# This file is being maintained by Puppet. # DO NOT EDIT # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 <% @sshd_config_port_array.each do |p| -%> <%= "Port #{p}" %> <% end -%> #Protocol 2,1 Protocol 2 <% if @sshd_addressfamily_real != nil -%> #AddressFamily any AddressFamily <%= @sshd_addressfamily_real %> <% end -%> <% if @sshd_listen_address.class == Array -%> <% @sshd_listen_address.each do |val| -%> ListenAddress <%= val %> <% end -%> <% elsif @sshd_listen_address.class == String -%> ListenAddress <%= @sshd_listen_address %> <% end -%> # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key <% @sshd_config_hostkey_real.each do |hostkey| -%> HostKey <%= hostkey %> <% end -%> # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 <% if @sshd_config_serverkeybits_real != nil -%> ServerKeyBits <%= @sshd_config_serverkeybits_real %> <% end -%> # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility <%= @sshd_config_syslog_facility %> #LogLevel INFO LogLevel <%= @sshd_config_loglevel %> # Authentication: #LoginGraceTime 120 LoginGraceTime <%= @sshd_config_login_grace_time %> #PermitRootLogin yes PermitRootLogin <%= @permit_root_login %> #StrictModes yes <% if @sshd_config_strictmodes -%> StrictModes <%= @sshd_config_strictmodes %> <% end -%> #MaxAuthTries 6 <% if @sshd_config_maxauthtries %> MaxAuthTries <%= @sshd_config_maxauthtries %> <% end -%> #RSAAuthentication yes #PubkeyAuthentication yes PubkeyAuthentication <%= @sshd_pubkeyauthentication %> #AuthorizedKeysFile .ssh/authorized_keys <% if @sshd_config_authkey_location -%> AuthorizedKeysFile <%= @sshd_config_authkey_location %> <% end -%> <% if @sshd_authorized_keys_command -%> AuthorizedKeysCommand <%= @sshd_authorized_keys_command %> <% end -%> <% if @sshd_authorized_keys_command_user -%> AuthorizedKeysCommandUser <%= @sshd_authorized_keys_command_user %> <% end -%> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no HostbasedAuthentication <%= @sshd_hostbasedauthentication %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no IgnoreUserKnownHosts <%= @sshd_ignoreuserknownhosts %> # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes IgnoreRhosts <%= @sshd_ignorerhosts %> # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes PasswordAuthentication <%= @sshd_password_authentication %> <% if @sshd_pamauthenticationviakbdint_real != nil -%> # Use PAM via keyboard interactive method for authentication. # Depending on the setup of pam.conf(4) this may allow tunneled clear text # passwords even when PasswordAuthentication is set to no. This is dependent # on what the individual modules request and is out of the control of sshd # or the protocol. PAMAuthenticationViaKBDInt <%= @sshd_pamauthenticationviakbdint_real %> <% end -%> #PermitEmptyPasswords no <% if @sshd_config_permitemptypasswords != nil -%> PermitEmptyPasswords <%= @sshd_config_permitemptypasswords %> <% end -%> # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication <%= @sshd_config_challenge_resp_auth %> # Kerberos options <% if @sshd_kerberos_authentication != nil -%> #KerberosAuthentication no KerberosAuthentication <%= @sshd_kerberos_authentication %> <% end -%> #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication <%= @sshd_gssapiauthentication %> <% if @sshd_gssapikeyexchange_real != nil -%> GSSAPIKeyExchange <%= @sshd_gssapikeyexchange_real %> <% end -%> <% if @sshd_gssapicleanupcredentials_real != nil -%> #GSSAPICleanupCredentials yes GSSAPICleanupCredentials <%= @sshd_gssapicleanupcredentials_real %> <% end -%> <% if @sshd_use_pam_real != nil -%> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no UsePAM <%= @sshd_use_pam_real %> <% end -%> <% if @sshd_acceptenv_real == true -%> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL <% end -%> #AllowTcpForwarding yes AllowTcpForwarding <%= @sshd_allow_tcp_forwarding %> #GatewayPorts no #X11Forwarding no X11Forwarding <%= @sshd_x11_forwarding %> #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes PrintMotd <%= @sshd_config_print_motd %> #PrintLastLog yes #TCPKeepAlive yes TCPKeepAlive <%= @sshd_config_tcp_keepalive %> #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no <% if @sshd_config_permituserenvironment != nil -%> PermitUserEnvironment <%= @sshd_config_permituserenvironment %> <% end -%> #Compression delayed #ClientAliveInterval 0 ClientAliveInterval <%= @sshd_client_alive_interval %> ClientAliveCountMax <%= @sshd_client_alive_count_max %> #ShowPatchLevel no <% if @sshd_config_use_dns_real != nil -%> #UseDNS yes UseDNS <%= @sshd_config_use_dns_real %> <% end -%> #PidFile /var/run/sshd.pid <% if @sshd_config_maxstartups -%> MaxStartups <%= @sshd_config_maxstartups %> <% else -%> #MaxStartups 10:30:100 <% end -%> <% if @sshd_config_maxsessions -%> MaxSessions <%= @sshd_config_maxsessions %> <% else -%> #MaxSessions 10 <% end -%> #PermitTunnel no <% if @sshd_config_chrootdirectory -%> ChrootDirectory <%= @sshd_config_chrootdirectory %> <% else -%> #ChrootDirectory none <% end -%> <% if @sshd_config_forcecommand -%> ForceCommand <%= @sshd_config_forcecommand %> <% end -%> # no default banner path #Banner none Banner <%= @sshd_config_banner %> <% if @sshd_config_xauth_location_real -%> #XAuthLocation /usr/bin/xauth XAuthLocation <%= @sshd_config_xauth_location_real %> <% end -%> # override default of no subsystems Subsystem sftp <%= @sshd_config_subsystem_sftp_real %> <% if @sshd_config_ciphers -%> Ciphers <%= @sshd_config_ciphers.join(',') %> <% end -%> <% if @sshd_config_macs -%> MACs <%= @sshd_config_macs.join(',') %> <% end -%> <% if @sshd_config_denyusers_real != [] -%> DenyUsers <%= @sshd_config_denyusers_real.join(' ') %> <% end -%> <% if @sshd_config_denygroups_real != [] -%> DenyGroups <%= @sshd_config_denygroups_real.join(' ') %> <% end -%> <% if @sshd_config_allowusers_real != [] -%> AllowUsers <%= @sshd_config_allowusers_real.join(' ') %> <% end -%> <% if @sshd_config_allowgroups_real != [] -%> AllowGroups <%= @sshd_config_allowgroups_real.join(' ') %> <% end -%> <% if @sshd_config_match -%> <% @sshd_config_match.sort.each do |key, hash| -%> Match <%= key %> <% hash.sort.each do |values| -%> <%= values %> <% end -%> <% end -%> <% end -%>