diff options
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/init.pp | 338 |
1 files changed, 181 insertions, 157 deletions
diff --git a/manifests/init.pp b/manifests/init.pp index 43e007c..0f0cb19 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -119,191 +119,215 @@ # Default: empty -> not added. class sshd { - include sshd::client - - case $operatingsystem { - gentoo: { include sshd::gentoo } - redhat: { include sshd::redhat } - centos: { include sshd::centos } - openbsd: { include sshd::openbsd } - debian: { include sshd::debian } - ubuntu: { include sshd::ubuntu } - default: { include sshd::default } - } + include sshd::client + + case $operatingsystem { + gentoo: { include sshd::gentoo } + redhat: { include sshd::redhat } + centos: { include sshd::centos } + openbsd: { include sshd::openbsd } + debian: { include sshd::debian } + ubuntu: { include sshd::ubuntu } + default: { include sshd::default } + } } class sshd::base { - # prepare variables to use in templates - case $sshd_listen_address { - '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } - } - case $sshd_allowed_users { - '': { $sshd_allowed_users = '' } - } - case $sshd_allowed_groups { - '': { $sshd_allowed_groups = '' } - } - case $sshd_use_pam { - '': { $sshd_use_pam = 'no' } - } - case $sshd_permit_root_login { - '': { $sshd_permit_root_login = 'without-password' } - } - case $sshd_password_authentication { - '': { $sshd_password_authentication = 'no' } - } - case $sshd_tcp_forwarding { - '': { $sshd_tcp_forwarding = 'no' } - } - case $sshd_x11_forwarding { - '': { $sshd_x11_forwarding = 'no' } - } - case $sshd_agent_forwarding { - '': { $sshd_agent_forwarding = 'no' } - } - case $sshd_challenge_response_authentication { - '': { $sshd_challenge_response_authentication = 'no' } - } - case $sshd_pubkey_authentication { - '': { $sshd_pubkey_authentication = 'yes' } - } - case $sshd_rsa_authentication { - '': { $sshd_rsa_authentication = 'no' } - } - case $sshd_strict_modes { - '': { $sshd_strict_modes = 'yes' } - } - case $sshd_ignore_rhosts { - '': { $sshd_ignore_rhosts = 'yes' } - } - case $sshd_rhosts_rsa_authentication { - '': { $sshd_rhosts_rsa_authentication = 'no' } - } - case $sshd_hostbased_authentication { - '': { $sshd_hostbased_authentication = 'no' } - } - case $sshd_permit_empty_passwords { - '': { $sshd_permit_empty_passwords = 'no' } - } - case $sshd_port { - '': { $sshd_port = 22 } - } - case $sshd_authorized_keys_file { - '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } - } - case $sshd_sftp_subsystem { - '': { $sshd_sftp_subsystem = '' } - } - case $sshd_additional_options { - '': { $sshd_additional_options = '' } - } - - file { 'sshd_config': - path => '/etc/ssh/sshd_config', - owner => root, - group => 0, - mode => 600, - content => $lsbdistcodename ? { - '' => template("sshd/sshd_config/${operatingsystem}.erb"), - default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), - }, - notify => Service[sshd], - } - # Now add the key, if we've got one - case $sshrsakey_key { - '': { info("no sshrsakey on $fqdn") } - default: { - @@sshkey{"$hostname.$domain": - type => ssh-rsa, - key => $sshrsakey_key, - ensure => present, - } - } - } - service{'sshd': - name => 'sshd', - enable => true, - ensure => running, - hasstatus => true, - require => File[sshd_config], - } - if $use_nagios { - case $nagios_check_ssh { - 'false': { info("We don't do nagioschecks for ssh on ${fqdn}" ) } - default: { nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } } - } + # prepare variables to use in templates + case $sshd_listen_address { + '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } + } + case $sshd_allowed_users { + '': { $sshd_allowed_users = '' } + } + case $sshd_allowed_groups { + '': { $sshd_allowed_groups = '' } + } + case $sshd_use_pam { + '': { $sshd_use_pam = 'no' } + } + case $sshd_permit_root_login { + '': { $sshd_permit_root_login = 'without-password' } + } + case $sshd_password_authentication { + '': { $sshd_password_authentication = 'no' } + } + case $sshd_tcp_forwarding { + '': { $sshd_tcp_forwarding = 'no' } + } + case $sshd_x11_forwarding { + '': { $sshd_x11_forwarding = 'no' } + } + case $sshd_agent_forwarding { + '': { $sshd_agent_forwarding = 'no' } + } + case $sshd_challenge_response_authentication { + '': { $sshd_challenge_response_authentication = 'no' } + } + case $sshd_pubkey_authentication { + '': { $sshd_pubkey_authentication = 'yes' } + } + case $sshd_rsa_authentication { + '': { $sshd_rsa_authentication = 'no' } + } + case $sshd_strict_modes { + '': { $sshd_strict_modes = 'yes' } + } + case $sshd_ignore_rhosts { + '': { $sshd_ignore_rhosts = 'yes' } + } + case $sshd_rhosts_rsa_authentication { + '': { $sshd_rhosts_rsa_authentication = 'no' } + } + case $sshd_hostbased_authentication { + '': { $sshd_hostbased_authentication = 'no' } + } + case $sshd_permit_empty_passwords { + '': { $sshd_permit_empty_passwords = 'no' } + } + case $sshd_port { + '': { $sshd_port = 22 } + } + case $sshd_authorized_keys_file { + '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } + } + case $sshd_sftp_subsystem { + '': { $sshd_sftp_subsystem = '' } + } + case $sshd_additional_options { + '': { $sshd_additional_options = '' } + } + + file { 'sshd_config': + path => '/etc/ssh/sshd_config', + owner => root, + group => 0, + mode => 600, + content => $lsbdistcodename ? { + '' => template("sshd/sshd_config/${operatingsystem}.erb"), + default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), + }, + notify => Service[sshd], + } + # Now add the key, if we've got one + case $sshrsakey_key { + '': { info("no sshrsakey on $fqdn") } + default: { + @@sshkey{"$hostname.$domain": + type => ssh-rsa, + key => $sshrsakey_key, + ensure => present, + } + } + } + service{'sshd': + name => 'sshd', + enable => true, + ensure => running, + hasstatus => true, + require => File[sshd_config], + } + + if $use_nagios { + case $nagios_check_ssh { + 'false': { info("We don't do nagioschecks for ssh on ${fqdn}" ) } + default: { nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } } } + } } class sshd::linux inherits sshd::base { - package{openssh: - ensure => present, - } - File[sshd_config]{ - require +> Package[openssh], - } + package{openssh: + ensure => present, + } + File[sshd_config]{ + require +> Package[openssh], + } } class sshd::gentoo inherits sshd::linux { - Package[openssh]{ - category => 'net-misc', - } + Package[openssh]{ + category => 'net-misc', + } } class sshd::debian inherits sshd::linux { - + # the templates for Debian need lsbdistcodename include assert_lsbdistcodename - Package[openssh]{ - name => 'openssh-server', - } - Service[sshd]{ - name => 'ssh', - hasstatus => false, - } + Package[openssh]{ + name => 'openssh-server', + } + + $sshd_restartandstatus = $lsbdistcodename ? { + etch => false, + lenny => true, + default => false + } + + Service[sshd]{ + name => 'ssh', + pattern => 'sshd', + hasstatus => $sshd_restartandstatus, + hasrestart => $sshd_restartandstatus, + } } class sshd::ubuntu inherits sshd::debian {} class sshd::redhat inherits sshd::linux { - Package[openssh]{ - name => 'openssh-server', - } + Package[openssh]{ + name => 'openssh-server', + } } class sshd::centos inherits sshd::redhat {} class sshd::openbsd inherits sshd::base { - Service[sshd]{ - restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', - stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', - start => '/usr/sbin/sshd', - hasstatus => false, - } + Service[sshd]{ + restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', + stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', + start => '/usr/sbin/sshd', + hasstatus => false, + } } ### defines # wrapper to have some defaults. define sshd::ssh_authorized_key( - $type = 'ssh-dss', - $key, - $user = 'root', - $target = undef, - $options = 'absent' -){ - ssh_authorized_key{$name: - type => $type, - key => $key, - user => $user, - target => $target, - } - - case $options { - 'absent': { info("not setting any option for ssh_authorized_key: $name") } - default: { - Ssh_authorized_key[$name]{ - options => $options, - } - } - } + $type = 'ssh-dss', + $key, + $user = '', + $target = undef, + $options = 'absent' + ) +{ + $real_user = $user ? { + false => $name, + "" => $name, + default => $user, + } + case $target { + undef: { + $real_target = "/home/$real_user/.ssh/authorized_keys" + } + default: { + $real_target = $target + } + } + ssh_authorized_key{$name: + type => $type, + key => $key, + user => $real_user, + target => $real_target, + } + + case $options { + 'absent': { info("not setting any option for ssh_authorized_key: $name") } + default: { + Ssh_authorized_key[$name]{ + options => $options, + } + } + } } |