Diffstat (limited to 'manifests')
| -rw-r--r-- | manifests/autossh.pp | 40 | ||||
| -rw-r--r-- | manifests/base.pp | 52 | ||||
| -rw-r--r-- | manifests/client/base.pp | 7 | ||||
| -rw-r--r-- | manifests/debian.pp | 16 | ||||
| -rw-r--r-- | manifests/init.pp | 45 | ||||
| -rw-r--r-- | manifests/linux.pp | 2 | ||||
| -rw-r--r-- | manifests/nagios.pp | 6 | ||||
| -rw-r--r-- | manifests/openbsd.pp | 6 | ||||
| -rw-r--r-- | manifests/redhat.pp | 8 | ||||
| -rw-r--r-- | manifests/ssh_authorized_key.pp | 69 | ||||
| -rw-r--r-- | manifests/sshkey.pp | 21 | 
11 files changed, 196 insertions, 76 deletions
diff --git a/manifests/autossh.pp b/manifests/autossh.pp
new file mode 100644
index 0000000..5650584
--- /dev/null
+++ b/manifests/autossh.pp
@@ -0,0 +1,40 @@
+class sshd::autossh($host,
+                    $port = undef, # this should be a remote->local hash
+                    $remote_user = undef,
+                    $user = 'root',
+                    $pidfile = '/var/run/autossh.pid',
+) {
+  if $port {
+    $port_ensure = $port
+  }
+  else {
+    # random port between 10000 and 20000
+    $port_ensure = fqdn_rand(10000) + 10000
+  }
+  if $remote_user {
+    $remote_user_ensure = $remote_user
+  }
+  else {
+    $remote_user_ensure = "host-$fqdn"
+  }
+  file {
+    '/etc/init.d/autossh':
+      mode   => '0555',
+      source => 'puppet:///modules/sshd/autossh.init.d';
+    '/etc/default/autossh':
+      mode    => '0444',
+      content => "USER=$user\nPIDFILE=$pidfile\nDAEMON_ARGS='-M0 -f -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $remote_user_ensure@$host'\n";
+  }
+  package { 'autossh':
+    ensure => present,
+  }
+  service { 'autossh':
+    ensure    => running,
+    enable    => true,
+    subscribe => [
+                  File['/etc/init.d/autossh'],
+                  File['/etc/default/autossh'],
+                  Package['autossh'],
+                  ],
+  }
+}
diff --git a/manifests/base.pp b/manifests/base.pp
index 4001985..dda9f26 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
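Review bot: The `content` string for `/etc/default/autossh` interpolates `$host`, `$remote_user`, `$user`, `$pidfile` and the port straight into a shell-sourced file with no validation, so a value containing a quote, space or newline escapes the single-quoted `DAEMON_ARGS` and becomes extra arguments to an ssh client that runs as root by default. init.pp in this same commit already relies on the stdlib validators, so add `validate_re($host, '^[A-Za-z0-9._-]+$')` and `validate_re("${port_ensure}", '^[0-9]+$')` ahead of the `file` declaration. The `-R $port_ensure:localhost:22` forward publishes this host's sshd on `$host`, and `fqdn_rand(10000)` only makes the port unique per fqdn, so two nodes tunnelling to the same `$host` can still collide; a comment such as `# port is fqdn-derived, not globally unique: pass $port explicitly when several hosts share one remote` would save operators a surprise. Nothing here pins the remote's host key, so the first connection presumably depends on a pre-populated known_hosts for `$user` — worth stating in the class header.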
@@ -1,41 +1,41 @@
+# The base class to setup the common things.
+# This is a private class and will always be used
+# throught the sshd class itself.
 class sshd::base {
+
+  $sshd_config_content = $::operatingsystem ? {
+    'CentOS'  => template("sshd/sshd_config/${::operatingsystem}_${::operatingsystemmajrelease}.erb"),
+    default   => $::lsbdistcodename ? {
+      ''      => template("sshd/sshd_config/${::operatingsystem}.erb"),
+      default => template("sshd/sshd_config/${::operatingsystem}_${::lsbdistcodename}.erb")
+    }
+  }
+
   file { 'sshd_config':
-    path => '/etc/ssh/sshd_config',
-    content => $::lsbdistcodename ? {
-      '' => template("sshd/sshd_config/${::operatingsystem}.erb"),
-      default => template ("sshd/sshd_config/${::operatingsystem}_${::lsbdistcodename}.erb"),
-    },
-    notify => Service[sshd],
-    owner => root, group => 0, mode => 600;
+    ensure  => present,
+    path    => '/etc/ssh/sshd_config',
+    content => $sshd_config_content,
+    notify  => Service[sshd],
+    owner   => root,
+    group   => 0,
+    mode    => '0600';
   }
   # Now add the key, if we've got one
   case $::sshrsakey {
     '': { info("no sshrsakey on ${::fqdn}") }
     default: {
-      @@sshkey{$::fqdn:
-        tag    => "fqdn",
-        type   => ssh-rsa,
-        key    => $::sshrsakey,
-        ensure => present,
-      }
-      # In case the node has uses a shared network address,
-      # we don't define a sshkey resource using an IP address
-      if $sshd::shared_ip == "no" {
-        @@sshkey{$::ipaddress:
-          tag    => "ipaddress",
-          type   => ssh-rsa,
-          key    => $::sshrsakey,
-          ensure => present,
-        }
+      # only export sshkey when storedconfigs is enabled
+      if $::sshd::use_storedconfigs {
+        include ::sshd::sshkey
       }
     }
   }
   service{'sshd':
-    name => 'sshd',
-    enable => true,
-    ensure => running,
+    ensure    => running,
+    name      => 'sshd',
+    enable    => true,
     hasstatus => true,
-    require => File[sshd_config],
+    require   => File[sshd_config],
   }
 }
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
index c2580c1..4925c2d 100644
--- a/manifests/client/base.pp
+++ b/manifests/client/base.pp
@@ -1,12 +1,15 @@
 class sshd::client::base {
   # this is needed because the gid might have changed
   file { '/etc/ssh/ssh_known_hosts':
-    mode => 0644, owner => root, group => 0;
+    ensure => present,
+    mode   => '0644',
+    owner  => root,
+    group  => 0;
   }
   # Now collect all server keys
   case $sshd::client::shared_ip {
     no:  { Sshkey <<||>> }
-    yes: { Sshkey <<| tag == "fqdn" |>> }
+    yes: { Sshkey <<| tag == fqdn |>> }
   }
 }
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 45eb901..d827078 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -1,21 +1,13 @@
 class sshd::debian inherits sshd::linux {
-  # the templates for Debian need lsbdistcodename
-  require lsb
-
   Package[openssh]{
     name => 'openssh-server',
   }
-  $sshd_restartandstatus = $::lsbdistcodename ? {
-    etch => false,
-    default => true
-  }
-
   Service[sshd]{
-    name => 'ssh',
-    pattern => 'sshd',
-    hasstatus => $sshd_restartandstatus,
-    hasrestart => $sshd_restartandstatus,
+    name       => 'ssh',
+    pattern    => 'sshd',
+    hasstatus  => true,
+    hasrestart => true,
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 4d66b81..b415741 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,5 +1,6 @@
+# manage an sshd installation
 class sshd(
-  $manage_nagios = true,
+  $manage_nagios = false,
   $nagios_check_ssh_hostname = 'absent',
   $ports = [ 22 ],
   $shared_ip = 'no',
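Review bot: The new class header in base.pp carries a typo (`throught`); suggest `# This is a private class and will always be used` / `# through the sshd class itself.` The `if $::sshd::use_storedconfigs` guard in the `default:` arm silently skips the host-key export, and nothing tells the reader what that means for clients; a one-line comment such as `# without storedconfigs nothing is exported, so sshd::client::base will collect no host keys` would make the trade-off visible at the point where it is made.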
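Review bot: In client/base.pp the `no` branch's `Sshkey <<||>>` collects every exported `sshkey` in the store, whichever node exported it, and writes them all into the world-readable `/etc/ssh/ssh_known_hosts` that this same hunk manages; any node able to export resources can therefore plant or replace a host-key entry that every client will then trust. The commit does not change that collector, but since it touches the surrounding lines, a warning above the `case` would help, e.g. `# trust boundary: every node that can export sshkey resources can add entries here`. The `yes` branch's change from `"fqdn"` to the bareword `fqdn` must stay consistent with the exporter, which tags with the quoted string `'fqdn'` — equivalent today, but worth keeping both spellings identical.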
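Review bot: Dropping `require lsb` from sshd::debian means `$::lsbdistcodename` is no longer guaranteed to be populated when sshd::base chooses the template; with it empty, the selector in base.pp falls back to `sshd_config/Debian.erb` instead of the codename-specific file, which presumably sets different options. If that fallback is intended, say so here, e.g. `# lsb is no longer required: base.pp falls back to Debian.erb when lsbdistcodename is empty`; if not, keep the `require lsb` or fail loudly when the fact is empty.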
@@ -26,20 +27,46 @@ class sshd(
   $rhosts_rsa_authentication = 'no',
   $hostbased_authentication = 'no',
   $permit_empty_passwords = 'no',
-  $authorized_keys_file = '%h/.ssh/authorized_keys',
-  $hardened_ssl = 'no',
+  $authorized_keys_file = $::osfamily ? {
+    Debian => $::lsbmajdistrelease ? {
+      6       => '%h/.ssh/authorized_keys',
+      default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
+    },
+    RedHat => $::operatingsystemmajrelease ? {
+      5       => '%h/.ssh/authorized_keys',
+      6       => '%h/.ssh/authorized_keys',
+      default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
+    },
+    OpenBSD => '%h/.ssh/authorized_keys',
+    default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
+  },
+  $hardened = 'no',
   $sftp_subsystem = '',
   $head_additional_options = '',
   $tail_additional_options = '',
   $print_motd = 'yes',
   $manage_shorewall = false,
-  $shorewall_source = 'net'
+  $shorewall_source = 'net',
+  $sshkey_ipaddress = $::ipaddress,
+  $manage_client = true,
+  $hostkey_type = versioncmp($::ssh_version, '6.5') ? {
+    /(^1|0)/ => [ 'rsa', 'ed25519' ],
+    /-1/    => [ 'rsa', 'dsa' ]
+  },
+  $use_storedconfigs = true
 ) {
-  class{'sshd::client':
-    shared_ip => $sshd::shared_ip,
-    ensure_version => $sshd::ensure_version,
-    manage_shorewall => $manage_shorewall,
+  validate_bool($manage_shorewall)
+  validate_bool($manage_client)
+  validate_array($listen_address)
+  validate_array($ports)
+
+  if $manage_client {
+    class{'sshd::client':
+      shared_ip        => $shared_ip,
+      ensure_version   => $ensure_version,
+      manage_shorewall => $manage_shorewall,
+    }
   }
   case $::operatingsystem {
@@ -58,7 +85,7 @@ class sshd(
   if $manage_shorewall {
     class{'shorewall::rules::ssh':
-      ports => $ports,
+      ports  => $ports,
       source => $shorewall_source
     }
   }
diff --git a/manifests/linux.pp b/manifests/linux.pp
index f071ada..8628ff5 100644
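Review bot: `validate_bool()` is added for `$manage_shorewall` and `$manage_client` but not for `$use_storedconfigs`, introduced in this same hunk and used as a bare `if` condition in base.pp, nor for `$manage_nagios`; add `validate_bool($use_storedconfigs)` and `validate_bool($manage_nagios)` beside the existing calls. The `$hostkey_type` selector falls back to `[ 'rsa', 'dsa' ]` for anything older than OpenSSH 6.5 — DSA host keys are fixed at 1024 bits, and an unset `$::ssh_version` fact presumably lands in that `-1` arm too, so prefer `[ 'rsa', 'ecdsa' ]` where the release supports it, or leave a comment explaining why DSA is kept. Renaming `$hardened_ssl` to `$hardened` silently breaks every caller that passed the old name; a deprecation note in the class header (`# hardened_ssl was renamed to hardened`) is the least that should accompany it. `validate_array($listen_address)` checks a parameter declared above this hunk, and `class sshd(` itself starts outside the visible diff.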
--- a/manifests/linux.pp
+++ b/manifests/linux.pp
@@ -1,5 +1,5 @@
 class sshd::linux inherits sshd::base {
-  package{openssh:
+  package{'openssh':
     ensure => $sshd::ensure_version,
   }
   File[sshd_config]{
diff --git a/manifests/nagios.pp b/manifests/nagios.pp
index ef5fe10..6921de9 100644
--- a/manifests/nagios.pp
+++ b/manifests/nagios.pp
@@ -5,18 +5,18 @@ define sshd::nagios(
 ) {
   $real_port = $port ? {
     'absent' => $name,
-    default => $port,
+    default  => $port,
   }
   case $check_hostname {
     'absent': {
       nagios::service{"ssh_port_${name}":
-        ensure => $ensure,
+        ensure        => $ensure,
         check_command => "check_ssh_port!${real_port}"
       }
     }
     default: {
       nagios::service{"ssh_port_host_${name}":
-        ensure => $ensure,
+        ensure        => $ensure,
         check_command => "check_ssh_port_host!${real_port}!${check_hostname}"
       }
     }
diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp
index f1379d7..cb6dbba 100644
--- a/manifests/openbsd.pp
+++ b/manifests/openbsd.pp
@@ -1,8 +1,8 @@
 class sshd::openbsd inherits sshd::base {
   Service[sshd]{
     restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
-    stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
-    start => '/usr/sbin/sshd',
-    hasstatus => false,
+    stop    => '/bin/kill `/bin/cat /var/run/sshd.pid`',
+    start   => '/usr/sbin/sshd',
+    status  => '/usr/bin/pgrep -f /usr/sbin/sshd',
   }
 }
diff --git a/manifests/redhat.pp b/manifests/redhat.pp
index e9bf1d1..d720177 100644
--- a/manifests/redhat.pp
+++ b/manifests/redhat.pp
@@ -1,5 +1,5 @@
-class sshd::redhat inherits sshd::linux { 
-    Package[openssh]{ 
-        name => 'openssh-server', 
-    } 
+class sshd::redhat inherits sshd::linux {
+    Package[openssh]{
+        name => 'openssh-server',
+    }
 }
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
index 40649b0..80cb3b7 100644
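Review bot: The new `status => '/usr/bin/pgrep -f /usr/sbin/sshd'` in sshd::openbsd matches the string anywhere in any process's full command line, so an unprivileged user running something like `sh -c ': /usr/sbin/sshd; sleep 1d'` makes Puppet report sshd as running and skip the restart that `ensure => running` is supposed to guarantee. The `restart` and `stop` commands in the same resource already key off `/var/run/sshd.pid`, so use the same source of truth for status: `status  => '/bin/kill -0 `/bin/cat /var/run/sshd.pid`'`. The trade-off is a stale pidfile after a crash, which is no worse than what `stop`/`restart` already assume.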
--- a/manifests/ssh_authorized_key.pp
+++ b/manifests/ssh_authorized_key.pp
@@ -5,7 +5,8 @@ define sshd::ssh_authorized_key(
     $key = 'absent',
     $user = '',
     $target = undef,
-    $options = 'absent'
+    $options = 'absent',
+    $override_builtin = undef
 ){
   if ($ensure=='present') and ($key=='absent') {
@@ -13,8 +14,8 @@ define sshd::ssh_authorized_key(
   }
   $real_user = $user ? {
-    false => $name,
-    '' => $name,
+    false   => $name,
+    ''      => $name,
     default => $user,
   }
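Review bot: The new `$override_builtin` parameter is added without any documentation, and its effect — replacing the `ssh_authorized_key` type with a plain `file` resource so the type's own checks on the key no longer run — is exactly the kind of thing a caller needs to know before setting it. Add a comment next to the parameter, e.g. `# override_builtin: write $target with a plain file resource instead of the ssh_authorized_key type (one key per file; the type's validation of $key/$options is bypassed)`. The define's header starts above this hunk, outside the visible diff.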
@@ -29,20 +30,56 @@ define sshd::ssh_authorized_key(
       $real_target = $target
     }
   }
-  ssh_authorized_key{$name:
-    ensure => $ensure,
-    type => $type,
-    key => $key,
-    user => $real_user,
-    target => $real_target,
-  }
-  case $options {
-    'absent': { info("not setting any option for ssh_authorized_key: $name") }
-    default: {
-      Ssh_authorized_key[$name]{
-        options => $options,
-      }
+  # The ssh_authorized_key built-in function (in 2.7.23 at least)
+  # will not write an authorized_keys file for a mortal user to
+  # a directory they don't have write permission to, puppet attempts to
+  # create the file as the user specified with the user parameter and fails.
+  # Since ssh will refuse to use authorized_keys files not owned by the
+  # user, or in files/directories that allow other users to write, this
+  # behavior is deliberate in order to prevent typical non-working
+  # configurations. However, it also prevents the case of puppet, running
+  # as root, writing a file owned by a mortal user to a common
+  # authorized_keys directory such as one might specify in sshd_config with
+  # something like
+  #  'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
+  # So we provide a way to override the built-in and instead just install
+  # via a file resource. There is no additional security risk here, it's
+  # nothing a user can't already do by writing their own file resources,
+  # we still depend on the filesystem permissions to keep things safe.
+  if $override_builtin {
+    $header = "# HEADER: This file is managed by Puppet.\n"
+
+    if $options == 'absent' {
+      info("not setting any option for ssh_authorized_key: ${name}")
+      $content = "${header}${type} ${key}\n"
+    } else {
+      $content = "${header}${options} ${type} ${key}\n"
+    }
+
+    file { $real_target:
+      ensure  => $ensure,
+      content => $content,
+      owner   => $real_user,
+      mode    => '0600',
+    }
+
+  } else {
+
+    if $options == 'absent' {
+      info("not setting any option for ssh_authorized_key: ${name}")
+    } else {
+      $real_options = $options
+    }
+
+    ssh_authorized_key{$name:
+      ensure  => $ensure,
+      type    => $type,
+      key     => $key,
+      user    => $real_user,
+      target  => $real_target,
+      options => $real_options,
     }
   }
+
 }
diff --git a/manifests/sshkey.pp b/manifests/sshkey.pp
new file mode 100644
index 0000000..df37a66
--- /dev/null
+++ b/manifests/sshkey.pp
@@ -0,0 +1,21 @@
+# deploys the
+class sshd::sshkey {
+
+  @@sshkey{$::fqdn:
+    ensure => present,
+    tag    => 'fqdn',
+    type   => 'ssh-rsa',
+    key    => $::sshrsakey,
+  }
+
+  # In case the node has uses a shared network address,
+  # we don't define a sshkey resource using an IP address
+  if $sshd::shared_ip == 'no' {
+    @@sshkey{$::sshd::sshkey_ipaddress:
+      ensure => present,
+      tag    => 'ipaddress',
+      type   => 'ssh-rsa',
+      key    => $::sshrsakey,
+    }
+  }
+}
|
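Review bot: In the `$override_builtin` branch `$content` is assembled by string interpolation, so a `$key` or `$options` value containing a newline (or, for `$key`, a space) silently turns into additional authorized_keys entries, and nothing in this path checks either value — unlike the `ssh_authorized_key` branch below it, where the type is in charge of the line format. Add `validate_re($key, '^[A-Za-z0-9+/=]+$')` and `validate_re($options, '^[^\n]*$')` ahead of the `$content` assignment; the module already uses the stdlib validators in init.pp. Because the `file { $real_target: }` resource owns the whole file, this path supports exactly one key per target, and a second `sshd::ssh_authorized_key` for the same user with the override set fails as a duplicate `File` declaration — that limit, and the fact that no `group` is set, belong in the long "no additional security risk" comment rather than being left implicit. `$real_target` is computed above this hunk; if it can be `undef` when `$target` is not passed, the resource title is invalid at compile time — please confirm. The define begins outside the hunk.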
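Review bot: The header comment of the new sshkey.pp is cut off (`# deploys the`); suggest `# Exports this node's RSA host key as sshkey resources, keyed by fqdn and, unless sshd::shared_ip is 'yes', by sshd::sshkey_ipaddress, for clients to collect into ssh_known_hosts.` Both exports hard-code `type => 'ssh-rsa'` and `$::sshrsakey`, while init.pp in this same commit starts selecting an ed25519 host key on OpenSSH 6.5 and later, so clients presumably end up trusting only the RSA key of such hosts — fine if intended, but it should be written down here. Unlike the inline code this replaces in base.pp, the class itself no longer checks that `$::sshrsakey` is non-empty, so a direct `include sshd::sshkey` exports an empty key; a guard at the top such as `if $::sshrsakey == '' { fail("no sshrsakey on ${::fqdn}") }` keeps the class safe on its own. The two `sshkey` titles are exported-resource titles and therefore must be unique across all nodes, which is the real reason `shared_ip` exists — worth saying in the comment above the `if`.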
