Antoine Beaupré
7a18ca3c8f
rewrite autossh startup script with dh_make template
2015-06-18 17:14:59 -04:00
Antoine Beaupré
baf0a425d2
remove traces of isuma vendor
2015-06-18 17:11:21 -04:00
Antoine Beaupré
72b4eadc2d
import from autossh package
2015-06-18 17:11:21 -04:00
Jerome Charaoui
abd504a5f4
Facter values changed in 2.x for XenServer
2015-06-08 14:08:59 -04:00
Jerome Charaoui
1f6803708a
Add newline to ssh_authorized_key file content
2015-05-21 13:20:38 -04:00
Jerome Charaoui
feeb9400e5
Simplify ssh_authorized_key
2015-05-21 13:19:40 -04:00
Jerome Charaoui
cbfa047a71
Revert "Simplify ssh_authorized_key"
puppet-lint complains about "selector inside resource"
This reverts commit f3c0115743.
2015-05-21 13:12:18 -04:00
Jerome Charaoui
f3c0115743
Simplify ssh_authorized_key
2015-05-21 10:29:03 -04:00
Jerome Charaoui
4c87f6bd1e
Add header to ssh_authorized_key when override_builtin = 1
2015-05-21 10:17:52 -04:00
Jerome Charaoui
383f919ebb
Fix invalid single quotes around variables
2015-05-21 09:58:38 -04:00
Jerome Charaoui
b8e3c1a673
Merge branch 'debian-login-grace' into 'master'
sync LoginGraceTime with debian defaults
for some reason this was 10 minutes in our module, yet 120s everywhere else.
and only in wheezy too, wtf...
See merge request !13
2015-05-20 23:29:41 +00:00
Jerome Charaoui
0a2bca5167
Merge branch 'master' into 'master'
add override_builtin parameter to handle the common authorized_key directory case
riseup uses a common authorized_keys directory and this commit works around a bug in the puppet function that can't handle that. See the longer comment in the code.
See merge request !15
2015-05-20 23:29:00 +00:00
Matt Taggart
e60fb9a027
add override_builtin parameter to handle the common authorized_key directory case
2015-05-20 14:55:09 -07:00
Antoine Beaupré
d00986b0e0
sync LoginGraceTime with debian defaults
2015-05-13 16:20:24 -04:00
Micah
f74a82c38c
Merge branch 'fix_lookupvar' into 'master'
Adjust variable lookup in templates to silence deprecation warnings, fixes #1
See merge request !12
2015-05-07 16:46:22 +00:00
Jerome Charaoui
ac6e09ecde
Adjust variable lookup in templates to silence deprecation warnings, fixes #1
2015-05-07 11:34:07 -04:00
Jerome Charaoui
df03b0865c
Merge branch 'enhance_hardened' into 'master'
Enhance hardened
This implements as many recommendations in https://stribika.github.io/2015/01/04/secure-secure-shell.html as possible
See merge request !10
2015-05-07 15:30:07 +00:00
Micah Anderson
e4a9c15987
Implement enhanced MAC (Message Authentication Codes) according to
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
2015-05-04 15:42:26 -04:00
Micah Anderson
1402e67b21
Implement enhanced symmetric cipher selection, based on
https://stribika.github.io/2015/01/04/secure-secure-shell.html and
version of openssh installed
2015-05-04 15:42:26 -04:00
Micah Anderson
430c48200e
Implement KexAlgorithms settings, based on Key exchange section of
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Note, that on some systems it is uncertain if they will have a new
enough version of openssh installed, so on those a version test is done
to see before setting them.
2015-05-04 15:42:26 -04:00
Micah Anderson
fd82841c1f
Change 'hardened_ssl' parameter to simply 'hardened', this makes more
sense in general
2015-05-04 15:42:26 -04:00
Jerome Charaoui
b5e16ec064
Merge branch 'remove_lenny' into 'master'
remove Debian Lenny support
See merge request !8
2015-05-04 17:34:16 +00:00
Micah Anderson
42d4597ca9
remove Debian Lenny support
2015-05-01 12:49:37 -04:00
Antoine Beaupré
e9596d0f6d
Merge remote-tracking branch 'micah/remove_etch' into shared
Conflicts:
templates/sshd_config/Debian_etch.erb
2015-04-17 14:47:03 -04:00
Antoine Beaupré
d4923b2c3a
Merge branch 'hostkey_type' into 'master'
Hostkey type
This is the pull request associated with: https://labs.riseup.net/code/issues/8285
See merge request !6
2015-04-17 18:43:16 +00:00
Micah Anderson
e2cad38276
remove etch support
2015-04-17 13:58:03 -04:00
Micah Anderson
953ad0f777
Add GPLv3 license
2015-04-17 11:29:11 -04:00
Micah Anderson
5c9ce49321
change the ssh_keygen function to use different methods depending on if
it's puppet 3 or puppet 2
2015-03-27 15:27:12 -04:00
Micah Anderson
52fd60c9f6
Given that ssh -V prints the info we want on stderr, made it so we are 100% sure we are only parsing the expected string
2015-03-27 15:24:02 -04:00
Jerome Charaoui
dabbc89d37
Merge branch 'document_nagios_custom_logic' into 'master'
Document nagios custom logic
Add some note for ppl who need to inject their own logic before creating nagios-related checks.
