2007-12-21 18:52:01 +01:00
|
|
|
#
|
2008-06-13 23:01:39 +02:00
|
|
|
# ssh module
|
|
|
|
#
|
2008-09-26 23:55:02 +02:00
|
|
|
# Copyright 2008, micah@riseup.net
|
2008-06-13 23:01:39 +02:00
|
|
|
# Copyright 2008, admin(at)immerda.ch
|
|
|
|
# Copyright 2008, Puzzle ITC GmbH
|
|
|
|
# Marcel Härry haerry+puppet(at)puzzle.ch
|
|
|
|
# Simon Josi josi+puppet(at)puzzle.ch
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute
|
|
|
|
# it and/or modify it under the terms of the GNU
|
|
|
|
# General Public License version 3 as published by
|
|
|
|
# the Free Software Foundation.
|
|
|
|
#
|
|
|
|
# Deploy authorized_keys file with the define
|
|
|
|
# sshd::deploy_auth_key
|
|
|
|
#
|
2008-07-17 20:17:52 +02:00
|
|
|
# sshd-config:
|
2008-06-13 23:01:39 +02:00
|
|
|
#
|
2008-09-28 18:38:18 +02:00
|
|
|
# The configuration of the sshd is rather strict and might not fit all
|
|
|
|
# needs. However there are a bunch of variables, which you might
|
|
|
|
# consider configuring.
|
|
|
|
#
|
|
|
|
# To set any of the following, simply set them as variables in your manifests
|
|
|
|
# before the class is included, for example:
|
|
|
|
#
|
|
|
|
# $sshd_listen_address = ['10.0.0.1 192.168.0.1']
|
|
|
|
# $sshd_use_pam = yes
|
|
|
|
# include sshd::debian
|
|
|
|
#
|
|
|
|
# The following is a list of the currently available variables:
|
2008-06-13 23:01:39 +02:00
|
|
|
#
|
2008-09-27 19:30:52 +02:00
|
|
|
# sshd_listen_address: specify the addresses sshd should listen on
|
2008-09-27 23:45:57 +02:00
|
|
|
# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
|
2008-09-27 19:30:52 +02:00
|
|
|
# addresses, or leave it unset to listen on all
|
|
|
|
# Default: empty -> results in listening on 0.0.0.0
|
|
|
|
#
|
2008-06-13 23:01:39 +02:00
|
|
|
# sshd_allowed_users: list of usernames separated by spaces.
|
|
|
|
# set this for example to "foobar root"
|
|
|
|
# to ensure that only user foobar and root
|
|
|
|
# might login.
|
|
|
|
# Default: empty -> no restriction is set
|
|
|
|
#
|
|
|
|
# sshd_use_pam: if you want to use pam or not for authenticaton
|
|
|
|
# Values: no or yes.
|
|
|
|
# Default: no
|
|
|
|
#
|
|
|
|
# sshd_permit_root_login: If you want to allow root logins or not.
|
|
|
|
# Valid values: yes, no, without-password, forced-commands-only
|
|
|
|
# Default: without-password
|
|
|
|
#
|
|
|
|
# sshd_password_authentication: If you want to enable password authentication or not
|
|
|
|
# Valid values: yes or no
|
|
|
|
# Default: no
|
2008-09-26 23:05:49 +02:00
|
|
|
#
|
|
|
|
# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
|
|
|
|
# When disabled, s/key passowords are disabled
|
|
|
|
# Valid values: yes or no
|
|
|
|
# Default: no
|
2008-06-13 23:01:39 +02:00
|
|
|
#
|
2008-09-26 23:55:02 +02:00
|
|
|
# sshd_tcp_forwarding: If you want to enable TcpForwarding
|
|
|
|
# Valid Values: yes or no
|
|
|
|
# Default: no
|
|
|
|
#
|
2008-06-13 23:01:39 +02:00
|
|
|
# sshd_x11_forwarding: If you want to enable x11 forwarding
|
|
|
|
# Valid Values: yes or no
|
|
|
|
# Default: no
|
|
|
|
#
|
2008-09-26 22:57:59 +02:00
|
|
|
# sshd_agent_forwarding: If you want to allow ssh-agent forwarding
|
