aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorduritong <peter.meier+github@immerda.ch>2014-01-25 06:19:05 -0800
committerduritong <peter.meier+github@immerda.ch>2014-01-25 06:19:05 -0800
commit5486852c9e7a829209a640f031b6ee6f10bee239 (patch)
tree5c4d1a39a227c124a7cc2bc6b036b4de238bdcf8
parente2c0b37c7ec9aa730c3a219707b9bc00529dbd91 (diff)
parentcb8721ad5feda1a0552c30fc87fc634a3f132eb7 (diff)
downloadpuppet-sshd-5486852c9e7a829209a640f031b6ee6f10bee239.tar.gz
puppet-sshd-5486852c9e7a829209a640f031b6ee6f10bee239.tar.bz2
Merge pull request #5 from deric/master
removed global variables from readme
-rw-r--r--README246
-rw-r--r--README.md227
2 files changed, 227 insertions, 246 deletions
diff --git a/README b/README
deleted file mode 100644
index 44ca1f0..0000000
--- a/README
+++ /dev/null
@@ -1,246 +0,0 @@
-Introduction
-============
-
-This puppet module manages OpenSSH configuration and services.
-
-!! Upgrade Notice (01/2013) !!
-
-This module now uses parameterized classes, where it used global variables
-before. So please whatch out before pulling, you need to change the
-class declarations in your manifest !
-
-
-Dependencies
-------------
-
-This module requires puppet => 2.6, and the following modules are required
-pre-dependencies:
-
-- shared-common: git://labs.riseup.net/shared-common
-- shared-lsb: git://labs.riseup.net/shared-lsb
-
-OpenSSH Server
-==============
-
-On a node where you wish to have an openssh server installed, you should
-'include sshd' on that node. If you need to configure any aspects of
-sshd_config, set the variables before the include. See 'Configurable Variables'
-below for what you can set.
-
-Nagios
-------
-
-To have nagios checks setup automatically for sshd services, simply set
-manage_nagios to true for that class. If you want to disable ssh
-nagios checking for a particular node (such as when ssh is firewalled), then you
-can set the class parameter nagios_check_ssh to false and that node will not bei
-monitored.
-
-Nagios will automatically check the ports defined in $sshd::ports, and the
-hostname specified by $nagios_check_ssh_hostname.
-
-NOTE: this requires that you are using the shared-nagios puppet module which
-supports the nagios native types via nagios::service:
-git://labs.riseup.net/shared-nagios
-
-Firewall
---------
-
-If you wish to have firewall rules setup automatically for you, using shorewall,
-you will need to set: $use_shorewall = true. The $sshd_ports that you have
-specified will automatically be used.
-
-NOTE: This requires that you are using the shared-shorewall puppet module:
-git://labs.riseup.net/shared-shorewall
-
-
-Configurable variables
-----------------------
-
-Configuration of sshd is strict, and may not fit all needs, however there are a
-number of variables that you can consider configuring. The defaults are set to
-the distribution shipped sshd_config file defaults.
-
-To set any of these variables, simply set them as variables in your manifests,
-before the class is included, for example:
-
- $sshd_listen_address = ['10.0.0.1 192.168.0.1']
- $sshd_use_pam = yes
- include sshd
-
-If you need to install a version of the ssh daemon or client package other than
-the default one that would be installed by 'ensure => installed', then you can
-set the following variables:
-
- $sshd_ensure_version = "1:5.2p2-6"
- $ssh_ensure_version = "1:5.2p2-6"
-
-The following is a list of the currently available variables:
-
- $sshd_listen_address
- specify the addresses sshd should listen on set this to ['10.0.0.1
- 192.168.0.1'] to have it listen on both addresses, or leave it unset to
- listen on all Default: empty -> results in listening on 0.0.0.0
-
- $sshd_allowed_users
- list of usernames separated by spaces. set this for example to "foobar
- root" to ensure that only user foobar and root might login. Default: empty
- -> no restriction is set
-
- $sshd_allowed_groups
- list of groups separated by spaces. set this for example to "wheel sftponly"
- to ensure that only users in the groups wheel and sftponly might login.
- Default: empty -> no restriction is set Note: This is set after
- sshd_allowed_users, take care of the behaviour if you use these 2 options
- together.
