aboutsummaryrefslogtreecommitdiff
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/init.pp130
1 files changed, 123 insertions, 7 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 95682fd..2a4c449 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,6 +1,7 @@
#
# ssh module
#
+# Copyright 2008, micah@riseup.net
# Copyright 2008, admin(at)immerda.ch
# Copyright 2008, Puzzle ITC GmbH
# Marcel Härry haerry+puppet(at)puzzle.ch
@@ -16,10 +17,23 @@
#
# sshd-config:
#
-# The configuration of the sshd is rather strict and
-# might not fit all needs. However there are a bunch
-# of variables, which you might consider to configure.
-# Checkout the following:
+# The configuration of the sshd is rather strict and might not fit all
+# needs. However there are a bunch of variables, which you might
+# consider configuring.
+#
+# To set any of the following, simply set them as variables in your manifests
+# before the class is included, for example:
+#
+# $sshd_listen_address = ['10.0.0.1 192.168.0.1']
+# $sshd_use_pam = yes
+# include sshd::debian
+#
+# The following is a list of the currently available variables:
+#
+# sshd_listen_address: specify the addresses sshd should listen on
+# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
+# addresses, or leave it unset to listen on all
+# Default: empty -> results in listening on 0.0.0.0
#
# sshd_allowed_users: list of usernames separated by spaces.
# set this for example to "foobar root"
@@ -38,11 +52,54 @@
# sshd_password_authentication: If you want to enable password authentication or not
# Valid values: yes or no
# Default: no
+#
+# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
+# When disabled, s/key passowords are disabled
+# Valid values: yes or no
+# Default: no
#
+# sshd_tcp_forwarding: If you want to enable TcpForwarding
+# Valid Values: yes or no
+# Default: no
+#
# sshd_x11_forwarding: If you want to enable x11 forwarding
# Valid Values: yes or no
# Default: no
#
+# sshd_agent_forwarding: If you want to allow ssh-agent forwarding
+# Valid Values: yes or no
+# Default: no
+#
+# sshd_pubkey_authentication: If you want to enable public key authentication
+# Valid Values: yes or no
+# Default: yes
+#
+# sshd_rsa_authentication: If you want to enable RSA Authentication
+# Valid Values: yes or no
+# Default: no
+#
+# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
+# Valid Values: yes or no
+# Default: no
+#
+# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
+# Valid Values: yes or no
+# Default: no
+#
+# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
+# Valid Values: yes or no
+# Default: yes
+#
+# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords
+# Valid Values: yes or no
+# Default: no
+#
+# sshd_port: If you want to specify a different port than the default 22
+# Default: 22
+#
+# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
+# Default: AuthorizedKeysFile %h/.ssh/authorized_keys
+#
class sshd {
include sshd::client
@@ -60,7 +117,11 @@ class sshd {
class sshd::base {
- # prepare variables to use in templates
+ # prepare variables to use in templates
+ $real_sshd_listen_address = $sshd_listen_address ? {
+ '' => [ '0.0.0.0', '::' ],
+ default => $sshd_listen_address
+ }
$real_sshd_allowed_users = $sshd_allowed_users ? {
'' => '',
default => $sshd_allowed_users
@@ -77,17 +138,68 @@ class sshd::base {
'' => 'no',
default => $sshd_password_authentication
}
+ $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
+ '' => 'no',
+ default => $sshd_tcp_forwarding
+ }
$real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
'' => 'no',
default => $sshd_x11_forwarding
}
-
+ $real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
+ '' => 'no',
+ default => $sshd_agent_forwarding
+ }
+ $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
+ '' => 'no',
+ default => $sshd_challenge_response_authentication
+ }
+ $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
+ '' => 'yes',
+ default => $sshd_pubkey_authentication
+ }
+ $real_sshd_rsa_authentication = $sshd_rsa_authentication ? {
+ '' => 'no',
+ default => $sshd_rsa_authentication
+ }
+ $real_sshd_strict_modes = $sshd_strict_modes ? {
+ '' => 'yes',
+ default => $sshd_strict_modes
+ }
+ $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
+ '' => 'yes',
+ default => $sshd_ignore_rhosts
+ }
+ $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
+ '' => 'no',
+ default => $sshd_rhosts_rsa_authentication
+ }
+ $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
+ '' => 'no',
+ default => $sshd_hostbased_authentication
+ }
+ $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
+ '' => 'no',
+ default => $sshd_permit_empty_passwords
+ }
+ $real_sshd_port = $sshd_port ? {
+ '' => 22,
+ default => $sshd_port
+ }
+ $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? {
+ '' => "%h/.ssh/authorized_keys",
+ default => $sshd_authorized_keys_file
+ }
+
file { 'sshd_config':
path => '/etc/ssh/sshd_config',
owner => root,
group => 0,
mode => 600,
- content => template("sshd/sshd_config/${operatingsystem}_normal.erb"),
+ content => $lsbdistcodename ? {
+ '' => template("sshd/sshd_config/${operatingsystem}.erb"),
+ default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+ },
notify => Service[sshd],
}
# Now add the key, if we've got one
@@ -127,6 +239,10 @@ class sshd::gentoo inherits sshd::linux {
}
class sshd::debian inherits sshd::linux {
+
+ # the templates for Debian need lsbdistcodename
+ include assert_lsbdistcodename
+
Package[openssh]{
name => 'openssh-server',
}