module-sshd/manifests/init.pp

#
# ssh module
#
# Copyright 2008, micah@riseup.net
# Copyright 2008, admin(at)immerda.ch
# Copyright 2008, Puzzle ITC GmbH
# Marcel Härry haerry+puppet(at)puzzle.ch
# Simon Josi josi+puppet(at)puzzle.ch
#
# This program is free software; you can redistribute 
# it and/or modify it under the terms of the GNU 
# General Public License version 3 as published by 
# the Free Software Foundation.
#
# Deploy authorized_keys file with the define
#     sshd::ssh_authorized_key
# 
# sshd-config:
#
# The configuration of the sshd is rather strict and might not fit all
# needs. However there are a bunch of variables, which you might
# consider configuring.
#
# To set any of the following, simply set them as variables in your manifests
# before the class is included, for example:
#
# $sshd_listen_address = ['10.0.0.1 192.168.0.1']
# $sshd_use_pam = yes
# include sshd::debian
#
# The following is a list of the currently available variables:
#
# sshd_listen_address:          specify the addresses sshd should listen on
#                               set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
#                               addresses, or leave it unset to listen on all
#                               Default: empty -> results in listening on 0.0.0.0
#
# sshd_allowed_users:           list of usernames separated by spaces. 
#                               set this for example to "foobar root"
#                               to ensure that only user foobar and root
#                               might login. 
#                               Default: empty -> no restriction is set
#
# sshd_allowed_groups           list of groups separated by spaces.
#                               set this for example to "wheel sftponly"
#                               to ensure that only users in the groups
#                               wheel and sftponly might login.
#                               Default: empty -> no restriction is set
#                               Note: This is set after sshd_allowed_users,
#                                     take care of the behaviour if you use
#                                     these 2 options together.
# 
# sshd_use_pam:                 if you want to use pam or not for authenticaton
#                               Values: no or yes. 
#                               Default: no
#
# sshd_permit_root_login:       If you want to allow root logins or not.
#                               Valid values: yes, no, without-password, forced-commands-only
#                               Default: without-password
#
# sshd_password_authentication: If you want to enable password authentication or not
#                               Valid values: yes or no
#                               Default: no
#				
# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
# 				When disabled, s/key passowords are disabled
# 				Valid values: yes or no
#				Default: no
# 
# sshd_tcp_forwarding:		If you want to enable TcpForwarding
# 				Valid Values: yes or no
#				Default: no
#
# sshd_x11_forwarding:          If you want to enable x11 forwarding 
#                               Valid Values: yes or no
#                               Default: no
#
# sshd_agent_forwarding:	If you want to allow ssh-agent forwarding
# 				Valid Values: yes or no
#				Default: no
#
# sshd_pubkey_authentication:	If you want to enable public key authentication
# 				Valid Values: yes or no
#				Default: yes
#
# sshd_rsa_authentication:	If you want to enable RSA Authentication
# 				Valid Values: yes or no
#				Default: no
#				
# sshd_rhosts_rsa_authentication:	If you want to enable rhosts RSA Authentication
# 				Valid Values: yes or no
#				Default: no
#
# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
# 				 Valid Values: yes or no
#				 Default: no
#				
# sshd_strict_modes:		If you want to set StrictModes (check file modes/ownership before accepting login)
# 				Valid Values: yes or no
#				Default: yes
#
# sshd_permit_empty_passwords:	If you want enable PermitEmptyPasswords to allow empty passwords
# 				Valid Values: yes or no
#				Default: no
#
# sshd_port:                    If you want to specify a different port than the default 22
#                               Default: 22
#
# sshd_authorized_keys_file:    Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
#                               Default: AuthorizedKeysFile	%h/.ssh/authorized_keys
#
# sshd_sftp_subsystem:  Set a different sftp-subystem than the default one.
#                       Might be interesting for sftponly usage
#                       Default: empty -> no change of the default
#
# sshd_head_additional_options:  Set this to any additional sshd_options which aren't listed above.
#                                Anything set here will be added to the beginning of the sshd_config file.
#                                This option might be useful to define complicated Match Blocks
#                                This string is going to be included, like it is defined. So take care!
#                                Default: empty -> not added.
#
# sshd_tail_additional_options:  Set this to any additional sshd_options which aren't listed above.
#                                Anything set here will be added to the end of the sshd_config file.
#                                This option might be useful to define complicated Match Blocks
#                                This string is going to be included, like it is defined. So take care!
#                                Default: empty -> not added.

