diff options
Diffstat (limited to 'README')
| -rw-r--r-- | README | 246 |
1 files changed, 0 insertions, 246 deletions
@@ -1,246 +0,0 @@ -Introduction -============ - -This puppet module manages OpenSSH configuration and services. - -!! Upgrade Notice (01/2013) !! - -This module now uses parameterized classes, where it used global variables -before. So please whatch out before pulling, you need to change the -class declarations in your manifest ! - - -Dependencies ------------- - -This module requires puppet => 2.6, and the following modules are required -pre-dependencies: - -- shared-common: git://labs.riseup.net/shared-common -- shared-lsb: git://labs.riseup.net/shared-lsb - -OpenSSH Server -============== - -On a node where you wish to have an openssh server installed, you should -'include sshd' on that node. If you need to configure any aspects of -sshd_config, set the variables before the include. See 'Configurable Variables' -below for what you can set. - -Nagios ------- - -To have nagios checks setup automatically for sshd services, simply set -manage_nagios to true for that class. If you want to disable ssh -nagios checking for a particular node (such as when ssh is firewalled), then you -can set the class parameter nagios_check_ssh to false and that node will not bei -monitored. - -Nagios will automatically check the ports defined in $sshd::ports, and the -hostname specified by $nagios_check_ssh_hostname. - -NOTE: this requires that you are using the shared-nagios puppet module which -supports the nagios native types via nagios::service: -git://labs.riseup.net/shared-nagios - -Firewall --------- - -If you wish to have firewall rules setup automatically for you, using shorewall, -you will need to set: $use_shorewall = true. The $sshd_ports that you have -specified will automatically be used. - -NOTE: This requires that you are using the shared-shorewall puppet module: -git://labs.riseup.net/shared-shorewall - - -Configurable variables ----------------------- - -Configuration of sshd is strict, and may not fit all needs, however there are a -number of variables that you can consider configuring. The defaults are set to -the distribution shipped sshd_config file defaults. - -To set any of these variables, simply set them as variables in your manifests, -before the class is included, for example: - - $sshd_listen_address = ['10.0.0.1 192.168.0.1'] - $sshd_use_pam = yes - include sshd - -If you need to install a version of the ssh daemon or client package other than -the default one that would be installed by 'ensure => installed', then you can -set the following variables: - - $sshd_ensure_version = "1:5.2p2-6" - $ssh_ensure_version = "1:5.2p2-6" - -The following is a list of the currently available variables: - - $sshd_listen_address - specify the addresses sshd should listen on set this to ['10.0.0.1 - 192.168.0.1'] to have it listen on both addresses, or leave it unset to - listen on all Default: empty -> results in listening on 0.0.0.0 - - $sshd_allowed_users - list of usernames separated by spaces. set this for example to "foobar - root" to ensure that only user foobar and root might login. Default: empty - -> no restriction is set - - $sshd_allowed_groups - list of groups separated by spaces. set this for example to "wheel sftponly" - to ensure that only users in the groups wheel and sftponly might login. - Default: empty -> no restriction is set Note: This is set after - sshd_allowed_users, take care of the behaviour if you use these 2 options - together. - - $sshd_use_pam - if you want to use pam or not for authenticaton. Values: no or yes; Default: - no - - $sshd_permit_root_login - If you want to allow root logins or not. Valid values: yes, no, - without-password, forced-commands-only; Default: without-password - - $sshd_password_authentication - If you want to enable password authentication or not. Valid values: yes or - no; Default: no - - $sshd_kerberos_authentication - If you want the password that is provided by the user to be validated - through the Kerberos KDC. To use this option the server needs a Kerberos - servtab which allows the verification of the KDC's identity. Valid values: - yes or no; Default: no - - $sshd_kerberos_orlocalpasswd - If password authentication through Kerberos fails, then the password will be - validated