mirror of
https://github.com/saltstack-formulas/openssh-formula.git
synced 2024-11-28 01:18:12 +01:00
844e96b57b
Opt-in to enforce RSA key length
270 lines
11 KiB
Plaintext
270 lines
11 KiB
Plaintext
sshd_config:
|
|
# This keyword is totally optional
|
|
ConfigBanner: |
|
|
# Alternative banner for the config file
|
|
# (Indented) hash signs lose their special meaning here
|
|
# and the lines will be written as-is.
|
|
Port: 22
|
|
Protocol: 2
|
|
HostKey:
|
|
- /etc/ssh/ssh_host_rsa_key
|
|
- /etc/ssh/ssh_host_dsa_key
|
|
- /etc/ssh/ssh_host_ecdsa_key
|
|
- /etc/ssh/ssh_host_ed25519_key
|
|
UsePrivilegeSeparation: 'yes'
|
|
KeyRegenerationInterval: 3600
|
|
ServerKeyBits: 1024
|
|
SyslogFacility: AUTH
|
|
LogLevel: INFO
|
|
ClientAliveInterval: 0
|
|
ClientAliveCountMax: 3
|
|
LoginGraceTime: 120
|
|
PermitRootLogin: 'yes'
|
|
PasswordAuthentication: 'no'
|
|
StrictModes: 'yes'
|
|
MaxAuthTries: 6
|
|
MaxSessions: 10
|
|
RSAAuthentication: 'yes'
|
|
PubkeyAuthentication: 'yes'
|
|
AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
|
|
AuthorizedKeysCommandUser: 'nobody'
|
|
IgnoreRhosts: 'yes'
|
|
RhostsRSAAuthentication: 'no'
|
|
HostbasedAuthentication: 'no'
|
|
PermitEmptyPasswords: 'no'
|
|
ChallengeResponseAuthentication: 'no'
|
|
AuthenticationMethods: 'publickey,keyboard-interactive'
|
|
AuthorizedKeysFile: '%h/.ssh/authorized_keys'
|
|
X11Forwarding: 'no'
|
|
X11DisplayOffset: 10
|
|
PrintMotd: 'yes'
|
|
PrintLastLog: 'yes'
|
|
TCPKeepAlive: 'yes'
|
|
AcceptEnv: "LANG LC_*"
|
|
Subsystem: "sftp /usr/lib/openssh/sftp-server"
|
|
UsePAM: 'yes'
|
|
UseDNS: 'yes'
|
|
AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
|
|
DenyUsers: 'yoda chewbaca@112.10.21.1'
|
|
AllowGroups: 'wheel staff imperial'
|
|
DenyGroups: 'rebel'
|
|
matches:
|
|
sftp_chroot:
|
|
type:
|
|
Group: sftpusers
|
|
options:
|
|
ChrootDirectory: /sftp-chroot/%u
|
|
X11Forwarding: no
|
|
AllowTcpForwarding: no
|
|
ForceCommand: internal-sftp
|
|
# Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
|
|
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
|
|
# The configuration given in the example below is based on:
|
|
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
|
#KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
|
|
#Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
|
|
#MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
|
|
KexAlgorithms:
|
|
- 'curve25519-sha256@libssh.org'
|
|
- 'diffie-hellman-group-exchange-sha256'
|
|
Ciphers:
|
|
- 'chacha20-poly1305@openssh.com'
|
|
- 'aes256-gcm@openssh.com'
|
|
- 'aes128-gcm@openssh.com'
|
|
- 'aes256-ctr'
|
|
- 'aes192-ctr'
|
|
- 'aes128-ctr'
|
|
MACs:
|
|
- 'hmac-sha2-512-etm@openssh.com'
|
|
- 'hmac-sha2-256-etm@openssh.com'
|
|
- 'hmac-ripemd160-etm@openssh.com'
|
|
- 'umac-128-etm@openssh.com'
|
|
- 'hmac-sha2-512'
|
|
- 'hmac-sha2-256'
|
|
- 'hmac-ripemd160'
|
|
- 'umac-128@openssh.com'
|
|
|
|
# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
|
|
# pillar will overwrite the defaults of your distribution's SSH client. This
|
|
# will also force the default configuration for all the SSH clients on the
|
|
# machine. This can break SSH connections with servers using older versions of
|
|
# openssh. Please make sure you understand the implication of different settings
|
|
ssh_config:
|
|
StrictHostKeyChecking: no
|
|
ForwardAgent: no
|
|
ForwardX11: no
|
|
RhostsRSAAuthentication: no
|
|
RSAAuthentication: yes
|
|
PasswordAuthentication: yes
|
|
HostbasedAuthentication: no
|
|
GSSAPIAuthentication: no
|
|
GSSAPIDelegateCredentials: no
|
|
BatchMode: 'yes'
|
|
CheckHostIP: 'yes'
|
|
AddressFamily: 'any'
|
|
ConnectTimeout: 0
|
|
IdentityFile: '~/.ssh/id_rsa'
|
|
Port: 22
|
|
Protocol: 2
|
|
Cipher: '3des'
|
|
Tunnel: 'no'
|
|
TunnelDevice: 'any:any'
|
|
PermitLocalCommand: 'no'
|
|
VisualHostKey: 'no'
