opuppet/module-sshd
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge branch 'master' of git://labs.riseup.net/shared-sshd

Browse source
This commit is contained in:
Silvio Rhatto 2011-07-13 18:39:18 -03:00
commit 99928cd61e
13 changed files with 488 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
README
View file

@ -170,6 +170,10 @@ The following is a list of the currently available variables:
(e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile
%h/.ssh/authorized_keys %h/.ssh/authorized_keys
$sshd_hardened_ssl
Use only strong SSL ciphers and MAC.
Values: no or yes; Default: no.
$sshd_sftp_subsystem $sshd_sftp_subsystem
Set a different sftp-subystem than the default one. Might be interesting for Set a different sftp-subystem than the default one. Might be interesting for
sftponly usage. Default: empty -> no change of the default sftponly usage. Default: empty -> no change of the default

7
manifests/init.pp
View file

@ -77,6 +77,9 @@ class sshd {
case $sshd_authorized_keys_file { case $sshd_authorized_keys_file {
'': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
} }
case $sshd_hardened_ssl {
'': { $sshd_hardened_ssl = 'no' }
}
case $sshd_sftp_subsystem { case $sshd_sftp_subsystem {
'': { $sshd_sftp_subsystem = '' } '': { $sshd_sftp_subsystem = '' }
} }
@ -99,7 +102,7 @@ class sshd {
'': { $sshd_use_strong_ciphers = "no" } '': { $sshd_use_strong_ciphers = "no" }
} }
include sshd::client include sshd::client
case $operatingsystem { case $operatingsystem {
gentoo: { include sshd::gentoo } gentoo: { include sshd::gentoo }
@ -107,7 +110,7 @@ class sshd {
centos: { include sshd::centos } centos: { include sshd::centos }
openbsd: { include sshd::openbsd } openbsd: { include sshd::openbsd }
debian,ubuntu: { include sshd::debian } debian,ubuntu: { include sshd::debian }
default: { include sshd::default } default: { include sshd::base }
} }
if $use_nagios { if $use_nagios {

4
manifests/ssh_authorized_key.pp
View file

@ -3,7 +3,7 @@ define sshd::ssh_authorized_key(
$ensure = 'present', $ensure = 'present',
$type = 'ssh-dss', $type = 'ssh-dss',
$key = 'absent', $key = 'absent',
$user = 'root', $user = '',
$target = undef, $target = undef,
$options = 'absent' $options = 'absent'
){ ){
@ -22,7 +22,7 @@ define sshd::ssh_authorized_key(
undef,'': { undef,'': {
case $real_user { case $real_user {
'root': { $real_target = '/root/.ssh/authorized_keys' } 'root': { $real_target = '/root/.ssh/authorized_keys' }
default: { $real_target = "/home/${user}/.ssh/authorized_keys" } default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }
} }
} }
default: { default: {

5
templates/sshd_config/CentOS.erb
View file

@ -204,6 +204,11 @@ AllowUsers <%= sshd_allowed_users %>
AllowGroups <%= sshd_allowed_groups %> AllowGroups <%= sshd_allowed_groups %>
<%- end -%> <%- end -%>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %> <%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %> <%= sshd_tail_additional_options %>
<%- end %> <%- end %>

9
templates/sshd_config/Debian_etch.erb
View file

@ -157,16 +157,12 @@ UsePAM yes
UsePAM no UsePAM no
<%- end -%> <%- end -%>
HostbasedUsesNameFromPacketOnly yes
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> <%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes AllowTcpForwarding yes
<%- else -%> <%- else -%>
AllowTcpForwarding no AllowTcpForwarding no
<%- end -%> <%- end -%>
ChallengeResponseAuthentication no
<%- unless sshd_allowed_users.to_s.empty? then -%> <%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%> AllowUsers <%= sshd_allowed_users -%>
<%- end -%> <%- end -%>
@ -178,6 +174,11 @@ AllowGroups <%= sshd_allowed_groups %>
PrintMotd no PrintMotd no
<%- end -%> <%- end -%>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %> <%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %> <%= sshd_tail_additional_options %>
<%- end %> <%- end %>