class sshd {
  include sshd::client 
  
  case $operatingsystem {
    gentoo: { include sshd::gentoo }
    redhat: { include sshd::redhat }
    centos: { include sshd::centos }
    openbsd: { include sshd::openbsd }
    debian: { include sshd::debian }
    ubuntu: { include sshd::ubuntu }
    default: { include sshd::default }
  }
}


class sshd::base {
  # prepare variables to use in templates
  case $sshd_listen_address {
    '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
  }
  case $sshd_allowed_users {
    '': { $sshd_allowed_users = '' }
  }
  case $sshd_allowed_groups {
    '': { $sshd_allowed_groups = '' }
  }
  case $sshd_use_pam {
    '': { $sshd_use_pam = 'no' }
  }
  case $sshd_permit_root_login {
    '': { $sshd_permit_root_login = 'without-password' }
  }
  case $sshd_password_authentication {
    '': { $sshd_password_authentication = 'no' }
  }
  case $sshd_tcp_forwarding {
    '': { $sshd_tcp_forwarding = 'no' }
  }
  case $sshd_x11_forwarding {
    '': { $sshd_x11_forwarding = 'no' }
  }
  case $sshd_agent_forwarding {
    '': { $sshd_agent_forwarding = 'no' }
  }
  case $sshd_challenge_response_authentication {
    '': { $sshd_challenge_response_authentication = 'no' }
  }
  case $sshd_pubkey_authentication {
    '': { $sshd_pubkey_authentication = 'yes' }
  }
  case $sshd_rsa_authentication {
    '': { $sshd_rsa_authentication = 'no' }
  }
  case $sshd_strict_modes {
    '': { $sshd_strict_modes = 'yes' }
  }
  case $sshd_ignore_rhosts {
    '': { $sshd_ignore_rhosts = 'yes' }
  }
  case $sshd_rhosts_rsa_authentication {
    '': { $sshd_rhosts_rsa_authentication = 'no' }
  }
  case $sshd_hostbased_authentication {
    '': { $sshd_hostbased_authentication = 'no' }
  }
  case $sshd_permit_empty_passwords {
    '': { $sshd_permit_empty_passwords = 'no' }
  }
  case $sshd_port {
    '': { $sshd_port = 22 }
  }
  case $sshd_authorized_keys_file {
    '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
  }
  case $sshd_sftp_subsystem {
    '': { $sshd_sftp_subsystem = '' }
  }
  case $sshd_head_additional_options {
    '': { $sshd_head_additional_options = '' }
  }
  case $sshd_tail_additional_options {
    '': { $sshd_tail_additional_options = '' }
  }
  case $sshd_ensure_version {
    '': { $sshd_ensure_version = "present" }
  }

  package{openssh:
    ensure => $sshd_ensure_version,
  }
  
  file { 'sshd_config':
    path => '/etc/ssh/sshd_config',
    owner => root,
    group => 0,
    mode => 600,
    content => $lsbdistcodename ? {
      '' => template("sshd/sshd_config/${operatingsystem}.erb"),
      default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
      },
      notify => Service[sshd],
  }
  # Now add the key, if we've got one
  case $sshrsakey {
    '': { warning("no sshrsakey on $fqdn") }
    default: {
      @@sshkey{"$hostname.$domain":
        type => ssh-rsa,
        key => $sshrsakey,
        ensure => present,
      }
      @@sshkey{"$ipaddress":
        type => ssh-rsa,
        key => $sshrsakey,
        ensure => present,
      }
    }
  }
  service{'sshd':
    name => 'sshd',
    enable => true,
    ensure => running,
    hasstatus => true,
    require => File[sshd_config],
  }
  
  if $use_nagios {
    case $nagios_check_ssh {
      'false': { info("We don't do nagioschecks for ssh on ${fqdn}" ) }
      default: { nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } }
    }
  }
}

class sshd::linux inherits sshd::base {
  File[sshd_config]{
    require +> Package[openssh],
  }
}

class sshd::gentoo inherits sshd::linux {
  Package[openssh]{
    category => 'net-misc',
  }
}

class sshd::debian inherits sshd::linux {
  
  # the templates for Debian need lsbdistcodename
  include assert_lsbdistcodename
  
  Package[openssh]{
    name => 'openssh-server',
  }

  $sshd_restartandstatus = $lsbdistcodename ? {
    etch => false,
    lenny => true,
    default => false
  }

  Service[sshd]{
    name => 'ssh',
    pattern => 'sshd',
    hasstatus => $sshd_restartandstatus,
    hasrestart => $sshd_restartandstatus,
  }
}
class sshd::ubuntu inherits sshd::debian {}

class sshd::redhat inherits sshd::linux {
  Package[openssh]{
    name => 'openssh-server',
  }
}
class sshd::centos inherits sshd::redhat {}

class sshd::openbsd inherits sshd::base {
  Service[sshd]{
    restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
    stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
    start => '/usr/sbin/sshd',
    hasstatus => false,
  }
}

### defines 
# wrapper to have some defaults.
define sshd::ssh_authorized_key(
  $type = 'ssh-dss',
  $key,
  $user = '',
  $target = undef,
  $options = 'absent'
  )
{
  $real_user = $user ? {
    false => $name,
    "" => $name,
    default => $user,
   }
  case $target {
    undef: {
      $real_target = "/home/$real_user/.ssh/authorized_keys"
    }
    default: {
      $real_target = $target
    }
  }
  ssh_authorized_key{$name:
    type => $type,
    key => $key,
    user => $real_user,
    target => $real_target,
  }
  
  case $options {
    'absent': { info("not setting any option for ssh_authorized_key: $name") }
    default: {
      Ssh_authorized_key[$name]{
        options => $options,
      }
    }
  }
}