-rw-r--r--manifests/base.pp60
-rw-r--r--manifests/client/base.pp12
-rw-r--r--manifests/client/debian.pp6
-rw-r--r--manifests/client/linux.pp7
-rw-r--r--manifests/debian.pp13
-rw-r--r--manifests/gentoo.pp6
-rw-r--r--manifests/init.pp187
-rw-r--r--manifests/linux.pp10
-rw-r--r--manifests/ssh_authorized_key.pp52
-rw-r--r--templates/sshd_config/CentOS.erb23
-rw-r--r--templates/sshd_config/Debian_etch.erb16
-rw-r--r--templates/sshd_config/Debian_lenny.erb15
-rw-r--r--templates/sshd_config/Gentoo.erb20
-rw-r--r--templates/sshd_config/OpenBSD.erb20
14 files changed, 260 insertions, 187 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index b249974..2ac2385 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,31 +1,35 @@
class sshd::base {
- file { 'sshd_config':
- path => '/etc/ssh/sshd_config',
- owner => root,
- group => 0,
- mode => 600,
- content => $lsbdistcodename ? {
- '' => template("sshd/sshd_config/${operatingsystem}.erb"),
- default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
- },
- notify => Service[sshd],
- }
- # Now add the key, if we've got one
- case $sshrsakey_key {
- '': { info("no sshrsakey on $fqdn") }
- default: {
- @@sshkey{"$hostname.$domain":
- type => ssh-rsa,
- key => $sshrsakey_key,
- ensure => present,
- }
- }
- }
- service{'sshd':
- name => 'sshd',
- enable => true,
- ensure => running,
- hasstatus => true,
- require => File[sshd_config],
+ file { 'sshd_config':
+ path => '/etc/ssh/sshd_config',
+ content => $lsbdistcodename ? {
+ '' => template("sshd/sshd_config/${operatingsystem}.erb"),
+ default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+ },
+ notify => Service[sshd],
+ owner => root, group => 0, mode => 600;
+ }
+
+ # Now add the key, if we've got one
+ case $sshrsakey_key {
+ '': { info("no sshrsakey on $fqdn") }
+ default: {
+ @@sshkey{"$hostname.$domain":
+ type => ssh-rsa,
+ key => $sshrsakey_key,
+ ensure => present,
+ }
+ @@sshkey{"$ipaddress":
+ type => ssh-rsa,
+ key => $sshrsakey,
+ ensure => present,
+ }
}
+ }
+ service{'sshd':
+ name => 'sshd',
+ enable => true,
+ ensure => running,
+ hasstatus => true,
+ require => File[sshd_config],
+ }
}
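Review bot: The two exported sshkey resources read different facts: the surrounding `case $sshrsakey_key` guards both, yet the new `@@sshkey{"$ipaddress": ...}` uses `key => $sshrsakey` while the hostname entry uses `key => $sshrsakey_key`. If only one of those facts is populated on a host, one of the two entries is likely exported with an empty key and every client collecting `Sshkey <<||>>` ends up with a broken ssh_known_hosts line for that host. Use the same variable in both resources (`key => $sshrsakey_key,`) or document why they differ. Keying a host key on `$ipaddress` also means a reused or changed address leaves a stale known_hosts entry on every client, so some way to retire old address entries is worth considering.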
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
index 2c3e31f..33d9f9e 100644
--- a/manifests/client/base.pp
+++ b/manifests/client/base.pp
@@ -1,9 +1,9 @@
class sshd::client::base {
- # this is needed because the gid might have changed
- file { '/etc/ssh/ssh_known_hosts':
- mode => 0644, owner => root, group => 0;
- }
+ # this is needed because the gid might have changed
+ file { '/etc/ssh/ssh_known_hosts':
+ owner => root, group => 0, mode => 0644;
+ }
- # Now collect all server keys
- Sshkey <<||>>
+ # Now collect all server keys
+ Sshkey <<||>>
}
diff --git a/manifests/client/debian.pp b/manifests/client/debian.pp
index 9ca6da9..2aaf3fb 100644
--- a/manifests/client/debian.pp
+++ b/manifests/client/debian.pp
@@ -1,5 +1,5 @@
class sshd::client::debian inherits sshd::client::linux {
- Package['openssh-clients']{
- name => 'openssh-client',
- }
+ Package['openssh-clients']{
+ name => 'openssh-client',
+ }
}
diff --git a/manifests/client/linux.pp b/manifests/client/linux.pp
index 522fa50..8c58ca8 100644
--- a/manifests/client/linux.pp
+++ b/manifests/client/linux.pp
@@ -1,5 +1,6 @@
class sshd::client::linux inherits sshd::client::base {
- package {'openssh-clients':
- ensure => installed,
- }
+ if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
+ package {'openssh-clients':
+ ensure => $ssh_ensure_version,
+ }
}
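Review bot: The default chosen here, `'installed'`, differs from the `"present"` default that init.pp sets for the server-side `$sshd_ensure_version`, and the test is written as `if $ssh_ensure_version == ''` while every other default in the module uses the `case ... { '': { ... } }` idiom. Both spell the same package state, but a reader comparing the two classes will assume the difference is deliberate. Suggest `case $ssh_ensure_version { '': { $ssh_ensure_version = 'present' } }` for consistency. Pinning either variable to a fixed version, as the new init.pp comment describes, also holds back security updates of the package until the manifest is edited, which deserves a line in that comment.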
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 528779c..849d9f4 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -3,14 +3,23 @@ class sshd::debian inherits sshd::linux {
# the templates for Debian need lsbdistcodename
include lsb
File['sshd_config']{
- require => Package['lsb']
+ require +> Package['lsb']
}
Package[openssh]{
name => 'openssh-server',
}
+
+ $sshd_restartandstatus = $lsbdistcodename ? {
+ etch => false,
+ lenny => true,
+ default => false
+ }
+
Service[sshd]{
name => 'ssh',
- hasstatus => false,
+ pattern => 'sshd',
+ hasstatus => $sshd_restartandstatus,
+ hasrestart => $sshd_restartandstatus,
}
}
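Review bot: `pattern => 'sshd'` lets Puppet's process-table status fallback match any process whose command line contains "sshd", which may include the per-session `sshd: user [priv]` children that outlive the listening daemon, so on etch (where `$sshd_restartandstatus` resolves to false) a dead master process can be reported as running and never restarted. Anchoring the pattern on the daemon path, `pattern => '/usr/sbin/sshd'`, avoids that false positive if that is where the package installs the binary on the targeted releases — confirm before changing. The selector arm `etch => false` is redundant with `default => false` and can be dropped. The enclosing class `sshd::debian` starts before this hunk.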
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
index f56a96d..631f3d1 100644
--- a/manifests/gentoo.pp
+++ b/manifests/gentoo.pp
@@ -1,5 +1,5 @@
class sshd::gentoo inherits sshd::linux {
- Package[openssh]{
- category => 'net-misc',
- }
+ Package[openssh]{
+ category => 'net-misc',
+ }
}
diff --git a/manifests/init.pp b/manifests/init.pp
index 8489a6a..83b26c1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -28,6 +28,13 @@
# $sshd_use_pam = yes
# include sshd::debian
#
+# If you need to install a version of the ssh daemon or client package other than
+# the default one that would be installed by 'ensure => installed', then you can
+# set the following variables:
+#
+# $sshd_ensure_version = "1:5.2p2-6"
+# $ssh_ensure_version = "1:5.2p2-6"
+#
# The following is a list of the currently available variables:
#
# sshd_listen_address: specify the addresses sshd should listen on
@@ -113,95 +120,105 @@
# Might be interesting for sftponly usage
# Default: empty -> no change of the default
#
-# sshd_additional_options: Set this to any additional sshd_options which aren't listed above.
-# As well this option might be usefull to define complexer Match Blocks
-# This string is going to be included, like it is defined. So take care!
-# Default: empty -> not added.
+# sshd_head_additional_options: Set this to any additional sshd_options which aren't listed above.
+# Anything set here will be added to the beginning of the sshd_config file.
+# This option might be useful to define complicated Match Blocks
+# This string is going to be included, like it is defined. So take care!
+# Default: empty -> not added.
+#
+# sshd_tail_additional_options: Set this to any additional sshd_options which aren't listed above.
+# Anything set here will be added to the end of the sshd_config file.
+# This option might be useful to define complicated Match Blocks
+# This string is going to be included, like it is defined. So take care!
+# Default: empty -> not added.
class sshd {
- # prepare variables to use in templates
- case $sshd_listen_address {
- '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
- }
- case $sshd_allowed_users {
- '': { $sshd_allowed_users = '' }
- }
- case $sshd_allowed_groups {
- '': { $sshd_allowed_groups = '' }
- }
- case $sshd_use_pam {
- '': { $sshd_use_pam = 'no' }
- }
- case $sshd_permit_root_login {
- '': { $sshd_permit_root_login = 'without-password' }
- }
- case $sshd_password_authentication {
- '': { $sshd_password_authentication = 'no' }
- }
- case $sshd_tcp_forwarding {
- '': { $sshd_tcp_forwarding = 'no' }
- }
- case $sshd_x11_forwarding {
- '': { $sshd_x11_forwarding = 'no' }
- }
- case $sshd_agent_forwarding {
- '': { $sshd_agent_forwarding = 'no' }
- }
- case $sshd_challenge_response_authentication {
- '': { $sshd_challenge_response_authentication = 'no' }
- }
- case $sshd_pubkey_authentication {
- '': { $sshd_pubkey_authentication = 'yes' }
- }
- case $sshd_rsa_authentication {
- '': { $sshd_rsa_authentication = 'no' }
- }
- case $sshd_strict_modes {
- '': { $sshd_strict_modes = 'yes' }
- }
- case $sshd_ignore_rhosts {
- '': { $sshd_ignore_rhosts = 'yes' }
- }
- case $sshd_rhosts_rsa_authentication {
- '': { $sshd_rhosts_rsa_authentication = 'no' }
- }
- case $sshd_hostbased_authentication {
- '': { $sshd_hostbased_authentication = 'no' }
- }
- case $sshd_permit_empty_passwords {
- '': { $sshd_permit_empty_passwords = 'no' }
- }
- case $sshd_port {
- '': { $sshd_port = 22 }
- }
- case $sshd_authorized_keys_file {
- '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
- }
- case $sshd_sftp_subsystem {
- '': { $sshd_sftp_subsystem = '' }
- }
- case $sshd_additional_options {
- '': { $sshd_additional_options = '' }
- }
-
- include sshd::client
+ # prepare variables to use in templates
+ case $sshd_listen_address {
+ '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
+ }
+ case $sshd_allowed_users {
+ '': { $sshd_allowed_users = '' }
+ }
+ case $sshd_allowed_groups {
+ '': { $sshd_allowed_groups = '' }
+ }
+ case $sshd_use_pam {
+ '': { $sshd_use_pam = 'no' }
+ }
+ case $sshd_permit_root_login {
+ '': { $sshd_permit_root_login = 'without-password' }
+ }
+ case $sshd_password_authentication {
+ '': { $sshd_password_authentication = 'no' }
+ }
+ case $sshd_tcp_forwarding {
+ '': { $sshd_tcp_forwarding = 'no' }
+ }
+ case $sshd_x11_forwarding {
+ '': { $sshd_x11_forwarding = 'no' }
+ }
+ case $sshd_agent_forwarding {
+ '': { $sshd_agent_forwarding = 'no' }
+ }
+ case $sshd_challenge_response_authentication {
+ '': { $sshd_challenge_response_authentication = 'no' }
+ }
+ case $sshd_pubkey_authentication {
+ '': { $sshd_pubkey_authentication = 'yes' }
+ }
+ case $sshd_rsa_authentication {
+ '': { $sshd_rsa_authentication = 'no' }
+ }
+ case $sshd_strict_modes {
+ '': { $sshd_strict_modes = 'yes' }
+ }
+ case $sshd_ignore_rhosts {
+ '': { $sshd_ignore_rhosts = 'yes' }
+ }
+ case $sshd_rhosts_rsa_authentication {
+ '': { $sshd_rhosts_rsa_authentication = 'no' }
+ }
+ case $sshd_hostbased_authentication {
+ '': { $sshd_hostbased_authentication = 'no' }
+ }
+ case $sshd_permit_empty_passwords {
+ '': { $sshd_permit_empty_passwords = 'no' }
+ }
+ case $sshd_port {
+ '': { $sshd_port = 22 }
+ }
+ case $sshd_authorized_keys_file {
+ '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
+ }
+ case $sshd_sftp_subsystem {
+ '': { $sshd_sftp_subsystem = '' }
+ }
+ case $sshd_head_additional_options {
+ '': { $sshd_head_additional_options = '' }
+ }
+ case $sshd_tail_additional_options {
+ '': { $sshd_tail_additional_options = '' }
+ }
+ case $sshd_ensure_version {
+ '': { $sshd_ensure_version = "present" }
+ }
- case $operatingsystem {
- gentoo: { include sshd::gentoo }
- redhat,centos: { include sshd::redhat }
- centos: { include sshd::centos }
- openbsd: { include sshd::openbsd }
- debian,ubuntu: { include sshd::debian }
- default: { include sshd::default }
- }
+ include sshd::client
- if $use_nagios {
- if $nagios_check_ssh {
- nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" }
- }
- }
+ case $operatingsystem {
+ gentoo: { include sshd::gentoo }
+ redhat,centos: { include sshd::redhat }
+ centos: { include sshd::centos }
+ openbsd: { include sshd::openbsd }
+ debian,ubuntu: { include sshd::debian }
+ default: { include sshd::default }
+ }
- if $use_shorewall{
- include shorewall::rules::ssh
+ if $use_nagios {
+ case $nagios_check_ssh {
+ 'false': { info("We don't do nagioschecks for ssh on ${fqdn}" ) }
+ default: { nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } }
}
+ }
}
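Review bot: The nagios check command `"ssh_port!$sshd_port"` is built from `$sshd_port` without accounting for the new `'off'` value the templates now accept, so a host that sets `$sshd_port = 'off'` registers a check against a port named "off" rather than the port sshd actually listens on; guard that case before the `nagios::service` line or document that 'off' and the nagios check are mutually exclusive. Two further behavior changes on the new side deserve a sentence in the commit message: the `if $use_shorewall { include shorewall::rules::ssh }` block is removed with no replacement visible in this hunk, so hosts relying on the module for their ssh firewall rule lose it, and the nagios check flips from opt-in (`if $nagios_check_ssh`) to opt-out (`case ... 'false'`), so an unset variable now creates a check; whether a boolean `false` matches the string `'false'` arm depends on the Puppet version's case semantics and should be confirmed. The `"present"` default for `$sshd_ensure_version` also differs from the `'installed'` default used for the client package in client/linux.pp.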
diff --git a/manifests/linux.pp b/manifests/linux.pp
index f659808..a1f4e2a 100644
--- a/manifests/linux.pp
+++ b/manifests/linux.pp
@@ -1,8 +1,8 @@
class sshd::linux inherits sshd::base {
- package{openssh:
- ensure => present,
+ package{openssh:
+ ensure => $sshd_ensure_version,
+ }
+ File[sshd_config]{
+ require +> Package[openssh],
}
- File[sshd_config]{
- require +> Package[openssh],
- }
}
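Review bot: `ensure => $sshd_ensure_version` relies on the variable being defaulted by class `sshd` in init.pp and reaching this class through scoping; if `sshd::linux` or one of its subclasses is ever included without class `sshd`, the value is empty and the package resource fails on an invalid ensure. A comment above the resource, `# $sshd_ensure_version is defaulted in class sshd (init.pp)`, makes that dependency visible to the next maintainer.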
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
index 2d528da..9374e15 100644
--- a/manifests/ssh_authorized_key.pp
+++ b/manifests/ssh_authorized_key.pp
@@ -3,34 +3,40 @@ define sshd::ssh_authorized_key(
$type = 'ssh-dss',
$key,
$user = 'root',
- $target = 'absent',
+ $target = undef,
$options = 'absent'
){
- case $target {
- 'absent': {
- case $user {
- 'root': { $real_target = '/root/.ssh/authorized_keys' }
- default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
- }
- }
- default: {
- $real_target = $target
- }
+ $real_user = $user ? {
+ false => $name,
+ "" => $name,
+ default => $user,
+ }
+
+ case $target {
+ undef: {
+ case $user {
+ 'root': { $real_target = '/root/.ssh/authorized_keys' }
+ default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
+ }
}
- ssh_authorized_key{$name:
- type => $type,
- key => $key,
- user => $user,
- target => $real_target,
+ default: {
+ $real_target = $target
}
+ }
+ ssh_authorized_key{$name:
+ type => $type,
+ key => $key,
+ user => $real_user,
+ target => $real_target,
+ }
- case $options {
- 'absent': { info("not setting any option for ssh_authorized_key: $name") }
- default: {
- Ssh_authorized_key[$name]{
- options => $options,
- }
- }
+ case $options {
+ 'absent': { info("not setting any option for ssh_authorized_key: $name") }
+ default: {
+ Ssh_authorized_key[$name]{
+ options => $options,
+ }
}
+ }
}
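Review bot: `$real_user` is derived from `$user` but the target derivation that follows still switches on `$user`, so when `$user` is empty or false the ssh_authorized_key is created for user `$name` while `$real_target` becomes `"/home//.ssh/authorized_keys"` — the key lands in a path outside the intended user's home directory. Change the two lines to `case $real_user {` and `default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }` so user and target agree. The `define` header with the parameter list begins before this hunk.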
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index fcaf4d6..a253029 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -10,15 +10,20 @@
# possible, but leave them commented. Uncommented options change a
# default value.
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
+<%- end %>
+
<%- unless sshd_port.to_s.empty? then -%>
-Port <%= sshd_port %>
+<%- if sshd_port.to_s == 'off' then -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= sshd_port -%>
+<% end -%>
<%- else -%>
-#Port 22
+Port 22
<%- end -%>
-#Protocol 2,1
-Protocol 2
-#AddressFamily any
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
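Review bot: Dropping the explicit `Protocol 2` line (the removed `-Protocol 2`) hands protocol selection back to the compiled-in default of whatever sshd the host ships, and on older OpenSSH builds that default still permits a protocol 1 fallback; keep `Protocol 2` in the template unless the module only targets releases whose built-in default is protocol 2. Separately, the `'off'` branch emits `#Port -- disabled by puppet`, which does not disable anything: with no `Port` directive sshd listens on its default port unless every `ListenAddress` carries an explicit port, so the line reads better as `#Port -- not set by puppet, sshd default applies` and the init.pp documentation should state what the `'off` value is for. The same `'off'` branch is added in Debian_etch.erb, Debian_lenny.erb, Gentoo.erb and OpenBSD.erb.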
@@ -199,8 +204,6 @@ AllowUsers <%= sshd_allowed_users %>
AllowGroups <%= sshd_allowed_groups %>
<%- end -%>
-
-<%- unless sshd_additional_options.to_s.empty? then -%>
-<%= sshd_additional_options %>
-<%- end -%>
-
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
+<%- end %>
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index 28aa52c..746a447 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -1,9 +1,17 @@
# Package generated configuration file
# See the sshd(8) manpage for details
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
+<%- end %>
+
# What ports, IPs and protocols we listen for
<%- unless sshd_port.to_s.empty? then -%>
+<%- if sshd_port.to_s == 'off' then -%>
+#Port -- disabled by puppet
+<% else -%>
Port <%= sshd_port -%>
+<% end -%>
<%- else -%>
Port 22
<%- end -%>
@@ -131,7 +139,7 @@ KeepAlive yes
#ReverseMappingCheck yes
<%- if sshd_sftp_subsystem.to_s.empty? then %>
-#Subsystem sftp /usr/lib/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
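Review bot: Enabling `Subsystem sftp /usr/lib/openssh/sftp-server` whenever `sshd_sftp_subsystem` is empty turns the previous default of "no sftp subsystem" into "sftp enabled with the Debian package path", which is a change for hosts that had sftp off by virtue of the commented line. If that is intended, the init.pp documentation for `sshd_sftp_subsystem` (which appears to read "Default: empty -> no change of the default") should say that an empty value yields the distribution sftp-server on Debian. The same change is made in Debian_lenny.erb.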
@@ -168,9 +176,9 @@ AllowUsers <%= sshd_allowed_users -%>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
+PrintMotd no
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
<%- end %>
-
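Review bot: `PrintMotd no` is added as a fixed directive while every other directive in these templates is driven by a `sshd_*` variable, so it cannot be overridden per host and its reason is not recorded. If it must stay fixed, a template comment such as `# PrintMotd no: presumably the login stack prints the motd on Debian — confirm` keeps the next maintainer from "fixing" it; the same line is added in Debian_lenny.erb.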
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 8d68808..18f3e4d 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -1,9 +1,17 @@
# Package generated configuration file
# See the sshd(8) manpage for details
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
+<%- end %>
+
# What ports, IPs and protocols we listen for
<%- unless sshd_port.to_s.empty? then -%>
+<%- if sshd_port.to_s == 'off' then -%>
+#Port -- disabled by puppet
+<% else -%>
Port <%= sshd_port -%>
+<% end -%>
<%- else -%>
Port 22
<%- end -%>
@@ -131,7 +139,7 @@ KeepAlive yes
#ReverseMappingCheck yes
<%- if sshd_sftp_subsystem.to_s.empty? then %>
-#Subsystem sftp /usr/lib/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
@@ -174,8 +182,9 @@ AllowUsers <%= sshd_allowed_users -%>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
+PrintMotd no
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
<%- end %>
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 77ed378..2112f0d 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -10,12 +10,20 @@
# possible, but leave them commented. Uncommented options change a
# default value.
-<%- unless sshd_port.to_s.empty? then %>
-Port <%= sshd_port %>
-<%- else %>
-Port 22
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
<%- end %>
+<%- unless sshd_port.to_s.empty? then -%>
+<%- if sshd_port.to_s == 'off' then -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= sshd_port -%>
+<% end -%>
+<%- else -%>
+Port 22
+<%- end -%>
+
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
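Review bot: The new head-options block closes with `<%- end %>` and a bare `+` blank line, while the port block beneath it consistently uses `-%>` to trim the newline, so a rendered sshd_config gains stray empty lines at the top depending on which branches fire. Using `<%- end -%>` for the head block (here, in OpenBSD.erb and in the CentOS.erb head block) keeps the generated file tidy; this is cosmetic only.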
@@ -203,8 +211,8 @@ AllowGroups <%= sshd_allowed_groups %>
<%- end %>
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
<%- end %>
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index a6e0763..69e8afa 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -8,12 +8,20 @@
# possible, but leave them commented. Uncommented options change a
# default value.
-<%- unless sshd_port.to_s.empty? then %>
-Port <%= sshd_port %>
-<%- else %>
-Port 22
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
<%- end %>
+<%- unless sshd_port.to_s.empty? then -%>
+<%- if sshd_port.to_s == 'off' then -%>
+#Port -- disabled by puppet
+<% else -%>
+Port <%= sshd_port -%>
+<% end -%>
+<%- else -%>
+Port 22
+<%- end -%>
+
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
@@ -178,6 +186,6 @@ AllowGroups <%= sshd_allowed_groups %>
# AllowTcpForwarding no
# ForceCommand cvs server
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
<%- end %>