sshd_config: Port: 22 Protocol: 2 HostKey: - /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_dsa_key - /etc/ssh/ssh_host_ecdsa_key - /etc/ssh/ssh_host_ed25519_key UsePrivilegeSeparation: 'yes' KeyRegenerationInterval: 3600 ServerKeyBits: 768 SyslogFacility: AUTH LogLevel: INFO LoginGraceTime: 120 PermitRootLogin: 'yes' PasswordAuthentication: 'no' StrictModes: 'yes' RSAAuthentication: 'yes' PubkeyAuthentication: 'yes' IgnoreRhosts: 'yes' RhostsRSAAuthentication: 'no' HostbasedAuthentication: 'no' PermitEmptyPasswords: 'no' ChallengeResponseAuthentication: 'no' AuthenticationMethods: 'publickey,keyboard-interactive' X11Forwarding: 'yes' X11DisplayOffset: 10 PrintMotd: 'no' PrintLastLog: 'yes' TCPKeepAlive: 'yes' AcceptEnv: "LANG LC_*" Subsystem: "sftp /usr/lib/openssh/sftp-server" UsePAM: 'yes' UseDNS: 'yes' AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke' DenyUsers: 'yoda chewbaca@112.10.21.1' AllowGroups: 'wheel staff imperial' DenyGroups: 'rebel' matches: sftp_chroot: type: Group: sftpusers options: ChrootDirectory: /sftp-chroot/%u X11Forwarding: no AllowTcpForwarding: no ForceCommand: internal-sftp # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first. KexAlgorithms: 'diffie-hellman-group14-sha1,diffie-hellman-group1-sha1' Ciphers: 'aes128-ctr,aes256-ctr' MACs: 'hmac-sha1' openssh: auth: joe-valid-ssh-key-desktop: - user: joe present: True enc: ssh-rsa comment: main key - desktop joe-valid-ssh-key-notebook: - user: joe present: True enc: ssh-rsa comment: main key - notebook joe-non-valid-ssh-key: - user: joe present: False enc: ssh-rsa comment: obsolete key - removed generate_dsa_keys: False absent_dsa_keys: False provide_dsa_keys: False dsa: private_key: | -----BEGIN DSA PRIVATE KEY----- NOT_DEFINED -----END DSA PRIVATE KEY----- public_key: | ssh-dss NOT_DEFINED generate_ecdsa_keys: False absent_ecdsa_keys: False provide_ecdsa_keys: False ecdsa: private_key: | -----BEGIN EC PRIVATE KEY----- NOT_DEFINED -----END EC PRIVATE KEY----- public_key: | ecdsa-sha2-nistp256 NOT_DEFINED generate_rsa_keys: False absent_rsa_keys: False provide_rsa_keys: False rsa: private_key: | -----BEGIN RSA PRIVATE KEY----- NOT_DEFINED -----END RSA PRIVATE KEY----- public_key: | ssh-rsa NOT_DEFINED generate_ed25519_keys: False absent_ed25519_keys: False provide_ed25519_keys: False ed25519: private_key: | -----BEGIN OPENSSH PRIVATE KEY----- NOT_DEFINED -----END OPENSSH PRIVATE KEY----- public_key: | ssh-ed25519 NOT_DEFINED known_hosts: # The next 2 settings restrict the set of minions that will be added in # the generated ssh_known_hosts files (the default is to match all minions) target: '*' expr_form: 'glob' # Name of mining functions used to gather public keys and hostnames # (the default values are shown here) mine_keys_function: public_ssh_host_keys mine_hostname_function: public_ssh_hostname # List of DNS entries also pointing to our managed machines and that we want # to inject in our generated ssh_known_hosts file aliases: - cname-to-minion.example.org - alias.example.org # Required for openssh.known_hosts mine_functions: public_ssh_host_keys: mine_function: cmd.run cmd: cat /etc/ssh/ssh_host_*_key.pub python_shell: True public_ssh_hostname: mine_function: grains.get key: id