add sshd_pubkey_authentication variable, with the default set to yes
authorMicah Anderson <micah@riseup.net>
Fri, 26 Sep 2008 21:10:33 +0000 (17:10 -0400)
committerMicah Anderson <micah@riseup.net>
Fri, 26 Sep 2008 21:10:33 +0000 (17:10 -0400)
manifests/init.pp
templates/sshd_config/CentOS_normal.erb
templates/sshd_config/Debian_normal.erb
templates/sshd_config/Gentoo_normal.erb
templates/sshd_config/OpenBSD_normal.erb

index 029ab957abc2c67d9409f34d1cc50b273a38d026..413c46a1eef81557ba31ffb0a72049857b8ca4d0 100644 (file)
 # sshd_agent_forwarding:       If you want to allow ssh-agent forwarding
 #                              Valid Values: yes or no
 #                              Default: no
+#
+# sshd_pubkey_authentication:  If you want to enable public key authentication
+#                              Valid Values: yes or no
+#                              Default: yes
 
 class sshd {
     include sshd::client 
@@ -97,6 +101,10 @@ class sshd::base {
         '' => 'no',
        default => $sshd_challenge_response_authentication
     }
+    $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
+       '' => 'no',
+       default => $sshd_pubkey_authentication
+    }
 
     file { 'sshd_config':
         path => '/etc/ssh/sshd_config',
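Review bot: The selector added for `$real_sshd_pubkey_authentication` maps the empty string to `'no'`, which contradicts the commit title and the `Default: yes` documented in the header comment of the first hunk. Assuming an unset `$sshd_pubkey_authentication` reaches this selector as `''`, as the neighbouring selectors appear to expect, a node that never sets the variable gets public key authentication switched off. The Debian template previously shipped `PubkeyAuthentication yes` unconditionally, so there this is a silent behaviour change that can lock out administrators who log in with keys only. The empty case should read `'' => 'yes',`. The body of `sshd::base` starts and ends outside the hunk.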
index a053001646ea76a985fca27458dada3aad8126f8..b0bea46ad41a673e0e8abdc2eaf09bed580ef8e3 100644 (file)
@@ -45,7 +45,11 @@ PermitRootLogin without-password
 #MaxAuthTries 6
 
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
 #AuthorizedKeysFile    .ssh/authorized_keys
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
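Review bot: The condition tests `real_sshd_sshd_pubkey_authentication`, but manifests/init.pp defines `$real_sshd_pubkey_authentication`; with the doubled `sshd_` the template never reads the value the manifest computed. Depending on how the Puppet version in use treats an unknown template variable, this either fails the catalog compile or always renders the else branch, `PubkeyAuthentication no`, whatever the operator configured. The Debian, Gentoo and OpenBSD hunks below use the same name. The line should read `<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>` in all four templates. Rendering each template once with the variable set to `yes` and once unset, then checking the output with `sshd -t`, would catch this before rollout.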
index a1d7a45a55989a596c999c704612a834889a8ffb..d105ecc64afa0c91a9e5772a01fdfb2f5907763a 100644 (file)
@@ -35,7 +35,12 @@ PermitRootLogin without-password
 StrictModes yes
 
 RSAAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
 PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
+
 #AuthorizedKeysFile    %h/.ssh/authorized_keys
 
 # rhosts authentication should not be used
index 5605f146690fcc7081d93893efa44ebf2a3ce2f4..353875458c2848193d2ac175527b03df419d2cbb 100644 (file)
@@ -48,7 +48,11 @@ PermitRootLogin without-password
 #MaxAuthTries 6
 
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
 #AuthorizedKeysFile    .ssh/authorized_keys
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
index 954b42037b537082288c35b5be13009b333b950d..bee3548b7845a74ec4a7381ff747adf3e30364a3 100644 (file)
@@ -41,7 +41,12 @@ PermitRootLogin without-password
 #MaxAuthTries 6
 
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+<%- if real_sshd_sshd_pubkey_authentication.to_s == 'yes' then %>
+PubkeyAuthentication yes
+<%- else %>
+PubkeyAuthentication no
+<%- end %>
+
 #AuthorizedKeysFile    .ssh/authorized_keys
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts