OP#575 fix params

2026-04-14 11:48:37 +02:00
parent 738a0efbc7
commit 2f7d9cc812
3 changed files with 12 additions and 4 deletions
--- a/manifests/main/dirs.pp
+++ b/manifests/main/dirs.pp
@@ -12,7 +12,7 @@ class confdroid_ssh::main::dirs (
    path     => $ssh_etc_path,
    owner    => $sshd_user,
    group    => $sshd_user,
-    mode     => '0700',
+    mode     => '0755',
    selrange => s0,
    selrole  => object_r,
    seltype  => etc_t,
@@ -23,7 +23,7 @@ class confdroid_ssh::main::dirs (
    ensure   => directory,
    owner    => $sshd_user,
    group    => $sshd_user,
-    mode     => '0700',
+    mode     => '0755',
    selrange => s0,
    selrole  => object_r,
    seltype  => etc_t,
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -190,6 +190,12 @@
 #   display a custom banner message to users when they connect. This can be used
 #   to display legal notices, security warnings, or other information to users when
 #   they connect to the SSH server.
+# @param [String] ssh_login_grace_time setting for sshd_config.
+#   Default is '2m', which means that users have 2 minutes to successfully
+#   authenticate before the server disconnects them, but can be set to a different
+#   time interval if desired. This setting can be used to limit the amount of time
+#   that attackers have to attempt to brute-force authentication, but should be set
+#   to a reasonable value to avoid disconnecting legitimate users who may need more time to log
 ##############################################################################
 class confdroid_ssh::params (

@@ -206,6 +212,7 @@ class confdroid_ssh::params (
  Boolean $ssh_manage_config                = true,
  String  $ssh_address_family               = 'any',
  String  $ssh_listen_address               = '0.0.0.0',
+  String  $ssh_login_grace_time             = '2m',
  String  $ssh_root_login                   = 'prohibit-password',
  String  $ssh_strict_modes                 = 'yes',
  String  $ssh_max_auth_tries               = '6',
@@ -220,9 +227,9 @@ class confdroid_ssh::params (
  String  $ssh_rekeylimit                   = 'default none',
  String  $ssh_syslog_facility              = 'AUTH',
  String  $ssh_log_level                    = 'INFO',
-  String  $ssh_password_authentication      = 'no',
+  String  $ssh_password_authentication      = 'yes',
  String  $ssh_permit_empty_passwords       = 'no',
-  String  $ssh_kbd_interactive_auth         = 'no',
+  String  $ssh_kbd_interactive_auth         = 'yes',
  Boolean $ssh_use_kerberos                 = false,
  String  $ssh_kerberos_authentication      = 'yes',
  String  $ssh_kerberos_or_local_passwd     = 'yes',
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -16,6 +16,7 @@ RekeyLimit <%= @ssh_rekeylimit %>
 SyslogFacility <%= @ssh_syslog_facility %>
 LogLevel <%= @ssh_log_level %>

+LoginGraceTime <%= @ssh_login_grace_time %>
 PermitRootLogin <%= @ssh_root_login %>
 StrictModes <%= @ssh_strict_modes %>
 MaxAuthTries <%= @ssh_max_auth_tries %>