2007-12-21 18:52:01 +01:00
|
|
|
#
|
2008-06-13 23:01:39 +02:00
|
|
|
# ssh module
|
|
|
|
#
|
|
|
|
# Copyright 2008, admin(at)immerda.ch
|
|
|
|
# Copyright 2008, Puzzle ITC GmbH
|
|
|
|
# Marcel Härry haerry+puppet(at)puzzle.ch
|
|
|
|
# Simon Josi josi+puppet(at)puzzle.ch
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute
|
|
|
|
# it and/or modify it under the terms of the GNU
|
|
|
|
# General Public License version 3 as published by
|
|
|
|
# the Free Software Foundation.
|
|
|
|
#
|
|
|
|
# Deploy authorized_keys file with the define
|
|
|
|
# sshd::deploy_auth_key
|
|
|
|
#
|
2008-07-17 20:17:52 +02:00
|
|
|
# sshd-config:
|
2008-06-13 23:01:39 +02:00
|
|
|
#
|
|
|
|
# The configuration of the sshd is rather strict and
|
|
|
|
# might not fit all needs. However there are a bunch
|
|
|
|
# of variables, which you might consider to configure.
|
|
|
|
# Checkout the following:
|
|
|
|
#
|
|
|
|
# sshd_allowed_users: list of usernames separated by spaces.
|
|
|
|
# set this for example to "foobar root"
|
|
|
|
# to ensure that only user foobar and root
|
|
|
|
# might login.
|
|
|
|
# Default: empty -> no restriction is set
|
|
|
|
#
|
|
|
|
# sshd_use_pam: if you want to use pam or not for authenticaton
|
|
|
|
# Values: no or yes.
|
|
|
|
# Default: no
|
|
|
|
#
|
|
|
|
# sshd_permit_root_login: If you want to allow root logins or not.
|
|
|
|
# Valid values: yes, no, without-password, forced-commands-only
|
|
|
|
# Default: without-password
|
|
|
|
#
|
|
|
|
# sshd_password_authentication: If you want to enable password authentication or not
|
|
|
|
# Valid values: yes or no
|
|
|
|
# Default: no
|
|
|
|
#
|
|
|
|
# sshd_x11_forwarding: If you want to enable x11 forwarding
|
|
|
|
# Valid Values: yes or no
|
|
|
|
# Default: no
|
|
|
|
#
|
2007-12-21 18:52:01 +01:00
|
|
|
|
|
|
|
class sshd {
|
2008-07-17 20:17:52 +02:00
|
|
|
include sshd::client
|
|
|
|
|
2008-04-04 17:30:26 +02:00
|
|
|
case $operatingsystem {
|
|
|
|
gentoo: { include sshd::gentoo }
|
|
|
|
redhat: { include sshd::redhat }
|
|
|
|
centos: { include sshd::centos }
|
|
|
|
openbsd: { include sshd::openbsd }
|
2008-04-11 15:14:47 +02:00
|
|
|
debian: { include sshd::debian }
|
|
|
|
ubuntu: { include sshd::ubuntu }
|
2008-04-04 17:30:26 +02:00
|
|
|
default: { include sshd::default }
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-12-21 18:52:01 +01:00
|
|
|
|
2008-04-04 17:30:26 +02:00
|
|
|
class sshd::base {
|
2008-06-13 23:01:39 +02:00
|
|
|
# prepare variables to use in templates
|
2008-02-29 11:41:44 +01:00
|
|
|
$real_sshd_allowed_users = $sshd_allowed_users ? {
|
2008-06-13 23:01:39 +02:00
|
|
|
'' => '',
|
|
|
|
default => $sshd_allowed_users
|
|
|
|
}
|
|
|
|
$real_sshd_use_pam = $sshd_use_pam ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_use_pam
|
|
|
|
}
|
|
|
|
$real_sshd_permit_root_login = $sshd_permit_root_login ? {
|
|
|
|
'' => 'without-password',
|
|
|
|
default => $sshd_permit_root_login
|
|
|
|
}
|
|
|
|
$real_sshd_password_authentication = $sshd_password_authentication ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_password_authentication
|
|
|
|
}
|
|
|
|
$real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_x11_forwarding
|
2008-02-29 11:41:44 +01:00
|
|
|
}
|
2008-02-17 20:46:11 +01:00
|
|
|
|
2008-02-29 13:09:18 +01:00
|
|
|
file { 'sshd_config':
|
2008-01-31 00:27:37 +01:00
|
|
|
path => '/etc/ssh/sshd_config',
|
|
|
|
owner => root,
|
|
|
|
group => 0,
|
|
|
|
mode => 600,
|
2008-06-13 23:01:39 +02:00
|
|
|
content => template("sshd/sshd_config/${operatingsystem}_normal.erb"),
|
|
|
|
notify => Service[sshd],
