Commit graph

224 commits

Author SHA1 Message Date
mh
d5404bbdba remove legacy facts 2011-07-29 19:35:00 +02:00
mh
cb7cd9e314 Merge remote-tracking branch 'shared/master' 2011-07-29 19:31:41 +02:00
Silvio Rhatto
0e9e1b6f2c Adding PrintMotd parameter to all templates and setting per-distro default value 2011-07-21 11:01:33 -03:00
Gabriel Filion
89aeace9b6 Document the $sshd_shared_ip variable in the README
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-07-17 00:38:25 -04:00
Gabriel Filion
0822b5bfb5 Document the $sshd_print_motd variable in the README
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-07-17 00:28:54 -04:00
Gabriel Filion
69c8085470 Provide a default value for $sshd_shared_ip in sshd::client
Since it's possible to "include sshd::client" without using "include
sshd" (e.g. installing/managing ssh client but not the server) provide a
default value for $sshd_shared_ip also in the sshd::client class.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-07-17 00:21:44 -04:00
Gabriel Filion
6615426a49 Clean out $ssh_use_strong_ciphers
A tentative option from rhatto using the variable named
$ssh_use_strong_ciphers still has two lines in init.pp

Since the same functionality is provided by the variable
$ssh_hardened_ssl that was merged in the shared repository, rhatto
removed his feature. But there are still two lines left, so simply
remove them.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-07-16 23:49:11 -04:00
Gabriel Filion
a5312442b6 Enable $ssh_hardened_ssl for FreeBSD
It is the only sshd_config template that didn't have this option, so
copy it from the other templates.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-07-16 23:45:24 -04:00
Silvio Rhatto
b221570654 Updating FreeBSD template for new sshd_ports variable 2011-07-14 13:15:27 -03:00
Silvio Rhatto
57d8883d48 Removing sshd_use_strong_ciphers parameter as sshd_hardened_ssl does the job 2011-07-13 18:41:59 -03:00
Silvio Rhatto
99928cd61e Merge branch 'master' of git://labs.riseup.net/shared-sshd 2011-07-13 18:39:18 -03:00
Micah Anderson
779d27e0ae Merge remote-tracking branch 'lelutin/freebsd' 2011-06-21 11:46:42 -04:00
intrigeri
bbfc7c04ba Merge branch 'feature/debian_wheezy' 2011-06-21 00:28:44 +02:00
intrigeri
005baf59c5 Add sshd_config template for Debian Wheezy.
Currently, this is a symlink to the Debian sid's one, which I've recently
resync'd. Once Wheezy is frozen, we'll want to fork its own template.
2011-06-21 00:28:37 +02:00
intrigeri
34863e959f New opt-in support to only use strong SSL ciphers and MACs.
The new configuration variable is $sshd_hardened_ssl.
Settings were stolen from https://github.com/ioerror/duraconf.git.
2011-06-21 00:27:55 +02:00
mh
7a44f28880 we should pass the architecture to devel packages 2011-04-03 12:52:46 +02:00
Silvio Rhatto
4d73d3784e Changing strong cipher to aes128-crt 2011-02-23 14:46:20 -03:00
Silvio Rhatto
75105d66d8 Adding sshd_use_strong_ciphers to all sshd_config templates 2011-02-23 14:40:02 -03:00
Silvio Rhatto
9ac4697eb5 Changing parameter name sshd_perfect_forward_secrecy to sshd_use_strong_ciphers as sshd already does PFS 2011-02-23 14:25:18 -03:00
Micah Anderson
af76f6cfe7 Merge remote-tracking branch 'lelutin/ubuntu' 2011-02-22 16:11:36 -05:00
Gabriel Filion
95bf6e032b FreeBSD: Use variables for the Kerberos options
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-02-21 15:18:14 -05:00
Micah Anderson
ac240412cc remove HostbasedUsesNameFromPacketOnly yes from Debian sshd_config templates. This is not set in the Debian templates by default, and the default is actually no, not yes. If someone wishes to make a configuration variable they can, otherwise head/tail_additional options can be used 2011-02-21 12:45:49 -05:00
intrigeri
c99ff17b1f Resync Debian sid template with the Squeeze's one.
Currently, the only difference is LoginGraceTime, that defaults to 600 in sid.
2011-02-21 18:29:25 +01:00
intrigeri
6baed9bd81 Merge remote branch 'lelutin/debian_template' 2011-02-21 18:20:46 +01:00
Silvio Rhatto
85880085ff Updating lucid template with new ssh port scheme 2011-02-19 18:48:59 -02:00
Silvio Rhatto
474b23271d Merge branch 'master' of git://labs.riseup.net/shared-sshd
Conflicts:
	templates/sshd_config/Debian_squeeze.erb
2011-02-19 18:08:02 -02:00
Micah Anderson
e0d3cdbd36 Update README to include the ssh_keygen function 2011-02-19 14:18:02 -05:00
Micah Anderson
86f31fcff9 Pull together a more comprehensive README, moving the configurable variables from init.pp into the README, and detailing the other features, and requirements, of the module 2011-02-19 14:12:04 -05:00
intrigeri
2f7903bcc4 Merge remote branch 'shared/master'
Conflicts:
	templates/sshd_config/Debian_squeeze.erb

I always picked the shared repository version when conflicts arose.
The only exception to this rule was:
I kept my branch's "HostbasedUsesNameFromPacketOnly yes" in order
to be consistent with existing Etch and Lenny templates.
This is not the default Debian setting, but I would find it weird if a host
had this setting changed by Puppet after upgrading to Squeeze.
The right way to proceed would probably be to make this configurable.
2011-02-14 17:17:31 +01:00
intrigeri
7c046e3fdf Merge remote branch 'immerda/master' 2011-02-14 17:01:04 +01:00
Silvio Rhatto
ac30247bf9 Perfect forward secrecy config at squeeze template 2011-02-13 18:42:36 -02:00
Silvio Rhatto
505692a72e Merge branch 'master' of git://labs.riseup.net/shared-sshd 2011-02-13 15:13:10 -02:00
Gabriel Filion
5654d69add Enable support for Ubuntu
The sshd class currently has a mechanism to make resources for Ubuntu
similar to the ones for Debian, but the sshd::client class doesn't.

Also, There are no templates for sshd_config on Ubuntu so provide for
them. Since Ubuntu releases almost all use ssh versions that are as
recent as the Debian squeeze one, and the default sshd_config file is
usually the same as on Debian, add a default (Ubuntu.erb) template so
that it fits all Ubuntu releases.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30 21:47:40 -05:00
Gabriel Filion
abb8566742 Add sshd_config template for Debian sid
Debian's unstable branch currently has no template for sshd_config, and
thus cannot use the sshd class.

Add a template for Debian sid.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30 21:28:36 -05:00
Gabriel Filion
3662c5a2a5 Finish fixing ChallengeResponseAuthentication
This value was hardcoded in both the Debian lenny and etch templates.
The lenny template was fixed with commit 167cf53271 but the etch
template was left out.

Fix the etch template so that the ChallengeResponseAuthentication
instruction is not overridden.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30 21:24:00 -05:00
Gabriel Filion
5dd814871a ssh_authorized_key: use $name for user by default
Currently ssh_authorized_key has some logic about $user being false or
'', but it sets its value to default to 'root'.
So, in order to use the name as the user's name, one has to clear the
user parameter, which is totally redundant.

Since it is sometimes useful to publish multiple keys for a user, the
$user parameter is useful.

To make using ssh_authorized_key for one-key normal users simpler, make
$user default to being empty (which will use $name as the user name).
'root' can always be specified either via the name or by the $user
paramter.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30 21:15:35 -05:00
Gabriel Filion
5bb61c2761 Fix ssh_authorized_key
When one uses the $name to define the user that should receive an SSH
key, setting $user to a negative value, ssh_authorized_key currently
creates the authorized_keys file under /home/.ssh/authorized_keys

Fix this by changing ${user} to ${real_user} in the key's path.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30 21:15:35 -05:00
Gabriel Filion
35768ed1e8 Add an sshd_config template for FreeBSD
Since there is no "catch-all" default configuration file for sshd, we
need to add for each OS.

Add a template for FreeBSD so that sshd can be configured on this OS.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30 21:15:35 -05:00
Gabriel Filion
7224e085a3 Fix inclusion for default os
When the os of a client is not one of those that use a specialized
class, (e.g. FreeBSD) the inclusion is currently broken: it tries to
include sshd::default which does not exist.

Change this to include sshd::base instead.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30 21:15:35 -05:00
Micah Anderson
2188f46db7 fix debian squeeze sshd_config template to add a missing newline 2010-12-20 14:18:30 -05:00
Silvio Rhatto
30a4593a05 Introducing perfect forward secrecy for SSH 2010-12-16 20:20:53 -02:00
mh
fa3d9e1654 do some trickery as arguments from puppet are passed as an array 2010-12-16 17:33:04 +01:00
mh
584cee7236 made error mesage a bit more verbose 2010-12-16 17:15:36 +01:00
mh
93fabb2021 remove stupid swap 2010-12-16 17:12:56 +01:00
mh
5c72941082 Add a function to create ssh keys on the fly
This allows you to use content of ssh keys within your manifests
and generate them automatically if they don't exist yet.
2010-12-16 16:22:24 +01:00
Micah Anderson
0ec0562257 remote KerberosGetAFSToken, its actually not a functional configuration option, even though it is listed in the man page, and commented out in the default config file. I filed a bug with debian (#607238) 2010-12-15 20:38:07 -05:00
Micah Anderson
167cf53271 "ChallengeResponseAuthentication no" was being hardcoded later in the Debian Lenny sshd_config template, even though we offer it as a variable. With this commit, the variable will actually work, rather than be overriden 2010-12-14 13:41:05 -05:00
Micah Anderson
72e24df3b6 add Debian Squeeze sshd template. Enabled kerberos and gssapi options, using the defaults when not specified 2010-12-14 13:22:43 -05:00
intrigeri
51156042b1 Mention dependency on lsb module. 2010-12-11 11:34:11 +01:00
mh
7e6d3af6f8 lenny already has AcceptEnv by default 2010-10-21 15:31:31 +02:00