add the sshd_strict_modes variable, with the default set to yes

diff --git a/manifests/init.pp b/manifests/init.pp
index a58ee58ef7169f998e4a9571a0321d89f0be6816..858e1b5a29aec5505287bf3a0672796da0e10194 100644 (file)
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -56,9 +56,13 @@
 #                              Valid Values: yes or no
 #                              Default: yes
 #
-# sshd_rsa_authentication:     If you wat to enable RSA Authentication
+# sshd_rsa_authentication:     If you want to enable RSA Authentication
 #                              Valid Values: yes or no
 #                              Default: no
+#                              
+# sshd_strict_modes:           If you want to set StrictModes (check file modes/ownership before accepting login)
+#                              Valid Values: yes or no
+#                              Default: yes
 
 class sshd {
     include sshd::client 
@@ -113,6 +117,10 @@ class sshd::base {
        '' => 'no',
        default => $sshd_rsa_authentication
     }
+    $real_sshd_strict_modes = $sshd_strict_modes ? {
+       '' => 'yes',
+       default => $sshd_strict_modes
+    }
 
     file { 'sshd_config':
         path => '/etc/ssh/sshd_config',

diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index dc5768009a429a454467db2d5f2bd5ab99d23fd7..849d9fbeb23016b09007c298ba9c36c04443f111 100644 (file)
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -41,7 +41,13 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
-#StrictModes yes
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
 #MaxAuthTries 6
 
 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>

diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index deed847e78f8123542a52177451950c39045cb05..7105dfdb62a2a62cad91e9bab9475cccd0d6f8f2 100644 (file)
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -32,7 +32,12 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
 StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
 
 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>
 RSAAuthentication yes

diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index 3feb4ea862248601e9190d364b1e54ab1fa8e262..04712bdd195328f0638ba38dd43ce6c7f9b7d4ca 100644 (file)
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -39,7 +39,13 @@ Protocol 2
 
 #LoginGraceTime 2m
 PermitRootLogin without-password
-#StrictModes yes
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
 <%- unless real_sshd_permit_root_login.to_s.empty? then %>
 PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>

diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index 47d4a08af5f00f33dafd01db4ce129b7aeba7f59..b7e467332026e7e3d77d097fccf3bb694936ea95 100644 (file)
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -37,7 +37,13 @@ PermitRootLogin <%= real_sshd_permit_root_login %>
 <%- else %>
 PermitRootLogin without-password
 <%- end %>
-#StrictModes yes
+
+<%- if real_sshd_strict_modes.to_s == 'yes' then %>
+StrictModes yes
+<%- else %>
+StrictModes no
+<%- end %>
+
 #MaxAuthTries 6
 
 <%- if real_sshd_rsa_authentication.to_s == 'yes' then %>