-
- $sshd_use_pam
- if you want to use pam or not for authenticaton. Values: no or yes; Default:
- no
-
- $sshd_permit_root_login
- If you want to allow root logins or not. Valid values: yes, no,
- without-password, forced-commands-only; Default: without-password
-
- $sshd_password_authentication
- If you want to enable password authentication or not. Valid values: yes or
- no; Default: no
-
- $sshd_kerberos_authentication
- If you want the password that is provided by the user to be validated
- through the Kerberos KDC. To use this option the server needs a Kerberos
- servtab which allows the verification of the KDC's identity. Valid values:
- yes or no; Default: no
-
- $sshd_kerberos_orlocalpasswd
- If password authentication through Kerberos fails, then the password will be
- validated via any additional local mechanism. Valid values: yes or no;
- Default: yes
-
- $sshd_kerberos_ticketcleanup
- Destroy the user's ticket cache file on logout? Valid values: yes or no;
- Default: yes
-
- $sshd_gssapi_authentication
- Authenticate users based on GSSAPI? Valid values: yes or no; Default: no
-
- $sshd_gssapi_cleanupcredentials
- Destroy user's credential cache on logout? Valid values: yes or no; Default:
- yes
-
- $sshd_challenge_response_authentication
- If you want to enable ChallengeResponseAuthentication or not When disabled,
- s/key passowords are disabled Valid values: yes or no; Default: no
-
- $sshd_tcp_forwarding
- If you want to enable TcpForwarding. Valid Values: yes or no; Default: no
-
- $sshd_x11_forwarding
- If you want to enable x11 forwarding. Valid Values: yes or no; Default: no
-
- $sshd_agent_forwarding
- If you want to allow ssh-agent forwarding. Valid Values: yes or no; Default:
- no
-
- $sshd_pubkey_authentication
- If you want to enable public key authentication. Valid Values: yes or no;
- Default: yes
-
- $sshd_rsa_authentication
- If you want to enable RSA Authentication. Valid Values: yes or no; Default:
- no
-
- $sshd_rhosts_rsa_authentication
- If you want to enable rhosts RSA Authentication. Valid Values: yes or no;
- Default: no
-
- $sshd_hostbased_authentication
- If you want to enable HostbasedAuthentication. Valid Values: yes or no;
- Default: no
-
- $sshd_strict_modes
- If you want to set StrictModes (check file modes/ownership before accepting
- login). Valid Values: yes or no; Default: yes
-
- $sshd_permit_empty_passwords
- If you want enable PermitEmptyPasswords to allow empty passwords. Valid
- Values: yes or no; Default: no
-
- $sshd_port
- Deprecated, use sshd_ports instead.
-
- $sshd_ports
- If you want to specify a list of ports other than the default 22; Default:
- [22]
-
- $sshd_authorized_keys_file
- Set this to the location of the AuthorizedKeysFile
- (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile
- %h/.ssh/authorized_keys
-
- $sshd_hardened_ssl
- Use only strong SSL ciphers and MAC.
- Values: no or yes; Default: no.
-
- $sshd_print_motd
- Show the Message of the day when a user logs in.
-
- $sshd_sftp_subsystem
- Set a different sftp-subystem than the default one. Might be interesting for
- sftponly usage. Default: empty -> no change of the default
-
- $sshd_head_additional_options
- Set this to any additional sshd_options which aren't listed above. Anything
- set here will be added to the beginning of the sshd_config file. This option
- might be useful to define complicated Match Blocks. This string is going to
- be included, like it is defined. So take care! Default: empty -> not added.
-
- $sshd_tail_additional_options
-
- Set this to any additional sshd_options which aren't listed above. Anything
- set here will be added to the end of the sshd_config file. This option might
- be useful to define complicated Match Blocks. This string is going to be
- included, like it is defined. So take care! Default: empty -> not added.
-
- $sshd_shared_ip
- Whether the server uses a shared network IP address. If it does, then we
- don't want it to export an rsa key for its IP address.
- Values: no or yes; Default: no
-
-
-Defines and functions
----------------------
-
-Deploy authorized_keys file with the define sshd::ssh_authorized_key.
-
-Generate a public/private keypair with the ssh_keygen function. For example, the
-following will generate ssh keys and put the different parts of the key into
-variables:
-
-$ssh_keys = ssh_keygen("${$ssh_key_basepath}/backup/keys/${::fqdn}/${backup_host}")
-$public_key = split($ssh_keys[1],' ')
-$sshkey_type => $public_key[0]
-$sshkey => $public_key[1]
-
-
-Client
-======
-
-On a node where you wish to have the ssh client managed, you can do 'include
-sshd::client' in the node definition. This will install the appropriate package.