7
templates/sshd_config/Debian_lenny.erb
View file

@ -160,8 +160,6 @@ UsePAM yes
UsePAM no UsePAM no
<%- end -%> <%- end -%>
HostbasedUsesNameFromPacketOnly yes
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> <%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes AllowTcpForwarding yes
<%- else -%> <%- else -%>
@ -185,6 +183,11 @@ AllowGroups <%= sshd_allowed_groups %>
PrintMotd no PrintMotd no
<%- end -%> <%- end -%>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %> <%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %> <%= sshd_tail_additional_options %>
<%- end %> <%- end %>

207
templates/sshd_config/Debian_sid.erb Normal file
View file

@ -0,0 +1,207 @@
# This file is managed by Puppet, all local modifications will be overwritten
#
# Package generated configuration file
# See the sshd(8) manpage for details
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
# What ports, IPs and protocols we listen for
<%- sshd_ports.each do |port| -%>
<%- if port.to_s == 'off' then -%>
#Port -- disabled by puppet
<% else -%>
Port <%= port %>
<% end -%>
<%- end -%>
# Use these options to restrict which interfaces/protocols sshd will bind to
<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
# Don't read the user's ~/.rhosts and ~/.shosts files
<%- if sshd_ignore_rhosts.to_s == 'yes' then -%>
IgnoreRhosts yes
<%- else -%>
IgnoreRhosts no
<% end -%>
# For this to work you will also need host keys in /etc/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
# To disable tunneled clear text passwords, change to no here!
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
# Kerberos options
<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
KerberosAuthentication yes
<%- else -%>
KerberosAuthentication no
<%- end -%>
<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
KerberosOrLocalPasswd yes
<%- else -%>
KerberosOrLocalPasswd no
<%- end -%>
<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
KerberosTicketCleanup yes
<%- else -%>
KerberosTicketCleanup no
<%- end -%>
# GSSAPI options
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPIAuthentication yes
<%- else -%>
GSSAPIAuthentication no
<%- end -%>
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPICleanupCredentials yes
<%- else -%>
GSSAPICleanupCredentials yes
<%- end -%>
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/lib/openssh/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
<%- end -%>
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
AllowAgentForwarding yes
<%- else -%>
AllowAgentForwarding no
<%- end -%>
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%>
<%- end -%>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>

7
templates/sshd_config/Debian_squeeze.erb
View file

@ -178,8 +178,6 @@ UsePAM yes
UsePAM no UsePAM no
<%- end -%> <%- end -%>
HostbasedUsesNameFromPacketOnly yes
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> <%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes AllowTcpForwarding yes
<%- else -%> <%- else -%>
@ -199,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%>
AllowGroups <%= sshd_allowed_groups %> AllowGroups <%= sshd_allowed_groups %>
<%- end %> <%- end %>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %> <%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %> <%= sshd_tail_additional_options %>
<%- end %> <%- end %>

