'' => 'yes',
default => $sshd_strict_modes
}
+ $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
+ '' => 'yes',
+ default => $sshd_ignore_rhosts
+ }
file { 'sshd_config':
path => '/etc/ssh/sshd_config',
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
+
# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+IgnoreRhosts yes
+<%- else %>
+IgnoreRhosts no
+<% end -%>
# To disable tunneled clear text passwords, change to no here!
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
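Review bot: The guard added around `IgnoreRhosts` tests `real_sshd_pubkey_authentication`, not the `real_sshd_ignore_rhosts` value that the manifest change computes, so the new `sshd_ignore_rhosts` parameter appears to have no effect on the rendered file. As written, a node with public-key authentication turned off gets `IgnoreRhosts no`, which lets sshd consult per-user `~/.rhosts` and `~/.shosts` files wherever host-based authentication is enabled. The guard should read `<%- if real_sshd_ignore_rhosts.to_s == 'yes' then %>`. The same line is repeated in the three template hunks that follow, including the one where `IgnoreRhosts yes` was previously emitted unconditionally, so that template loses a hardened default. The file headers are not visible here, so which templates these are cannot be confirmed from the page.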
# rhosts authentication should not be used
#RhostsAuthentication no
+
# Don't read the user's ~/.rhosts and ~/.shosts files
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
IgnoreRhosts yes
+<%- else %>
+IgnoreRhosts no
+<% end -%>
+
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
+
# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+IgnoreRhosts yes
+<%- else %>
+IgnoreRhosts no
+<% end -%>
# To disable tunneled clear text passwords, change to no here!
<%- if real_sshd_password_authentication.to_s == 'yes' then %>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
+
# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
+<%- if real_sshd_pubkey_authentication.to_s == 'yes' then %>
+IgnoreRhosts yes
+<%- else %>
+IgnoreRhosts no
+<% end -%>
# To disable tunneled clear text passwords, change to no here!
<%- if real_sshd_password_authentication.to_s == 'yes' then %>