-
-
-License
-=======
-
-# Copyright 2008-2011, Riseup Labs micah@riseup.net
-# Copyright 2008, admin(at)immerda.ch
-# Copyright 2008, Puzzle ITC GmbH
-# Marcel Härry haerry+puppet(at)puzzle.ch
-# Simon Josi josi+puppet(at)puzzle.ch
-#
-# This program is free software; you can redistribute
-# it and/or modify it under the terms of the GNU
-# General Public License version 3 as published by
-# the Free Software Foundation.
-#
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f722857
--- /dev/null
+++ b/README.md
@@ -0,0 +1,227 @@
+# puppet-sshd
+
+This puppet module manages OpenSSH configuration and services.
+
+**!! Upgrade Notice (01/2013) !!**
+
+This module now uses parameterized classes, where it used global variables
+before. So please whatch out before pulling, you need to change the
+class declarations in your manifest !
+
+
+### Dependencies
+
+This module requires puppet => 2.6, and the following modules are required
+pre-dependencies:
+
+- shared-common: `git://labs.riseup.net/shared-common`
+- shared-lsb: `git://labs.riseup.net/shared-lsb`
+
+## OpenSSH Server
+
+On a node where you wish to have an openssh server installed, you should
+include
+
+```puppet
+class { 'sshd': }
+```
+
+on that node. If you need to configure any aspects of
+sshd_config, set the variables before the include. See Configurable Variables
+below for what you can set.
+
+### Nagios
+
+To have nagios checks setup automatically for sshd services, simply set
+`manage_nagios` to `true` for that class. If you want to disable ssh
+nagios checking for a particular node (such as when ssh is firewalled), then you
+can set the class parameter `nagios_check_ssh` to `false` and that node will not be
+monitored.
+
+Nagios will automatically check the ports defined in `ports`, and the
+hostname specified by `nagios_check_ssh_hostname`.
+
+NOTE: this requires that you are using the shared-nagios puppet module which
+supports the nagios native types via `nagios::service`:
+git://labs.riseup.net/shared-nagios
+
+### Firewall
+
+If you wish to have firewall rules setup automatically for you, using shorewall,
+you will need to set: `use_shorewall => true`. The `ports` that you have
+specified will automatically be used.
+
+NOTE: This requires that you are using the shared-shorewall puppet module:
+git://labs.riseup.net/shared-shorewall
+
+
+### Configurable variables
+
+Configuration of sshd is strict, and may not fit all needs, however there are a
+number of variables that you can consider configuring. The defaults are set to
+the distribution shipped sshd_config file defaults.
+
+To set any of these variables, simply set them as variables in your manifests,
+before the class is included, for example:
+
+```puppet
+class {'sshd':
+ listen_address => ['10.0.0.1', '192.168.0.1'],
+ use_pam => yes
+}
+```
+
+If you need to install a version of the ssh daemon or client package other than
+the default one that would be installed by `ensure => installed`, then you can
+set the following variables:
+
+```puppet
+class {'sshd':
+ ensure_version => "1:5.2p2-6"
+}
+```
+
+The following is a list of the currently available variables:
+
+ - `listen_address`
+ specify the addresses sshd should listen on set this to `['10.0.0.1', '192.168.0.1']` to have it listen on both addresses, or leave it unset to listen on all Default: empty -> results in listening on `0.0.0.0`
+ - `allowed_users`
+ list of usernames separated by spaces. set this for example to `"foobar
+ root"` to ensure that only user foobar and root might login. Default: empty
+ -> no restriction is set
+ - `allowed_groups`
+ list of groups separated by spaces. set this for example to `"wheel sftponly"`
+ to ensure that only users in the groups wheel and sftponly might login.
+ Default: empty -> no restriction is set Note: This is set after
+ `allowed_users`, take care of the behaviour if you use these 2 options
+ together.
