aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--files/.git_placeholder1
-rw-r--r--manifests/init.pp150
-rw-r--r--templates/sshd_config/CentOS_normal.erb18
-rw-r--r--templates/sshd_config/Debian_normal.erb21
-rw-r--r--templates/sshd_config/Gentoo_normal.erb21
-rw-r--r--templates/sshd_config/OpenBSD_normal.erb21
6 files changed, 164 insertions, 68 deletions
diff --git a/files/.git_placeholder b/files/.git_placeholder
new file mode 100644
index 0000000..89cb1fe
--- /dev/null
+++ b/files/.git_placeholder
@@ -0,0 +1 @@
+# file needed for git - don't remove it
diff --git a/manifests/init.pp b/manifests/init.pp
index b040e75..4539dd6 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,8 +1,48 @@
-# modules/ssh/manifests/init.pp - manage ssh stuff
-# Copyright (C) 2007 admin@immerda.ch
#
-
-#modules_dir { "sshd": }
+# ssh module
+#
+# Copyright 2008, admin(at)immerda.ch
+# Copyright 2008, Puzzle ITC GmbH
+# Marcel Härry haerry+puppet(at)puzzle.ch
+# Simon Josi josi+puppet(at)puzzle.ch
+#
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of the GNU
+# General Public License version 3 as published by
+# the Free Software Foundation.
+#
+# Deploy authorized_keys file with the define
+# sshd::deploy_auth_key
+#
+# shdd-config:
+#
+# The configuration of the sshd is rather strict and
+# might not fit all needs. However there are a bunch
+# of variables, which you might consider to configure.
+# Checkout the following:
+#
+# sshd_allowed_users: list of usernames separated by spaces.
+# set this for example to "foobar root"
+# to ensure that only user foobar and root
+# might login.
+# Default: empty -> no restriction is set
+#
+# sshd_use_pam: if you want to use pam or not for authenticaton
+# Values: no or yes.
+# Default: no
+#
+# sshd_permit_root_login: If you want to allow root logins or not.
+# Valid values: yes, no, without-password, forced-commands-only
+# Default: without-password
+#
+# sshd_password_authentication: If you want to enable password authentication or not
+# Valid values: yes or no
+# Default: no
+#
+# sshd_x11_forwarding: If you want to enable x11 forwarding
+# Valid Values: yes or no
+# Default: no
+#
class sshd {
case $operatingsystem {
@@ -18,14 +58,26 @@ class sshd {
class sshd::base {
- $real_sshd_config_source = $sshd_config_source ? {
- '' => "sshd/sshd_config/${operatingsystem}_normal.erb",
- default => $source,
- }
-
+ # prepare variables to use in templates
$real_sshd_allowed_users = $sshd_allowed_users ? {
- '' => 'root',
- default => $sshd_allowed_users,
+ '' => '',
+ default => $sshd_allowed_users
+ }
+ $real_sshd_use_pam = $sshd_use_pam ? {
+ '' => 'no',
+ default => $sshd_use_pam
+ }
+ $real_sshd_permit_root_login = $sshd_permit_root_login ? {
+ '' => 'without-password',
+ default => $sshd_permit_root_login
+ }
+ $real_sshd_password_authentication = $sshd_password_authentication ? {
+ '' => 'no',
+ default => $sshd_password_authentication
+ }
+ $real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
+ '' => 'no',
+ default => $sshd_x11_forwarding
}
file { 'sshd_config':
@@ -33,17 +85,24 @@ class sshd::base {
owner => root,
group => 0,
mode => 600,
- content => template("${real_sshd_config_source}"),
+ content => template("sshd/sshd_config/${operatingsystem}_normal.erb"),
+ notify => Service[sshd],
}
+ service{'sshd':
+ name => 'sshd',
+ enable => true,
+ ensure => running,
+ hasstatus => true,
+ require => File[sshd_config],
+ }
}
class sshd::linux inherits sshd::base {
package{openssh:
ensure => present,
}
- include sshd::service
File[sshd_config]{
- notify => Service[sshd],
+ require +> Package[openssh],
}
}
@@ -57,6 +116,10 @@ class sshd::debian inherits sshd::linux {
Package[openssh]{
name => 'openssh-server',
