From 7f1dae4a63aea6da15753430c8e9af589e94250b Mon Sep 17 00:00:00 2001
From: Jan Vansteenkiste
Date: Thu, 27 Feb 2020 09:51:50 +0100
Subject: [PATCH] Correct the fixtures for debian 10 sshd_config
As the original author of the pr said: He added the vanilla configuration files as spec tests. Since the module uses it's own template, this won't work. I copied the debian9 fixtures sshd_config since the defaults in puppet are identical for debian 10. Closes #323
---
spec/fixtures/sshd_config_debian10 | 115 ++++++++++++++++-------------
1 file changed, 62 insertions(+), 53 deletions(-)
diff --git a/spec/fixtures/sshd_config_debian10 b/spec/fixtures/sshd_config_debian10
index 0d269e9..5b150ee 100644
--- a/spec/fixtures/sshd_config_debian10
+++ b/spec/fixtures/sshd_config_debian10
@@ -1,124 +1,133 @@
 # This file is being maintained by Puppet.
 # DO NOT EDIT
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
+# possible, but leave them commented. Uncommented options change a
 # default value.
 #Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
+Port 22
+#Protocol 2,1
+Protocol 2
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
 #HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
 # Logging
+# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
+SyslogFacility AUTH
 #LogLevel INFO
+LogLevel INFO
 # Authentication:
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+#LoginGraceTime 120
+LoginGraceTime 120
+#PermitRootLogin yes
+PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
-#MaxSessions 10
+#RSAAuthentication yes
 #PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
+PubkeyAuthentication yes
+#AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
 #HostbasedAuthentication no
+HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
+# RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
+IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
+IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
+PasswordAuthentication yes
 #PermitEmptyPasswords no
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication yes
 # Kerberos options
-#KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 # GSSAPI options
 #GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
+GSSAPIAuthentication yes
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# be allowed through the ChallengeResponseAuthentication mechanism.
+# Depending on your PAM configuration, this may bypass the setting of
+# PasswordAuthentication, PermitEmptyPasswords, and
+# "PermitRootLogin without-password". If you just want the PAM account and
+# session checks to run without PAM authentication, then enable this but set
+# ChallengeResponseAuthentication=no
+#UsePAM no
 UsePAM yes
-#AllowAgentForwarding yes
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
 #AllowTcpForwarding yes
+AllowTcpForwarding yes
 #GatewayPorts no
+#X11Forwarding no
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
+X11UseLocalhost yes
+#PrintMotd yes
+PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
+ClientAliveInterval 0
+ClientAliveCountMax 3
+#ShowPatchLevel no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
+#MaxSessions 10
+
 #PermitTunnel no
 #ChrootDirectory none
-#VersionAddendum none
 # no default banner path
 #Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
+Banner none
 # override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
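Review bot: The copied fixture now makes the spec assert that the module emits `PermitRootLogin yes` and `PasswordAuthentication yes` on Debian 10, while the vanilla file it replaces carried `#PermitRootLogin prohibit-password`, so the test pins a weaker posture than the stock file it was derived from. If the template intentionally emits `yes` for this OS the fixture is correct, but those values (and `ChallengeResponseAuthentication yes` and `GSSAPIAuthentication yes`, which the removed file had as `ChallengeResponseAuthentication no` and `#GSSAPIAuthentication no`) deserve confirmation against the template's Debian 10 defaults rather than being inherited from the Debian 9 fixture. The `Subsystem sftp /usr/lib/openssh/sftp-server` line is removed and re-added with no visible difference, which looks like a whitespace-only change (tab versus spaces) that the collapsed patch cannot show, so it is worth checking that template and fixture agree on it. The added `# $OpenBSD: sshd_config,v 1.73 2005/12/06` header and the protocol 1 leftovers (`#KeyRegenerationInterval`, `#ServerKeyBits`, `#RSAAuthentication`, `#UseLogin`, `#UsePrivilegeSeparation`) are inert comments, but they show the template text predates the OpenSSH shipped with Debian 10. Since a fixture must match the template output byte for byte, an explanatory comment cannot go here; a one-line note in the template's Debian 10 defaults (or in the spec) stating that Debian 10 deliberately shares Debian 9's values would document the choice.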