# -*- coding: utf-8 -*-
# vim: ft=yaml
---
sshd_config:
  # This keyword is totally optional
  ConfigBanner: |
    # Alternative banner for the config file
    # (Indented) hash signs lose their special meaning here
    # and the lines will be written as-is.
  Port: 22
  Protocol: 2
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ed25519_key
  SyslogFacility: AUTH
  LogLevel: INFO
  ClientAliveInterval: 0
  ClientAliveCountMax: 3
  LoginGraceTime: 120
  PermitRootLogin: 'yes'
  PasswordAuthentication: 'no'
  StrictModes: 'yes'
  MaxAuthTries: 6
  MaxSessions: 10
  PubkeyAuthentication: 'yes'
  AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
  AuthorizedKeysCommandUser: 'nobody'
  IgnoreRhosts: 'yes'
  HostbasedAuthentication: 'no'
  PermitEmptyPasswords: 'no'
  ChallengeResponseAuthentication: 'no'
  AuthenticationMethods: 'publickey'
  AuthorizedKeysFile: '%h/.ssh/authorized_keys'
  X11Forwarding: 'no'
  X11DisplayOffset: 10
  PrintMotd: 'yes'
  PrintLastLog: 'yes'
  TCPKeepAlive: 'yes'
  AcceptEnv: "LANG LC_*"
  Subsystem: "sftp /usr/lib/openssh/sftp-server"
  UsePAM: 'yes'
  UseDNS: 'yes'
  # set as string
  # AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
  # or set as list
  AllowUsers:
    - vader@10.0.0.1
    - maul@evil.com
    - sidious
    - luke
  # set as string
  # DenyUsers: 'yoda chewbaca@112.10.21.1'
  # or set as list
  DenyUsers:
    - yoda
    - chewbaca@112.10.21.1
  # set as string
  # AllowGroups: 'wheel staff imperial'
  # or set as list
  AllowGroups:
    - wheel
    - staff
    - imperial
  # set as string
  # DenyGroups: 'rebel'
  # or set as list
  DenyGroups:
    - rebel
    - badcompany
  matches:
    sftp_chroot:
      type:
        Group: sftpusers
      options:
        ChrootDirectory: /sftp-chroot/%u
        X11Forwarding: 'no'
        AllowTcpForwarding: 'no'
        ForceCommand: internal-sftp
    # Supports complex compound matches in Match criteria. For example, be able
    # to match against multiple Users for a given Match, or be able to match
    # against address ranges. Or Groups. Or any combination thereof.
    #
    # Support for matching users can take one of several different appearances
    # in pillar data:
    match_1:
      type:
        User: one_user
      options:
        ChrootDirectory: /ex/%u
    match_2:
      type:
        User:
          - jim
          - bob
          - sally
      options:
        ChrootDirectory: /ex/%u
    # Note the syntax of match_3. By using empty dicts for each user, we can
    # leverage Salt's pillar mergine. If we use simple lists, we cannot do
    # this; Salt can't merge simple lists, because it doesn't know what order
    # they ought to be in.
    match_3:
      type:
        User:
          jim: ~
          bob: ~
          sally: ~
      options:
        ChrootDirectory: /ex/%u

  # yamllint disable rule:line-length
  # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
  # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
  # The configuration given in the example below is based on:
  # https://stribika.github.io/2015/01/04/secure-secure-shell.html
  # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
  # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
  # yamllint enable rule:line-length
  KexAlgorithms:
    - 'curve25519-sha256@libssh.org'
    - 'diffie-hellman-group-exchange-sha256'
  Ciphers:
    - 'chacha20-poly1305@openssh.com'
    - 'aes256-gcm@openssh.com'
    - 'aes128-gcm@openssh.com'
    - 'aes256-ctr'
    - 'aes192-ctr'
    - 'aes128-ctr'
  MACs:
    - 'hmac-sha2-512-etm@openssh.com'
    - 'hmac-sha2-256-etm@openssh.com'
    - 'umac-128-etm@openssh.com'
    - 'hmac-sha2-512'
    - 'hmac-sha2-256'
    - 'umac-128@openssh.com'

# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
# pillar will overwrite the defaults of your distribution's SSH client. This
# will also force the default configuration for all the SSH clients on the
# machine. This can break SSH connections with servers using older versions of
# openssh. Please make sure you understand the implication of different settings
ssh_config:
  Hosts:
    '*':
      StrictHostKeyChecking: 'no'
      ForwardAgent: 'no'
      ForwardX11: 'no'
      RhostsRSAAuthentication: 'no'
      RSAAuthentication: 'yes'
      PasswordAuthentication: 'yes'
      HostbasedAuthentication: 'no'
      GSSAPIAuthentication: 'no'
      GSSAPIDelegateCredentials: 'no'
      BatchMode: 'yes'
      CheckHostIP: 'yes'
      AddressFamily: 'any'
      ConnectTimeout: 0
      IdentityFile: '~/.ssh/id_rsa'
      Port: 22
      Protocol: 2
      Cipher: '3des'
      Tunnel: 'no'
      TunnelDevice: 'any:any'
      PermitLocalCommand: 'no'
      VisualHostKey: 'no'
      # yamllint disable rule:line-length
      # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
      # WARNING! Please make sure you understand the implications of the below
      # settings. The examples provided below might break your connection to older /
      # legacy openssh servers.
      # The configuration given in the example below is based on:
      # https://stribika.github.io/2015/01/04/secure-secure-shell.html
      # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
      # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
      # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
      # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
      # yamllint enable rule:line-length
      KexAlgorithms:
        - 'curve25519-sha256@libssh.org'
        - 'diffie-hellman-group-exchange-sha256'
        - 'diffie-hellman-group-exchange-sha1'
        - 'diffie-hellman-group14-sha1'
      Ciphers:
        - 'chacha20-poly1305@openssh.com'
        - 'aes256-gcm@openssh.com'
        - 'aes128-gcm@openssh.com'
        - 'aes256-ctr'
        - 'aes192-ctr'
        - 'aes128-ctr'
      MACs:
        - 'hmac-sha2-512-etm@openssh.com'
        - 'hmac-sha2-256-etm@openssh.com'
        - 'umac-128-etm@openssh.com'
        - 'hmac-sha2-512'
        - 'hmac-sha2-256'
        - 'umac-128@openssh.com'


openssh:
  # Instead of adding a custom banner file you can set it in pillar
  banner_string: |
    Welcome to {{ grains['id'] }}!

  # Set installed package version
  server_version: latest
  client_version: latest

  # Controls if SSHD should be enabled/started
  sshd_enable: true
  auth:
    joe-valid-ssh-key-desktop:
      - user: joe
        present: true
        enc: ssh-rsa
        comment: main key - desktop
        source: salt://ssh_keys/joe.desktop.pub
    joe-valid-ssh-key-notebook:
      - user: joe
        present: true
        enc: ssh-rsa
        comment: main key - notebook
        source: salt://ssh_keys/joe.netbook.pub
    joe-non-valid-ssh-key:
      - user: joe
        present: false
        enc: ssh-rsa
        comment: obsolete key - removed
        source: salt://ssh_keys/joe.no-valid.pub
  # Maps users to source files
  # Designed to play nice with ext_pillar
  # salt.states.ssh_auth: If source is set, comment and enc will be ignored
  auth_map:
    personal_keys:  # store name
      source: salt://ssh_keys
      users:
        joe:
          joe.desktop: {}
          joe.netbook:
            options: []  # see salt.states.ssh_auth.present
          joe.no-valid:
            present: false

  generate_dsa_keys: false
  absent_dsa_keys: false
  provide_dsa_keys: false
  dsa:
    private_key: |
      -----BEGIN DSA PRIVATE KEY-----
      NOT_DEFINED
      -----END DSA PRIVATE KEY-----
    public_key: |
      ssh-dss NOT_DEFINED

  generate_ecdsa_keys: false
  absent_ecdsa_keys: false
  provide_ecdsa_keys: false
  ecdsa:
    private_key: |
      -----BEGIN EC PRIVATE KEY-----
      NOT_DEFINED
      -----END EC PRIVATE KEY-----
    public_key: |
      ecdsa-sha2-nistp256 NOT_DEFINED

