forked from saltstack-formulas/openssh-formula
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pillar.example
355 lines (343 loc) · 13.2 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
sshd_config:
# This keyword is totally optional
ConfigBanner: |
# Alternative banner for the config file
# (Indented) hash signs lose their special meaning here
# and the lines will be written as-is.
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation: 'sandbox'
KeyRegenerationInterval: 3600
ServerKeyBits: 1024
SyslogFacility: AUTH
LogLevel: INFO
ClientAliveInterval: 0
ClientAliveCountMax: 3
LoginGraceTime: 120
PermitRootLogin: 'yes'
PasswordAuthentication: 'no'
StrictModes: 'yes'
MaxAuthTries: 6
MaxSessions: 10
RSAAuthentication: 'yes'
PubkeyAuthentication: 'yes'
AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
AuthorizedKeysCommandUser: 'nobody'
IgnoreRhosts: 'yes'
RhostsRSAAuthentication: 'no'
HostbasedAuthentication: 'no'
PermitEmptyPasswords: 'no'
ChallengeResponseAuthentication: 'no'
AuthenticationMethods: 'publickey,keyboard-interactive'
AuthorizedKeysFile: '%h/.ssh/authorized_keys'
X11Forwarding: 'no'
X11DisplayOffset: 10
PrintMotd: 'yes'
PrintLastLog: 'yes'
TCPKeepAlive: 'yes'
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: 'yes'
UseDNS: 'yes'
# set as string
AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
# or set as list
AllowUsers:
- vader@10.0.0.1
- maul@evil.com
- sidious
- luke
# set as string
DenyUsers: 'yoda chewbaca@112.10.21.1'
# or set as list
DenyUsers:
- yoda
- chewbaca@112.10.21.1
# set as string
AllowGroups: 'wheel staff imperial'
# or set as list
AllowGroups:
- wheel
- staff
- imperial
# set as string
DenyGroups: 'rebel'
# or set as list
DenyGroups:
- rebel
- badcompany
matches:
sftp_chroot:
type:
Group: sftpusers
options:
ChrootDirectory: /sftp-chroot/%u
X11Forwarding: no
AllowTcpForwarding: no
ForceCommand: internal-sftp
# Supports complex compound matches in Match criteria. For example, be able
# to match against multiple Users for a given Match, or be able to match
# against address ranges. Or Groups. Or any combination thereof.
#
# Support for matching users can take one of several different appearances
# in pillar data:
match_1:
type:
User: one_user
options:
ChrootDirectory: /ex/%u
match_2:
type:
User:
- jim
- bob
- sally
options:
ChrootDirectory: /ex/%u
# Note the syntax of match_3. By using empty dicts for each user, we can
# leverage Salt's pillar mergine. If we use simple lists, we cannot do
# this; Salt can't merge simple lists, because it doesn't know what order
# they ought to be in.
match_3:
type:
User:
jim: ~
bob: ~
sally: ~
options:
ChrootDirectory: /ex/%u
# Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
# The configuration given in the example below is based on:
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
#KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
#Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
#MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
KexAlgorithms:
- 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256'
Ciphers:
- 'chacha20-poly1305@openssh.com'
- 'aes256-gcm@openssh.com'
- 'aes128-gcm@openssh.com'
- 'aes256-ctr'
- 'aes192-ctr'
- 'aes128-ctr'
MACs:
- 'hmac-sha2-512-etm@openssh.com'
- 'hmac-sha2-256-etm@openssh.com'
- 'umac-128-etm@openssh.com'
- 'hmac-sha2-512'
- 'hmac-sha2-256'
- 'umac-128@openssh.com'
# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
# pillar will overwrite the defaults of your distribution's SSH client. This
# will also force the default configuration for all the SSH clients on the
# machine. This can break SSH connections with servers using older versions of
# openssh. Please make sure you understand the implication of different settings
ssh_config:
StrictHostKeyChecking: no
ForwardAgent: no
ForwardX11: no
RhostsRSAAuthentication: no
RSAAuthentication: yes
PasswordAuthentication: yes
HostbasedAuthentication: no
GSSAPIAuthentication: no
GSSAPIDelegateCredentials: no
BatchMode: 'yes'
CheckHostIP: 'yes'
AddressFamily: 'any'
ConnectTimeout: 0
IdentityFile: '~/.ssh/id_rsa'
Port: 22
Protocol: 2
Cipher: '3des'
Tunnel: 'no'
TunnelDevice: 'any:any'
PermitLocalCommand: 'no'
VisualHostKey: 'no'
# Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
# WARNING! Please make sure you understand the implications of the below
# settings. The examples provided below might break your connection to older /
# legacy openssh servers.
# The configuration given in the example below is based on:
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
#KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
#Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
#MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
KexAlgorithms:
- 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256'
- 'diffie-hellman-group-exchange-sha1'
- 'diffie-hellman-group14-sha1'
Ciphers:
- 'chacha20-poly1305@openssh.com'
- 'aes256-gcm@openssh.com'
- 'aes128-gcm@openssh.com'
- 'aes256-ctr'
- 'aes192-ctr'
- 'aes128-ctr'
MACs:
- 'hmac-sha2-512-etm@openssh.com'
- 'hmac-sha2-256-etm@openssh.com'
- 'umac-128-etm@openssh.com'
- 'hmac-sha2-512'
- 'hmac-sha2-256'
- 'umac-128@openssh.com'
openssh:
# Instead of adding a custom banner file you can set it in pillar
banner_string: |
Welcome to {{ grains['id'] }}!