via any additional local mechanism. Valid values: yes or no; - Default: yes - - $sshd_kerberos_ticketcleanup - Destroy the user's ticket cache file on logout? Valid values: yes or no; - Default: yes - - $sshd_gssapi_authentication - Authenticate users based on GSSAPI? Valid values: yes or no; Default: no - - $sshd_gssapi_cleanupcredentials - Destroy user's credential cache on logout? Valid values: yes or no; Default: - yes - - $sshd_challenge_response_authentication - If you want to enable ChallengeResponseAuthentication or not When disabled, - s/key passowords are disabled Valid values: yes or no; Default: no - - $sshd_tcp_forwarding - If you want to enable TcpForwarding. Valid Values: yes or no; Default: no - - $sshd_x11_forwarding - If you want to enable x11 forwarding. Valid Values: yes or no; Default: no - - $sshd_agent_forwarding - If you want to allow ssh-agent forwarding. Valid Values: yes or no; Default: - no - - $sshd_pubkey_authentication - If you want to enable public key authentication. Valid Values: yes or no; - Default: yes - - $sshd_rsa_authentication - If you want to enable RSA Authentication. Valid Values: yes or no; Default: - no - - $sshd_rhosts_rsa_authentication - If you want to enable rhosts RSA Authentication. Valid Values: yes or no; - Default: no - - $sshd_hostbased_authentication - If you want to enable HostbasedAuthentication. Valid Values: yes or no; - Default: no - - $sshd_strict_modes - If you want to set StrictModes (check file modes/ownership before accepting - login). Valid Values: yes or no; Default: yes - - $sshd_permit_empty_passwords - If you want enable PermitEmptyPasswords to allow empty passwords. Valid - Values: yes or no; Default: no - - $sshd_port - Deprecated, use sshd_ports instead. - - $sshd_ports - If you want to specify a list of ports other than the default 22; Default: - [22] - - $sshd_authorized_keys_file - Set this to the location of the AuthorizedKeysFile - (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile - %h/.ssh/authorized_keys - - $sshd_hardened_ssl - Use only strong SSL ciphers and MAC. - Values: no or yes; Default: no. - - $sshd_print_motd - Show the Message of the day when a user logs in. - - $sshd_sftp_subsystem - Set a different sftp-subystem than the default one. Might be interesting for - sftponly usage. Default: empty -> no change of the default - - $sshd_head_additional_options - Set this to any additional sshd_options which aren't listed above. Anything - set here will be added to the beginning of the sshd_config file. This option - might be useful to define complicated Match Blocks. This string is going to - be included, like it is defined. So take care! Default: empty -> not added. - - $sshd_tail_additional_options - - Set this to any additional sshd_options which aren't listed above. Anything - set here will be added to the end of the sshd_config file. This option might - be useful to define complicated Match Blocks. This string is going to be - included, like it is defined. So take care! Default: empty -> not added. - - $sshd_shared_ip - Whether the server uses a shared network IP address. If it does, then we - don't want it to export an rsa key for its IP address. - Values: no or yes; Default: no - - -Defines and functions ---------------------- - -Deploy authorized_keys file with the define sshd::ssh_authorized_key. - -Generate a public/private keypair with the ssh_keygen function. For example, the -following will generate ssh keys and put the different parts of the key into -variables: - -$ssh_keys = ssh_keygen("${$ssh_key_basepath}/backup/keys/${::fqdn}/${backup_host}") -$public_key = split($ssh_keys[1],' ') -$sshkey_type => $public_key[0] -$sshkey => $public_key[1] - - -Client -====== - -On a node where you wish to have the ssh client managed, you can do 'include -sshd::client' in the node definition. This will install the appropriate package. - - -License -======= - -# Copyright 2008-2011, Riseup Labs micah@riseup.net -# Copyright 2008, admin(at)immerda.ch -# Copyright 2008, Puzzle ITC GmbH -# Marcel Härry haerry+puppet(at)puzzle.ch -# Simon Josi josi+puppet(at)puzzle.ch -# -# This program is free software; you can redistribute -# it and/or modify it under the terms of the GNU -# General Public License version 3 as published by -# the Free Software Foundation. -# |