|
|
|
# Valid Values: yes or no
|
|
|
|
# Default: no
|
2008-09-26 23:10:33 +02:00
|
|
|
#
|
|
|
|
# sshd_pubkey_authentication: If you want to enable public key authentication
|
|
|
|
# Valid Values: yes or no
|
|
|
|
# Default: yes
|
2008-09-26 23:21:01 +02:00
|
|
|
#
|
2008-09-26 23:28:05 +02:00
|
|
|
# sshd_rsa_authentication: If you want to enable RSA Authentication
|
2008-09-26 23:21:01 +02:00
|
|
|
# Valid Values: yes or no
|
|
|
|
# Default: no
|
2008-09-26 23:28:05 +02:00
|
|
|
#
|
2008-09-26 23:34:09 +02:00
|
|
|
# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
|
|
|
|
# Valid Values: yes or no
|
|
|
|
# Default: no
|
|
|
|
#
|
|
|
|
# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
|
|
|
|
# Valid Values: yes or no
|
|
|
|
# Default: no
|
|
|
|
#
|
2008-09-26 23:28:05 +02:00
|
|
|
# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
|
|
|
|
# Valid Values: yes or no
|
|
|
|
# Default: yes
|
2008-09-26 23:51:12 +02:00
|
|
|
#
|
|
|
|
# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords
|
|
|
|
# Valid Values: yes or no
|
|
|
|
# Default: no
|
2008-09-27 00:23:25 +02:00
|
|
|
#
|
|
|
|
# sshd_port: If you want to specify a different port than the default 22
|
|
|
|
# Default: 22
|
2008-09-27 02:03:10 +02:00
|
|
|
#
|
|
|
|
# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
|
|
|
|
# Default: AuthorizedKeysFile %h/.ssh/authorized_keys
|
|
|
|
#
|
2007-12-21 18:52:01 +01:00
|
|
|
|
|
|
|
class sshd {
|
2008-07-17 20:17:52 +02:00
|
|
|
include sshd::client
|
|
|
|
|
2008-04-04 17:30:26 +02:00
|
|
|
case $operatingsystem {
|
|
|
|
gentoo: { include sshd::gentoo }
|
|
|
|
redhat: { include sshd::redhat }
|
|
|
|
centos: { include sshd::centos }
|
|
|
|
openbsd: { include sshd::openbsd }
|
2008-04-11 15:14:47 +02:00
|
|
|
debian: { include sshd::debian }
|
|
|
|
ubuntu: { include sshd::ubuntu }
|
2008-04-04 17:30:26 +02:00
|
|
|
default: { include sshd::default }
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-12-21 18:52:01 +01:00
|
|
|
|
2008-04-04 17:30:26 +02:00
|
|
|
class sshd::base {
|
2008-09-27 19:30:52 +02:00
|
|
|
# prepare variables to use in templates
|
2008-09-27 19:39:28 +02:00
|
|
|
$real_sshd_listen_address = $sshd_listen_address ? {
|
2008-09-27 23:45:57 +02:00
|
|
|
'' => [ '0.0.0.0', '::' ],
|
2008-09-27 19:39:28 +02:00
|
|
|
default => $sshd_listen_address
|
2008-09-27 19:30:52 +02:00
|
|
|
}
|
2008-02-29 11:41:44 +01:00
|
|
|
$real_sshd_allowed_users = $sshd_allowed_users ? {
|
2008-06-13 23:01:39 +02:00
|
|
|
'' => '',
|
|
|
|
default => $sshd_allowed_users
|
|
|
|
}
|
|
|
|
$real_sshd_use_pam = $sshd_use_pam ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_use_pam
|
|
|
|
}
|
|
|
|
$real_sshd_permit_root_login = $sshd_permit_root_login ? {
|
|
|
|
'' => 'without-password',
|
|
|
|
default => $sshd_permit_root_login
|
|
|
|
}
|
|
|
|
$real_sshd_password_authentication = $sshd_password_authentication ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_password_authentication
|
|
|
|
}
|
2008-09-26 23:55:02 +02:00
|
|
|
$real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_tcp_forwarding
|
|
|
|
}
|
2008-06-13 23:01:39 +02:00
|
|
|
