authormh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279>2008-10-20 22:46:50 +0000
committermh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279>2008-10-20 22:46:50 +0000
commit96bbe0adb8323ecb8e95e6be8900e6dd1b57b419 (patch)
tree78b5078714c569a9d2d51af7fd1437a3b2131ca6 /manifests
parent68b72b545bba4e1dfdfff8977955de9b0291cf87 (diff)
new options, cleaned up real_ hack
git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2527 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
Diffstat (limited to 'manifests')
-rw-r--r--manifests/init.pp116
1 files changed, 62 insertions, 54 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 21c21c6..1c7a3e8 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -40,6 +40,15 @@
# to ensure that only user foobar and root
# might login.
# Default: empty -> no restriction is set
+#
+# sshd_allowed_groups list of groups separated by spaces.
+# set this for example to "wheel sftponly"
+# to ensure that only users in the groups
+# wheel and sftponly might login.
+# Default: empty -> no restriction is set
+# Note: This is set after sshd_allowed_users,
+# take care of the behaviour if you use
+# these 2 options together.
#
# sshd_use_pam: if you want to use pam or not for authenticaton
# Values: no or yes.
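Review bot: The note added for sshd_allowed_groups ("This is set after sshd_allowed_users, take care of the behaviour…") warns about an interaction without saying what it is. sshd checks AllowUsers and AllowGroups independently of where they sit in the file, and when both are present a login has to match both lists, so a group list can only narrow what the user list allows, never widen it. I would state that directly, for example `# Note: if sshd_allowed_users is also set, a user must match BOTH lists to log in.`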
@@ -100,6 +109,14 @@
# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
# Default: AuthorizedKeysFile %h/.ssh/authorized_keys
#
+# sshd_sftp_subsystem: Set a different sftp-subystem than the default one.
+# Might be interesting for sftponly usage
+# Default: empty -> no change of the default
+#
+# sshd_additional_options: Set this to any additional sshd_options which aren't listed above.
+# As well this option might be usefull to define complexer Match Blocks
+# This string is going to be included, like it is defined. So take care!
+# Default: empty -> not added.
class sshd {
include sshd::client
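Review bot: The description of sshd_additional_options says the string is included verbatim and "So take care!", but not what to take care of. Two sshd rules matter here: the first value read for a keyword wins, and a Match block extends to the next Match line or the end of the file. Assuming the template appends this string after the other settings (the template is not part of this hunk), a keyword repeated here outside a Match block is silently ignored. I would add something like `# Note: cannot override an option listed above (sshd keeps the first value); text after a Match line applies only to that Match.`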
@@ -118,77 +135,68 @@ class sshd {
class sshd::base {
# prepare variables to use in templates
- $real_sshd_listen_address = $sshd_listen_address ? {
- '' => [ '0.0.0.0', '::' ],
- default => $sshd_listen_address
+ case $sshd_listen_address {
+ '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
+ }
+ case $sshd_allowed_users {
+ '': { $sshd_allowed_users = '' }
+ }
+ case $sshd_allowed_groups {
+ '': { $sshd_allowed_groups = '' }
+ }
+ case $sshd_use_pam {
+ '': { $sshd_use_pam = 'no' }
}
- $real_sshd_allowed_users = $sshd_allowed_users ? {
- '' => '',
- default => $sshd_allowed_users
+ case $sshd_permit_root_login {
+ '': { $sshd_permit_root_login = 'without-password' }
}
- $real_sshd_use_pam = $sshd_use_pam ? {
- '' => 'no',
- default => $sshd_use_pam
+ case $sshd_password_authentication {
+ '': { $sshd_password_authentication = 'no' }
}
- $real_sshd_permit_root_login = $sshd_permit_root_login ? {
- '' => 'without-password',
- default => $sshd_permit_root_login
+ case $sshd_tcp_forwarding {
+ '': { $sshd_tcp_forwarding = 'no' }
}
- $real_sshd_password_authentication = $sshd_password_authentication ? {
- '' => 'no',
- default => $sshd_password_authentication
+ case $sshd_x11_forwarding {
+ '': { $sshd_x11_forwarding = 'no' }
}
- $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
- '' => 'no',
- default => $sshd_tcp_forwarding
+ case $sshd_agent_forwarding {
+ '': { $sshd_agent_forwarding = 'no' }
}
- $real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
- '' => 'no',
- default => $sshd_x11_forwarding
+ case $sshd_challenge_response_authentication {
+ '': { $sshd_challenge_response_authentication = 'no' }
}
- $real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
- '' => 'no',
- default => $sshd_agent_forwarding
+ case $sshd_pubkey_authentication {
+ '': { $sshd_pubkey_authentication = 'yes' }
}
- $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
- '' => 'no',
- default => $sshd_challenge_response_authentication
+ case $sshd_rsa_authentication {
+ '': { $sshd_rsa_authentication = 'no' }
}
- $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
- '' => 'yes',
- default => $sshd_pubkey_authentication
+ case $sshd_strict_modes {
+ '': { $sshd_strict_modes = 'yes' }
}
- $real_sshd_rsa_authentication = $sshd_rsa_authentication ? {
- '' => 'no',
- default => $sshd_rsa_authentication
+ case $sshd_ignore_rhosts {
+ '': { $sshd_ignore_rhosts = 'yes' }
}
- $real_sshd_strict_modes = $sshd_strict_modes ? {
- '' => 'yes',
- default => $sshd_strict_modes
+ case $sshd_rhosts_rsa_authentication {
+ '': { $sshd_rhosts_rsa_authentication = 'no' }
}
- $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
- '' => 'yes',
- default => $sshd_ignore_rhosts
+ case $sshd_hostbased_authentication {
+ '': { $sshd_hostbased_authentication = 'no' }
}
- $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
- '' => 'no',
- default => $sshd_rhosts_rsa_authentication
+ case $sshd_permit_empty_passwords {
+ '': { $sshd_permit_empty_passwords = 'no' }
}
- $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
- '' => 'no',
- default => $sshd_hostbased_authentication
+ case $sshd_port {
+ '': { $sshd_port = 22 }
}
- $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
- '' => 'no',
- default => $sshd_permit_empty_passwords
+ case $sshd_authorized_keys_file {
+ '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
}
- $real_sshd_port = $sshd_port ? {
- '' => 22,
- default => $sshd_port
+ case $sshd_sftp_subsystem {
+ '': { $sshd_sftp_subsystem = '' }
}
- $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? {
- '' => "%h/.ssh/authorized_keys",
- default => $sshd_authorized_keys_file
+ case $sshd_additional_options {
+ '': { $sshd_additional_options = '' }
}
file { 'sshd_config':
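Review bot: Each `case` in sshd::base has only the `''` branch, so any non-empty value set outside the class is passed on unchecked. For the yes/no settings (`$sshd_password_authentication`, `$sshd_permit_empty_passwords`, `$sshd_use_pam` and the rest), a misspelled value would presumably reach the sshd_config template as-is. A `default:` branch that fails the catalog on anything other than the documented values would catch this before the file is written, e.g. a `'yes', 'no': { }` branch followed by `default: { fail("sshd_use_pam must be 'yes' or 'no'") }`. The class body continues past the end of the hunk, so how the template consumes these variables is not visible here.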