author | Silvio Rhatto <rhatto@riseup.net> | 2016-03-19 10:17:30 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2016-03-19 10:17:30 -0300 |
commit | ff79bc6295e9f089285ccc26c04cc72893a8384f (patch) | |
tree | 1a84dad2d03bc3814305eeaedb4cfd8d8dc09f36 /manifests | |
parent | 9b1d0f06fee4b0c457d0154c4153415758c10425 (diff) | |
parent | 672b0985d1c2acfde58fecc4c635517522c86268 (diff) | |
download | puppet-sshd-ff79bc6295e9f089285ccc26c04cc72893a8384f.tar.gz puppet-sshd-ff79bc6295e9f089285ccc26c04cc72893a8384f.tar.bz2 |
Merge branch 'master' of https://gitlab.com/shared-puppet-modules-group/sshd
Conflicts:
README
templates/sshd_config/CentOS.erb
templates/sshd_config/CentOS_Final.erb
templates/sshd_config/Debian_etch.erb
templates/sshd_config/Debian_jessie.erb
templates/sshd_config/Debian_sid.erb
templates/sshd_config/Debian_squeeze.erb
templates/sshd_config/Debian_wheezy.erb
templates/sshd_config/Ubuntu_trusty.erb
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/autossh.pp | 40 | ||||
-rw-r--r-- | manifests/base.pp | 52 | ||||
-rw-r--r-- | manifests/client/base.pp | 7 | ||||
-rw-r--r-- | manifests/debian.pp | 16 | ||||
-rw-r--r-- | manifests/init.pp | 45 | ||||
-rw-r--r-- | manifests/linux.pp | 2 | ||||
-rw-r--r-- | manifests/nagios.pp | 6 | ||||
-rw-r--r-- | manifests/openbsd.pp | 6 | ||||
-rw-r--r-- | manifests/redhat.pp | 8 | ||||
-rw-r--r-- | manifests/ssh_authorized_key.pp | 69 | ||||
-rw-r--r-- | manifests/sshkey.pp | 21 |
11 files changed, 196 insertions, 76 deletions
diff --git a/manifests/autossh.pp b/manifests/autossh.pp
new file mode 100644
index 0000000..5650584
--- /dev/null
+++ b/manifests/autossh.pp
@@ -0,0 +1,40 @@
+class sshd::autossh($host,
+ $port = undef, # this should be a remote->local hash
+ $remote_user = undef,
+ $user = 'root',
+ $pidfile = '/var/run/autossh.pid',
+) {
+ if $port {
+ $port_ensure = $port
+ }
+ else {
+ # random port between 10000 and 20000
+ $port_ensure = fqdn_rand(10000) + 10000
+ }
+ if $remote_user {
+ $remote_user_ensure = $remote_user
+ }
+ else {
+ $remote_user_ensure = "host-$fqdn"
+ }
+ file {
+ '/etc/init.d/autossh':
+ mode => '0555',
+ source => 'puppet:///modules/sshd/autossh.init.d';
+ '/etc/default/autossh':
+ mode => '0444',
+ content => "USER=$user\nPIDFILE=$pidfile\nDAEMON_ARGS='-M0 -f -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $remote_user_ensure@$host'\n";
+ }
+ package { 'autossh':
+ ensure => present,
+ }
+ service { 'autossh':
+ ensure => running,
+ enable => true,
+ subscribe => [
+ File['/etc/init.d/autossh'],
+ File['/etc/default/autossh'],
+ Package['autossh'],
+ ],
+ }
+}
diff --git a/manifests/base.pp b/manifests/base.pp
index 4001985..dda9f26 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
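Review bot: `$host`, `$user` and `$pidfile` are interpolated unescaped into `/etc/default/autossh`, a file the init script sources as shell, and `$host` additionally lands inside the single-quoted `DAEMON_ARGS`; a value carrying a quote, whitespace or `;` escapes the quoting and becomes extra arguments or commands executed as `$user`, which defaults to root. Since stdlib validators are already used in init.pp in this same diff, add `validate_re($host, '^[A-Za-z0-9._-]+$')` and `validate_re($user, '^[a-z_][a-z0-9_-]*$')` before the `file` resource. `"host-$fqdn"` reads an unqualified top-scope variable where the rest of the diff uses `$::fqdn`, and the comment on `$port` promises a remote->local hash that the code never honours, so either implement it or drop the comment. A dedicated unprivileged default for `$user` would also be preferable to root, since the tunnel only forwards to local port 22; whether the packaged init script supports that cannot be told from this diff.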
@@ -1,41 +1,41 @@
+# The base class to setup the common things.
+# This is a private class and will always be used
+# throught the sshd class itself.
 class sshd::base {
+
+ $sshd_config_content = $::operatingsystem ? {
+ 'CentOS' => template("sshd/sshd_config/${::operatingsystem}_${::operatingsystemmajrelease}.erb"),
+ default => $::lsbdistcodename ? {
+ '' => template("sshd/sshd_config/${::operatingsystem}.erb"),
+ default => template("sshd/sshd_config/${::operatingsystem}_${::lsbdistcodename}.erb")
+ }
+ }
+
 file { 'sshd_config':
- path => '/etc/ssh/sshd_config',
- content => $::lsbdistcodename ? {
- '' => template("sshd/sshd_config/${::operatingsystem}.erb"),
- default => template ("sshd/sshd_config/${::operatingsystem}_${::lsbdistcodename}.erb"),
- },
- notify => Service[sshd],
- owner => root, group => 0, mode => 600;
+ ensure => present,
+ path => '/etc/ssh/sshd_config',
+ content => $sshd_config_content,
+ notify => Service[sshd],
+ owner => root,
+ group => 0,
+ mode => '0600';
 }
 # Now add the key, if we've got one
 case $::sshrsakey {
 '': { info("no sshrsakey on ${::fqdn}") }
 default: {
- @@sshkey{$::fqdn:
- tag => "fqdn",
- type => ssh-rsa,
- key => $::sshrsakey,
- ensure => present,
- }
- # In case the node has uses a shared network address,
- # we don't define a sshkey resource using an IP address
- if $sshd::shared_ip == "no" {
- @@sshkey{$::ipaddress:
- tag => "ipaddress",
- type => ssh-rsa,
- key => $::sshrsakey,
- ensure => present,
- }
+ # only export sshkey when storedconfigs is enabled
+ if $::sshd::use_storedconfigs {
+ include ::sshd::sshkey
 }
 }
 }
 service{'sshd':
- name => 'sshd',
- enable => true,
- ensure => running,
+ ensure => running,
+ name => 'sshd',
+ enable => true,
 hasstatus => true,
- require => File[sshd_config],
+ require => File[sshd_config],
 }
 }
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
index c2580c1..4925c2d 100644
--- a/manifests/client/base.pp
+++ b/manifests/client/base.pp
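Review bot: The `'CentOS'` arm of the new `$sshd_config_content` selector builds the template name from `$::operatingsystemmajrelease` with no fallback, so on a CentOS node where that fact is empty (it depends on the facter version, which nothing here pins) the path becomes `CentOS_.erb` and catalog compilation fails, while every other OS still falls back to `${::operatingsystem}.erb` when its codename is missing. Mirroring that fallback keeps the two paths consistent: `'CentOS' => $::operatingsystemmajrelease ? { '' => template("sshd/sshd_config/${::operatingsystem}.erb"), default => template("sshd/sshd_config/${::operatingsystem}_${::operatingsystemmajrelease}.erb") },`. The new header comment also has `throught` for `through`, and since it declares the class private, naming the one class allowed to include it (`sshd`) makes that contract checkable by the next reader.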
@@ -1,12 +1,15 @@
 class sshd::client::base {
 # this is needed because the gid might have changed
 file { '/etc/ssh/ssh_known_hosts':
- mode => 0644, owner => root, group => 0;
+ ensure => present,
+ mode => '0644',
+ owner => root,
+ group => 0;
 }
 # Now collect all server keys
 case $sshd::client::shared_ip {
 no: { Sshkey <<||>> }
- yes: { Sshkey <<| tag == "fqdn" |>> }
+ yes: { Sshkey <<| tag == fqdn |>> }
 }
 }
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 45eb901..d827078 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -1,21 +1,13 @@
 class sshd::debian inherits sshd::linux {
- # the templates for Debian need lsbdistcodename
- require lsb
 Package[openssh]{
 name => 'openssh-server',
 }
- $sshd_restartandstatus = $::lsbdistcodename ? {
- etch => false,
- default => true
- }
-
 Service[sshd]{
- name => 'ssh',
- pattern => 'sshd',
- hasstatus => $sshd_restartandstatus,
- hasrestart => $sshd_restartandstatus,
+ name => 'ssh',
+ pattern => 'sshd',
+ hasstatus => true,
+ hasrestart => true,
 }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 4d66b81..b415741 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,5 +1,6 @@
+# manage an sshd installation
 class sshd(
- $manage_nagios = true,
+ $manage_nagios = false,
 $nagios_check_ssh_hostname = 'absent',
 $ports = [ 22 ],
 $shared_ip = 'no',
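Review bot: The `no:` arm collects every exported `Sshkey` with an unrestricted `<<||>>` and the `yes:` arm only narrows by the `fqdn` tag, so if the storedconfigs backend is shared by more than one trust domain, any agent able to export resources can publish an `sshkey` under another host's name and have it written to `/etc/ssh/ssh_known_hosts` on every client, overriding the genuine host key and enabling a silent MITM of SSH to that host. Scoping the collection to a trust boundary limits this, e.g. `yes: { Sshkey <<| tag == fqdn and tag == $::environment |>> }` with the exporter tagging the environment as well — `sshd::sshkey` in this same diff currently only tags `fqdn`/`ipaddress`, so that side needs the matching change. The `no:`/`yes:` case labels and the collector's `fqdn` are now barewords; quoting them avoids depending on bareword-to-string coercion across Puppet versions.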
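Review bot: Removing `require lsb` leaves `sshd::base` (in this same diff) still choosing the Debian template through `$::lsbdistcodename`, so on a Debian host where that fact is empty, which happens when the `lsb-release` package facter needs for it is absent, the `''` arm silently falls back to the generic `Debian.erb` instead of the release-specific template, and any release-specific hardening lands nowhere. If the dependency is intentionally gone, fail loudly rather than degrade: `if $::lsbdistcodename == '' { fail('lsbdistcodename fact missing; install lsb-release to select the Debian sshd_config template') }` in this class. Whether every target image ships `lsb-release` cannot be told from this diff.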
@@ -26,20 +27,46 @@ class sshd(
 $rhosts_rsa_authentication = 'no',
 $hostbased_authentication = 'no',
 $permit_empty_passwords = 'no',
- $authorized_keys_file = '%h/.ssh/authorized_keys',
- $hardened_ssl = 'no',
+ $authorized_keys_file = $::osfamily ? {
+ Debian => $::lsbmajdistrelease ? {
+ 6 => '%h/.ssh/authorized_keys',
+ default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
+ },
+ RedHat => $::operatingsystemmajrelease ? {
+ 5 => '%h/.ssh/authorized_keys',
+ 6 => '%h/.ssh/authorized_keys',
+ default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
+ },
+ OpenBSD => '%h/.ssh/authorized_keys',
+ default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
+ },
+ $hardened = 'no',
 $sftp_subsystem = '',
 $head_additional_options = '',
 $tail_additional_options = '',
 $print_motd = 'yes',
 $manage_shorewall = false,
- $shorewall_source = 'net'
+ $shorewall_source = 'net',
+ $sshkey_ipaddress = $::ipaddress,
+ $manage_client = true,
+ $hostkey_type = versioncmp($::ssh_version, '6.5') ? {
+ /(^1|0)/ => [ 'rsa', 'ed25519' ],
+ /-1/ => [ 'rsa', 'dsa' ]
+ },
+ $use_storedconfigs = true
 ) {
- class{'sshd::client':
- shared_ip => $sshd::shared_ip,
- ensure_version => $sshd::ensure_version,
- manage_shorewall => $manage_shorewall,
+ validate_bool($manage_shorewall)
+ validate_bool($manage_client)
+ validate_array($listen_address)
+ validate_array($ports)
+
+ if $manage_client {
+ class{'sshd::client':
+ shared_ip => $shared_ip,
+ ensure_version => $ensure_version,
+ manage_shorewall => $manage_shorewall,
+ }
 }
 case $::operatingsystem {
@@ -58,7 +85,7 @@ class sshd(
 if $manage_shorewall {
 class{'shorewall::rules::ssh':
- ports => $ports,
+ ports => $ports,
 source => $shorewall_source
 }
 }
diff --git a/manifests/linux.pp b/manifests/linux.pp
index f071ada..8628ff5 100644
--- a/manifests/linux.pp
+++ b/manifests/linux.pp
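Review bot: The `$hostkey_type` default selects on `versioncmp($::ssh_version, '6.5')`, and `$::ssh_version` is a custom fact; on a host where it is missing (first run before pluginsync, or an agent without the fact) the comparison is made against an empty value, which versioncmp presumably treats as older, so the `/-1/` arm requests a DSA host key, the weakest option, on exactly the hosts whose version is unknown. Guard the unknown case explicitly and consider dropping `dsa` entirely, as sketched below. The new boolean `$use_storedconfigs` also lacks the `validate_bool` call its siblings get, and the `6`/`5` selector keys are bare integers matched against string facts, which Puppet 3 coerces but Puppet 4 compares strictly, so quote them. The class body continues past the hunk.

```puppet
  $hostkey_type = $::ssh_version ? {
    undef   => [ 'rsa' ],
    ''      => [ 'rsa' ],
    default => versioncmp($::ssh_version, '6.5') ? {
      /(^1|0)/ => [ 'rsa', 'ed25519' ],
      /-1/     => [ 'rsa', 'dsa' ]
    }
  },
  # … unchanged: $use_storedconfigs = true, ) { …
  validate_bool($manage_shorewall)
  validate_bool($manage_client)
  validate_bool($use_storedconfigs)
```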
@@ -1,5 +1,5 @@
 class sshd::linux inherits sshd::base {
- package{openssh:
+ package{'openssh':
 ensure => $sshd::ensure_version,
 }
 File[sshd_config]{
diff --git a/manifests/nagios.pp b/manifests/nagios.pp
index ef5fe10..6921de9 100644
--- a/manifests/nagios.pp
+++ b/manifests/nagios.pp
@@ -5,18 +5,18 @@ define sshd::nagios(
 ) {
 $real_port = $port ? {
 'absent' => $name,
- default => $port,
+ default => $port,
 }
 case $check_hostname {
 'absent': {
 nagios::service{"ssh_port_${name}":
- ensure => $ensure,
+ ensure => $ensure,
 check_command => "check_ssh_port!${real_port}"
 }
 }
 default: {
 nagios::service{"ssh_port_host_${name}":
- ensure => $ensure,
+ ensure => $ensure,
 check_command => "check_ssh_port_host!${real_port}!${check_hostname}"
 }
 }
diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp
index f1379d7..cb6dbba 100644
--- a/manifests/openbsd.pp
+++ b/manifests/openbsd.pp
@@ -1,8 +1,8 @@
 class sshd::openbsd inherits sshd::base {
 Service[sshd]{
 restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
- stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
- start => '/usr/sbin/sshd',
- hasstatus => false,
+ stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
+ start => '/usr/sbin/sshd',
+ status => '/usr/bin/pgrep -f /usr/sbin/sshd',
 }
 }
diff --git a/manifests/redhat.pp b/manifests/redhat.pp
index e9bf1d1..d720177 100644
--- a/manifests/redhat.pp
+++ b/manifests/redhat.pp
@@ -1,5 +1,5 @@
-class sshd::redhat inherits sshd::linux {
- Package[openssh]{
- name => 'openssh-server',
- }
+class sshd::redhat inherits sshd::linux {
+ Package[openssh]{
+ name => 'openssh-server',
+ }
 }
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
index 40649b0..80cb3b7 100644
--- a/manifests/ssh_authorized_key.pp
+++ b/manifests/ssh_authorized_key.pp
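Review bot: `status => '/usr/bin/pgrep -f /usr/sbin/sshd'` matches the string anywhere in any process's full command line, so an editor open on that path, a `grep /usr/sbin/sshd`, or a deliberately named process makes the check report sshd as running while it is down, and Puppet then never starts it. Reuse the pidfile the adjacent `restart` and `stop` commands already trust, e.g. ``status => '/bin/kill -0 `/bin/cat /var/run/sshd.pid`'``, or at minimum `status => '/usr/bin/pgrep -x sshd'`, which matches the process name exactly. Both still have edge cases (a stale pidfile with a recycled PID; per-connection sshd children also named `sshd`), but neither can be satisfied by an unrelated command line.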
@@ -5,7 +5,8 @@ define sshd::ssh_authorized_key(
 $key = 'absent',
 $user = '',
 $target = undef,
- $options = 'absent'
+ $options = 'absent',
+ $override_builtin = undef
 ){
 if ($ensure=='present') and ($key=='absent') {
@@ -13,8 +14,8 @@ define sshd::ssh_authorized_key(
 }
 $real_user = $user ? {
- false => $name,
- '' => $name,
+ false => $name,
+ '' => $name,
 default => $user,
 }
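Review bot: `$override_builtin` is introduced with an `undef` default and no validation, unlike the booleans validated in init.pp in this same diff, and the define's header comment, which lies outside the hunk, presumably does not describe it yet. Defaulting it to `false` and adding `validate_bool($override_builtin)` is backward-compatible (both values are falsy) and catches the string `'false'`, which would otherwise be truthy and silently switch to the file-resource code path. A one-line entry for the header: `# override_builtin: when true, write $target as a plain file resource instead of using the ssh_authorized_key type (one key per target file).`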
@@ -29,20 +30,56 @@ define sshd::ssh_authorized_key(
 $real_target = $target
 }
 }
- ssh_authorized_key{$name:
- ensure => $ensure,
- type => $type,
- key => $key,
- user => $real_user,
- target => $real_target,
- }
- case $options {
- 'absent': { info("not setting any option for ssh_authorized_key: $name") }
- default: {
- Ssh_authorized_key[$name]{
- options => $options,
- }
+ # The ssh_authorized_key built-in function (in 2.7.23 at least)
+ # will not write an authorized_keys file for a mortal user to
+ # a directory they don't have write permission to, puppet attempts to
+ # create the file as the user specified with the user parameter and fails.
+ # Since ssh will refuse to use authorized_keys files not owned by the
+ # user, or in files/directories that allow other users to write, this
+ # behavior is deliberate in order to prevent typical non-working
+ # configurations. However, it also prevents the case of puppet, running
+ # as root, writing a file owned by a mortal user to a common
+ # authorized_keys directory such as one might specify in sshd_config with
+ # something like
+ # 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
+ # So we provide a way to override the built-in and instead just install
+ # via a file resource. There is no additional security risk here, it's
+ # nothing a user can't already do by writing their own file resources,
+ # we still depend on the filesystem permissions to keep things safe.
+ if $override_builtin {
+ $header = "# HEADER: This file is managed by Puppet.\n"
+
+ if $options == 'absent' {
+ info("not setting any option for ssh_authorized_key: ${name}")
+ $content = "${header}${type} ${key}\n"
+ } else {
+ $content = "${header}${options} ${type} ${key}\n"
+ }
+
+ file { $real_target:
+ ensure => $ensure,
+ content => $content,
+ owner => $real_user,
+ mode => '0600',
+ }
+
+ } else {
+
+ if $options == 'absent' {
+ info("not setting any option for ssh_authorized_key: ${name}")
+ } else {
+ $real_options = $options
+ }
+
+ ssh_authorized_key{$name:
+ ensure => $ensure,
+ type => $type,
+ key => $key,
+ user => $real_user,
+ target => $real_target,
+ options => $real_options,
 }
 }
+
 }
diff --git a/manifests/sshkey.pp b/manifests/sshkey.pp
new file mode 100644
index 0000000..df37a66
--- /dev/null
+++ b/manifests/sshkey.pp
@@ -0,0 +1,21 @@
+# deploys the
+class sshd::sshkey {
+
+ @@sshkey{$::fqdn:
+ ensure => present,
+ tag => 'fqdn',
+ type => 'ssh-rsa',
+ key => $::sshrsakey,
+ }
+
+ # In case the node has uses a shared network address,
+ # we don't define a sshkey resource using an IP address
+ if $sshd::shared_ip == 'no' {
+ @@sshkey{$::sshd::sshkey_ipaddress:
+ ensure => present,
+ tag => 'ipaddress',
+ type => 'ssh-rsa',
+ key => $::sshrsakey,
+ }
+ }
+} |
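Review bot: In the `$override_builtin` branch, `$type`, `$key` and `$options` are concatenated into `$content` with no validation, so a value containing a newline adds further authorized_keys lines and nothing checks that `$key` is a base64 blob at all, whereas the built-in type at least parses these; add `validate_re($key, '^[A-Za-z0-9+/]+={0,2}$')` and a whitelist on `$type` (e.g. `validate_re($type, '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|ssh-dss)$')`) at the top of that branch. The `file { $real_target: ... }` resource sets no `group`, and because its title is the target path, two `sshd::ssh_authorized_key` declarations for one user with `override_builtin` collide as a duplicate declaration: override mode supports exactly one key per target file, which the long comment above should state. That comment's "no additional security risk" also relies on the directory named in `AuthorizedKeysFile` being root-owned and not group/world-writable, which this define neither manages nor checks. The define starts before the hunk.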
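Review bot: `sshd::sshkey` exports only the `ssh-rsa` key from `$::sshrsakey`, while the same diff makes `$hostkey_type` default to `['rsa','ed25519']` on OpenSSH 6.5 and later, so servers generate an ed25519 host key that never reaches any client's `ssh_known_hosts`; clients already holding the RSA entry keep negotiating RSA, and a client that prefers ed25519 is left with an unverifiable key. Export the ed25519 key as well when facter provides it, guarded like `if $::sshed25519key { @@sshkey{ ...: type => 'ssh-ed25519', key => $::sshed25519key } }` — the fact name and whether the `sshkey` type accepts two entries for one host name vary by facter/Puppet version, so confirm both before relying on it. The header comment `# deploys the` is truncated; suggest `# Exports this node's ssh-rsa host key keyed by $::fqdn and, unless $sshd::shared_ip is set, by $sshd::sshkey_ipaddress, for collection into clients' ssh_known_hosts.` Within the class `$sshd::shared_ip` is unqualified while the next line uses `$::sshd::sshkey_ipaddress`; pick one form.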