From ceeb28aa1fce1988c834047ef64ac63553148472 Mon Sep 17 00:00:00 2001
From: 12ww1160 <12ww1160@confdroid.com>
Date: Mon, 13 Apr 2026 15:51:49 +0200
Subject: [PATCH] OP#575 add more params
---
 manifests/params.pp | 109 +++++++++++++++++++++++++++++++++
 templates/sshd_custom_conf.erb | 21 +++++++
 2 files changed, 130 insertions(+)
diff --git a/manifests/params.pp b/manifests/params.pp
index 5c862f1..7eb6436 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -95,6 +95,95 @@
 # related to PasswordAuthentication and KbdInteractiveAuthentication, and
 # should be set to 'yes' only if you want to use PAM for authentication
 # together with those settings.
+# @param [String] ssh_allow_agent_forwarding setting for sshd_config.
+# Default is 'yes', which allows SSH agent forwarding, but can be set to 'no'
+# if you want to disable this feature for security reasons.
+# @param [String] ssh_allow_tcp_forwarding setting for sshd_config.
+# Default is 'yes', which allows TCP forwarding, but can be set to 'no'
+# if you want to disable this feature for security reasons.
+# @param [String] ssh_gateway_ports setting for sshd_config.
+# Default is 'no', which means that remote hosts cannot connect to
+# forwarded ports, but can be set to 'yes' or 'clientspecified' if you want
+# to allow remote hosts to connect to forwarded ports. This setting should
+# be used with caution if enabled, as it can introduce security risks.
+# @param [String] ssh_x11_forwarding setting for sshd_config.
+# Default is 'no', which disables X11 forwarding, but can be set to 'yes'
+# if you want to allow X11 forwarding. This setting should be used with
+# caution if enabled.
+# @param [String] ssh_x11_display_offset setting for sshd_config.
+# Default is '10'. This setting is only relevant if X11 forwarding is
+# enabled, and specifies the first display number available for X11
+# forwarding. The default of '10' means that the first forwarded display
+# will be :10, the second will be :11, and so on. This setting can be
+# adjusted if you want to use a different range of display numbers for
+# X11 forwarding.
+# @param [String] ssh_x11_use_localhost setting for sshd_config.
+# Default is 'yes', which means that X11 forwarding will only be
+# available on the loopback interface, but can be set to 'no' if you want
+# to allow X11 forwarding on all network interfaces.
+# @param [String] ssh_permit_tty setting for sshd_config.
+# Default is 'yes', which allows TTY allocation, but can be set to 'no'
+# if you want to disable TTY allocation.
+# @param [String] ssh_print_motd setting for sshd_config.
+# Default is 'yes', which means that the message of the day will be printed
+# when users log in, but can be set to 'no' if you want to disable this feature.
+# @param [String] ssh_print_lastlog setting for sshd_config.
+# Default is 'yes', which means that the last login information will be printed
+# when users log in, but can be set to 'no' if you want to disable this feature.
+# @param [String] ssh_tcp_keepalive setting for sshd_config.
+# Default is 'yes', which means that TCP keepalive messages will be sent, but
+# can be set to 'no' if you want to disable this feature. This setting can
+# be useful to disable if you have issues with dropped connections, but in
+# general it is recommended to keep it enabled.
+# @param [String] ssh_permit_user_environment setting for sshd_config.
+# Default is 'no', which means that user environment variables will not be
+# processed, but can be set to 'yes' if you want to allow users to specify
+# environment variables in their ~/.ssh/environment file.
+# @param [String] ssh_compression setting for sshd_config.
+# Default is 'delayed', which means that compression will be enabled after
+# successful authentication, but can be set to 'yes' if you want to enable
+# compression from the start of the connection. The 'delayed' setting is a
+# good compromise that allows for faster authentication while still providing
+# the benefits of compression for the rest of the session.
+# @param [String] ssh_client_alive_interval setting for sshd_config.
+# Default is '0', which means that no keepalive messages will be sent by the
+# server, but can be set to a positive integer to specify the interval in seconds
+# between keepalive messages sent by the server to the client. This can be useful
+# to detect and close stale connections, but should be used with caution as it can
+# cause unexpected disconnections if set too aggressively.
+# @param [String] ssh_client_alive_count_max setting for sshd_config.
+# Default is '3'. This setting is only relevant if ssh_client_alive_interval is set
+# to a positive integer, and specifies the number of consecutive keepalive messages
+# that can be sent without receiving a response from the client before the server
+# considers the connection to be stale and disconnects it.
+# @param [String] ssh_use_dns setting for sshd_config.
+# Default is 'no', which means that the server will not perform DNS lookups on
+# connecting clients, but can be set to 'yes' if you want the server to
+# perform DNS lookups. Disabling DNS lookups can improve connection times
+# and reduce the risk of DNS spoofing attacks, so it is generally
+# recommended to keep this setting disabled unless you have a specific need for it.
+# @param [String] ssh_pid_file setting for sshd_config.
+# Default is '/var/run/sshd.pid', which is the common location for the
+# sshd PID file, but can be set to a different path if desired.
+# This setting specifies the location of the sshd PID file.
+# @param [String] ssh_max_startups setting for sshd_config.
+# Default is '10:30:100', which means that the server will allow up to 10
+# concurrent unauthenticated connections, and will start dropping connections
+# with a probability that increases linearly.
+# @param [String] ssh_permit_tunnel setting for sshd_config.
+# Default is 'no', which means that tunneling is not allowed, but can be
+# set to 'yes' if you want to allow tunneling, or 'point-to-point' to allow
+# only point-to-point tunneling. This setting should be used with caution if enabled.
+# @param [String] ssh_chroot_directory setting for sshd_config.
+# Default is 'none', which means that no chroot directory will be used, but
+# can be set to a valid directory path if you want to use chroot for SSH
+# sessions.
+# @param [String] ssh_version_addendum setting for sshd_config.
+# Default is 'none', which means that no version addendum will be included in
+# the SSH banner, but can be set to a custom string if you want to include
+# additional information in the SSH version banner. This can be used for
+# branding purposes, but should be used with caution as it can potentially
+# leak information about the server that could be useful to attackers.
 ##############################################################################
 class confdroid_ssh::params (
@@ -140,6 +229,26 @@ class confdroid_ssh::params (
 String $ssh_gssapi_key_exchange = 'no',
 String $ssh_gssapi_enablek5users = 'no',
 String $ssh_use_pam = 'no',
+ String $ssh_allow_agent_forwarding = 'yes',
+ String $ssh_allow_tcp_forwarding = 'yes',
+ String $ssh_gateway_ports = 'no',
+ String $ssh_x11_forwarding = 'no',
+ String $ssh_x11_display_offset = '10',
+ String $ssh_x11_use_localhost = 'yes',
+ String $ssh_permit_tty = 'yes',
+ String $ssh_print_motd = 'yes',
+ String $ssh_print_lastlog = 'yes',
+ String $ssh_tcp_keepalive = 'yes',
+ String $ssh_permit_user_environment = 'no',
+ String $ssh_compression = 'delayed',
+ String $ssh_client_alive_interval = '0',
+ String $ssh_client_alive_count_max = '3',
+ String $ssh_use_dns = 'no',
+ String $ssh_pid_file = '/var/run/sshd.pid',
+ String $ssh_max_startups = '10:30:100',
+ String $ssh_permit_tunnel = 'no',
+ String $ssh_chroot_directory = 'none',
+ String $ssh_version_addendum = 'none',
 ) {
 # default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index 4781f08..453bc98 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
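Review bot: The `ssh_compression` text in this hunk describes `'delayed'` as deferring compression until after authentication, but OpenSSH 7.4 and later removed pre-authentication compression and treat `'delayed'` as a synonym for `'yes'`, so the "good compromise" sentences no longer describe a real difference on current servers; suggest replacing them with `# 'delayed' is accepted for compatibility and is equivalent to 'yes' on OpenSSH 7.4+; set to 'no' to disable compression.` The `ssh_permit_user_environment` entry would also benefit from the caveat sshd_config(5) attaches to that keyword, e.g. `# Enabling this can let users bypass access restrictions in some configurations (for example via LD_PRELOAD); keep 'no' unless a specific need exists.` Both are comment-only changes and do not affect the rendered configuration.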
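Review bot: Every new parameter in this hunk is typed `String`, so a typo such as 'yess' or an empty value is interpolated into sshd_config verbatim and only surfaces when sshd fails to reload, while a value containing a newline would silently add further directives to the file. This matches the module's existing `String $ssh_use_pam = 'no'` convention, so narrowing is a policy choice, but Puppet's `Enum`/`Pattern` types catch such values at catalog compile time without changing the accepted defaults, e.g. `Enum['yes','no'] $ssh_allow_agent_forwarding = 'yes'`, `Enum['yes','no','clientspecified'] $ssh_gateway_ports = 'no'`, `Pattern[/\A\d+(:\d+:\d+)?\z/] $ssh_max_startups = '10:30:100'`. Note that `ssh_allow_tcp_forwarding` also accepts 'local', 'remote' and 'all', and `ssh_permit_tunnel` accepts 'ethernet', so those enums need the full keyword set rather than just yes/no. The enclosing class body continues past the end of the hunk.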
@@ -47,3 +47,24 @@ GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
 GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
 GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
 <% end -%>
+
+AllowAgentForwarding <%= @ssh_allow_agent_forwarding %>
+AllowTcpForwarding <%= @ssh_allow_tcp_forwarding %>
+GatewayPorts <%= @ssh_gateway_ports %>
+X11Forwarding <%= @ssh_x11_forwarding %>
+X11DisplayOffset <%= @ssh_x11_display_offset %>
+X11UseLocalhost <%= @ssh_x11_use_localhost %>
+PermitTTY <%= @ssh_permit_tty %>
+PrintMotd <%= @ssh_print_motd %>
+PrintLastLog <%= @ssh_print_lastlog %>
+TCPKeepAlive <%= @ssh_tcp_keepalive %>
+PermitUserEnvironment <%= @ssh_permit_user_environment %>
+Compression <%= @ssh_compression %>
+ClientAliveInterval <%= @ssh_client_alive_interval %>
+ClientAliveCountMax <%= @ssh_client_alive_count_max %>
+UseDNS <%= @ssh_use_dns %>
+PidFile <%= @ssh_pid_file %>
+MaxStartups <%= @ssh_max_startups %>
+PermitTunnel <%= @ssh_permit_tunnel %>
+ChrootDirectory <%= @ssh_chroot_directory %>
+VersionAddendum <%= @ssh_version_addendum %>
\ No newline at end of file
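Review bot: The twenty directives are appended after the `<% end -%>` that closes the GSSAPI block, and in sshd_config any keyword that follows a `Match` line is scoped to that block until the next `Match`; the first 46 lines of the template are outside this hunk, so if a `Match` block precedes this point these would become conditional settings rather than the global defaults the parameter docs describe — worth confirming, or placing the block ahead of any `Match`. The new file also ends without a trailing newline (`\ No newline at end of file`), leaving `VersionAddendum <%= @ssh_version_addendum %>` as the last bytes of the rendered config; sshd reads it, but an empty line after that directive keeps the file safe for anything that later appends to it. `ChrootDirectory` and `VersionAddendum` are rendered unconditionally, which is fine because 'none' is the sshd keyword for "unset", though as with the other lines the value passes through unquoted and unvalidated, so the String typing on the params side is what decides what can reach sshd here.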