# Valid Values: yes or no
# Default: no
#
+# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
+# Valid Values: yes or no
+# Default: no
+#
+# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
+# Valid Values: yes or no
+# Default: no
+#
# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
# Valid Values: yes or no
# Default: yes
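Review bot: The two new parameter descriptions do not say what trust model each option turns on, and both of them let a client host vouch for the user instead of the user proving identity. Under sshd_rhosts_rsa_authentication I would add `# SSH protocol 1 only: accepts rhosts/hosts.equiv entries backed by the client host's RSA key`. Under sshd_hostbased_authentication I would add `# SSH protocol 2: the client host key must be in the system ssh_known_hosts file, and any root compromise of that client host extends to this server`. The header comment block starts and ends outside this hunk, so the wording should be matched to the neighbouring entries.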
'' => 'yes',
default => $sshd_ignore_rhosts
}
+ $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
+ '' => 'no',
+ default => $sshd_rhosts_rsa_authentication
+ }
+ $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
+ '' => 'no',
+ default => $sshd_hostbased_authentication
+ }
file { 'sshd_config':
path => '/etc/ssh/sshd_config',
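Review bot: Neither new selector checks the value it is handed, so anything other than the exact string `yes` (for example `Yes`, or a boolean `true`) flows through `default =>` and is rendered as `no` by the templates' `.to_s == 'yes'` comparison. That fails closed, which is the right direction for these two options, but a catalog that asked for host-based authentication silently gets it disabled with no compile-time signal. If the module already depends on stdlib (not visible here), a check such as `validate_re($real_sshd_hostbased_authentication, '^(yes|no)$')` after each selector would turn a typo into a compile error. The `file { 'sshd_config':` resource continues outside the hunk.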
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
# similar for protocol version 2
-#HostbasedAuthentication no
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
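Review bot: When the `HostbasedAuthentication yes` branch is rendered, `IgnoreUserKnownHosts` stays commented out a few lines below. sshd therefore keeps its default and will also accept client host keys found in a user's own ~/.ssh/known_hosts. The template's own comment says to change this when that file is not trusted, so consider rendering `IgnoreUserKnownHosts yes` inside the yes branch. That leaves only the administrator-controlled system known-hosts file deciding which hosts may assert identities. The same applies to the other templates in this commit that add the hostbased block next to a commented `IgnoreUserKnownHosts` line.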
#AuthorizedKeysFile %h/.ssh/authorized_keys
-# rhosts authentication should not be used
-#RhostsAuthentication no
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
IgnoreRhosts no
<% end -%>
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
# similar for protocol version 2
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
HostbasedAuthentication no
+<% end -%>
+
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
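Review bot: Now that `RhostsRSAAuthentication yes` is reachable in this template, the `IgnoreRhosts` line directly below it decides whether per-user ~/.rhosts and ~/.shosts files are honoured. The context lines show `IgnoreRhosts no` being emitted under a test of `real_sshd_pubkey_authentication`. The manifest computes a value from `$sshd_ignore_rhosts` with a default of `yes`, so I would expect that value to drive this directive; the rest of the template is outside the hunk, so this may be an artefact of the view and should be confirmed. If the condition is as shown, enabling pubkey authentication together with either new option lets users extend host trust from their own home directories.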
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
# similar for protocol version 2
-#HostbasedAuthentication no
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
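Review bot: `RhostsRSAAuthentication no` is now written on every run where the line used to be commented out, and sshd builds that have dropped protocol 1 treat the keyword as deprecated and log a warning for it at startup. Since `no` is already the built-in default, dropping the `<%- else %>` branch and rendering only `RhostsRSAAuthentication yes` when requested keeps the effective setting and avoids the noise on newer hosts. The same applies to the other two templates in this commit that replace `#RhostsRSAAuthentication no`.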
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
+<%- if real_sshd_rhosts_rsa_authentication.to_s == 'yes' then %>
+RhostsRSAAuthentication yes
+<%- else %>
+RhostsRSAAuthentication no
+<% end -%>
+
# similar for protocol version 2
-#HostbasedAuthentication no
+<%- if real_sshd_hostbased_authentication.to_s == 'yes' then %>
+HostbasedAuthentication yes
+<%- else %>
+HostbasedAuthentication no
+<% end -%>
+
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no