreRhosts', 'yes') }}

From 5f60a60e738eaf6208a35df81fbc9e5cbf1d1e29 Mon Sep 17 00:00:00 2001
From: James Shewey
Date: Wed, 12 Jul 2017 10:51:48 -0600
Subject: [PATCH 2/2] Document Pillar Usage

Ugh. That was a terrible first try on my PR. It would be better to check for BOTH values presence and move them under a single directive.

---
 pillar.example | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pillar.example b/pillar.example
index 4aa3b2e..fc643d4 100644
--- a/pillar.example
+++ b/pillar.example
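Review bot: `AuthorizedKeysCommandUser` is emitted only inside the `grains['os_family'] == 'RedHat'` branch, so on every other os_family the rendered file sets `AuthorizedKeysCommand` with no user, and OpenSSH 6.2 and later rejects that at startup (`AuthorizedKeysCommand set without AuthorizedKeysCommandUser`), which means sshd fails to (re)start on those hosts after this state runs. The release-6 exclusion looks intended for the RHEL 6 backport, which as far as I recall spells the option `AuthorizedKeysCommandRunAs`, so the guard should exclude only that case rather than everything non-RedHat: replace the two nested `if` tags and their `endif`s with `{%- if not (grains['os_family'] == 'RedHat' and grains['osmajorrelease']|string == '6') %}` around the `AuthorizedKeysCommandUser` line, closed by a single `{%- endif %}`. The `|string` matters because `osmajorrelease` is an integer grain on newer Salt releases, in which case `!= '6'` compares an int to a str and is always true. It would also help to add a comment above the block, `{# RHEL 6's OpenSSH 5.3 backport has no AuthorizedKeysCommandUser; every other target requires it #}`, so the next reader does not reintroduce the per-family special case.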
@@ -26,8 +26,9 @@ sshd_config:
 MaxSessions: 10
 RSAAuthentication: 'yes'
 PubkeyAuthentication: 'yes'
-AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
-AuthorizedKeysCommandUser: 'nobody'
+AuthorizedKeysCommand:
+- Command: '/usr/bin/sss_ssh_authorizedkeys'
+- User: 'nobody'
 IgnoreRhosts: 'yes'
 RhostsRSAAuthentication: 'no'
 HostbasedAuthentication: 'no'
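Review bot: The pillar shape documented here does not match what the sshd_config template added in the first patch reads: that template accesses `server.authorized_keys_command.command` and `server.authorized_keys_command.get('user', 'nobody')`, i.e. a mapping with lowercase keys, whereas this example makes `AuthorizedKeysCommand:` a YAML list of two single-key maps with capitalised `Command` and `User`. Against a list, `.command` resolves to undefined and `.get` is not callable, so a user copying this example would at best get an `AuthorizedKeysCommand` line with an empty value. Unless the pillar is reshaped somewhere outside this diff, the example should be a plain mapping: `AuthorizedKeysCommand:` / `  command: '/usr/bin/sss_ssh_authorizedkeys'` / `  user: 'nobody'`. Whether the template's `server` variable is populated from this `sshd_config:` key at all is not visible in either hunk and is worth confirming, since the `option(...)` helper calls the first patch removed may have been what read it.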