}
+ Service[sshd]{
+ name => 'ssh',
+ hasstatus => false,
+ }
}
class sshd::ubuntu inherits sshd::debian {}
@@ -68,77 +131,42 @@ class sshd::redhat inherits sshd::linux {
class sshd::centos inherits sshd::redhat {}
class sshd::openbsd inherits sshd::base {
- exec{sshd_refresh:
- command => "/bin/kill -HUP `/bin/cat /var/run/sshd.pid`",
- refreshonly => true,
- }
- File[sshd_config]{
- notify => Exec[sshd_refresh],
- }
-}
-
-### service stuff
-class sshd::service {
- case $operatingsystem {
- debian: { include sshd::service::debian }
- ubuntu: { include sshd::service::ubuntu }
- default: { include sshd::service::base }
- }
-}
-
-class sshd::service::base {
- service{'sshd':
- name => 'sshd',
- enable => true,
- ensure => running,
- hasstatus => true,
- require => Package[openssh],
- }
-}
-
-class sshd::service::debian inherits sshd::service::base {
Service[sshd]{
- name => 'ssh',
+ restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
+ stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
+ start => '/usr/sbin/sshd',
hasstatus => false,
}
}
-class sshd::service::ubuntu inherits sshd::service::debian {}
### defines
define sshd::deploy_auth_key(
- $source = '',
$user = 'root',
$target_dir = '/root/.ssh/',
- $group = '' ) {
+ $group = 0 ) {
$real_target = $target_dir ? {
'' => "/home/$user/.ssh/",
default => $target_dir,
}
- $real_group = $group ? {
- '' => 0,
- default => $group,
- }
-
- $real_source = $source ? {
- '' => [ "puppet://$server/files/sshd/authorized_keys/${name}",
- "puppet://$server/sshd/authorized_keys/${name}" ],
- default => "puppet://$server/$source",
- }
-
file {$real_target:
ensure => directory,
owner => $user,
- group => $real_group,
+ group => $group,
mode => 700,
}
file {"authorized_keys_${user}":
path => "$real_target/authorized_keys",
owner => $user,
- group => $real_group,
+ group => $group,
mode => 600,
- source => $real_source,
+ source => [ "puppet://$server/files/sshd/authorized_keys/${name}",
+ "puppet://$server/files/sshd/authorized_keys/${fqdn}",
+ "puppet://$server/files/sshd/authorized_keys/default",
+ "puppet://$server/sshd/authorized_keys/${name}",
+ "puppet://$server/sshd/authorized_keys/${fqdn}",
+ "puppet://$server/sshd/authorized_keys/default" ],
}
}
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index 739d43b..a14120f 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -36,7 +36,11 @@ SyslogFacility AUTHPRIV
# Authentication:
#LoginGraceTime 2m
+<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- else %>
PermitRootLogin without-password
+<%- end %>
#StrictModes yes
#MaxAuthTries 6
@@ -55,7 +59,11 @@ PermitRootLogin without-password
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+PasswordAuthentication yes
+<%- else %>
PasswordAuthentication no
+<%- end %>
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -83,7 +91,11 @@ GSSAPICleanupCredentials yes
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
+<%- if real_sshd_use_pam.to_s == 'yes' then %>
+UsePAM yes
+<%- else %>
UsePAM no
+<%- end %>
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@@ -92,7 +104,11 @@ AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+X11Forwarding yes
+<%- else %>
X11Forwarding no
+<%- end %>
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
@@ -115,4 +131,6 @@ X11Forwarding no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
+<%- unless real_sshd_allowed_users.to_s.empty? then %>
AllowUsers <%= real_sshd_allowed_users %>
+<%- end %>
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index 746cc0b..c969836 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -2,7 +2,7 @@
# See the sshd(8) manpage for defails
# What ports, IPs and protocols we listen for
-Port 22
+# Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
@@ -27,7 +27,11 @@ LogLevel INFO
# Authentication:
LoginGraceTime 600
+<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- else %>
PermitRootLogin without-password
+<%- end %>
StrictModes yes
RSAAuthentication yes
@@ -52,8 +56,11 @@ PermitEmptyPasswords no
#ChallengeResponseAuthentication no
# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+PasswordAuthentication yes
+<%- else %>
PasswordAuthentication no
-
+<%- end %>
# To change Kerberos options
#KerberosAuthentication no
@@ -64,7 +71,11 @@ PasswordAuthentication no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+X11Forwarding yes
+<%- else %>
X11Forwarding no
+<%- end %>
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
@@ -77,11 +88,17 @@ KeepAlive yes
#Subsystem sftp /usr/lib/sftp-server
+<%- if real_sshd_use_pam.to_s == 'yes' then %>
+UsePAM yes
+<%- else %>
UsePAM no
+<%- end %>
HostbasedUsesNameFromPacketOnly yes
AllowTcpForwarding yes
ChallengeResponseAuthentication no
+<%- unless real_sshd_allowed_users.to_s.empty? then %>
AllowUsers <%= real_sshd_allowed_users %>
+<%- end %>
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index be78eb9..aa98ae8 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -40,6 +40,11 @@ Protocol 2
#LoginGraceTime 2m
PermitRootLogin without-password
#StrictModes yes
+<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- else %>
+PermitRootLogin without-password
+<%- end %>
#MaxAuthTries 6
#RSAAuthentication yes
@@ -57,7 +62,11 @@ PermitRootLogin without-password
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+PasswordAuthentication yes
+<%- else %>
PasswordAuthentication no
+<%- end %>
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -84,11 +93,19 @@ PasswordAuthentication no
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
+<%- if real_sshd_use_pam.to_s == 'yes' then %>
+UsePAM yes
+<%- else %>
UsePAM no
+<%- end %>
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+X11Forwarding yes
+<%- else %>
+X11Forwarding no
+<%- end %>
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
@@ -117,4 +134,6 @@ Subsystem sftp /usr/lib/misc/sftp-server
# AllowTcpForwarding no
# ForceCommand cvs server
+<%- unless real_sshd_allowed_users.to_s.empty? then %>
AllowUsers <%= real_sshd_allowed_users %>
+<%- end %>
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index dbf18c8..0b84d25 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -8,8 +8,7 @@
# possible, but leave them commented. Uncommented options change a
# default value.
-Port 22
-Port 2222
+#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
@@ -33,7 +32,11 @@ Port 2222
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin yes
+<%- unless real_sshd_permit_root_login.to_s.empty? then %>
+PermitRootLogin <%= real_sshd_permit_root_login %>
+<%- else %>
+PermitRootLogin without-password
+<%- end %>
#StrictModes yes
#MaxAuthTries 6
@@ -52,7 +55,11 @@ Port 2222
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
+<%- if real_sshd_password_authentication.to_s == 'yes' then %>
+PasswordAuthentication yes
+<%- else %>
PasswordAuthentication no
+<%- end %>
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -70,7 +77,11 @@ PasswordAuthentication no
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+<%- if real_sshd_x11_forwarding.to_s == 'yes' then %>
+X11Forwarding yes
+<%- else %>
+X11Forwarding no
+<%- end %>
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
@@ -93,7 +104,9 @@ PasswordAuthentication no
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+<%- unless real_sshd_allowed_users.to_s.empty? then %>
AllowUsers <%= real_sshd_allowed_users %>
+<%- end %>
# Example of overriding settings on a per-user basis
#Match User anoncvs