author | Fredrik Thulin <fredrik@thulin.net> | 2014-02-27 10:52:15 +0100 |
---|---|---|
committer | Fredrik Thulin <fredrik@thulin.net> | 2014-02-27 10:52:15 +0100 |
commit | baffa6e766cb7b69454f9d833e670003e6a8646f (patch) | |
tree | 84ed3124297b5e7d471aebc3ff92b00946f04893 | |
parent | 4e2859018cc13954c88c6f13a5d03e12545a009c (diff) |
some sshd_config hardening from eduid-opssunet-ops-2014-02-27-v04
-rw-r--r-- | global/overlay/etc/puppet/modules/sunet/manifests/server.pp | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
index 72d8d49..875dc69 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
@@ -19,4 +19,22 @@ define sunet::server() {
 # proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
 # }
+ include augeas
+ augeas { "sshd_config":
+ context => "/files/etc/ssh/sshd_config",
+ changes => [
+ "set PasswordAuthentication no",
+ "set X11Forwarding no",
+ "set LogLevel VERBOSE", # log pubkey used for root login
+ ],
+ notify => Service['ssh'],
+ } ->
+ file_line {
+ 'no_sftp_subsystem':
+ path => '/etc/ssh/sshd_config',
+ match => 'Subsystem sftp /usr/lib/openssh/sftp-server',
+ line => '#Subsystem sftp /usr/lib/openssh/sftp-server',
+ notify => Service['ssh'],
+ }
+ } |
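Review bot: The `file_line { 'no_sftp_subsystem': ... }` resource only disables SFTP when sshd_config contains exactly `Subsystem sftp /usr/lib/openssh/sftp-server` with single spaces; if the installed file uses tabs or a different sftp-server path, `match` never fires, file_line appends the `#Subsystem ...` comment at the end of the file, the run reports success, and the real Subsystem line stays active. `match` is a regex, so a more tolerant pattern that still matches `line` (stdlib's file_line may require that) would be `match => '^#?Subsystem\s+sftp\s+/usr/lib/openssh/sftp-server',`. In the augeas `changes` list, `"set PasswordAuthentication no"` alone does not stop password logins on hosts where ChallengeResponseAuthentication is left at `yes` and PAM offers keyboard-interactive; unless the base image already sets it, add `"set ChallengeResponseAuthentication no",` next to it. The enclosing define `sunet::server` starts above the hunk, so whether `Service['ssh']` is declared in scope cannot be checked here.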