|
2008-01-31 00:27:37 +01:00
|
|
|
}
|
2008-06-13 23:01:39 +02:00
|
|
|
service{'sshd':
|
|
|
|
name => 'sshd',
|
|
|
|
enable => true,
|
|
|
|
ensure => running,
|
|
|
|
hasstatus => true,
|
|
|
|
require => File[sshd_config],
|
2008-07-17 20:17:52 +02:00
|
|
|
}
|
|
|
|
# Now add the key, if we've got one
|
|
|
|
case $sshrsakey_key {
|
|
|
|
'': { info("no sshrsakey on $fqdn") }
|
|
|
|
default: {
|
|
|
|
@@sshkey{"$hostname.$domain":
|
|
|
|
type => ssh-rsa,
|
|
|
|
key => $sshrsakey_key,
|
|
|
|
ensure => present,
|
2008-07-25 13:17:06 +02:00
|
|
|
require => Package["openssh-clients"],
|
2008-07-17 20:17:52 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2007-12-21 18:52:01 +01:00
|
|
|
}
|
2008-02-17 20:46:11 +01:00
|
|
|
|
2008-04-04 17:30:26 +02:00
|
|
|
class sshd::linux inherits sshd::base {
|
|
|
|
package{openssh:
|
|
|
|
ensure => present,
|
|
|
|
}
|
|
|
|
File[sshd_config]{
|
2008-06-13 23:01:39 +02:00
|
|
|
require +> Package[openssh],
|
2008-04-04 17:30:26 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
class sshd::gentoo inherits sshd::linux {
|
|
|
|
Package[openssh]{
|
|
|
|
category => 'net-misc',
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
class sshd::debian inherits sshd::linux {
|
|
|
|
Package[openssh]{
|
|
|
|
name => 'openssh-server',
|
|
|
|
}
|
2008-06-13 23:01:39 +02:00
|
|
|
Service[sshd]{
|
|
|
|
name => 'ssh',
|
|
|
|
hasstatus => false,
|
|
|
|
}
|
2008-04-04 17:30:26 +02:00
|
|
|
}
|
|
|
|
class sshd::ubuntu inherits sshd::debian {}
|
|
|
|
|
|
|
|
class sshd::redhat inherits sshd::linux {
|
|
|
|
Package[openssh]{
|
|
|
|
name => 'openssh-server',
|
|
|
|
}
|
|
|
|
}
|
|
|
|
class sshd::centos inherits sshd::redhat {}
|
|
|
|
|
|
|
|
class sshd::openbsd inherits sshd::base {
|
|
|
|
Service[sshd]{
|
2008-06-13 23:01:39 +02:00
|
|
|
restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
|
|
|
|
stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
|
|
|
|
start => '/usr/sbin/sshd',
|
2008-04-11 15:17:27 +02:00
|
|
|
hasstatus => false,
|
2008-04-04 17:30:26 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
### defines
|
2008-02-17 20:46:11 +01:00
|
|
|
define sshd::deploy_auth_key(
|
2008-06-17 09:57:46 +02:00
|
|
|
$source = 'present',
|
2008-02-17 20:46:11 +01:00
|
|
|
$user = 'root',
|
|
|
|
$target_dir = '/root/.ssh/',
|
2008-06-13 23:01:39 +02:00
|
|
|
$group = 0 ) {
|
2008-02-17 20:46:11 +01:00
|
|
|
|
|
|
|
$real_target = $target_dir ? {
|
|
|
|
'' => "/home/$user/.ssh/",
|
|
|
|
default => $target_dir,
|
|
|
|
}
|
|
|
|
|
|
|
|
file {$real_target:
|
|
|
|
ensure => directory,
|
|
|
|
owner => $user,
|
2008-06-13 23:01:39 +02:00
|
|
|
group => $group,
|
2008-02-17 20:46:11 +01:00
|
|
|
mode => 700,
|
|
|
|
}
|
|
|
|
|
2008-06-17 09:57:46 +02:00
|
|
|
case $source {
|
|
|
|
'present': { $keysource = $name }
|
|
|
|
default: { $keysource = $source }
|
|
|
|
}
|
|
|
|
|
2008-02-17 20:46:11 +01:00
|
|
|
file {"authorized_keys_${user}":
|
|
|
|
path => "$real_target/authorized_keys",
|
|
|
|
owner => $user,
|
2008-06-13 23:01:39 +02:00
|
|
|
group => $group,
|
2008-02-17 20:46:11 +01:00
|
|
|
mode => 600,
|
2008-06-17 09:57:46 +02:00
|
|
|
source => [ "puppet://$server/files/sshd/authorized_keys/${keysource}",
|
2008-06-13 23:01:39 +02:00
|
|
|
"puppet://$server/files/sshd/authorized_keys/${fqdn}",
|
|
|
|
"puppet://$server/files/sshd/authorized_keys/default",
|
|
|
|
"puppet://$server/sshd/authorized_keys/${name}",
|
|
|
|
"puppet://$server/sshd/authorized_keys/${fqdn}",
|
|
|
|
"puppet://$server/sshd/authorized_keys/default" ],
|
2008-02-17 20:46:11 +01:00
|
|
|
}
|
|
|
|
}
|