1
templates/sshd_config/Debian_wheezy.erb Symbolic link
View file

@ -0,0 +1 @@
Debian_sid.erb

239
templates/sshd_config/FreeBSD.erb Normal file
View file

@ -0,0 +1,239 @@
# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.2.2.1 2010/06/14 02:09:06 kensmith Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
#VersionAddendum FreeBSD-20100308
<%- unless sshd_head_additional_options.to_s.empty? then %>
<%= sshd_head_additional_options %>
<%- end %>
<%- unless sshd_port.to_s.empty? then -%>
<%- if sshd_port.to_s == 'off' then -%>
#Port -- disabled by puppet
<% else -%>
Port <%= sshd_port -%>
<% end -%>
<%- else -%>
Port 22
<%- end -%>
#AddressFamily any
<% for address in sshd_listen_address -%>
ListenAddress <%= address %>
<% end -%>
# The default requires explicit activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
<%- unless sshd_permit_root_login.to_s.empty? then -%>
PermitRootLogin <%= sshd_permit_root_login -%>
<%- else -%>
PermitRootLogin without-password
<%- end -%>
<%- if sshd_strict_modes.to_s == 'yes' then -%>
StrictModes yes
<%- else -%>
StrictModes no
<%- end -%>
#MaxAuthTries 6
#MaxSessions 10
<%- if sshd_rsa_authentication.to_s == 'yes' then -%>
RSAAuthentication yes
<%- else -%>
RSAAuthentication no
<%- end -%>
<%- if sshd_pubkey_authentication.to_s == 'yes' then -%>
PubkeyAuthentication yes
<%- else -%>
PubkeyAuthentication no
<%- end -%>
<%- unless sshd_authorized_keys_file.to_s.empty? then -%>
AuthorizedKeysFile <%= sshd_authorized_keys_file %>
<%- else -%>
AuthorizedKeysFile %h/.ssh/authorized_keys
<%- end -%>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
RhostsRSAAuthentication yes
<%- else -%>
RhostsRSAAuthentication no
<% end -%>
# similar for protocol version 2
<%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
HostbasedAuthentication yes
<%- else -%>
HostbasedAuthentication no
<% end -%>
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Change to yes to enable built-in password authentication.
<%- if sshd_password_authentication.to_s == 'yes' then -%>
PasswordAuthentication yes
<%- else -%>
PasswordAuthentication no
<%- end -%>
<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%>
PermitEmptyPasswords yes
<% else -%>
PermitEmptyPasswords no
<% end -%>
# Change to no to disable PAM authentication
<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%>
ChallengeResponseAuthentication yes
<%- else -%>
ChallengeResponseAuthentication no
<%- end -%>
# Kerberos options
<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
KerberosAuthentication yes
<%- else -%>
KerberosAuthentication no
<%- end -%>
<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
KerberosOrLocalPasswd yes
<%- else -%>
KerberosOrLocalPasswd no
<%- end -%>
<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
KerberosTicketCleanup yes
<%- else -%>
KerberosTicketCleanup no
<%- end -%>
# GSSAPI options
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPIAuthentication yes
<%- else -%>
GSSAPIAuthentication no
<%- end -%>
<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
GSSAPICleanupCredentials yes
<%- else -%>
GSSAPICleanupCredentials yes
<%- end -%>
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<%- if sshd_use_pam.to_s == 'yes' then -%>
UsePAM yes
<%- else -%>
UsePAM no
<%- end -%>
<%- if sshd_agent_forwarding.to_s == 'yes' then -%>
AllowAgentForwarding yes
<%- else -%>
AllowAgentForwarding no
<%- end -%>
<%- if sshd_tcp_forwarding.to_s == 'yes' then -%>
AllowTcpForwarding yes
<%- else -%>
AllowTcpForwarding no
<%- end -%>
#GatewayPorts no
<%- if sshd_x11_forwarding.to_s == 'yes' then -%>
X11Forwarding yes
<%- else -%>
X11Forwarding no
<%- end -%>
X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
<%- if sshd_sftp_subsystem.to_s.empty? then %>
Subsystem sftp /usr/libexec/sftp-server
<%- else %>
Subsystem sftp <%= sshd_sftp_subsystem %>
<%- end %>
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
<%- unless sshd_allowed_users.to_s.empty? then -%>
AllowUsers <%= sshd_allowed_users -%>
<%- end -%>
<%- unless sshd_allowed_groups.to_s.empty? then %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>

4
templates/sshd_config/Gentoo.erb
View file

@ -208,6 +208,10 @@ AllowUsers <%= sshd_allowed_users %>
AllowGroups <%= sshd_allowed_groups %> AllowGroups <%= sshd_allowed_groups %>
<%- end %> <%- end %>
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %> <%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %> <%= sshd_tail_additional_options %>

5
templates/sshd_config/OpenBSD.erb
View file

@ -184,6 +184,11 @@ AllowGroups <%= sshd_allowed_groups %>
# AllowTcpForwarding no # AllowTcpForwarding no
# ForceCommand cvs server # ForceCommand cvs server
<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
Ciphers aes256-ctr
MACs hmac-sha1
<%- end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %> <%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %> <%= sshd_tail_additional_options %>
<%- end %> <%- end %>

1
templates/sshd_config/Ubuntu.erb Symbolic link
View file

@ -0,0 +1 @@
Debian_squeeze.erb