Diffstat (limited to 'manifests/init.pp')
| -rw-r--r-- | manifests/init.pp | 186 | 
1 files changed, 4 insertions, 182 deletions
| diff --git a/manifests/init.pp b/manifests/init.pp
index 04484ca..cece69e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -123,198 +123,20 @@ class sshd {
     case $operatingsystem {
         gentoo: { include sshd::gentoo }
-        redhat: { include sshd::redhat }
+        redhat,centos: { include sshd::redhat }
         centos: { include sshd::centos }
         openbsd: { include sshd::openbsd }
-        debian: { include sshd::debian }
-        ubuntu: { include sshd::ubuntu }
+        debian,ubuntu: { include sshd::debian }
         default: { include sshd::default }
     }
-}
-
-class sshd::base {
-    # prepare variables to use in templates
-    case $sshd_listen_address {
-      '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
-    }
-    case $sshd_allowed_users {
-        '': { $sshd_allowed_users = '' }
-    }
-    case $sshd_allowed_groups {
-      '': { $sshd_allowed_groups = '' }
-    }
-    case $sshd_use_pam {
-        '': { $sshd_use_pam = 'no' }
-    }
-    case $sshd_permit_root_login {
-        '': { $sshd_permit_root_login = 'without-password' }
-    }
-    case $sshd_password_authentication {
-        '': { $sshd_password_authentication = 'no' }
-    }
-    case $sshd_tcp_forwarding {
-    	'': { $sshd_tcp_forwarding = 'no' }
-    }
-    case $sshd_x11_forwarding {
-        '': { $sshd_x11_forwarding = 'no' }
-    }
-    case $sshd_agent_forwarding {
-    	'': { $sshd_agent_forwarding = 'no' }
-    }
-    case $sshd_challenge_response_authentication {
-        '': { $sshd_challenge_response_authentication = 'no' }
-    }
-    case $sshd_pubkey_authentication {
-    	'': { $sshd_pubkey_authentication = 'yes' }
-    }
-    case $sshd_rsa_authentication {
-    	'': { $sshd_rsa_authentication = 'no' }
-    }
-    case $sshd_strict_modes {
-    	'': { $sshd_strict_modes = 'yes' }
-    }
-    case $sshd_ignore_rhosts {
-        '': { $sshd_ignore_rhosts = 'yes' }
-    }
-    case $sshd_rhosts_rsa_authentication {
-    	'': { $sshd_rhosts_rsa_authentication = 'no' }
-    }
-    case $sshd_hostbased_authentication {
-    	'': { $sshd_hostbased_authentication = 'no' }
-    }
-    case $sshd_permit_empty_passwords {
-    	'': { $sshd_permit_empty_passwords = 'no' }
-    }
-    case $sshd_port {
-      '': { $sshd_port = 22 }
-    }
-    case $sshd_authorized_keys_file {
-      '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
-    }
-    case $sshd_sftp_subsystem {
-        '': { $sshd_sftp_subsystem = '' }
-    }
-    case $sshd_additional_options {
-        '': { $sshd_additional_options = '' }
-    }
-      
-    file { 'sshd_config':
-        path => '/etc/ssh/sshd_config',
-        owner => root,
-        group => 0,
-        mode => 600,
-        content => $lsbdistcodename ? {
-          '' => template("sshd/sshd_config/${operatingsystem}.erb"),
-          default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
-        },
-        notify => Service[sshd],
-    }
-    # Now add the key, if we've got one
-    case $sshrsakey_key {
-        '': { info("no sshrsakey on $fqdn") }
-        default: {
-            @@sshkey{"$hostname.$domain":
-                type => ssh-rsa,
-                key => $sshrsakey_key,
-                ensure => present,
-            }
-        }
-    }
-    service{'sshd':
-        name => 'sshd',
-        enable => true,
-        ensure => running,
-        hasstatus => true,
-		require => File[sshd_config],
-    }
     if $use_nagios {
         if $nagios_check_ssh {
             nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" }
         }
     }
-}
-
-class sshd::linux inherits sshd::base {
-    package{openssh:
-	    ensure => present,
-	}
-    File[sshd_config]{
-        require +> Package[openssh],
-    }
-}
-
-class sshd::gentoo inherits sshd::linux {
-    Package[openssh]{
-        category => 'net-misc',
-    }
-}
-
-class sshd::debian inherits sshd::linux {
-
-  # the templates for Debian need lsbdistcodename
-  include assert_lsbdistcodename
-  
-    Package[openssh]{
-        name => 'openssh-server',
-    }
-    Service[sshd]{
-        name => 'ssh',
-        hasstatus => false,
-    }
-}
-class sshd::ubuntu inherits sshd::debian {}
-
-class sshd::redhat inherits sshd::linux {
-    Package[openssh]{
-        name => 'openssh-server',
-    }
-}
-class sshd::centos inherits sshd::redhat {}
-
-class sshd::openbsd inherits sshd::base {
-    Service[sshd]{
-        restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
-	    stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
-        start => '/usr/sbin/sshd',
-        hasstatus => false,
-    }
-}
-
-### defines 
-# wrapper to have some defaults.
-define sshd::ssh_authorized_key(
-    $type = 'ssh-dss',
-    $key,
-    $user = 'root',
-    $target = 'absent',
-    $options = 'absent'
-){
-
-    case $target {
-        'absent': { 
-            case $user {
-                'root': { $real_target = '/root/.ssh/authorized_keys' }
-                default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
-            }
-        }
-        default: {
-            $real_target = $target
-        }
-    }
-    ssh_authorized_key{$name:
-        type => $type,
-        key => $key,
-        user => $user,
-        target => $real_target,
-    }
-    case $options {
-        'absent': { info("not setting any option for ssh_authorized_key: $name") }
-        default: {
-            Ssh_authorized_key[$name]{
-                options => $options,
-            }
-        }
+    if $use_shorewall{
+      include shorewall::rules::ssh
     }
 } |
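Review bot: The `centos: { include sshd::centos }` option that survives in the case statement is now unreachable, because the new `redhat,centos: { include sshd::redhat }` option directly above it already matches centos and Puppet's case takes the first matching option; since this hunk also deletes `class sshd::centos inherits sshd::redhat {}`, the dead branch should be dropped rather than left pointing at a class that no longer exists in this file. The hardening defaults removed here (`PermitRootLogin without-password`, `PasswordAuthentication no`, `PermitEmptyPasswords no`, `StrictModes yes`, and the rest of `sshd::base`) are not re-established by anything visible on the new side; the diffstat is limited to `manifests/init.pp`, so they have presumably moved to separate class files, but that is worth confirming before merging, as a missing default here silently falls back to the distribution's sshd_config. A minor style point: `if $use_shorewall{` should read `if $use_shorewall {` to match `if $use_nagios {` a few lines up. The enclosing `class sshd {` opens before this hunk.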
