add variable sshd_permit_empty_passwords, with the default set to no

diff --git a/manifests/init.pp b/manifests/init.pp
index 02f2e42aef25c08d8557158ddc30a067f3063dd2..5ba3e226a7f43db1d75633fd4816cb9d23e5dc9a 100644 (file)
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -71,6 +71,11 @@
 # sshd_strict_modes:           If you want to set StrictModes (check file modes/ownership before accepting login)
 #                              Valid Values: yes or no
 #                              Default: yes
+#
+# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords
+#                              Valid Values: yes or no
+#                              Default: no
+
 
 class sshd {
     include sshd::client 
@@ -141,6 +146,10 @@ class sshd::base {
        '' => 'no',
        default => $sshd_hostbased_authentication
     }
+    $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
+       '' => 'no',
+       default => $sshd_permit_empty_passwords
+    }
 
     file { 'sshd_config':
         path => '/etc/ssh/sshd_config',

diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index a7848423c1deaa5d8e42fa79f635e8499624d86b..92ba92e38abec116c175502c978a15074437e34e 100644 (file)
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -94,7 +94,13 @@ PasswordAuthentication yes
 <%- else %>
 PasswordAuthentication no
 <%- end %>
-#PermitEmptyPasswords no
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_empty_passwords.to_s == 'yes' then %>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
 
 # Change to no to disable s/key passwords
 <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>

diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index cf2495373d0700b597e1cc9cee69c7c7f4b6d55d..92cb7b0fc7512de9436cf31fd550d4050d148702 100644 (file)
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -78,7 +78,11 @@ HostbasedAuthentication no
 #IgnoreUserKnownHosts yes
 
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_empty_passwords.to_s == 'yes' then %>
+PermitEmptyPasswords yes
+<% else -%>
 PermitEmptyPasswords no
+<% end -%>
 
 # Change to no to disable s/key passwords
 <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>

diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index 57a80a1a5e90da3a593421c960d96b5a81362691..a9f99163604612af416f940f15b16ccc7b110f68 100644 (file)
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -97,7 +97,13 @@ PasswordAuthentication yes
 <%- else %>
 PasswordAuthentication no
 <%- end %>
-#PermitEmptyPasswords no
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_empty_passwords.to_s == 'yes' then %>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
 
 # Change to no to disable s/key passwords
 <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>

diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index 1de6a55b68c55b478d26801eaf57d645c597c651..dd6bb698a9f9713435c9b84e0f9fa095266b8f20 100644 (file)
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -91,7 +91,13 @@ PasswordAuthentication yes
 <%- else %>
 PasswordAuthentication no
 <%- end %>
-#PermitEmptyPasswords no
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+<%- if real_sshd_empty_passwords.to_s == 'yes' then %>
+PermitEmptyPasswords yes
+<% else -%>
+PermitEmptyPasswords no
+<% end -%>
 
 # Change to no to disable s/key passwords
 <%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>