+ - `use_pam` if you want to use pam or not for authenticaton. Values:
+ - `no` (default)
+ - `yes`
+ - `permit_root_login` If you want to allow root logins or not. Valid values:
+ - `yes`
+ - `no`
+ - `without-password` (default)
+ - `forced-commands-only`
+ - `password_authentication`
+ If you want to enable password authentication or not. Valid values:
+ - `yes`
+ - `no` (default)
+ - `kerberos_authentication`
+ If you want the password that is provided by the user to be validated
+ through the Kerberos KDC. To use this option the server needs a Kerberos
+ servtab which allows the verification of the KDC's identity. Valid values:
+ - `yes`
+ - `no` (default)
+ - `kerberos_orlocalpasswd` If password authentication through Kerberos fails, then the password will be validated via any additional local mechanism. Valid values:
+ - `yes` (default)
+ - `no`
+ - `kerberos_ticketcleanup` Destroy the user's ticket cache file on logout? Valid values:
+ - `yes` (default)
+ - `no`
+ - `gssapi_authentication` Authenticate users based on GSSAPI? Valid values:
+ - `yes`
+ - `no` (default)
+ - `gssapi_cleanupcredentials` Destroy user's credential cache on logout? Valid values:
+ - `yes` (default)
+ - `no`
+ - `challenge_response_authentication` If you want to enable ChallengeResponseAuthentication or not When disabled, s/key passwords are disabled. Valid values:
+ - `yes`
+ - `no` (default)
+ - `tcp_forwarding` If you want to enable TcpForwarding. Valid values:
+ - `yes`
+ - `no` (default)
+ - `x11_forwarding` If you want to enable x11 forwarding. Valid values:
+ - `yes`
+ - `no` (default)
+ - `agent_forwarding` If you want to allow ssh-agent forwarding. Valid values:
+ - `yes`
+ - `no` (default)
+ - `pubkey_authentication` If you want to enable public key authentication. Valid values:
+ - `yes` (default)
+ - `no`
+ - `rsa_authentication` If you want to enable RSA Authentication. Valid values:
+ - `yes`
+ - `no` (default)
+ - `rhosts_rsa_authentication`
+ If you want to enable rhosts RSA Authentication. Valid values:
+ - `yes`
+ - `no` (default)
+ - `hostbased_authentication` If you want to enable `HostbasedAuthentication`. Valid values:
+ - `yes`
+ - `no` (default)
+ - `strict_modes` If you want to set `StrictModes` (check file modes/ownership before accepting login). Valid values:
+ - `yes` (default)
+ - `no`
+ - `permit_empty_passwords`
+ If you want enable PermitEmptyPasswords to allow empty passwords. Valid
+ Values:
+ - `yes`
+ - `no` (default)
+ - `ports` If you want to specify a list of ports other than the default `22`; Default: `[22]`
+ - `authorized_keys_file`
+ Set this to the location of the AuthorizedKeysFile
+ (e.g. `/etc/ssh/authorized_keys/%u`). Default: `AuthorizedKeysFile
+ %h/.ssh/authorized_keys`
+ - `hardened_ssl`
+ Use only strong SSL ciphers and MAC.
+ Values:
+ - `no` (default)
+ - `yes`
+ - `print_motd`
+ Show the Message of the day when a user logs in.
+ - `sftp_subsystem`
+ Set a different sftp-subystem than the default one. Might be interesting for
+ sftponly usage. Default: empty -> no change of the default
+ - `head_additional_options`
+ Set this to any additional sshd_options which aren't listed above. Anything
+ set here will be added to the beginning of the sshd_config file. This option
+ might be useful to define complicated Match Blocks. This string is going to
+ be included, like it is defined. So take care! Default: empty -> not added.
+ - `tail_additional_options` Set this to any additional sshd_options which aren't listed above. Anything set here will be added to the end of the sshd_config file. This option might be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added.
+ - `shared_ip` Whether the server uses a shared network IP address. If it does, then we don't want it to export an rsa key for its IP address. Values:
+ - `no` (default)
+ - `yes`
+
+
+### Defines and functions
+
+Deploy authorized_keys file with the define `authorized_key`.
+
+Generate a public/private keypair with the ssh_keygen function. For example, the
+following will generate ssh keys and put the different parts of the key into
+variables:
+
+```puppet
+$ssh_keys = ssh_keygen("${$ssh_key_basepath}/backup/keys/${::fqdn}/${backup_host}")
+$public_key = split($ssh_keys[1],' ')
+$sshkey_type => $public_key[0]
+$sshkey => $public_key[1]
+```
+
+## Client
+
+
+On a node where you wish to have the ssh client managed, you can do:
+
+```puppet
+class{'sshd::client':
+
+}
+```
+
+in the node definition. This will install the appropriate package.
+
+## License
+
+ - Copyright 2008-2011, Riseup Labs micah@riseup.net
+ - Copyright 2008, admin(at)immerda.ch
+ - Copyright 2008, Puzzle ITC GmbH
+ - Marcel Härry haerry+puppet(at)puzzle.ch
+ - Simon Josi josi+puppet(at)puzzle.ch
+
+This program is free software; you can redistribute
+it and/or modify it under the terms of the GNU
+General Public License version 3 as published by
+the Free Software Foundation.
+