# -*- coding: utf-8 -*- # vim: ft=yaml --- sshd_config: # This keyword is totally optional ConfigBanner: | # Alternative banner for the config file # (Indented) hash signs lose their special meaning here # and the lines will be written as-is. Port: 22 Protocol: 2 HostKey: - /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_dsa_key - /etc/ssh/ssh_host_ecdsa_key - /etc/ssh/ssh_host_ed25519_key UsePrivilegeSeparation: 'sandbox' SyslogFacility: AUTH LogLevel: INFO ClientAliveInterval: 0 ClientAliveCountMax: 3 LoginGraceTime: 120 PermitRootLogin: 'yes' PasswordAuthentication: 'no' StrictModes: 'yes' MaxAuthTries: 6 MaxSessions: 10 PubkeyAuthentication: 'yes' AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys' AuthorizedKeysCommandUser: 'nobody' IgnoreRhosts: 'yes' HostbasedAuthentication: 'no' PermitEmptyPasswords: 'no' ChallengeResponseAuthentication: 'no' AuthenticationMethods: 'publickey,keyboard-interactive' AuthorizedKeysFile: '%h/.ssh/authorized_keys' X11Forwarding: 'no' X11DisplayOffset: 10 PrintMotd: 'yes' PrintLastLog: 'yes' TCPKeepAlive: 'yes' AcceptEnv: "LANG LC_*" Subsystem: "sftp /usr/lib/openssh/sftp-server" UsePAM: 'yes' UseDNS: 'yes' # set as string # AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke' # or set as list AllowUsers: - vader@10.0.0.1 - maul@evil.com - sidious - luke # set as string # DenyUsers: 'yoda chewbaca@112.10.21.1' # or set as list DenyUsers: - yoda - chewbaca@112.10.21.1 # set as string # AllowGroups: 'wheel staff imperial' # or set as list AllowGroups: - wheel - staff - imperial # set as string # DenyGroups: 'rebel' # or set as list DenyGroups: - rebel - badcompany matches: sftp_chroot: type: Group: sftpusers options: ChrootDirectory: /sftp-chroot/%u X11Forwarding: 'no' AllowTcpForwarding: 'no' ForceCommand: internal-sftp # Supports complex compound matches in Match criteria. For example, be able # to match against multiple Users for a given Match, or be able to match # against address ranges. Or Groups. Or any combination thereof. # # Support for matching users can take one of several different appearances # in pillar data: match_1: type: User: one_user options: ChrootDirectory: /ex/%u match_2: type: User: - jim - bob - sally options: ChrootDirectory: /ex/%u # Note the syntax of match_3. By using empty dicts for each user, we can # leverage Salt's pillar mergine. If we use simple lists, we cannot do # this; Salt can't merge simple lists, because it doesn't know what order # they ought to be in. match_3: type: User: jim: ~ bob: ~ sally: ~ options: ChrootDirectory: /ex/%u # yamllint disable rule:line-length # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first. # You can specify KexAlgorithms, Ciphers and MACs as both key or a list. # The configuration given in the example below is based on: # https://stribika.github.io/2015/01/04/secure-secure-shell.html # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' # yamllint enable rule:line-length KexAlgorithms: - 'curve25519-sha256@libssh.org' - 'diffie-hellman-group-exchange-sha256' Ciphers: - 'chacha20-poly1305@openssh.com' - 'aes256-gcm@openssh.com' - 'aes128-gcm@openssh.com' - 'aes256-ctr' - 'aes192-ctr' - 'aes128-ctr' MACs: - 'hmac-sha2-512-etm@openssh.com' - 'hmac-sha2-256-etm@openssh.com' - 'umac-128-etm@openssh.com' - 'hmac-sha2-512' - 'hmac-sha2-256' - 'umac-128@openssh.com' # Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config # pillar will overwrite the defaults of your distribution's SSH client. This # will also force the default configuration for all the SSH clients on the # machine. This can break SSH connections with servers using older versions of # openssh. Please make sure you understand the implication of different settings ssh_config: Hosts: '*': StrictHostKeyChecking: 'no' ForwardAgent: 'no' ForwardX11: 'no' RhostsRSAAuthentication: 'no' RSAAuthentication: 'yes' PasswordAuthentication: 'yes' HostbasedAuthentication: 'no' GSSAPIAuthentication: 'no' GSSAPIDelegateCredentials: 'no' BatchMode: 'yes' CheckHostIP: 'yes' AddressFamily: 'any' ConnectTimeout: 0 IdentityFile: '~/.ssh/id_rsa' Port: 22 Protocol: 2 Cipher: '3des' Tunnel: 'no' TunnelDevice: 'any:any' PermitLocalCommand: 'no' VisualHostKey: 'no' # yamllint disable rule:line-length # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first. # WARNING! Please make sure you understand the implications of the below # settings. The examples provided below might break your connection to older / # legacy openssh servers. # The configuration given in the example below is based on: # https://stribika.github.io/2015/01/04/secure-secure-shell.html # You can specify KexAlgorithms, Ciphers and MACs as both key or a list. # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1' # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' # yamllint enable rule:line-length KexAlgorithms: - 'curve25519-sha256@libssh.org' - 'diffie-hellman-group-exchange-sha256' - 'diffie-hellman-group-exchange-sha1' - 'diffie-hellman-group14-sha1' Ciphers: - 'chacha20-poly1305@openssh.com' - 'aes256-gcm@openssh.com' - 'aes128-gcm@openssh.com' - 'aes256-ctr' - 'aes192-ctr' - 'aes128-ctr' MACs: - 'hmac-sha2-512-etm@openssh.com' - 'hmac-sha2-256-etm@openssh.com' - 'umac-128-etm@openssh.com' - 'hmac-sha2-512' - 'hmac-sha2-256' - 