# Controls if SSHD should be enabled/started
sshd_enable: true
auth:
joe-valid-ssh-key-desktop:
- user: joe
present: True
enc: ssh-rsa
comment: main key - desktop
source: salt://ssh_keys/joe.desktop.pub
joe-valid-ssh-key-notebook:
- user: joe
present: True
enc: ssh-rsa
comment: main key - notebook
source: salt://ssh_keys/joe.netbook.pub
joe-non-valid-ssh-key:
- user: joe
present: False
enc: ssh-rsa
comment: obsolete key - removed
source: salt://ssh_keys/joe.no-valid.pub
# Maps users to source files
# Designed to play nice with ext_pillar
# salt.states.ssh_auth: If source is set, comment and enc will be ignored
auth_map:
personal_keys: # store name
source: salt://ssh_keys
users:
joe:
joe.desktop: {}
joe.netbook:
options: [] # see salt.states.ssh_auth.present
joe.no-valid:
present: False
generate_dsa_keys: False
absent_dsa_keys: False
provide_dsa_keys: False
dsa:
private_key: |
-----BEGIN DSA PRIVATE KEY-----
NOT_DEFINED
-----END DSA PRIVATE KEY-----
public_key: |
ssh-dss NOT_DEFINED
generate_ecdsa_keys: False
absent_ecdsa_keys: False
provide_ecdsa_keys: False
ecdsa:
private_key: |
-----BEGIN EC PRIVATE KEY-----
NOT_DEFINED
-----END EC PRIVATE KEY-----
public_key: |
ecdsa-sha2-nistp256 NOT_DEFINED
generate_rsa_keys: False
generate_rsa_size: 4096
# Will remove the old key if it is to short and generate a new one.
enforce_rsa_size: False
absent_rsa_keys: False
provide_rsa_keys: False
rsa:
private_key: |
-----BEGIN RSA PRIVATE KEY-----
NOT_DEFINED
-----END RSA PRIVATE KEY-----
public_key: |
ssh-rsa NOT_DEFINED
generate_ed25519_keys: False
absent_ed25519_keys: False
provide_ed25519_keys: False
ed25519:
private_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
NOT_DEFINED
-----END OPENSSH PRIVATE KEY-----
public_key: |
ssh-ed25519 NOT_DEFINED
known_hosts:
# The next 2 settings restrict the set of minions that will be added in
# the generated ssh_known_hosts files (the default is to match all minions)
target: '*'
tgt_type: 'glob'
# Name of mining functions used to gather public keys and hostnames
# (the default values are shown here)
mine_keys_function: public_ssh_host_keys
mine_hostname_function: public_ssh_hostname
# List of DNS entries also pointing to our managed machines and that we want
# to inject in our generated ssh_known_hosts file
aliases:
- cname-to-minion.example.org
- alias.example.org
# Includes short hostnames derived from the FQDN
# (host.example.test -> host)
# (Deactivated by default, because there can be collisions!)
hostnames: False
#hostnames:
# Restrict wich hosts you want to use via their hostname
# (i.e. ssh user@host instead of ssh user@host.example.com)
# target: '*' # Defaults to "*.{{ grains['domain']}}"
# tgt_type: 'glob'
# To activate the defaults you can just set an empty dict.
#hostnames: {}
# Include localhost, 127.0.0.1 and ::1 (default: False)
include_localhost: False
# Host keys fetched via salt-ssh
salt_ssh:
# The salt-ssh user
user: salt-master
# specify public host names of a minion
public_ssh_host_names:
minion.id:
- minion.id
- alias.of.minion.id
# specify public host keys of a minion
public_ssh_host_keys:
minion.id: |
ssh-rsa [...]
ssh-ed25519 [...]
# Here you can list keys for hosts which are not among your minions:
static:
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
# specify DH parameters (see /etc/ssh/moduli)
moduli: |
# Time Type Tests Tries Size Generator Modulus
20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
# ALTERNATIVELY, specify the location of the moduli file. Examples:
#moduli_source: http://some.server.somewhere/salt/moduli
#moduli_source: salt://files/ssh/moduli
# If moduli is specified, moduli_source will be ignored.
# Also, a proper hash file *must* be included in the same path. E.g.:
# http://some.server.somewhere/salt/moduli.hash
# salt://files/ssh/moduli.hash
# These will be automatically referenced to by the ssh_moduli state.
# Required for openssh.known_hosts
mine_functions:
public_ssh_host_keys:
mine_function: cmd.run
cmd: cat /etc/ssh/ssh_host_*_key.pub
python_shell: True
public_ssh_hostname:
mine_function: grains.get
key: id