aboutsummaryrefslogtreecommitdiff
path: root/manifests
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2011-02-19 18:08:02 -0200
committerSilvio Rhatto <rhatto@riseup.net>2011-02-19 18:08:02 -0200
commit474b23271d7c4f3b82ca2e7888225e74f87ae7a8 (patch)
treeb2b58dacd66a40f5d27a381439d91006339da5b8 /manifests
parentac30247bf9d7ea57c01cc5ad743e2788f6e8ea0d (diff)
parente0d3cdbd36bf1d06984240da216b4492efc4e69d (diff)
downloadpuppet-sshd-474b23271d7c4f3b82ca2e7888225e74f87ae7a8.tar.gz
puppet-sshd-474b23271d7c4f3b82ca2e7888225e74f87ae7a8.tar.bz2
Merge branch 'master' of git://labs.riseup.net/shared-sshd
Conflicts: templates/sshd_config/Debian_squeeze.erb
Diffstat (limited to 'manifests')
-rw-r--r--manifests/client/base.pp3
-rw-r--r--manifests/debian.pp3
-rw-r--r--manifests/init.pp189
-rw-r--r--manifests/nagios.pp24
4 files changed, 45 insertions, 174 deletions
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
index 7329f55..1fe2b14 100644
--- a/manifests/client/base.pp
+++ b/manifests/client/base.pp
@@ -1,7 +1,6 @@
class sshd::client::base {
# this is needed because the gid might have changed
- file { '/etc/ssh/ssh_known_hosts':
- owner => root, group => 0, mode => 0644;
+ config_file { '/etc/ssh/ssh_known_hosts':
}
# Now collect all server keys
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 0cc4ede..43dc26c 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -9,8 +9,7 @@ class sshd::debian inherits sshd::linux {
$sshd_restartandstatus = $lsbdistcodename ? {
etch => false,
- lenny => true,
- default => false
+ default => true
}
Service[sshd]{
diff --git a/manifests/init.pp b/manifests/init.pp
index 3d2a5b9..b4e4788 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,169 +1,3 @@
-#
-# ssh module
-#
-# Copyright 2008-2009, micah@riseup.net
-# Copyright 2008, admin(at)immerda.ch
-# Copyright 2008, Puzzle ITC GmbH
-# Marcel Härry haerry+puppet(at)puzzle.ch
-# Simon Josi josi+puppet(at)puzzle.ch
-#
-# This program is free software; you can redistribute
-# it and/or modify it under the terms of the GNU
-# General Public License version 3 as published by
-# the Free Software Foundation.
-#
-# Deploy authorized_keys file with the define
-# sshd::ssh_authorized_key
-#
-# sshd-config:
-#
-# The configuration of the sshd is rather strict and might not fit all
-# needs. However there are a bunch of variables, which you might
-# consider configuring.
-#
-# To set any of the following, simply set them as variables in your manifests
-# before the class is included, for example:
-#
-# $sshd_listen_address = ['10.0.0.1 192.168.0.1']
-# $sshd_use_pam = yes
-# include sshd
-#
-# If you need to install a version of the ssh daemon or client package other than
-# the default one that would be installed by 'ensure => installed', then you can
-# set the following variables:
-#
-# $sshd_ensure_version = "1:5.2p2-6"
-# $ssh_ensure_version = "1:5.2p2-6"
-#
-# To have nagios checks setup automatically for sshd services, simply
-# set $use_nagios = true before the class is included. If you want to
-# disable ssh nagios checking for a particular node (such as when ssh
-# is firewalled), then you can set $nagios_check_ssh to false and that
-# node will not be monitored.
-# NOTE: this requires that you are using the nagios puppet module
-# which supports the nagios native types via nagios::service
-#
-# The following is a list of the currently available variables:
-#
-# sshd_listen_address: specify the addresses sshd should listen on
-# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
-# addresses, or leave it unset to listen on all
-# Default: empty -> results in listening on 0.0.0.0
-#
-# sshd_allowed_users: list of usernames separated by spaces.
-# set this for example to "foobar root"
-# to ensure that only user foobar and root
-# might login.
-# Default: empty -> no restriction is set
-#
-# sshd_allowed_groups list of groups separated by spaces.
-# set this for example to "wheel sftponly"
-# to ensure that only users in the groups
-# wheel and sftponly might login.
-# Default: empty -> no restriction is set
-# Note: This is set after sshd_allowed_users,
-# take care of the behaviour if you use
-# these 2 options together.
-#
-# sshd_use_pam: if you want to use pam or not for authenticaton
-# Values: no or yes.
-# Default: no
-#
-# sshd_permit_root_login: If you want to allow root logins or not.
-# Valid values: yes, no, without-password, forced-commands-only
-# Default: without-password
-#
-# sshd_password_authentication: If you want to enable password authentication or not
-# Valid values: yes or no
-# Default: no
-#
-# sshd_kerberos_authentication: If you want the password that is provided by the user to be
-# validated through the Kerberos KDC. To use this option the
-# server needs a Kerberos servtab which allows the verification of
-# the KDC's identity.