'umac-128@openssh.com' openssh: # Instead of adding a custom banner file you can set it in pillar banner_string: | Welcome to {{ grains['id'] }}! # Set installed package version server_version: latest client_version: latest # Controls if SSHD should be enabled/started sshd_enable: true auth: joe-valid-ssh-key-desktop: - user: joe present: true enc: ssh-rsa comment: main key - desktop source: salt://ssh_keys/joe.desktop.pub joe-valid-ssh-key-notebook: - user: joe present: true enc: ssh-rsa comment: main key - notebook source: salt://ssh_keys/joe.netbook.pub joe-non-valid-ssh-key: - user: joe present: false enc: ssh-rsa comment: obsolete key - removed source: salt://ssh_keys/joe.no-valid.pub # Maps users to source files # Designed to play nice with ext_pillar # salt.states.ssh_auth: If source is set, comment and enc will be ignored auth_map: personal_keys: # store name source: salt://ssh_keys users: joe: joe.desktop: {} joe.netbook: options: [] # see salt.states.ssh_auth.present joe.no-valid: present: false generate_dsa_keys: false absent_dsa_keys: false provide_dsa_keys: false dsa: private_key: | -----BEGIN DSA PRIVATE KEY----- NOT_DEFINED -----END DSA PRIVATE KEY----- public_key: | ssh-dss NOT_DEFINED generate_ecdsa_keys: false absent_ecdsa_keys: false provide_ecdsa_keys: false ecdsa: private_key: | -----BEGIN EC PRIVATE KEY----- NOT_DEFINED -----END EC PRIVATE KEY----- public_key: | ecdsa-sha2-nistp256 NOT_DEFINED generate_rsa_keys: false generate_rsa_size: 4096 # Will remove the old key if it is to short and generate a new one. enforce_rsa_size: false absent_rsa_keys: false provide_rsa_keys: false rsa: private_key: | -----BEGIN RSA PRIVATE KEY----- NOT_DEFINED -----END RSA PRIVATE KEY----- public_key: | ssh-rsa NOT_DEFINED generate_ed25519_keys: false absent_ed25519_keys: false provide_ed25519_keys: false ed25519: private_key: | -----BEGIN OPENSSH PRIVATE KEY----- NOT_DEFINED -----END OPENSSH PRIVATE KEY----- public_key: | ssh-ed25519 NOT_DEFINED known_hosts: # The next 2 settings restrict the set of minions that will be added in # the generated ssh_known_hosts files (the default is to match all minions) target: '*' tgt_type: 'glob' # Name of mining functions used to gather public keys and hostnames # (the default values are shown here) mine_keys_function: public_ssh_host_keys mine_hostname_function: public_ssh_hostname # List of DNS entries also pointing to our managed machines and that we want # to inject in our generated ssh_known_hosts file aliases: - cname-to-minion.example.org - alias.example.org # Includes short hostnames derived from the FQDN # (host.example.test -> host) # (Deactivated by default, because there can be collisions!) hostnames: false # hostnames: # Restrict wich hosts you want to use via their hostname # (i.e. ssh user@host instead of ssh user@host.example.com) # target: '*' # Defaults to "*.{{ grains['domain']}}" # tgt_type: 'glob' # To activate the defaults you can just set an empty dict. # hostnames: {} # Include localhost, 127.0.0.1 and ::1 (default: false) include_localhost: false # Host keys fetched via salt-ssh salt_ssh: # The salt-ssh user user: salt-master # specify public host names of a minion public_ssh_host_names: minion.id: - minion.id - alias.of.minion.id # specify public host keys of a minion public_ssh_host_keys: minion.id: | ssh-rsa [...] ssh-ed25519 [...] # Here you can list keys for hosts which are not among your minions: static: github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]' gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]' # yamllint disable rule:line-length # specify DH parameters (see /etc/ssh/moduli) moduli: | # Time Type Tests Tries Size Generator Modulus 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53 20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F # yamllint enable rule:line-length # ALTERNATIVELY, specify the location of the moduli file. Examples: # moduli_source: http://some.server.somewhere/salt/moduli # moduli_source: salt://files/ssh/moduli # If moduli is specified, moduli_source will be ignored. # Also, a proper hash file *must* be included in the same path. E.g.: # http://some.server.somewhere/salt/moduli.hash # salt://files/ssh/moduli.hash # These will be automatically referenced to by the ssh_moduli state. # Required for openssh.known_hosts mine_functions: public_ssh_host_keys: mine_function: cmd.run cmd: cat /etc/ssh/ssh_host_*_key.pub python_shell: true public_ssh_hostname: mine_function: grains.get key: id tofs: # The files_switch key serves as a selector for alternative # directories under the formula files directory. See TOFS pattern # doc for more info. # Note: Any value not evaluated by `config.get` will be used literally. # This can be used to set custom paths, as many levels deep as required. # files_switch: # - any/path/can/be/used/here # - id # - role # - osfinger # - os # - os_family # All aspects of path/file resolution are customisable using the options below. # This is unnecessary in most cases; there are sensible defaults. # path_prefix: template_alt # dirs: # files: files_alt # default: default_alt source_files: manage ssh_known_hosts file: - alt_ssh_known_hosts sshd_config: - alt_sshd_config ssh_config: - alt_ssh_config sshd_banner: - fire_banner