$real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_x11_forwarding
|
2008-02-29 11:41:44 +01:00
|
|
|
}
|
2008-09-26 22:57:59 +02:00
|
|
|
$real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_agent_forwarding
|
|
|
|
}
|
2008-09-26 23:05:49 +02:00
|
|
|
$real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_challenge_response_authentication
|
|
|
|
}
|
2008-09-26 23:10:33 +02:00
|
|
|
$real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
|
2008-09-27 21:19:43 +02:00
|
|
|
'' => 'yes',
|
2008-09-26 23:10:33 +02:00
|
|
|
default => $sshd_pubkey_authentication
|
|
|
|
}
|
2008-09-26 23:21:01 +02:00
|
|
|
$real_sshd_rsa_authentication = $sshd_rsa_authentication ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_rsa_authentication
|
|
|
|
}
|
2008-09-26 23:28:05 +02:00
|
|
|
$real_sshd_strict_modes = $sshd_strict_modes ? {
|
|
|
|
'' => 'yes',
|
|
|
|
default => $sshd_strict_modes
|
|
|
|
}
|
2008-09-26 23:30:28 +02:00
|
|
|
$real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
|
|
|
|
'' => 'yes',
|
|
|
|
default => $sshd_ignore_rhosts
|
|
|
|
}
|
2008-09-26 23:34:09 +02:00
|
|
|
$real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_rhosts_rsa_authentication
|
|
|
|
}
|
|
|
|
$real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_hostbased_authentication
|
|
|
|
}
|
2008-09-26 23:51:12 +02:00
|
|
|
$real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
|
|
|
|
'' => 'no',
|
|
|
|
default => $sshd_permit_empty_passwords
|
|
|
|
}
|
2008-09-27 00:23:25 +02:00
|
|
|
$real_sshd_port = $sshd_port ? {
|
|
|
|
'' => 22,
|
|
|
|
default => $sshd_port
|
|
|
|
}
|
2008-09-27 02:03:10 +02:00
|
|
|
$real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? {
|
|
|
|
'' => "%h/.ssh/authorized_keys",
|
|
|
|
default => $sshd_authorized_keys_file
|
|
|
|
}
|
|
|
|
|
2008-02-29 13:09:18 +01:00
|
|
|
file { 'sshd_config':
|
2008-01-31 00:27:37 +01:00
|
|
|
path => '/etc/ssh/sshd_config',
|
|
|
|
owner => root,
|
|
|
|
group => 0,
|
|
|
|
mode => 600,
|
2008-09-27 22:42:08 +02:00
|
|
|
content => $lsbdistcodename ? {
|
|
|
|
'' => template("sshd/sshd_config/${operatingsystem}.erb"),
|
|
|
|
default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
|
2008-09-27 22:51:32 +02:00
|
|
|
},
|
2008-06-13 23:01:39 +02:00
|
|
|
notify => Service[sshd],
|
2008-01-31 00:27:37 +01:00
|
|
|
}
|
2008-07-30 01:30:05 +02:00
|
|
|
# Now add the key, if we've got one
|
|
|
|
case $sshrsakey_key {
|
|
|
|
'': { info("no sshrsakey on $fqdn") }
|
|
|
|
default: {
|
|
|
|
@@sshkey{"$hostname.$domain":
|
|
|
|
type => ssh-rsa,
|
|
|
|
key => $sshrsakey_key,
|
|
|
|
ensure => present,
|
|
|
|
require => Package["openssh-clients"],
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2008-06-13 23:01:39 +02:00
|
|
|
service{'sshd':
|
2008-09-27 00:16:58 +02:00
|
|
|
name => 'sshd',
|
|
|
|
enable => true,
|
|
|
|
ensure => running,
|
|
|
|
hasstatus => true,
|
|
|
|
require => File[sshd_config],
|
2008-07-17 20:17:52 +02:00
|
|
|
}
|
2007-12-21 18:52:01 +01:00
|
|
|
}
|
2008-02-17 20:46:11 +01:00
|
|
|
|
2008-04-04 17:30:26 +02:00
|
|
|
class sshd::linux inherits sshd::base {
|
|
|
|
package{openssh:
|
|
|
|
ensure => present,
|
|
|
|
}
|
|
|
|
File[sshd_config]{
|
2008-06-13 23:01:39 +02:00
|
|
|
require +> Package[openssh],
|
2008-04-04 17:30:26 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
class sshd::gentoo inherits sshd::linux {
|
|
|
|
Package[openssh]{
|
|
|
|
category => 'net-misc',
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
class sshd::debian inherits sshd::linux {
|
|
|
|
Package[openssh]{
|
|
|
|
name => 'openssh-server',
|
|
|
|
}
|
2008-06-13 23:01:39 +02:00
|
|
|
Service[sshd]{
|
|
|
|
name => 'ssh',
|
|
|
|
hasstatus => false,
|
|
|
|
}
|
2008-04-04 17:30:26 +02:00
|
|
|
}
|
|
|
|
class sshd::ubuntu inherits sshd::debian {}
|
|
|
|
|
|
|
|
class sshd::redhat inherits sshd::linux {
|
|
|
|
Package[openssh]{
|
|
|
|
name => 'openssh-server',
|
|
|
|
}
|
|
|
|
}
|
|
|
|
class sshd::centos inherits sshd::redhat {}
|
|
|
|
|
|
|
|
class sshd::openbsd inherits sshd::base {
|
|
|
|
Service[sshd]{
|
2008-06-13 23:01:39 +02:00
|
|
|
restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
|
|
|
|
stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
|
|
|
|
start => '/usr/sbin/sshd',
|
2008-04-11 15:17:27 +02:00
|
|
|
hasstatus => false,
|
2008-04-04 17:30:26 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
### defines
|
2008-07-30 01:30:05 +02:00
|
|
|
# wrapper to have some defaults.
|
|
|
|
define sshd::ssh_authorized_key(
|
|
|
|
$type = 'ssh-dss',
|
|
|
|
$key,
|
|
|
|
$user = 'root',
|
|
|
|
$target = undef,
|
|
|
|
$options = 'absent'
|
|
|
|
){
|
|
|
|
ssh_authorized_key{$name:
|
|
|
|
type => $type,
|
|
|
|
key => $key,
|
2008-09-10 01:19:00 +02:00
|
|
|
user => $user,
|
2008-07-30 01:30:05 +02:00
|
|
|
target => $target,
|
|
|
|
}
|
|
|
|
|
|
|
|
case $options {
|
|
|
|
'absent': { info("not setting any option for ssh_authorized_key: $name") }
|
|
|
|
default: {
|
|
|
|
Ssh_authorized_key[$name]{
|
|
|
|
options => $options,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# deprecated!
|
2008-02-17 20:46:11 +01:00
|
|
|
define sshd::deploy_auth_key(
|
2008-06-17 09:57:46 +02:00
|
|
|
$source = 'present',
|
2008-02-17 20:46:11 +01:00
|
|
|
$user = 'root',
|
|
|
|
$target_dir = '/root/.ssh/',
|
2008-06-13 23:01:39 +02:00
|
|
|
$group = 0 ) {
|
2008-02-17 20:46:11 +01:00
|
|
|
|
2008-07-30 01:30:05 +02:00
|
|
|
notice("this way of deploying authorized keys is deprecated. use the native ssh_authorized_key instead")
|
|
|
|
|
2008-02-17 20:46:11 +01:00
|
|
|
$real_target = $target_dir ? {
|
|
|
|
'' => "/home/$user/.ssh/",
|
|
|
|
default => $target_dir,
|
|
|
|
}
|
|
|
|
|
|
|
|
file {$real_target:
|
|
|
|
ensure => directory,
|
|
|
|
owner => $user,
|
2008-06-13 23:01:39 +02:00
|
|
|
group => $group,
|
2008-02-17 20:46:11 +01:00
|
|
|
mode => 700,
|
|
|
|
}
|
|
|
|
|
2008-06-17 09:57:46 +02:00
|
|
|
case $source {
|
|
|
|
'present': { $keysource = $name }
|
|
|
|
default: { $keysource = $source }
|
|
|
|
}
|
|
|
|
|
2008-02-17 20:46:11 +01:00
|
|
|
file {"authorized_keys_${user}":
|
|
|
|
path => "$real_target/authorized_keys",
|
|
|
|
owner => $user,
|
2008-06-13 23:01:39 +02:00
|
|
|
group => $group,
|
2008-02-17 20:46:11 +01:00
|
|
|
mode => 600,
|
2008-06-17 09:57:46 +02:00
|
|
|
source => [ "puppet://$server/files/sshd/authorized_keys/${keysource}",
|
2008-06-13 23:01:39 +02:00
|
|
|
"puppet://$server/files/sshd/authorized_keys/${fqdn}",
|
|
|
|
"puppet://$server/files/sshd/authorized_keys/default",
|
|
|
|
"puppet://$server/sshd/authorized_keys/${name}",
|
|
|
|
"puppet://$server/sshd/authorized_keys/${fqdn}",
|
|
|
|
"puppet://$server/sshd/authorized_keys/default" ],
|
2008-02-17 20:46:11 +01:00
|
|
|
}
|
|
|
|
}
|