diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..2f2f973
--- /dev/null
+++ b/manifests/base.pp
@@ -0,0 +1,96 @@
+class sshd::base {
+ # prepare variables to use in templates
+ case $sshd_listen_address {
+ '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
+ }
+ case $sshd_allowed_users {
+ '': { $sshd_allowed_users = '' }
+ }
+ case $sshd_allowed_groups {
+ '': { $sshd_allowed_groups = '' }
+ }
+ case $sshd_use_pam {
+ '': { $sshd_use_pam = 'no' }
+ }
+ case $sshd_permit_root_login {
+ '': { $sshd_permit_root_login = 'without-password' }
+ }
+ case $sshd_password_authentication {
+ '': { $sshd_password_authentication = 'no' }
+ }
+ case $sshd_tcp_forwarding {
+ '': { $sshd_tcp_forwarding = 'no' }
+ }
+ case $sshd_x11_forwarding {
+ '': { $sshd_x11_forwarding = 'no' }
+ }
+ case $sshd_agent_forwarding {
+ '': { $sshd_agent_forwarding = 'no' }
+ }
+ case $sshd_challenge_response_authentication {
+ '': { $sshd_challenge_response_authentication = 'no' }
+ }
+ case $sshd_pubkey_authentication {
+ '': { $sshd_pubkey_authentication = 'yes' }
+ }
+ case $sshd_rsa_authentication {
+ '': { $sshd_rsa_authentication = 'no' }
+ }
+ case $sshd_strict_modes {
+ '': { $sshd_strict_modes = 'yes' }
+ }
+ case $sshd_ignore_rhosts {
+ '': { $sshd_ignore_rhosts = 'yes' }
+ }
+ case $sshd_rhosts_rsa_authentication {
+ '': { $sshd_rhosts_rsa_authentication = 'no' }
+ }
+ case $sshd_hostbased_authentication {
+ '': { $sshd_hostbased_authentication = 'no' }
+ }
+ case $sshd_permit_empty_passwords {
+ '': { $sshd_permit_empty_passwords = 'no' }
+ }
+ case $sshd_port {
+ '': { $sshd_port = 22 }
+ }
+ case $sshd_authorized_keys_file {
+ '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
+ }
+ case $sshd_sftp_subsystem {
+ '': { $sshd_sftp_subsystem = '' }
+ }
+ case $sshd_additional_options {
+ '': { $sshd_additional_options = '' }
+ }
+
+ file { 'sshd_config':
+ path => '/etc/ssh/sshd_config',
+ owner => root,
+ group => 0,
+ mode => 600,
+ content => $lsbdistcodename ? {
+ '' => template("sshd/sshd_config/${operatingsystem}.erb"),
+ default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+ },
+ notify => Service[sshd],
+ }
+ # Now add the key, if we've got one
+ case $sshrsakey_key {
+ '': { info("no sshrsakey on $fqdn") }
+ default: {
+ @@sshkey{"$hostname.$domain":
+ type => ssh-rsa,
+ key => $sshrsakey_key,
+ ensure => present,
+ }
+ }
+ }
+ service{'sshd':
+ name => 'sshd',
+ enable => true,
+ ensure => running,
+ hasstatus => true,
+ require => File[sshd_config],
+ }
+}
diff --git a/manifests/client.pp b/manifests/client.pp
index 34308b4..2fc3a84 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -10,26 +10,7 @@ class sshd::client {
 }
 }
 }
-}
-
-class sshd::client::base {
- # this is needed because the gid might have changed
- file { '/etc/ssh/ssh_known_hosts':
- mode => 0644, owner => root, group => 0;
- }
-
- # Now collect all server keys
- Sshkey <<||>>
-}
-
-class sshd::client::linux inherits sshd::client::base {
- package {'openssh-clients':
- ensure => installed,
- }
-}
-
-class sshd::client::debian inherits sshd::client::linux {
- Package['openssh-clients']{
- name => 'openssh-client',
+ if $use_shorewall{
+ include shorewall::rules::out::ssh
 }
 }
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
new file mode 100644
index 0000000..2c3e31f
--- /dev/null
+++ b/manifests/client/base.pp
@@ -0,0 +1,9 @@
+class sshd::client::base {
+ # this is needed because the gid might have changed
+ file { '/etc/ssh/ssh_known_hosts':
+ mode => 0644, owner => root, group => 0;
+ }
+
+ # Now collect all server keys
+ Sshkey <<||>>
+}
diff --git a/manifests/client/debian.pp b/manifests/client/debian.pp
new file mode 100644
index 0000000..9ca6da9
--- /dev/null
+++ b/manifests/client/debian.pp
@@ -0,0 +1,5 @@
+class sshd::client::debian inherits sshd::client::linux {
+ Package['openssh-clients']{
+ name => 'openssh-client',
+ }
+}
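Review bot: The exported `@@sshkey{"$hostname.$domain": ...}` near the end of the hunk registers the server's host key only under its FQDN, so a client that connects by short hostname or by address gets no match from the collected known_hosts entry and falls back to an unverified first-connection prompt; add `host_aliases => [ $hostname ],` (and the node's address fact if address-based matches are wanted) to the exported resource. The `file { 'sshd_config': ... }` resource uses bare `mode => 600`; writing it as the string `'0600'` is what newer Puppet releases require and removes any decimal/octal ambiguity. The long run of `case $sshd_... { '': { ... } }` defaults would benefit from a header comment listing the top-scope variables it reads and the sshd_config directive each is assumed to drive in the template, since the templates themselves are not part of this commit.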
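Review bot: `Sshkey <<||>>` in the client/base.pp hunk collects every exported sshkey resource in the fleet, not only those exported by `sshd::base`, so any other module that exports host keys silently lands in every client's `/etc/ssh/ssh_known_hosts`. Resources declared inside class `sshd::base` are auto-tagged with `sshd`, so restricting the collector to `Sshkey <<| tag == 'sshd' |>>` needs no change on the export side. The comment `# this is needed because the gid might have changed` does not say what "this" refers to; something like `# re-assert ownership and mode on the collected known_hosts file` would be clearer.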
diff --git a/manifests/client/linux.pp b/manifests/client/linux.pp
new file mode 100644
index 0000000..522fa50
--- /dev/null
+++ b/manifests/client/linux.pp
@@ -0,0 +1,5 @@
+class sshd::client::linux inherits sshd::client::base {
+ package {'openssh-clients':
+ ensure => installed,
+ }
+}
diff --git a/manifests/debian.pp b/manifests/debian.pp
new file mode 100644
index 0000000..555cf12
--- /dev/null
+++ b/manifests/debian.pp
@@ -0,0 +1,13 @@
+class sshd::debian inherits sshd::linux {
+
+ # the templates for Debian need lsbdistcodename
+ include assert_lsbdistcodename
+
+ Package[openssh]{
+ name => 'openssh-server',
+ }
+ Service[sshd]{
+ name => 'ssh',
+ hasstatus => false,
+ }
+}
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
new file mode 100644
index 0000000..f56a96d
--- /dev/null
+++ b/manifests/gentoo.pp
@@ -0,0 +1,5 @@
+class sshd::gentoo inherits sshd::linux {
+ Package[openssh]{
+ category => 'net-misc',
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 04484ca..cece69e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -123,198 +123,20 @@ class sshd { case $operatingsystem { gentoo: { include sshd::gentoo } - redhat: { include sshd::redhat } + redhat,centos: { include sshd::redhat } centos: { include sshd::centos } openbsd: { include sshd::openbsd } - debian: { include sshd::debian } - ubuntu: { include sshd::ubuntu } + debian,ubuntu: { include sshd::debian } default: { include sshd::default } } -} - -class sshd::base { - # prepare variables to use in templates - case $sshd_listen_address { - '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } - } - case $sshd_allowed_users { - '': { $sshd_allowed_users = '' } - } - case $sshd_allowed_groups { - '': { $sshd_allowed_groups = '' } - } - case $sshd_use_pam { - '': { $sshd_use_pam = 'no' } - } - case $sshd_permit_root_login { - '': { $sshd_permit_root_login = 'without-password' } - } - case $sshd_password_authentication { - '': { $sshd_password_authentication = 'no' } - } - case $sshd_tcp_forwarding { - '': { $sshd_tcp_forwarding = 'no' } - } - case $sshd_x11_forwarding { - '': { $sshd_x11_forwarding = 'no' } - } - case $sshd_agent_forwarding { - '': { $sshd_agent_forwarding = 'no' } - } - case $sshd_challenge_response_authentication { - '': { $sshd_challenge_response_authentication = 'no' } - } - case $sshd_pubkey_authentication { - '': { $sshd_pubkey_authentication = 'yes' } - } - case $sshd_rsa_authentication { - '': { $sshd_rsa_authentication = 'no' } - } - case $sshd_strict_modes { - '': { $sshd_strict_modes = 'yes' } - } - case $sshd_ignore_rhosts { - '': { $sshd_ignore_rhosts = 'yes' } - } - case $sshd_rhosts_rsa_authentication { - '': { $sshd_rhosts_rsa_authentication = 'no' } - } - case $sshd_hostbased_authentication { - '': { $sshd_hostbased_authentication = 'no' } - } - case $sshd_permit_empty_passwords { - '': { $sshd_permit_empty_passwords = 'no' } - } - case $sshd_port { - '': { $sshd_port = 22 } - } - case $sshd_authorized_keys_file { - '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } - } - case 
$sshd_sftp_subsystem { - '': { $sshd_sftp_subsystem = '' } - } - case $sshd_additional_options { - '': { $sshd_additional_options = '' } - } - - file { 'sshd_config': - path => '/etc/ssh/sshd_config', - owner => root, - group => 0, - mode => 600, - content => $lsbdistcodename ? { - '' => template("sshd/sshd_config/${operatingsystem}.erb"), - default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), - }, - notify => Service[sshd], - } - # Now add the key, if we've got one - case $sshrsakey_key { - '': { info("no sshrsakey on $fqdn") } - default: { - @@sshkey{"$hostname.$domain": - type => ssh-rsa, - key => $sshrsakey_key, - ensure => present, - } - } - } - service{'sshd': - name => 'sshd', - enable => true, - ensure => running, - hasstatus => true, - require => File[sshd_config], - } if $use_nagios { if $nagios_check_ssh { nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } } } -} -class sshd::linux inherits sshd::base { - package{openssh: - ensure => present, - } - File[sshd_config]{ - require +> Package[openssh], - } -} - -class sshd::gentoo inherits sshd::linux { - Package[openssh]{ - category => 'net-misc', - } -} - -class sshd::debian inherits sshd::linux { - - # the templates for Debian need lsbdistcodename - include assert_lsbdistcodename - - Package[openssh]{ - name => 'openssh-server', - } - Service[sshd]{ - name => 'ssh', - hasstatus => false, - } -} -class sshd::ubuntu inherits sshd::debian {} - -class sshd::redhat inherits sshd::linux { - Package[openssh]{ - name => 'openssh-server', - } -} -class sshd::centos inherits sshd::redhat {} - -class sshd::openbsd inherits sshd::base { - Service[sshd]{ - restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', - stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', - start => '/usr/sbin/sshd', - hasstatus => false, - } -} - -### defines -# wrapper to have some defaults. 
-define sshd::ssh_authorized_key(
- $type = 'ssh-dss',
- $key,
- $user = 'root',
- $target = 'absent',
- $options = 'absent'
-){
-
- case $target {
- 'absent': {
- case $user {
- 'root': { $real_target = '/root/.ssh/authorized_keys' }
- default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
- }
- }
- default: {
- $real_target = $target
- }
- }
- ssh_authorized_key{$name:
- type => $type,
- key => $key,
- user => $user,
- target => $real_target,
- }
-
- case $options {
- 'absent': { info("not setting any option for ssh_authorized_key: $name") }
- default: {
- Ssh_authorized_key[$name]{
- options => $options,
- }
- }
+ if $use_shorewall{
+ include shorewall::rules::ssh
 }
 }
diff --git a/manifests/linux.pp b/manifests/linux.pp
new file mode 100644
index 0000000..f659808
--- /dev/null
+++ b/manifests/linux.pp
@@ -0,0 +1,8 @@
+class sshd::linux inherits sshd::base {
+ package{openssh:
+ ensure => present,
+ }
+ File[sshd_config]{
+ require +> Package[openssh],
+ }
+}
diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp
new file mode 100644
index 0000000..f1379d7
--- /dev/null
+++ b/manifests/openbsd.pp
@@ -0,0 +1,8 @@
+class sshd::openbsd inherits sshd::base {
+ Service[sshd]{
+ restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
+ stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
+ start => '/usr/sbin/sshd',
+ hasstatus => false,
+ }
+}
diff --git a/manifests/redhat.pp b/manifests/redhat.pp
new file mode 100644
index 0000000..e9bf1d1
--- /dev/null
+++ b/manifests/redhat.pp
@@ -0,0 +1,5 @@
+class sshd::redhat inherits sshd::linux {
+ Package[openssh]{
+ name => 'openssh-server',
+ }
+}
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
new file mode 100644
index 0000000..2d528da
--- /dev/null
+++ b/manifests/ssh_authorized_key.pp
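Review bot: In the `case $operatingsystem` block at the top of the init.pp hunk, the unchanged `centos: { include sshd::centos }` option is now unreachable because the new `redhat,centos:` option precedes it, and the `sshd::centos` class it names is deleted later in the same hunk with no replacement file in this commit; drop the line (`-    centos: { include sshd::centos }`) so a stale reference does not survive. The leading context lines belong to `class sshd`, whose start is outside the hunk. The new `if $use_shorewall{ include shorewall::rules::ssh }` at the end mirrors the client.pp hunk; since `$use_shorewall` is a top-scope toggle that nothing in this diff declares, a one-line comment such as `# open the inbound ssh rule when the firewall is managed by the shorewall module` would tell the next reader where the switch comes from. Style: `if $use_shorewall{` wants a space before the brace, here and in client.pp.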
@@ -0,0 +1,36 @@
+# wrapper to have some defaults.
+define sshd::ssh_authorized_key(
+ $type = 'ssh-dss',
+ $key,
+ $user = 'root',
+ $target = 'absent',
+ $options = 'absent'
+){
+
+ case $target {
+ 'absent': {
+ case $user {
+ 'root': { $real_target = '/root/.ssh/authorized_keys' }
+ default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
+ }
+ }
+ default: {
+ $real_target = $target
+ }
+ }
+ ssh_authorized_key{$name:
+ type => $type,
+ key => $key,
+ user => $user,
+ target => $real_target,
+ }
+
+ case $options {
+ 'absent': { info("not setting any option for ssh_authorized_key: $name") }
+ default: {
+ Ssh_authorized_key[$name]{
+ options => $options,
+ }
+ }
+ }
+}
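Review bot: The define defaults `$type` to `'ssh-dss'`, so any caller that omits `type` installs the key as DSA; DSA keys are fixed at 1024 bits and OpenSSH has rejected ssh-dss keys by default since 7.0, which makes a silent DSA default the wrong choice for an authorized_keys wrapper. Without changing the interface, at least document it next to the parameter, e.g. `# 'ssh-dss' is kept only for existing callers; pass type => 'ssh-rsa' (or a newer type) for new keys`, or consider making `$type` required alongside `$key`. A second assumption worth a comment: for a non-root `$user` with `$target` left at `'absent'`, `$real_target` is built as `"/home/${user}/.ssh/authorized_keys"`, so an account whose home is not under `/home` gets a file its sshd never reads; callers in that situation must pass `target` explicitly. Minor style: `$key` has no default but is listed after a defaulted parameter; putting required parameters first reads better.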