-rw-r--r-- | manifests/base.pp | 60 | ||||
-rw-r--r-- | manifests/client/base.pp | 12 | ||||
-rw-r--r-- | manifests/client/debian.pp | 6 | ||||
-rw-r--r-- | manifests/client/linux.pp | 7 | ||||
-rw-r--r-- | manifests/debian.pp | 13 | ||||
-rw-r--r-- | manifests/gentoo.pp | 6 | ||||
-rw-r--r-- | manifests/init.pp | 187 | ||||
-rw-r--r-- | manifests/linux.pp | 10 | ||||
-rw-r--r-- | manifests/ssh_authorized_key.pp | 52 | ||||
-rw-r--r-- | templates/sshd_config/CentOS.erb | 23 | ||||
-rw-r--r-- | templates/sshd_config/Debian_etch.erb | 16 | ||||
-rw-r--r-- | templates/sshd_config/Debian_lenny.erb | 15 | ||||
-rw-r--r-- | templates/sshd_config/Gentoo.erb | 20 | ||||
-rw-r--r-- | templates/sshd_config/OpenBSD.erb | 20 |
14 files changed, 260 insertions, 187 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index b249974..2ac2385 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,31 +1,35 @@
 class sshd::base {
- file { 'sshd_config':
- path => '/etc/ssh/sshd_config',
- owner => root,
- group => 0,
- mode => 600,
- content => $lsbdistcodename ? {
- '' => template("sshd/sshd_config/${operatingsystem}.erb"),
- default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
- },
- notify => Service[sshd],
- }
- # Now add the key, if we've got one
- case $sshrsakey_key {
- '': { info("no sshrsakey on $fqdn") }
- default: {
- @@sshkey{"$hostname.$domain":
- type => ssh-rsa,
- key => $sshrsakey_key,
- ensure => present,
- }
- }
- }
- service{'sshd':
- name => 'sshd',
- enable => true,
- ensure => running,
- hasstatus => true,
- require => File[sshd_config],
+ file { 'sshd_config':
+ path => '/etc/ssh/sshd_config',
+ content => $lsbdistcodename ? {
+ '' => template("sshd/sshd_config/${operatingsystem}.erb"),
+ default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+ },
+ notify => Service[sshd],
+ owner => root, group => 0, mode => 600;
+ }
+
+ # Now add the key, if we've got one
+ case $sshrsakey_key {
+ '': { info("no sshrsakey on $fqdn") }
+ default: {
+ @@sshkey{"$hostname.$domain":
+ type => ssh-rsa,
+ key => $sshrsakey_key,
+ ensure => present,
+ }
+ @@sshkey{"$ipaddress":
+ type => ssh-rsa,
+ key => $sshrsakey,
+ ensure => present,
+ }
 }
+ }
+ service{'sshd':
+ name => 'sshd',
+ enable => true,
+ ensure => running,
+ hasstatus => true,
+ require => File[sshd_config],
+ }
 }
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
index 2c3e31f..33d9f9e 100644
--- a/manifests/client/base.pp
+++ b/manifests/client/base.pp
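Review bot: The new exported `@@sshkey{"$ipaddress": …}` reads `$sshrsakey`, while the guard `case $sshrsakey_key` and the existing hostname entry read `$sshrsakey_key`; if only the latter fact is populated, the address-keyed entry is exported with an empty `key` and collected by `Sshkey <<||>>` into every client's `ssh_known_hosts` as a malformed line. Use the same fact in both resources, `key => $sshrsakey_key,`, or guard the second resource on `$sshrsakey` separately. Which of the two facts the deployed facter provides is not visible here.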
@@ -1,9 +1,9 @@
 class sshd::client::base {
- # this is needed because the gid might have changed
- file { '/etc/ssh/ssh_known_hosts':
- mode => 0644, owner => root, group => 0;
- }
+ # this is needed because the gid might have changed
+ file { '/etc/ssh/ssh_known_hosts':
+ owner => root, group => 0, mode => 0644;
+ }
 
- # Now collect all server keys
- Sshkey <<||>>
+ # Now collect all server keys
+ Sshkey <<||>>
 }
diff --git a/manifests/client/debian.pp b/manifests/client/debian.pp
index 9ca6da9..2aaf3fb 100644
--- a/manifests/client/debian.pp
+++ b/manifests/client/debian.pp
@@ -1,5 +1,5 @@
 class sshd::client::debian inherits sshd::client::linux {
- Package['openssh-clients']{
- name => 'openssh-client',
- }
+ Package['openssh-clients']{
+ name => 'openssh-client',
+ }
 }
diff --git a/manifests/client/linux.pp b/manifests/client/linux.pp
index 522fa50..8c58ca8 100644
--- a/manifests/client/linux.pp
+++ b/manifests/client/linux.pp
@@ -1,5 +1,6 @@
 class sshd::client::linux inherits sshd::client::base {
- package {'openssh-clients':
- ensure => installed,
- }
+ if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
+ package {'openssh-clients':
+ ensure => $ssh_ensure_version,
+ }
 }
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 528779c..849d9f4 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -3,14 +3,23 @@ class sshd::debian inherits sshd::linux {
 # the templates for Debian need lsbdistcodename
 include lsb
 File['sshd_config']{
- require => Package['lsb']
+ require +> Package['lsb']
 }
 Package[openssh]{
 name => 'openssh-server',
 }
+
+ $sshd_restartandstatus = $lsbdistcodename ? {
+ etch => false,
+ lenny => true,
+ default => false
+ }
+
 Service[sshd]{
 name => 'ssh',
- hasstatus => false,
+ pattern => 'sshd',
+ hasstatus => $sshd_restartandstatus,
+ hasrestart => $sshd_restartandstatus,
 }
 }
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
index f56a96d..631f3d1 100644
--- a/manifests/gentoo.pp
+++ b/manifests/gentoo.pp
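Review bot: `$ssh_ensure_version` defaults to `'installed'` in client/linux.pp while the matching `$sshd_ensure_version` in init.pp (hunk @@ -113,95) defaults to `"present"`, and this hunk guards with `if … == ''` where every other default in the module is written as `case … { '': { … } }`. The two values are aliases for the package type, so this is consistency rather than a functional defect, but one default and one idiom would help, e.g. `case $ssh_ensure_version { '': { $ssh_ensure_version = 'present' } }`.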
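Review bot: In manifests/debian.pp the `$sshd_restartandstatus` selector falls back to `false` for every codename other than lenny, so any release not listed is managed with `hasstatus => false`/`hasrestart => false` and the `pattern => 'sshd'` process scan, which can report the service running on the strength of a lingering per-connection `sshd` child after the listener has gone. If etch is the only release whose init script lacks status/restart support (not verifiable from the diff), invert the selector: `etch => false,` followed by `default => true`, and drop the `lenny` entry.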
@@ -1,5 +1,5 @@
 class sshd::gentoo inherits sshd::linux {
- Package[openssh]{
- category => 'net-misc',
- }
+ Package[openssh]{
+ category => 'net-misc',
+ }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 8489a6a..83b26c1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -28,6 +28,13 @@
 # $sshd_use_pam = yes
 # include sshd::debian
 #
+# If you need to install a version of the ssh daemon or client package other than
+# the default one that would be installed by 'ensure => installed', then you can
+# set the following variables:
+#
+# $sshd_ensure_version = "1:5.2p2-6"
+# $ssh_ensure_version = "1:5.2p2-6"
+#
 # The following is a list of the currently available variables:
 #
 # sshd_listen_address: specify the addresses sshd should listen on
@@ -113,95 +120,105 @@ # Might be interesting for sftponly usage # Default: empty -> no change of the default # -# sshd_additional_options: Set this to any additional sshd_options which aren't listed above. -# As well this option might be usefull to define complexer Match Blocks -# This string is going to be included, like it is defined. So take care! -# Default: empty -> not added. +# sshd_head_additional_options: Set this to any additional sshd_options which aren't listed above. +# Anything set here will be added to the beginning of the sshd_config file. +# This option might be useful to define complicated Match Blocks +# This string is going to be included, like it is defined. So take care! +# Default: empty -> not added. +# +# sshd_tail_additional_options: Set this to any additional sshd_options which aren't listed above. +# Anything set here will be added to the end of the sshd_config file. +# This option might be useful to define complicated Match Blocks +# This string is going to be included, like it is defined. So take care! +# Default: empty -> not added. 
class sshd { - # prepare variables to use in templates - case $sshd_listen_address { - '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } - } - case $sshd_allowed_users { - '': { $sshd_allowed_users = '' } - } - case $sshd_allowed_groups { - '': { $sshd_allowed_groups = '' } - } - case $sshd_use_pam { - '': { $sshd_use_pam = 'no' } - } - case $sshd_permit_root_login { - '': { $sshd_permit_root_login = 'without-password' } - } - case $sshd_password_authentication { - '': { $sshd_password_authentication = 'no' } - } - case $sshd_tcp_forwarding { - '': { $sshd_tcp_forwarding = 'no' } - } - case $sshd_x11_forwarding { - '': { $sshd_x11_forwarding = 'no' } - } - case $sshd_agent_forwarding { - '': { $sshd_agent_forwarding = 'no' } - } - case $sshd_challenge_response_authentication { - '': { $sshd_challenge_response_authentication = 'no' } - } - case $sshd_pubkey_authentication { - '': { $sshd_pubkey_authentication = 'yes' } - } - case $sshd_rsa_authentication { - '': { $sshd_rsa_authentication = 'no' } - } - case $sshd_strict_modes { - '': { $sshd_strict_modes = 'yes' } - } - case $sshd_ignore_rhosts { - '': { $sshd_ignore_rhosts = 'yes' } - } - case $sshd_rhosts_rsa_authentication { - '': { $sshd_rhosts_rsa_authentication = 'no' } - } - case $sshd_hostbased_authentication { - '': { $sshd_hostbased_authentication = 'no' } - } - case $sshd_permit_empty_passwords { - '': { $sshd_permit_empty_passwords = 'no' } - } - case $sshd_port { - '': { $sshd_port = 22 } - } - case $sshd_authorized_keys_file { - '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } - } - case $sshd_sftp_subsystem { - '': { $sshd_sftp_subsystem = '' } - } - case $sshd_additional_options { - '': { $sshd_additional_options = '' } - } - - include sshd::client + # prepare variables to use in templates + case $sshd_listen_address { + '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } + } + case $sshd_allowed_users { + '': { $sshd_allowed_users = '' } + } + case $sshd_allowed_groups { + '': { 
$sshd_allowed_groups = '' } + } + case $sshd_use_pam { + '': { $sshd_use_pam = 'no' } + } + case $sshd_permit_root_login { + '': { $sshd_permit_root_login = 'without-password' } + } + case $sshd_password_authentication { + '': { $sshd_password_authentication = 'no' } + } + case $sshd_tcp_forwarding { + '': { $sshd_tcp_forwarding = 'no' } + } + case $sshd_x11_forwarding { + '': { $sshd_x11_forwarding = 'no' } + } + case $sshd_agent_forwarding { + '': { $sshd_agent_forwarding = 'no' } + } + case $sshd_challenge_response_authentication { + '': { $sshd_challenge_response_authentication = 'no' } + } + case $sshd_pubkey_authentication { + '': { $sshd_pubkey_authentication = 'yes' } + } + case $sshd_rsa_authentication { + '': { $sshd_rsa_authentication = 'no' } + } + case $sshd_strict_modes { + '': { $sshd_strict_modes = 'yes' } + } + case $sshd_ignore_rhosts { + '': { $sshd_ignore_rhosts = 'yes' } + } + case $sshd_rhosts_rsa_authentication { + '': { $sshd_rhosts_rsa_authentication = 'no' } + } + case $sshd_hostbased_authentication { + '': { $sshd_hostbased_authentication = 'no' } + } + case $sshd_permit_empty_passwords { + '': { $sshd_permit_empty_passwords = 'no' } + } + case $sshd_port { + '': { $sshd_port = 22 } + } + case $sshd_authorized_keys_file { + '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } + } + case $sshd_sftp_subsystem { + '': { $sshd_sftp_subsystem = '' } + } + case $sshd_head_additional_options { + '': { $sshd_head_additional_options = '' } + } + case $sshd_tail_additional_options { + '': { $sshd_tail_additional_options = '' } + } + case $sshd_ensure_version { + '': { $sshd_ensure_version = "present" } + } - case $operatingsystem { - gentoo: { include sshd::gentoo } - redhat,centos: { include sshd::redhat } - centos: { include sshd::centos } - openbsd: { include sshd::openbsd } - debian,ubuntu: { include sshd::debian } - default: { include sshd::default } - } + include sshd::client - if $use_nagios { - if $nagios_check_ssh { - 
nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } - } - } + case $operatingsystem { + gentoo: { include sshd::gentoo } + redhat,centos: { include sshd::redhat } + centos: { include sshd::centos } + openbsd: { include sshd::openbsd } + debian,ubuntu: { include sshd::debian } + default: { include sshd::default } + } - if $use_shorewall{ - include shorewall::rules::ssh + if $use_nagios { + case $nagios_check_ssh { + 'false': { info("We don't do nagioschecks for ssh on ${fqdn}" ) } + default: { nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } } } + } } diff --git a/manifests/linux.pp b/manifests/linux.pp index f659808..a1f4e2a 100644 --- a/manifests/linux.pp +++ b/manifests/linux.pp @@ -1,8 +1,8 @@ class sshd::linux inherits sshd::base { - package{openssh: - ensure => present, + package{openssh: + ensure => $sshd_ensure_version, + } + File[sshd_config]{ + require +> Package[openssh], } - File[sshd_config]{ - require +> Package[openssh], - } } diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index 2d528da..9374e15 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp 
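Review bot: The rewritten nagios block in init.pp creates the `nagios::service` check whenever `$nagios_check_ssh` is anything but the string `'false'`, so an unset variable — which the old `if $nagios_check_ssh` treated as off — now enables the check by default, and a boolean `false` may or may not match the quoted `'false'` label depending on the Puppet version in use. State the intended default in the header comment (hunk @@ -28,6) and match both spellings, `'false', false: { info(…) }`. The `if $use_shorewall { include shorewall::rules::ssh }` branch is removed without replacement, so hosts that relied on this class to open the ssh port in shorewall may lose that rule on the next run; whether another class now includes it is not visible here, and the removal deserves a sentence in the header comment or commit message. The closing braces of `class sshd` at the end of this hunk cannot be told apart in the collapsed text.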
@@ -3,34 +3,40 @@ define sshd::ssh_authorized_key( $type = 'ssh-dss', $key, $user = 'root', - $target = 'absent', + $target = undef, $options = 'absent' ){ - case $target { - 'absent': { - case $user { - 'root': { $real_target = '/root/.ssh/authorized_keys' } - default: { $real_target = "/home/${user}/.ssh/authorized_keys" } - } - } - default: { - $real_target = $target - } + $real_user = $user ? { + false => $name, + "" => $name, + default => $user, + } + + case $target { + undef: { + case $user { + 'root': { $real_target = '/root/.ssh/authorized_keys' } + default: { $real_target = "/home/${user}/.ssh/authorized_keys" } + } } - ssh_authorized_key{$name: - type => $type, - key => $key, - user => $user, - target => $real_target, + default: { + $real_target = $target } + } + ssh_authorized_key{$name: + type => $type, + key => $key, + user => $real_user, + target => $real_target, + } - case $options { - 'absent': { info("not setting any option for ssh_authorized_key: $name") } - default: { - Ssh_authorized_key[$name]{ - options => $options, - } - } + case $options { + 'absent': { info("not setting any option for ssh_authorized_key: $name") } + default: { + Ssh_authorized_key[$name]{ + options => $options, + } } + } } diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index fcaf4d6..a253029 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb 
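Review bot: `$real_user` now substitutes `$name` when `$user` is false or empty, but the `undef:` branch of `case $target` still derives the path from `$user`, so an empty user produces `target => "/home//.ssh/authorized_keys"` while `user => $real_user` names a different account — the key lands in a path that does not belong to the user the resource is declared for. Switch both lines to the resolved value: `case $real_user {` and `default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }`. It is also worth confirming that `undef:` as a case label matches a parameter defaulted to `undef` on the Puppet version in use; if it does not, every call without `$target` falls into `default` and passes `target => undef`. The define's opening line sits on the hunk header, outside the hunk body.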
@@ -10,15 +10,20 @@ # possible, but leave them commented. Uncommented options change a # default value. +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + <%- unless sshd_port.to_s.empty? then -%> -Port <%= sshd_port %> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> <%- else -%> -#Port 22 +Port 22 <%- end -%> -#Protocol 2,1 -Protocol 2 -#AddressFamily any # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> ListenAddress <%= address %> @@ -199,8 +204,6 @@ AllowUsers <%= sshd_allowed_users %> AllowGroups <%= sshd_allowed_groups %> <%- end -%> - -<%- unless sshd_additional_options.to_s.empty? then -%> -<%= sshd_additional_options %> -<%- end -%> - +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 28aa52c..746a447 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -1,9 +1,17 @@ # Package generated configuration file # See the sshd(8) manpage for details +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + # What ports, IPs and protocols we listen for <%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> Port <%= sshd_port -%> +<% end -%> <%- else -%> Port 22 <%- end -%> @@ -131,7 +139,7 @@ KeepAlive yes #ReverseMappingCheck yes <%- if sshd_sftp_subsystem.to_s.empty? then %> -#Subsystem sftp /usr/lib/sftp-server +Subsystem sftp /usr/lib/openssh/sftp-server <%- else %> Subsystem sftp <%= sshd_sftp_subsystem %> <%- end %> 
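Review bot: The CentOS template drops the explicit `Protocol 2` line (together with the `#Protocol 2,1` and `#AddressFamily any` comments) without a replacement, so the protocol version is no longer pinned by the managed sshd_config and depends on the daemon's compiled-in default; unless the other templates deliberately rely on that default too, keep `Protocol 2` here. The new `sshd_port.to_s == 'off'` branch writes `#Port -- disabled by puppet`, which disables nothing — a commented-out `Port` leaves sshd listening on its default port 22 — so the marker should say what actually happens, e.g. `#Port -- left at the sshd default by puppet`, and the `sshd_port` description in the init.pp header (outside the visible hunks) should document the `off` value. The same branch is repeated in the Debian_etch, Debian_lenny, Gentoo and OpenBSD templates in the following hunks.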
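Review bot: With `$sshd_sftp_subsystem` empty, the Debian_etch template now emits `Subsystem sftp /usr/lib/openssh/sftp-server` where it previously emitted a commented-out line, so SFTP becomes enabled on every Debian host that had it off before. If the variable description shown as context at the top of the init.pp hunk @@ -113,95 (`Default: empty -> no change of the default`) is this variable's entry, it no longer describes the behaviour and should say that an empty value enables the distribution's sftp-server. Debian_lenny.erb receives the same change in the next hunk.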
@@ -168,9 +176,9 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +PrintMotd no -<%- unless sshd_additional_options.to_s.empty? then %> -<%= sshd_additional_options %> +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> <%- end %> - diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 8d68808..18f3e4d 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -1,9 +1,17 @@ # Package generated configuration file # See the sshd(8) manpage for details +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + # What ports, IPs and protocols we listen for <%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> Port <%= sshd_port -%> +<% end -%> <%- else -%> Port 22 <%- end -%> @@ -131,7 +139,7 @@ KeepAlive yes #ReverseMappingCheck yes <%- if sshd_sftp_subsystem.to_s.empty? then %> -#Subsystem sftp /usr/lib/sftp-server +Subsystem sftp /usr/lib/openssh/sftp-server <%- else %> Subsystem sftp <%= sshd_sftp_subsystem %> <%- end %> @@ -174,8 +182,9 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> +PrintMotd no -<%- unless sshd_additional_options.to_s.empty? then %> -<%= sshd_additional_options %> +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 77ed378..2112f0d 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb 
@@ -10,12 +10,20 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless sshd_port.to_s.empty? then %> -Port <%= sshd_port %> -<%- else %> -Port 22 +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> <%- end %> +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> ListenAddress <%= address %> @@ -203,8 +211,8 @@ AllowGroups <%= sshd_allowed_groups %> <%- end %> -<%- unless sshd_additional_options.to_s.empty? then %> -<%= sshd_additional_options %> +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> <%- end %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index a6e0763..69e8afa 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -8,12 +8,20 @@ # possible, but leave them commented. Uncommented options change a # default value. -<%- unless sshd_port.to_s.empty? then %> -Port <%= sshd_port %> -<%- else %> -Port 22 +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> <%- end %> +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> ListenAddress <%= address %> 
@@ -178,6 +186,6 @@ AllowGroups <%= sshd_allowed_groups %> # AllowTcpForwarding no # ForceCommand cvs server -<%- unless sshd_additional_options.to_s.empty? then %> -<%= sshd_additional_options %> +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> <%- end %> |