-
Notifications
You must be signed in to change notification settings - Fork 295
/
pillar.example
401 lines (387 loc) · 14.8 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
sshd_config:
# This keyword is totally optional
ConfigBanner: |
# Alternative banner for the config file
# (Indented) hash signs lose their special meaning here
# and the lines will be written as-is.
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
SyslogFacility: AUTH
LogLevel: INFO
ClientAliveInterval: 0
ClientAliveCountMax: 3
LoginGraceTime: 120
PermitRootLogin: 'yes'
PasswordAuthentication: 'no'
StrictModes: 'yes'
MaxAuthTries: 6
MaxSessions: 10
PubkeyAuthentication: 'yes'
AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
AuthorizedKeysCommandUser: 'nobody'
IgnoreRhosts: 'yes'
HostbasedAuthentication: 'no'
PermitEmptyPasswords: 'no'
ChallengeResponseAuthentication: 'no'
AuthenticationMethods: 'publickey'
AuthorizedKeysFile: '%h/.ssh/authorized_keys'
X11Forwarding: 'no'
X11DisplayOffset: 10
PrintMotd: 'yes'
PrintLastLog: 'yes'
TCPKeepAlive: 'yes'
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: 'yes'
UseDNS: 'yes'
# set as string
# AllowUsers: '[email protected] [email protected] sidious luke'
# or set as list
AllowUsers:
- sidious
- luke
# set as string
# DenyUsers: 'yoda [email protected]'
# or set as list
DenyUsers:
- yoda
# set as string
# AllowGroups: 'wheel staff imperial'
# or set as list
AllowGroups:
- wheel
- staff
- imperial
# set as string
# DenyGroups: 'rebel'
# or set as list
DenyGroups:
- rebel
- badcompany
matches:
sftp_chroot:
type:
Group: sftpusers
options:
ChrootDirectory: /sftp-chroot/%u
X11Forwarding: 'no'
AllowTcpForwarding: 'no'
ForceCommand: internal-sftp
# Supports complex compound matches in Match criteria. For example, be able
# to match against multiple Users for a given Match, or be able to match
# against address ranges. Or Groups. Or any combination thereof.
#
# Support for matching users can take one of several different appearances
# in pillar data:
match_1:
type:
User: one_user
options:
ChrootDirectory: /ex/%u
match_2:
type:
User:
- jim
- bob
- sally
options:
ChrootDirectory: /ex/%u
# Note the syntax of match_3. By using empty dicts for each user, we can
# leverage Salt's pillar mergine. If we use simple lists, we cannot do
# this; Salt can't merge simple lists, because it doesn't know what order
# they ought to be in.
match_3:
type:
User:
jim: ~
bob: ~
sally: ~
options:
ChrootDirectory: /ex/%u
# yamllint disable rule:line-length
# Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
# The configuration given in the example below is based on:
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# KexAlgorithms: '[email protected],diffie-hellman-group-exchange-sha256'
# MACs: '[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]'
# yamllint enable rule:line-length
KexAlgorithms:
- 'diffie-hellman-group-exchange-sha256'
Ciphers:
- 'aes256-ctr'
- 'aes192-ctr'
- 'aes128-ctr'
MACs:
- 'hmac-sha2-512'
- 'hmac-sha2-256'
# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
# pillar will overwrite the defaults of your distribution's SSH client. This
# will also force the default configuration for all the SSH clients on the
# machine. This can break SSH connections with servers using older versions of
# openssh. Please make sure you understand the implication of different settings
ssh_config:
Hosts:
'*':
StrictHostKeyChecking: 'no'
ForwardAgent: 'no'
ForwardX11: 'no'
RhostsRSAAuthentication: 'no'
RSAAuthentication: 'yes'
PasswordAuthentication: 'yes'
HostbasedAuthentication: 'no'
GSSAPIAuthentication: 'no'
GSSAPIDelegateCredentials: 'no'
BatchMode: 'yes'
CheckHostIP: 'yes'
AddressFamily: 'any'
ConnectTimeout: 0
IdentityFile: '~/.ssh/id_rsa'
Port: 22
Protocol: 2
Cipher: '3des'
Tunnel: 'no'
TunnelDevice: 'any:any'
PermitLocalCommand: 'no'
VisualHostKey: 'no'
# yamllint disable rule:line-length
# Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
# WARNING! Please make sure you understand the implications of the below
# settings. The examples provided below might break your connection to older /
# legacy openssh servers.
# The configuration given in the example below is based on:
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
# KexAlgorithms: '[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
# MACs: '[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]'
# yamllint enable rule:line-length
KexAlgorithms:
- 'diffie-hellman-group-exchange-sha256'
- 'diffie-hellman-group-exchange-sha1'
- 'diffie-hellman-group14-sha1'
Ciphers:
- 'aes256-ctr'
- 'aes192-ctr'
- 'aes128-ctr'
MACs:
- 'hmac-sha2-512'
- 'hmac-sha2-256'
openssh:
# Instead of adding a custom banner file you can set it in pillar
banner_string: |
Welcome to {{ grains['id'] }}!