  generate_rsa_keys: false
  generate_rsa_size: 4096
  # Will remove the old key if it is to short and generate a new one.
  enforce_rsa_size: false
  absent_rsa_keys: false
  provide_rsa_keys: false
  rsa:
    private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      NOT_DEFINED
      -----END RSA PRIVATE KEY-----
    public_key: |
      ssh-rsa NOT_DEFINED

  generate_ed25519_keys: false
  absent_ed25519_keys: false
  provide_ed25519_keys: false
  ed25519:
    private_key: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      NOT_DEFINED
      -----END OPENSSH PRIVATE KEY-----
    public_key: |
      ssh-ed25519 NOT_DEFINED

  known_hosts:
    # The next 2 settings restrict the set of minions that will be added in
    # the generated ssh_known_hosts files (the default is to match all minions)
    target: '*'
    tgt_type: 'glob'
    # Name of mining functions used to gather public keys and hostnames
    # (the default values are shown here)
    mine_keys_function: public_ssh_host_keys
    mine_hostname_function: public_ssh_hostname
    # List of DNS entries also pointing to our managed machines and that we want
    # to inject in our generated ssh_known_hosts file
    aliases:
      - cname-to-minion.example.org
      - alias.example.org
    # Includes short hostnames derived from the FQDN
    # (host.example.test -> host)
    # (Deactivated by default, because there can be collisions!)
    hostnames: false
    # hostnames:
    # Restrict wich hosts you want to use via their hostname
    # (i.e. ssh user@host instead of ssh user@host.example.com)
    #  target: '*'  # Defaults to "*.{{ grains['domain']}}"
    #  tgt_type: 'glob'
    # To activate the defaults you can just set an empty dict.
    # hostnames: {}
    # Include localhost, 127.0.0.1 and ::1 (default: false)
    include_localhost: false
    # Host keys fetched via salt-ssh
    salt_ssh:
      # The salt-ssh user
      user: salt-master
      # specify public host names of a minion
      public_ssh_host_names:
        minion.id:
          - minion.id
          - alias.of.minion.id
      # specify public host keys of a minion
      public_ssh_host_keys:
        minion.id: |
          ssh-rsa [...]
          ssh-ed25519 [...]
    # Here you can list keys for hosts which are not among your minions:
    static:
      github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
      gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
    # Prevent an ever-changing ssh_known_hosts file caused by a domain which
    # is served from multiple IP addresses.
    # To disable completely:
    # omit_ip_address: true
    # Or to disable by specific hosts:
    omit_ip_address:
      - github.com

  # yamllint disable rule:line-length
  # specify DH parameters (see /etc/ssh/moduli)
  moduli: |
    # Time Type Tests Tries Size Generator Modulus
    20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
    20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
    20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
    20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
  # yamllint enable rule:line-length
  # ALTERNATIVELY, specify the location of the moduli file. Examples:
  # moduli_source: http://some.server.somewhere/salt/moduli
  # moduli_source: salt://files/ssh/moduli
  # If moduli is specified, moduli_source will be ignored.
  # Also, a proper hash file *must* be included in the same path. E.g.:
  #     http://some.server.somewhere/salt/moduli.hash
  #     salt://files/ssh/moduli.hash
  # These will be automatically referenced to by the ssh_moduli state.

  tofs:
    # The files_switch key serves as a selector for alternative
    # directories under the formula files directory. See TOFS pattern
    # doc for more info.
    # Note: Any value not evaluated by `config.get` will be used literally.
    # This can be used to set custom paths, as many levels deep as required.
    # files_switch:
    #   - any/path/can/be/used/here
    #   - id
    #   - role
    #   - osfinger
    #   - os
    #   - os_family
    # All aspects of path/file resolution are customisable using the options below.
    # This is unnecessary in most cases; there are sensible defaults.
    # path_prefix: template_alt
    # dirs:
    #   files: files_alt
    #   default: default_alt
    source_files:
      manage ssh_known_hosts file:
        - alt_ssh_known_hosts
      sshd_config:
        - alt_sshd_config
      ssh_config:
        - alt_ssh_config
      sshd_banner:
        - fire_banner

# Required for openssh.known_hosts
mine_functions:
  public_ssh_host_keys:
    mine_function: cmd.run
    cmd: cat /etc/ssh/ssh_host_*_key.pub
    python_shell: true
  public_ssh_hostname:
    mine_function: grains.get
    key: id