diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index fafb1c6..ffa8e57 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -74,9 +74,10 @@
 {%- endmacro -%}
 {%- if sshd_config.get('ConfigBanner', False) -%}
-{{ sshd_config['ConfigBanner'] }}
+ {%- do processed_options.append('ConfigBanner') -%}
+ {{ sshd_config['ConfigBanner'] }}
 {%- else -%}
-# This file is managed by salt. Manual changes risk being overwritten.
+ # This file is managed by salt. Manual changes risk being overwritten.
 {%- endif %}
 {%- set global_src_url = salt ['pillar.get']('__formulas:print_template_url', None) %}
 {%- set local_src_url = salt ['pillar.get']('openssh-formula:print_template_url', None) %}
@@ -207,13 +208,14 @@
 # needs to to a DNS lookup
 #
 # DenyUsers
-{{ option('DenyUsers', '') }}
+{{ option_string_or_list('DenyUsers', '', True , sep=' ')}}
 # AllowUsers
-{{ option('AllowUsers', '') }}
+{{ option_string_or_list('AllowUsers', '', True , sep=' ')}}
 # DenyGroups
-{{ option('DenyGroups', '') }}
+{{ option_string_or_list('DenyGroups', '', True , sep=' ')}}
 # AllowGroups
-{{ option('AllowGroups', '') }}
+{{ option_string_or_list('AllowGroups', '', True , sep=' ')}}
+
 # Specifies the available KEX (Key Exchange) algorithms.
 {{ option_string_or_list('KexAlgorithms', 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1', True) }}
diff --git a/pillar.example b/pillar.example
index a1c6de7..935fb57 100644
--- a/pillar.example
+++ b/pillar.example
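Review bot: The new `{%- do processed_options.append('ConfigBanner') -%}` line carries no comment saying why the banner key is registered, and the `{{ sshd_config['ConfigBanner'] }}` it precedes is still written into sshd_config verbatim, so any banner line that does not start with `#` becomes a live sshd directive. I would add `{#- register ConfigBanner as handled so it is not rendered again as a generic sshd option; the banner is emitted unescaped, so every line of it must be a '#' comment -#}` directly above the `do` tag. The `processed_options` list and whatever consumes it are defined outside this hunk, so the first half of that comment is my reading of the name and should be confirmed against the macro. Whether the two leading spaces now in front of the banner and the managed-by-salt comment reach the rendered file depends on the `-%}` stripping of the surrounding tags; worth a glance at the rendered output.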
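Review bot: Nothing in the four new `option_string_or_list(..., True , sep=' ')` calls records why these directives use `sep=' '` while the KexAlgorithms call right below keeps the default comma separator; sshd_config(5) defines AllowUsers/DenyUsers/AllowGroups/DenyGroups as space-separated pattern lists, and a comma-joined value would most likely be read as one pattern matching no real user, silently changing who may log in. I would add `{#- user/group directives take space-separated patterns, unlike the comma-separated algorithm lists below; keep sep=' ' -#}` above the `# DenyUsers` block. The spacing is also inconsistent with the Kex line (`True) }}`): I would write `{{ option_string_or_list('DenyUsers', '', True, sep=' ') }}` and likewise for the other three. I could not check what the `True` positional argument does, since `option_string_or_list` is defined outside this hunk.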
@@ -44,10 +44,33 @@ sshd_config:
 Subsystem: "sftp /usr/lib/openssh/sftp-server"
 UsePAM: 'yes'
 UseDNS: 'yes'
+ # set as string
 AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
+ # or set as list
+ AllowUsers:
+ - vader@10.0.0.1
+ - maul@evil.com
+ - sidious
+ - luke
+ # set as string
 DenyUsers: 'yoda chewbaca@112.10.21.1'
+ # or set as list
+ DenyUsers:
+ - yoda
+ - chewbaca@112.10.21.1
+ # set as string
 AllowGroups: 'wheel staff imperial'
+ # or set as list
+ AllowGroups:
+ - wheel
+ - staff
+ - imperial
+ # set as string
 DenyGroups: 'rebel'
+ # or set as list
+ DenyGroups:
+ - rebel
+ - badcompany
 matches:
 sftp_chroot:
 type:
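Review bot: The added list-form examples reuse the same keys, so `AllowUsers`, `DenyUsers`, `AllowGroups` and `DenyGroups` each appear twice under `sshd_config`, and the file is no longer safe to copy as a pillar: Salt's YAML loader, as far as I recall, rejects duplicate mapping keys outright, and a plain PyYAML load silently keeps the last value, which for an access-control list means a different set of users than the reader intended. I would comment out one of the two forms per option, e.g. `# AllowUsers:` / `#   - vader@10.0.0.1` / `#   - maul@evil.com`, leaving exactly one live key per directive. The `# set as string` / `# or set as list` comments can then stay as they are to show both spellings.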