From 7224e085a3c362de66364748ea3117e16f03fbcb Mon Sep 17 00:00:00 2001
From: Gabriel Filion
Date: Wed, 19 Jan 2011 16:41:18 -0500
Subject: Fix inclusion for default os

When the os of a client is not one of those that use a specialized class, (e.g. FreeBSD) the inclusion is currently broken: it tries to include sshd::default which does not exist. Change this to include sshd::base instead.

Signed-off-by: Gabriel Filion
---
 manifests/init.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'manifests')

diff --git a/manifests/init.pp b/manifests/init.pp
index 90b7c64..f37a051 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -251,7 +251,7 @@ class sshd {
 '': { $sshd_ensure_version = "present" }
 }
- include sshd::client
+ include sshd::client
 case $operatingsystem {
 gentoo: { include sshd::gentoo }
@@ -259,7 +259,7 @@ class sshd {
 centos: { include sshd::centos }
 openbsd: { include sshd::openbsd }
 debian,ubuntu: { include sshd::debian }
- default: { include sshd::default }
+ default: { include sshd::base }
 }
 if $use_nagios {
-- 
cgit v1.2.3

From 5bb61c2761210cff97b95c315fcc93c9c87e1c71 Mon Sep 17 00:00:00 2001
From: Gabriel Filion
Date: Wed, 19 Jan 2011 20:45:59 -0500
Subject: Fix ssh_authorized_key

When one uses the $name to define the user that should receive an SSH key, setting $user to a negative value, ssh_authorized_key currently creates the authorized_keys file under /home/.ssh/authorized_keys Fix this by changing ${user} to ${real_user} in the key's path.

Signed-off-by: Gabriel Filion
---
 manifests/ssh_authorized_key.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'manifests')

diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
index bf188d8..575b654 100644
--- a/manifests/ssh_authorized_key.pp
+++ b/manifests/ssh_authorized_key.pp
@@ -22,7 +22,7 @@ define sshd::ssh_authorized_key(
 undef,'': {
 case $real_user {
 'root': { $real_target = '/root/.ssh/authorized_keys' }
- default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
+ default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }
 }
 }
 default: {
-- 
cgit v1.2.3

From 5dd814871a25ee2ba3ecb4e4a880c368212631b9 Mon Sep 17 00:00:00 2001
From: Gabriel Filion
Date: Thu, 20 Jan 2011 02:25:32 -0500
Subject: ssh_authorized_key: use $name for user by default

Currently ssh_authorized_key has some logic about $user being false or '', but it sets its value to default to 'root'. So, in order to use the name as the user's name, one has to clear the user parameter, which is totally redundant. Since it is sometimes useful to publish multiple keys for a user, the $user parameter is useful. To make using ssh_authorized_key for one-key normal users simpler, make $user default to being empty (which will use $name as the user name). 'root' can always be specified either via the name or by the $user paramter.

Signed-off-by: Gabriel Filion
---
 manifests/ssh_authorized_key.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'manifests')

diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
index 575b654..40649b0 100644
--- a/manifests/ssh_authorized_key.pp
+++ b/manifests/ssh_authorized_key.pp
@@ -3,7 +3,7 @@ define sshd::ssh_authorized_key(
 $ensure = 'present',
 $type = 'ssh-dss',
 $key = 'absent',
- $user = 'root',
+ $user = '',
 $target = undef,
 $options = 'absent'
 ){
-- 
cgit v1.2.3

From 5654d69add11c3eb15fc061949af2e406cf5b500 Mon Sep 17 00:00:00 2001
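Review bot: The changed line interpolates `$real_user` straight into a filesystem path, and with this fix `$real_user` can be taken from the resource title, so a title containing `/` or `..` would make the define manage an authorized_keys file somewhere other than the intended home directory. Validating the value before this case keeps the resource from writing keys to an unintended path: `if $real_user !~ /^[a-z_][a-z0-9_-]*$/ { fail("sshd::ssh_authorized_key: invalid user '${real_user}'") }`. The `/home/<user>` layout is also an assumption worth stating in a comment next to the default branch, since accounts with another home directory still need an explicit `$target`. The enclosing define and the assignment of `$real_user` are outside the hunk.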
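Review bot: The parameter list gives no hint that an empty `$user` now means "use the resource title as the user name", which is the whole point of the change; a comment on the changed line, `$user = '',  # empty: the resource title ($name) is the user`, documents the contract where callers read it. The comment should also say that `'root'` is no longer the default and must be passed explicitly or used as the title, since existing callers that relied on the old default will silently start managing a key for the user named by their title instead. The logic that maps `''` to `$name`, and the rest of the define, are outside the hunk.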
From: Gabriel Filion
Date: Mon, 27 Dec 2010 18:24:43 -0500
Subject: Enable support for Ubuntu

The sshd class currently has a mechanism to make resources for Ubuntu similar to the ones for Debian, but the sshd::client class doesn't. Also, There are no templates for sshd_config on Ubuntu so provide for them. Since Ubuntu releases almost all use ssh versions that are as recent as the Debian squeeze one, and the default sshd_config file is usually the same as on Debian, add a default (Ubuntu.erb) template so that it fits all Ubuntu releases.

Signed-off-by: Gabriel Filion
---
 manifests/client.pp | 2 +-
 templates/sshd_config/Ubuntu.erb | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 120000 templates/sshd_config/Ubuntu.erb

(limited to 'manifests')

diff --git a/manifests/client.pp b/manifests/client.pp
index b650244..31785e9 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -2,7 +2,7 @@ class sshd::client {
 case $operatingsystem {
- debian: { include sshd::client::debian }
+ debian,ubuntu: { include sshd::client::debian }
 default: {
 case $kernel {
 linux: { include sshd::client::linux }
diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb
new file mode 120000
index 0000000..11b0acc
--- /dev/null
+++ b/templates/sshd_config/Ubuntu.erb
@@ -0,0 +1 @@
+Debian_squeeze.erb
\ No newline at end of file
-- 
cgit v1.2.3

From 34863e959fcd05dd325a658561f14580d49b6764 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 6 Mar 2011 09:10:44 +0100
Subject: New opt-in support to only use strong SSL ciphers and MACs.

The new configuration variable is $sshd_hardened_ssl. Settings were stolen from https://github.com/ioerror/duraconf.git.
---
 README | 4 ++++
 manifests/init.pp | 3 +++
 templates/sshd_config/CentOS.erb | 5 +++++
 templates/sshd_config/Debian_etch.erb | 5 +++++
 templates/sshd_config/Debian_lenny.erb | 5 +++++
 templates/sshd_config/Debian_sid.erb | 5 +++++
 templates/sshd_config/Debian_squeeze.erb | 5 +++++
 templates/sshd_config/Gentoo.erb | 4 ++++
 templates/sshd_config/OpenBSD.erb | 5 +++++
 9 files changed, 41 insertions(+)

(limited to 'manifests')

diff --git a/README b/README
index fa4214d..9cf253f 100644
--- a/README
+++ b/README
@@ -170,6 +170,10 @@ The following is a list of the currently available variables:
 (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile %h/.ssh/authorized_keys
+ $sshd_hardened_ssl
+ Use only strong SSL ciphers and MAC.
+ Values: no or yes; Default: no.
+
 $sshd_sftp_subsystem
 Set a different sftp-subystem than the default one. Might be interesting for sftponly usage. Default: empty -> no change of the default
diff --git a/manifests/init.pp b/manifests/init.pp
index 991fbba..cc5f10e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -77,6 +77,9 @@ class sshd {
 case $sshd_authorized_keys_file {
 '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
 }
+ case $sshd_hardened_ssl {
+ '': { $sshd_hardened_ssl = 'no' }
+ }
 case $sshd_sftp_subsystem {
 '': { $sshd_sftp_subsystem = '' }
 }
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 544effe..859759a 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
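Review bot: The new case only defaults `$sshd_hardened_ssl` when it is empty and passes every other value through unchecked; because the templates act only on the exact string `'yes'`, a value such as `'Yes'`, `'true'` or `1` silently leaves the ciphers and MACs unrestricted while the operator believes hardening is on. Rejecting unknown values makes the misconfiguration visible at catalog compile time: add `'yes','no': {}` and `default: { fail("sshd_hardened_ssl must be 'yes' or 'no', got '${sshd_hardened_ssl}'") }` to the case. The variable name says SSL although the setting governs the SSH transport; the README entry already uses that name, so renaming is a judgement call for the maintainers.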
@@ -204,6 +204,11 @@ AllowUsers <%= sshd_allowed_users %>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end -%>
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index c90a5fe..23559fc 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -172,6 +172,11 @@ AllowGroups <%= sshd_allowed_groups %>
 PrintMotd no
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 14e32bf..65befdc 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -181,6 +181,11 @@ AllowGroups <%= sshd_allowed_groups %>
 PrintMotd no
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index 6dc9333..0213342 100644
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index cf50ddb..dfebcc3 100644
--- a/templates/sshd_config/Debian_squeeze.erb
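Review bot: The identical hard-coded `Ciphers aes256-ctr` / `MACs hmac-sha1` block is pasted into seven templates (this one plus Debian_etch, Debian_lenny, Debian_sid, Debian_squeeze, Gentoo and OpenBSD), so any future change to the algorithm lists has to be repeated in each; keeping the two lists in variables defaulted in `manifests/init.pp` and interpolating them here would leave one source of truth. The block is also emitted before `sshd_tail_additional_options`, and sshd uses the first value it reads for a keyword, so a `Ciphers` or `MACs` line supplied through the tail options can no longer take effect once hardening is on — worth a template comment such as `<%# hardened Ciphers/MACs take precedence over sshd_tail_additional_options %>`. Restricting the server to a single cipher and MAC locks out any client that does not offer them, which the README entry for `$sshd_hardened_ssl` should warn about. The Gentoo hunk omits the blank separator line the other templates add, which is cosmetic but inconsistent.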
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 768d3f5..f9f5b23 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -208,6 +208,10 @@ AllowUsers <%= sshd_allowed_users %>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index 51662d3..7a20cd9 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -184,6 +184,11 @@ AllowGroups <%= sshd_allowed_groups %>
 # AllowTcpForwarding no
 # ForceCommand cvs server
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
-- 
cgit v1.2.3