From baffa6e766cb7b69454f9d833e670003e6a8646f Mon Sep 17 00:00:00 2001
From: Fredrik Thulin
Date: Thu, 27 Feb 2014 10:52:15 +0100
Subject: some sshd_config hardening from eduid-ops

---
 .../etc/puppet/modules/sunet/manifests/server.pp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
index 72d8d49..875dc69 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
@@ -19,4 +19,22 @@ define sunet::server() {
 # proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
 # }
+ include augeas
+ augeas { "sshd_config":
+ context => "/files/etc/ssh/sshd_config",
+ changes => [
+ "set PasswordAuthentication no",
+ "set X11Forwarding no",
+ "set LogLevel VERBOSE", # log pubkey used for root login
+ ],
+ notify => Service['ssh'],
+ } ->
+ file_line {
+ 'no_sftp_subsystem':
+ path => '/etc/ssh/sshd_config',
+ match => 'Subsystem sftp /usr/lib/openssh/sftp-server',
+ line => '#Subsystem sftp /usr/lib/openssh/sftp-server',
+ notify => Service['ssh'],
+ }
+ }
-- 
cgit v1.1
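Review bot: The `match` on the new file_line resource is an unanchored regex tied to one sftp-server path, so on a host whose sshd_config carries `Subsystem sftp internal-sftp` or a different binary location nothing matches, the commented `line` is simply appended, and the sftp subsystem stays enabled with no failure reported; matching the directive rather than the path, `match => '^\s*Subsystem\s+sftp\b'`, keeps the intended disable effective across layouts (and since augeas is already driving this file, a `"rm Subsystem/sftp"` entry in `changes` would avoid the text match entirely — worth checking against the sshd lens shipped with the augeas version in use). Setting only `PasswordAuthentication no` leaves keyboard-interactive/PAM password prompts governed by the distribution default, so adding `"set ChallengeResponseAuthentication no"` to the same `changes` list would make the hardening independent of that default, and given the `LogLevel VERBOSE` comment expects key-based root logins, `"set PermitRootLogin without-password"` would state that policy explicitly rather than leave it to the default. `Service['ssh']` is notified by both resources but not declared in this hunk, and the enclosing `define sunet::server()` begins outside it.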