See merge request !5
2015-03-02 15:37:03 +00:00
Gabriel Filion
52031ffb06
README: mention how one could reuse nagios resources with their own logic
Some people might want to inject their own logic before including nagios
resources. We can explain that since the nagios resources are in their
own part of the manifests, they can shortcut the module's automatic
handling of it, and call it manually from their own manifests.
2015-02-20 17:27:06 -05:00
Gabriel Filion
31ee7fec5a
README: Change project URL to point at the new one
2015-02-20 17:24:12 -05:00
LeLutin
ded7f9540f
Merge branch 'master' into 'master'
Add RedHat_xenenterprise template symlink
See merge request !4
2015-02-20 16:53:13 +00:00
Jerome Charaoui
62fe7c25f4
Add RedHat_xenenterprise template symlink
2015-01-22 11:20:49 -05:00
ng
2d6433e0ca
Merge branch 'master' into 'master'
Fix for Debian squeeze and ssh_keygen for Puppet < 3 installs
Facter versions that are shipping in Debian squeeze and wheezy do not support the operatingsystemmajrelease core fact, which appears only from facter 1.7 onwards.
This isn't a big problem for wheezy since the openssh-server version it ships supports multiple AuthorizedKeysFile file paths.
On Debian squeeze, openssh-server does NOT support multiple AuthorizedKeysFile and will refuse to start with such a definition.
ALSO:
`ssh_keygen` is currently broken for Puppet 2.7.x clients. This commit should resolve the issue.
The fix was suggested by @ng in reference to https://github.com/duritong/puppet-sysctl/blob/master/lib/puppet/provider/sysctl_runtime/sysctl_runtime.rb#L16-L17
See merge request !3
2015-01-17 09:52:07 +00:00
Jerome Charaoui
1e4f46a35b
Fix ssh_keygen for Puppet < 3 installs
2015-01-15 17:09:56 -05:00
Jerome Charaoui
45892056cd
Debian squeeze and wheezy do not support the operatingsystemmajrelease fact (they ship facter 1.6.x)
2015-01-15 16:49:35 -05:00
Micah Anderson
d78749fd8f
Add a $hostkey_type variable that allows you to set which hostkey
types you want to support in your sshd_config.
We use the ssh_version fact to determine the default hostkey types.
Only enable rsa and ed25519 for ssh versions greater or equal
to 6.5, otherwise enable rsa and dsa.
Some distributions, such as debian, also enable ecdsa as a hostkey
type, but this is a known bad NIST curve, so we do not enable that
by default (thus deviating from the stock sshd config)
2014-11-21 21:20:29 -05:00
Micah Anderson
03751baf8e
add custom fact, providing ssh_version
2014-11-21 18:18:15 -05:00
Micah Anderson
ae9cf81188
Merge remote-tracking branch 'tails/feature/jessie-and-sid-templates'
2014-11-21 16:46:09 -05:00
Micah Anderson
4652fbcae0
Merge remote-tracking branch 'immerda/master'
2014-11-01 10:30:37 -04:00
Micah Anderson
37bd36fe06
Revert "get ecdsa host keys in Debian Wheezy"
This reverts commit 1eabfe1b59.
These shitty NIST curves are no good
2014-11-01 10:29:48 -04:00
intrigeri
254d2361f5
Copy the Debian sid template to a new one for Jessie.
Another option could be to symlink it, but the freeze is coming soon, so most
likely they'll start to diverge at some point.
2014-09-17 20:44:12 +00:00
intrigeri
75117dd042
Resynchronize Debian sid template with the configuration file currently shipped by the package.
2014-09-17 20:43:45 +00:00
mh
1f6f568930
move to os release number on centos for selection
2014-08-15 10:22:40 +02:00
mh
f19d1718b4
Openbsd also does not yet have it
2014-06-10 19:41:50 +02:00
mh
88c58b307c
EL 6 also does not have this option yet
2014-06-10 19:28:19 +02:00
mh
4b7fc1a695
linting a document
2014-06-10 18:31:11 +02:00
mh
0f9315b4f3
not all versions support the new default
2014-06-10 18:29:47 +02:00
mh
cd783ad5eb
Merge remote-tracking branch 'shared/master'
Conflicts:
manifests/init.pp
2014-06-10 11:25:16 +02:00