forked from Controls/gitea-pages
add howto for sshd config - removed some old files
@@ -1,37 +0,0 @@
|
||||
``profile::ssh_client``
|
||||
=======================
|
||||
|
||||
This profile configures '/etc/ssh/ssh_known_hosts' :manpage:`sshd(8)`.
|
||||
PSI CA key is added to the 'ssh_known_hosts', in this manner we allow
|
||||
PSI servers to SSH to this host.
|
||||
|
||||
|
||||
Parameters
|
||||
----------
|
||||
|
||||
====================== ======== =============================================
|
||||
**Name** **Type** **Default**
|
||||
---------------------- -------- ---------------------------------------------
|
||||
canonicalize_hostname bool hiera('ssh_client::canonicalize_hostname')
|
||||
forward_x11 bool hiera('ssh_client::forward_x11')
|
||||
try_host_trust bool hiera('ssh_client::try_host_trust', false)
|
||||
====================== ======== =============================================
|
||||
|
||||
|
||||
``canonicalize_hostname``
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Determines whether or not hostnames are canonicalized for ``psi.ch``. See
|
||||
:manpage:`ssh_config(5)` for details.
|
||||
|
||||
|
||||
``foward_x11``
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
Determines whether ``ForwardX11`` and ``ForwardX11Trusted`` should be enabled.
|
||||
|
||||
|
||||
``try_host_trust``
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Determines whether the ssh client attemps to authenticate using `HostbasedAuthentication``
|
||||
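Review bot: No replacement for this `profile::ssh_client` parameter reference is visible in the commit, so once the file is gone `canonicalize_hostname`, `forward_x11` and `try_host_trust` are undocumented unless the new howto covers them; please confirm it does, or keep this file. `try_host_trust` matters most, because it controls whether the client attempts `HostbasedAuthentication` and its default of `false` is only stated in the table removed here. If the text is carried over, the intro sentence about the PSI CA key in `ssh_known_hosts` should say which direction of trust it sets up, since it sits in the client profile but cites `sshd(8)` and speaks of servers connecting to this host. The misspelled heading `foward_x11` and the unbalanced backticks around `HostbasedAuthentication` should be fixed in the same move.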
@@ -1,63 +0,0 @@
|
||||
``profile::ssh_server``
|
||||
=======================
|
||||
|
||||
This profile configures :manpage:`sshd(8)`.
|
||||
|
||||
|
||||
Parameters
|
||||
----------
|
||||
|
||||
==================== ======== =============================================
|
||||
**Name** **Type** **Default**
|
||||
-------------------- -------- ---------------------------------------------
|
||||
enable_public_key bool hiera('ssh_server::enable_public_key', true)
|
||||
enable_gssapi bool hiera('ssh_server::enable_gssapi')
|
||||
permit_root_login string hiera('ssh_server::permit_root_login')
|
||||
trusted_user_ca_keys list hiera('ssh_server::trusted_user_ca_keys', [])
|
||||
user_ca_keys hash hiera('ssh_server::user_ca_keys', {})
|
||||
banner_file string hiera('ssh_server::banner_file', undef),
|
||||
aliases list hiera_array('ssh_server::aliases', []),
|
||||
==================== ======== =============================================
|
||||
|
||||
``enable_public_key``
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
A boolean determining whether public key authentication is enabled or not for normal users.
|
||||
|
||||
Note that ``root`` is still allowed to connect using public key authentication. Here you may block root login with ``ssh_server::permit_root_login`` or restrict from where to allow root login (see bastion hosts ``aaa::bastions`` and ``aaa::use_bastions``).
|
||||
|
||||
|
||||
``enable_gssapi``
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
A boolean determining whether GSSAPI authentication is enabled or not.
|
||||
|
||||
|
||||
``permit_root_login``
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Sets ``PermitRootLogin`` in the sshd configuration file.
|
||||
|
||||
|
||||
``trusted_user_ca_keys``
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
An array containing the user CA keys that will be accepted (as understood by the
|
||||
``TrustedUserCAKeys`` directive in :manpage:`sshd_config(5)`).
|
||||
|
||||
|
||||
``user_ca_keys``
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
A hash containing the actual keys to be referenced by `trusted_user_ca_keys`_.
|
||||
|
||||
``banner_file``
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
Where to find a custom banner file on the system.
|
||||
|
||||
``aliases``
|
||||
~~~~~~~~~~~
|
||||
|
||||
Adds alternative names/aliases under which this system can be reached too to the principal list of the SSH server host key certificate.
|
||||
|
||||
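Review bot: The note under `enable_public_key`, that `root` is still allowed to connect using public key authentication when it is disabled for normal users, is a security-relevant caveat that disappears with this file; carry it into the new sshd howto together with the pointers to `ssh_server::permit_root_login`, `aaa::bastions` and `aaa::use_bastions`. The same applies to the relationship between `trusted_user_ca_keys` and `user_ca_keys` (the list references keys held in the hash), which is not obvious from the parameter names alone. In the table, `enable_gssapi` and `permit_root_login` are looked up without a fallback value, so the replacement documentation should state what is expected when those Hiera keys are unset.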