``profile::ssh_server``
=======================

This profile configures :manpage:`sshd(8)`.


Parameters
----------

==================== ======== =============================================
**Name**             **Type** **Default**
-------------------- -------- ---------------------------------------------
enable_public_key    bool     hiera('ssh_server::enable_public_key', true)
enable_gssapi        bool     hiera('ssh_server::enable_gssapi')
permit_root_login    string   hiera('ssh_server::permit_root_login')
trusted_user_ca_keys list     hiera('ssh_server::trusted_user_ca_keys', [])
user_ca_keys         hash     hiera('ssh_server::user_ca_keys', {})
==================== ======== =============================================


``enable_public_key``
~~~~~~~~~~~~~~~~~~~~~

A boolean determining whether public key authentication is enabled for normal users.

Note that ``root`` is still allowed to connect using public key authentication. To block root login, use ``ssh_server::permit_root_login``; to restrict where root may log in from, see the bastion host settings ``aaa::bastions`` and ``aaa::use_bastions``.


``enable_gssapi``
~~~~~~~~~~~~~~~~~

A boolean determining whether GSSAPI authentication is enabled or not.


``permit_root_login``
~~~~~~~~~~~~~~~~~~~~~

Sets ``PermitRootLogin`` in the sshd configuration file.


``trusted_user_ca_keys``
~~~~~~~~~~~~~~~~~~~~~~~~

An array containing the user CA keys that will be accepted (as understood by the
``TrustedUserCAKeys`` directive in :manpage:`sshd_config(5)`).


``user_ca_keys``
~~~~~~~~~~~~~~~~

A hash containing the actual keys to be referenced by `trusted_user_ca_keys`_.

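
To check a rendered configuration against these parameters, the following added example (not part of this profile's own code) parses ``sshd_config`` text with sshd's first-value-wins rule and reports whether ``root`` can still authenticate by public key. The sample configuration, the CA file path and the ``Match User root`` block are constructed assumptions about what the profile might render.

```python
import re

# Directives (sshd_config(5)) behind this profile's parameters. That
# enable_public_key and enable_gssapi map to the first two is an assumption.
WATCHED = {"pubkeyauthentication", "gssapiauthentication",
           "permitrootlogin", "trustedusercakeys"}
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

# Constructed sample, not output of the real profile.
SAMPLE = """\
# enable_public_key set to false for normal users
PubkeyAuthentication no
GSSAPIAuthentication yes
PermitRootLogin without-password
TrustedUserCAKeys /etc/ssh/user_ca.pub
PubkeyAuthentication yes
Match User root
    PubkeyAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global_settings, match_blocks) for the watched directives.

    Keywords are case-insensitive and sshd keeps the first value it reads
    for a keyword. Lines after a Match line belong to that block until the
    next Match line or the end of the file.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        elif key in WATCHED:
            current.setdefault(key, value)   # first value wins
    return global_settings, match_blocks

def root_pubkey_allowed(text):
    """True if root can still authenticate with a public key.

    Simplification: only a literal "Match User root" block is considered.
    """
    global_settings, blocks = parse_sshd_config(text)
    override = {}
    for criteria, settings in blocks:
        if criteria.lower().split() == ["user", "root"]:
            for key, value in settings.items():
                override.setdefault(key, value)
    effective = {**global_settings, **override}
    if effective.get("permitrootlogin", "prohibit-password").lower() == "no":
        return False
    return effective.get("pubkeyauthentication", "yes").lower() == "yes"
```

On a live host, ``sshd -T`` prints the effective configuration and is the authoritative check; this parser is for reviewing rendered files offline.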