|
|
# Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
|
|
# WARNING! Please make sure you understand the implications of the below
|
|
# settings. The examples provided below might break your connection to older /
|
|
# legacy openssh servers.
|
|
# The configuration given in the example below is based on:
|
|
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
|
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
|
|
#KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
|
|
#Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
|
|
#MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
|
|
KexAlgorithms:
|
|
- 'curve25519-sha256@libssh.org'
|
|
- 'diffie-hellman-group-exchange-sha256'
|
|
- 'diffie-hellman-group-exchange-sha1'
|
|
- 'diffie-hellman-group14-sha1'
|
|
Ciphers:
|
|
- 'chacha20-poly1305@openssh.com'
|
|
- 'aes256-gcm@openssh.com'
|
|
- 'aes128-gcm@openssh.com'
|
|
- 'aes256-ctr'
|
|
- 'aes192-ctr'
|
|
- 'aes128-ctr'
|
|
MACs:
|
|
- 'hmac-sha2-512-etm@openssh.com'
|
|
- 'hmac-sha2-256-etm@openssh.com'
|
|
- 'hmac-ripemd160-etm@openssh.com'
|
|
- 'umac-128-etm@openssh.com'
|
|
- 'hmac-sha2-512'
|
|
- 'hmac-sha2-256'
|
|
- 'hmac-ripemd160'
|
|
- 'umac-128@openssh.com'
|
|
|
|
|
|
openssh:
|
|
# Controls if SSHD should be enabled/started
|
|
sshd_enable: true
|
|
auth:
|
|
joe-valid-ssh-key-desktop:
|
|
- user: joe
|
|
present: True
|
|
enc: ssh-rsa
|
|
comment: main key - desktop
|
|
source: salt://ssh_keys/joe.desktop.pub
|
|
joe-valid-ssh-key-notebook:
|
|
- user: joe
|
|
present: True
|
|
enc: ssh-rsa
|
|
comment: main key - notebook
|
|
source: salt://ssh_keys/joe.netbook.pub
|
|
joe-non-valid-ssh-key:
|
|
- user: joe
|
|
present: False
|
|
enc: ssh-rsa
|
|
comment: obsolete key - removed
|
|
source: salt://ssh_keys/joe.no-valid.pub
|
|
# Maps users to source files
|
|
# Designed to play nice with ext_pillar
|
|
# salt.states.ssh_auth: If source is set, comment and enc will be ignored
|
|
auth_map:
|
|
personal_keys: # store name
|
|
source: salt://ssh_keys
|
|
users:
|
|
joe:
|
|
joe.desktop: {}
|
|
joe.netbook:
|
|
options: [] # see salt.states.ssh_auth.present
|
|
joe.no-valid:
|
|
present: False
|
|
|
|
generate_dsa_keys: False
|
|
absent_dsa_keys: False
|
|
provide_dsa_keys: False
|
|
dsa:
|
|
private_key: |
|
|
-----BEGIN DSA PRIVATE KEY-----
|
|
NOT_DEFINED
|
|
-----END DSA PRIVATE KEY-----
|
|
public_key: |
|
|
ssh-dss NOT_DEFINED
|
|
|
|
generate_ecdsa_keys: False
|
|
absent_ecdsa_keys: False
|
|
provide_ecdsa_keys: False
|
|
ecdsa:
|
|
private_key: |
|
|
-----BEGIN EC PRIVATE KEY-----
|
|
NOT_DEFINED
|
|
-----END EC PRIVATE KEY-----
|
|
public_key: |
|
|
ecdsa-sha2-nistp256 NOT_DEFINED
|
|
|
|
generate_rsa_keys: False
|
|
generate_rsa_size: 4096
|
|
# Will remove the old key if it is to short and generate a new one.
|
|
enforce_rsa_size: False
|
|
absent_rsa_keys: False
|
|
provide_rsa_keys: False
|
|
rsa:
|
|
private_key: |
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
NOT_DEFINED
|
|
-----END RSA PRIVATE KEY-----
|
|
public_key: |
|
|
ssh-rsa NOT_DEFINED
|
|
|
|
generate_ed25519_keys: False
|
|
absent_ed25519_keys: False
|
|
provide_ed25519_keys: False
|
|
ed25519:
|
|
private_key: |
|
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
NOT_DEFINED
|
|
-----END OPENSSH PRIVATE KEY-----
|
|
public_key: |
|
|
ssh-ed25519 NOT_DEFINED
|
|
|
|
known_hosts:
|
|
# The next 2 settings restrict the set of minions that will be added in
|
|
# the generated ssh_known_hosts files (the default is to match all minions)
|
|
target: '*'
|
|
expr_form: 'glob'
|
|
# Name of mining functions used to gather public keys and hostnames
|
|
# (the default values are shown here)
|
|
mine_keys_function: public_ssh_host_keys
|
|
mine_hostname_function: public_ssh_hostname
|
|
# List of DNS entries also pointing to our managed machines and that we want
|
|
# to inject in our generated ssh_known_hosts file
|
|
aliases:
|
|
- cname-to-minion.example.org
|
|
- alias.example.org
|
|
|
|
# specify DH parameters (see /etc/ssh/moduli)
|
|
moduli: |
|
|
# Time Type Tests Tries Size Generator Modulus
|
|
20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
|
|
20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
|
|
20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
|
|
20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
|
|
# ALTERNATIVELY, specify the location of the moduli file. Examples:
|
|
#moduli_source: http://some.server.somewhere/salt/moduli
|
|
#moduli_source: salt://files/ssh/moduli
|
|
# If moduli is specified, moduli_source will be ignored.
|
|
# Also, a proper hash file *must* be included in the same path. E.g.:
|
|
# http://some.server.somewhere/salt/moduli.hash
|
|
# salt://files/ssh/moduli.hash
|
|
# These will be automatically referenced to by the ssh_moduli state.
|
|
|
|
# Required for openssh.known_hosts
|
|
mine_functions:
|
|
public_ssh_host_keys:
|
|
mine_function: cmd.run
|
|
cmd: cat /etc/ssh/ssh_host_*_key.pub
|
|
python_shell: True
|
|
public_ssh_hostname:
|
|
mine_function: grains.get
|
|
key: id
|