-# Valid values: yes or no
-# Default: no
-#
-# sshd_kerberos_orlocalpasswd: If password authentication through Kerberos fails, then the password
-# will be validated via any additional local mechanism.
-# Valid values: yes or no
-# Default: yes
-#
-# sshd_kerberos_ticketcleanup: Destroy the user's ticket cache file on logout?
-# Valid values: yes or no
-# Default: yes
-#
-# sshd_gssapi_authentication: Authenticate users based on GSSAPI?
-# Valid values: yes or no
-# Default: no
-#
-# sshd_gssapi_cleanupcredentials: Destroy user's credential cache on logout?
-# Valid values: yes or no
-# Default: yes
-#
-# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
-# When disabled, s/key passowords are disabled
-# Valid values: yes or no
-# Default: no
-#
-# sshd_tcp_forwarding: If you want to enable TcpForwarding
-# Valid Values: yes or no
-# Default: no
-#
-# sshd_x11_forwarding: If you want to enable x11 forwarding
-# Valid Values: yes or no
-# Default: no
-#
-# sshd_agent_forwarding: If you want to allow ssh-agent forwarding
-# Valid Values: yes or no
-# Default: no
-#
-# sshd_pubkey_authentication: If you want to enable public key authentication
-# Valid Values: yes or no
-# Default: yes
-#
-# sshd_rsa_authentication: If you want to enable RSA Authentication
-# Valid Values: yes or no
-# Default: no
-#
-# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
-# Valid Values: yes or no
-# Default: no
-#
-# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
-# Valid Values: yes or no
-# Default: no
-#
-# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
-# Valid Values: yes or no
-# Default: yes
-#
-# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords
-# Valid Values: yes or no
-# Default: no
-#
-# sshd_port: If you want to specify a different port than the default 22
-# Default: 22
-#
-# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
-# Default: AuthorizedKeysFile %h/.ssh/authorized_keys
-#
-# sshd_sftp_subsystem: Set a different sftp-subystem than the default one.
-# Might be interesting for sftponly usage
-# Default: empty -> no change of the default
-#
-# sshd_head_additional_options: Set this to any additional sshd_options which aren't listed above.
-# Anything set here will be added to the beginning of the sshd_config file.
-# This option might be useful to define complicated Match Blocks
-# This string is going to be included, like it is defined. So take care!
-# Default: empty -> not added.
-#
-# sshd_tail_additional_options: Set this to any additional sshd_options which aren't listed above.
-# Anything set here will be added to the end of the sshd_config file.
-# This option might be useful to define complicated Match Blocks
-# This string is going to be included, like it is defined. So take care!
-# Default: empty -> not added.
-
class sshd {
# prepare variables to use in templates
case $sshd_listen_address {
@@ -232,8 +66,13 @@ class sshd {
case $sshd_permit_empty_passwords {
'': { $sshd_permit_empty_passwords = 'no' }
}
- case $sshd_port {
- '': { $sshd_port = 22 }
+ if ( $sshd_port != '' ) and ( $sshd_ports != []) {
+ err("Cannot use sshd_port and sshd_ports at the same time.")
+ }
+ if $sshd_port != '' {
+ $sshd_ports = [ $sshd_port ]
+ } elsif ! $sshd_ports {
+ $sshd_ports = [ 22 ]
}
case $sshd_authorized_keys_file {
'': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
@@ -274,11 +113,21 @@ class sshd {
if $use_nagios {
case $nagios_check_ssh {
false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) }
- default: { nagios::service{ "ssh_port_${sshd_port}": check_command => "check_ssh_port!$sshd_port" } }
+ default: {
+ sshd::nagios{$sshd_ports:
+ check_hostname => $nagios_check_ssh_hostname ? {
+ '' => 'absent',
+ undef => 'absent',
+ default => $nagios_check_ssh_hostname
+ }
+ }
+ }
}
}
if $use_shorewall{
- include shorewall::rules::ssh
+ class{'shorewall::rules::ssh':
+ ports => $sshd_ports,
+ }
}
}
diff --git a/manifests/nagios.pp b/manifests/nagios.pp
new file mode 100644
index 0000000..7742cdb
--- /dev/null
+++ b/manifests/nagios.pp
@@ -0,0 +1,24 @@
+define sshd::nagios(
+ $port = 'absent',
+ $ensure = 'present',
+ $check_hostname = 'absent'
+) {
+ $real_port = $port ? {
+ 'absent' => $name,
+ default => $port,
+ }
+ case $check_hostname {
+ 'absent': {
+ nagios::service{"ssh_port_${name}":
+ ensure => $ensure,
+ check_command => "check_ssh_port!$real_port"
+ }
+ }
+ default: {
+ nagios::service{"ssh_port_host_${name}":
+ ensure => $ensure,
+ check_command => "check_ssh_port_host!${real_port}!${check_hostname}"
+ }
+ }
+ }
+}