# Set installed package version
server_version: latest
client_version: latest
# Controls if SSHD should be enabled/started
sshd_enable: true
auth:
joe-valid-ssh-key-desktop:
- user: joe
present: true
enc: ssh-rsa
comment: main key - desktop
source: salt://ssh_keys/joe.desktop.pub
joe-valid-ssh-key-notebook:
- user: joe
present: true
enc: ssh-rsa
comment: main key - notebook
source: salt://ssh_keys/joe.netbook.pub
joe-non-valid-ssh-key:
- user: joe
present: false
enc: ssh-rsa
comment: obsolete key - removed
source: salt://ssh_keys/joe.no-valid.pub
# Maps users to source files
# Designed to play nice with ext_pillar
# salt.states.ssh_auth: If source is set, comment and enc will be ignored
auth_map:
personal_keys: # store name
source: salt://ssh_keys
users:
joe:
joe.desktop: {}
joe.netbook:
options: [] # see salt.states.ssh_auth.present
joe.no-valid:
present: false
generate_dsa_keys: false
absent_dsa_keys: false
provide_dsa_keys: false
dsa:
private_key: |
-----BEGIN DSA PRIVATE KEY-----
NOT_DEFINED
-----END DSA PRIVATE KEY-----
public_key: |
ssh-dss NOT_DEFINED
generate_ecdsa_keys: false
absent_ecdsa_keys: false
provide_ecdsa_keys: false
ecdsa:
private_key: |
-----BEGIN EC PRIVATE KEY-----
NOT_DEFINED
-----END EC PRIVATE KEY-----
public_key: |
ecdsa-sha2-nistp256 NOT_DEFINED
generate_rsa_keys: false
generate_rsa_size: 4096
# Will remove the old key if it is to short and generate a new one.
enforce_rsa_size: false
absent_rsa_keys: false
provide_rsa_keys: false
rsa:
private_key: |
-----BEGIN RSA PRIVATE KEY-----
NOT_DEFINED
-----END RSA PRIVATE KEY-----
public_key: |
ssh-rsa NOT_DEFINED
generate_ed25519_keys: false
absent_ed25519_keys: false
provide_ed25519_keys: false
ed25519:
private_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
NOT_DEFINED
-----END OPENSSH PRIVATE KEY-----
public_key: |
ssh-ed25519 NOT_DEFINED
known_hosts:
# The next 2 settings restrict the set of minions that will be added in
# the generated ssh_known_hosts files (the default is to match all minions)
target: '*'
tgt_type: 'glob'
# Name of mining functions used to gather public keys and hostnames
# (the default values are shown here)
mine_keys_function: public_ssh_host_keys
mine_hostname_function: public_ssh_hostname
# List of DNS entries also pointing to our managed machines and that we want
# to inject in our generated ssh_known_hosts file
aliases:
- cname-to-minion.example.org
- alias.example.org
# Includes short hostnames derived from the FQDN
# (host.example.test -> host)
# (Deactivated by default, because there can be collisions!)
hostnames: false
# hostnames:
# Restrict wich hosts you want to use via their hostname
# (i.e. ssh user@host instead of ssh [email protected])
# target: '*' # Defaults to "*.{{ grains['domain']}}"
# tgt_type: 'glob'
# To activate the defaults you can just set an empty dict.
# hostnames: {}
# Include localhost, 127.0.0.1 and ::1 (default: false)
include_localhost: false
# Host keys fetched via salt-ssh
salt_ssh:
# The salt-ssh user
user: salt-master
# specify public host names of a minion
public_ssh_host_names:
minion.id:
- minion.id
- alias.of.minion.id
# specify public host keys of a minion
public_ssh_host_keys:
minion.id: |
ssh-rsa [...]
ssh-ed25519 [...]
# Here you can list keys for hosts which are not among your minions:
static:
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
# Prevent an ever-changing ssh_known_hosts file caused by a domain which
# is served from multiple IP addresses.
# To disable completely:
# omit_ip_address: true
# Or to disable by specific hosts:
omit_ip_address:
- github.com
# yamllint disable rule:line-length
# specify DH parameters (see /etc/ssh/moduli)
moduli: |
# Time Type Tests Tries Size Generator Modulus
20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
# yamllint enable rule:line-length
# ALTERNATIVELY, specify the location of the moduli file. Examples:
# moduli_source: http://some.server.somewhere/salt/moduli
# moduli_source: salt://files/ssh/moduli
# If moduli is specified, moduli_source will be ignored.
# Also, a proper hash file *must* be included in the same path. E.g.:
# http://some.server.somewhere/salt/moduli.hash
# salt://files/ssh/moduli.hash
# These will be automatically referenced to by the ssh_moduli state.
tofs:
# The files_switch key serves as a selector for alternative
# directories under the formula files directory. See TOFS pattern
# doc for more info.
# Note: Any value not evaluated by `config.get` will be used literally.
# This can be used to set custom paths, as many levels deep as required.
# files_switch:
# - any/path/can/be/used/here
# - id
# - role
# - osfinger
# - os
# - os_family
# All aspects of path/file resolution are customisable using the options below.
# This is unnecessary in most cases; there are sensible defaults.
# path_prefix: template_alt
# dirs:
# files: files_alt
# default: default_alt
source_files:
manage ssh_known_hosts file:
- alt_ssh_known_hosts
sshd_config:
- alt_sshd_config
ssh_config:
- alt_ssh_config
sshd_banner:
- fire_banner
# Required for openssh.known_hosts
mine_functions:
public_ssh_host_keys:
mine_function: cmd.run
cmd: cat /etc/ssh/ssh_host_*_key.pub
python_shell: true
public_ssh_hostname:
mine_function: grains.get
key: id