Introduction ============ This puppet module manages OpenSSH configuration and services. !! Upgrade Notice (01/2013) !! This module now uses parameterized classes, where it used global variables before. So please whatch out before pulling, you need to change the class declarations in your manifest ! Dependencies ------------ This module requires puppet => 2.6, and the following modules are required pre-dependencies: - shared-common: git://labs.riseup.net/shared-common - shared-lsb: git://labs.riseup.net/shared-lsb OpenSSH Server ============== On a node where you wish to have an openssh server installed, you should 'include sshd' on that node. If you need to configure any aspects of sshd_config, set the variables before the include. See 'Configurable Variables' below for what you can set. Nagios ------ To have nagios checks setup automatically for sshd services, simply set manage_nagios to true for that class. If you want to disable ssh nagios checking for a particular node (such as when ssh is firewalled), then you can set the class parameter nagios_check_ssh to false and that node will not bei monitored. Nagios will automatically check the ports defined in $sshd::ports, and the hostname specified by $nagios_check_ssh_hostname. NOTE: this requires that you are using the shared-nagios puppet module which supports the nagios native types via nagios::service: git://labs.riseup.net/shared-nagios Firewall -------- If you wish to have firewall rules setup automatically for you, using shorewall, you will need to set: $use_shorewall = true. The $sshd_ports that you have specified will automatically be used. NOTE: This requires that you are using the shared-shorewall puppet module: git://labs.riseup.net/shared-shorewall Configurable variables ---------------------- Configuration of sshd is strict, and may not fit all needs, however there are a number of variables that you can consider configuring. The defaults are set to the distribution shipped sshd_config file defaults. To set any of these variables, simply set them as variables in your manifests, before the class is included, for example: $sshd_listen_address = ['10.0.0.1 192.168.0.1'] $sshd_use_pam = yes include sshd If you need to install a version of the ssh daemon or client package other than the default one that would be installed by 'ensure => installed', then you can set the following variables: $sshd_ensure_version = "1:5.2p2-6" $ssh_ensure_version = "1:5.2p2-6" The following is a list of the currently available variables: $sshd_listen_address specify the addresses sshd should listen on set this to ['10.0.0.1 192.168.0.1'] to have it listen on both addresses, or leave it unset to listen on all Default: empty -> results in listening on 0.0.0.0 $sshd_allowed_users list of usernames separated by spaces. set this for example to "foobar root" to ensure that only user foobar and root might login. Default: empty -> no restriction is set $sshd_allowed_groups list of groups separated by spaces. set this for example to "wheel sftponly" to ensure that only users in the groups wheel and sftponly might login. Default: empty -> no restriction is set Note: This is set after sshd_allowed_users, take care of the behaviour if you use these 2 options together. $sshd_use_pam if you want to use pam or not for authenticaton. Values: no or yes; Default: no $sshd_permit_root_login If you want to allow root logins or not. Valid values: yes, no, without-password, forced-commands-only; Default: without-password $sshd_password_authentication If you want to enable password authentication or not. Valid values: yes or no; Default: no $sshd_kerberos_authentication If you want the password that is provided by the user to be validated through the Kerberos KDC. To use this option the server needs a Kerberos servtab which allows the verification of the KDC's identity. Valid values: yes or no; Default: no $sshd_kerberos_orlocalpasswd If password authentication through Kerberos fails, then the password will be validated via any additional local mechanism. Valid values: yes or no; Default: yes $sshd_kerberos_ticketcleanup Destroy the user's ticket cache file on logout? Valid values: yes or no; Default: yes $sshd_gssapi_authentication Authenticate users based on GSSAPI? Valid values: yes or no; Default: no $sshd_gssapi_cleanupcredentials Destroy user's credential cache on logout? Valid values: yes or no; Default: yes $sshd_challenge_response_authentication If you want to enable ChallengeResponseAuthentication or not When disabled, s/key passowords are disabled Valid values: yes or no; Default: no $sshd_tcp_forwarding If you want to enable TcpForwarding. Valid Values: yes or no; Default: no $sshd_x11_forwarding If you want to enable x11 forwarding. Valid Values: yes or no; Default: no $sshd_agent_forwarding If you want to allow ssh-agent forwarding. Valid Values: yes or no; Default: no $sshd_pubkey_authentication If you want to enable public key authentication. Valid Values: yes or no; Default: yes $sshd_rsa_authentication If you want to enable RSA Authentication. Valid Values: yes or no; Default: no $sshd_rhosts_rsa_authentication If you want to enable rhosts RSA Authentication. Valid Values: yes or no; Default: no $sshd_hostbased_authentication If you want to enable HostbasedAuthentication. Valid Values: yes or no; Default: no $sshd_strict_modes If you want to set StrictModes (check file modes/ownership before accepting login). Valid Values: yes or no; Default: yes $sshd_permit_empty_passwords If you want enable PermitEmptyPasswords to allow empty passwords. Valid Values: yes or no; Default: no $sshd_port Deprecated, use sshd_ports instead. $sshd_ports If you want to specify a list of ports other than the default 22; Default: [22] $sshd_authorized_keys_file Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile %h/.ssh/authorized_keys $sshd_hardened_ssl Use only strong SSL ciphers and MAC. Values: no or yes; Default: no. $sshd_print_motd Show the Message of the day when a user logs in. $sshd_sftp_subsystem Set a different sftp-subystem than the default one. Might be interesting for sftponly usage. Default: empty -> no change of the default $sshd_head_additional_options Set this to any additional sshd_options which aren't listed above. Anything set here will be added to the beginning of the sshd_config file. This option might be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added. $sshd_tail_additional_options Set this to any additional sshd_options which aren't listed above. Anything set here will be added to the end of the sshd_config file. This option might be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added. $sshd_shared_ip Whether the server uses a shared network IP address. If it does, then we don't want it to export an rsa key for its IP address. Values: no or yes; Default: no Defines and functions --------------------- Deploy authorized_keys file with the define sshd::ssh_authorized_key. Generate a public/private keypair with the ssh_keygen function. For example, the following will generate ssh keys and put the different parts of the key into variables: $ssh_keys = ssh_keygen("${$ssh_key_basepath}/backup/keys/${::fqdn}/${backup_host}") $public_key = split($ssh_keys[1],' ') $sshkey_type => $public_key[0] $sshkey => $public_key[1] Client ====== On a node where you wish to have the ssh client managed, you can do 'include sshd::client' in the node definition. This will install the appropriate package. License ======= # Copyright 2008-2011, Riseup Labs micah@riseup.net # Copyright 2008, admin(at)immerda.ch # Copyright 2008, Puzzle ITC GmbH # Marcel Haerry haerry+puppet(at)puzzle.ch # Simon Josi josi+puppet(at)puzzle.ch # # This program is free software; you can redistribute # it and/or modify it under the terms of the GNU # General Public License version 3 as published by # the Free Software Foundation. #