module-sshd/manifests/init.pp
Micah Anderson 1b2dcaf510 update formatting to be consistent with upstream puppet emacs mode, if this is different from the vim
mode, then there is a difference between these two editor's formatting that needs to be resolved
2008-10-23 15:04:47 -04:00

305 lines
9.2 KiB
Puppet

#
# ssh module
#
# Copyright 2008, micah@riseup.net
# Copyright 2008, admin(at)immerda.ch
# Copyright 2008, Puzzle ITC GmbH
# Marcel Härry haerry+puppet(at)puzzle.ch
# Simon Josi josi+puppet(at)puzzle.ch
#
# This program is free software; you can redistribute
# it and/or modify it under the terms of the GNU
# General Public License version 3 as published by
# the Free Software Foundation.
#
# Deploy authorized_keys file with the define
# sshd::ssh_authorized_key
#
# sshd-config:
#
# The configuration of the sshd is rather strict and might not fit all
# needs. However there are a bunch of variables, which you might
# consider configuring.
#
# To set any of the following, simply set them as variables in your manifests
# before the class is included, for example:
#
# $sshd_listen_address = ['10.0.0.1 192.168.0.1']
# $sshd_use_pam = yes
# include sshd::debian
#
# The following is a list of the currently available variables:
#
# sshd_listen_address: specify the addresses sshd should listen on
# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
# addresses, or leave it unset to listen on all
# Default: empty -> results in listening on 0.0.0.0
#
# sshd_allowed_users: list of usernames separated by spaces.
# set this for example to "foobar root"
# to ensure that only user foobar and root
# might login.
# Default: empty -> no restriction is set
#
# sshd_allowed_groups list of groups separated by spaces.
# set this for example to "wheel sftponly"
# to ensure that only users in the groups
# wheel and sftponly might login.
# Default: empty -> no restriction is set
# Note: This is set after sshd_allowed_users,
# take care of the behaviour if you use
# these 2 options together.
#
# sshd_use_pam: if you want to use pam or not for authenticaton
# Values: no or yes.
# Default: no
#
# sshd_permit_root_login: If you want to allow root logins or not.
# Valid values: yes, no, without-password, forced-commands-only
# Default: without-password
#
# sshd_password_authentication: If you want to enable password authentication or not
# Valid values: yes or no
# Default: no
#
# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
# When disabled, s/key passowords are disabled
# Valid values: yes or no
# Default: no
#
# sshd_tcp_forwarding: If you want to enable TcpForwarding
# Valid Values: yes or no
# Default: no
#
# sshd_x11_forwarding: If you want to enable x11 forwarding
# Valid Values: yes or no
# Default: no
#
# sshd_agent_forwarding: If you want to allow ssh-agent forwarding
# Valid Values: yes or no
# Default: no
#
# sshd_pubkey_authentication: If you want to enable public key authentication
# Valid Values: yes or no
# Default: yes
#
# sshd_rsa_authentication: If you want to enable RSA Authentication
# Valid Values: yes or no
# Default: no
#
# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
# Valid Values: yes or no
# Default: no
#
# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
# Valid Values: yes or no
# Default: no
#
# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
# Valid Values: yes or no
# Default: yes
#
# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords
# Valid Values: yes or no
# Default: no
#
# sshd_port: If you want to specify a different port than the default 22
# Default: 22
#
# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
# Default: AuthorizedKeysFile %h/.ssh/authorized_keys
#
# sshd_sftp_subsystem: Set a different sftp-subystem than the default one.
# Might be interesting for sftponly usage
# Default: empty -> no change of the default
#
# sshd_additional_options: Set this to any additional sshd_options which aren't listed above.
# As well this option might be usefull to define complexer Match Blocks
# This string is going to be included, like it is defined. So take care!
# Default: empty -> not added.
class sshd {
include sshd::client
case $operatingsystem {
gentoo: { include sshd::gentoo }
redhat: { include sshd::redhat }
centos: { include sshd::centos }
openbsd: { include sshd::openbsd }
debian: { include sshd::debian }
ubuntu: { include sshd::ubuntu }
default: { include sshd::default }
}
}
class sshd::base {
# prepare variables to use in templates
case $sshd_listen_address {
'': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
}
case $sshd_allowed_users {
'': { $sshd_allowed_users = '' }
}
case $sshd_allowed_groups {
'': { $sshd_allowed_groups = '' }
}
case $sshd_use_pam {
'': { $sshd_use_pam = 'no' }
}
case $sshd_permit_root_login {
'': { $sshd_permit_root_login = 'without-password' }
}
case $sshd_password_authentication {
'': { $sshd_password_authentication = 'no' }
}
case $sshd_tcp_forwarding {
'': { $sshd_tcp_forwarding = 'no' }
}
case $sshd_x11_forwarding {
'': { $sshd_x11_forwarding = 'no' }
}
case $sshd_agent_forwarding {
'': { $sshd_agent_forwarding = 'no' }
}
case $sshd_challenge_response_authentication {
'': { $sshd_challenge_response_authentication = 'no' }
}
case $sshd_pubkey_authentication {
'': { $sshd_pubkey_authentication = 'yes' }
}
case $sshd_rsa_authentication {
'': { $sshd_rsa_authentication = 'no' }
}
case $sshd_strict_modes {
'': { $sshd_strict_modes = 'yes' }
}
case $sshd_ignore_rhosts {
'': { $sshd_ignore_rhosts = 'yes' }
}
case $sshd_rhosts_rsa_authentication {
'': { $sshd_rhosts_rsa_authentication = 'no' }
}
case $sshd_hostbased_authentication {
'': { $sshd_hostbased_authentication = 'no' }
}
case $sshd_permit_empty_passwords {
'': { $sshd_permit_empty_passwords = 'no' }
}
case $sshd_port {
'': { $sshd_port = 22 }
}
case $sshd_authorized_keys_file {
'': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
}
case $sshd_sftp_subsystem {
'': { $sshd_sftp_subsystem = '' }
}
case $sshd_additional_options {
'': { $sshd_additional_options = '' }
}
file { 'sshd_config':
path => '/etc/ssh/sshd_config',
owner => root,
group => 0,
mode => 600,
content => $lsbdistcodename ? {
'' => template("sshd/sshd_config/${operatingsystem}.erb"),
default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
},
notify => Service[sshd],
}
# Now add the key, if we've got one
case $sshrsakey_key {
'': { info("no sshrsakey on $fqdn") }
default: {
@@sshkey{"$hostname.$domain":
type => ssh-rsa,
key => $sshrsakey_key,
ensure => present,
}
}
}
service{'sshd':
name => 'sshd',
enable => true,
ensure => running,
hasstatus => true,
require => File[sshd_config],
}
}
class sshd::linux inherits sshd::base {
package{openssh:
ensure => present,
}
File[sshd_config]{
require +> Package[openssh],
}
}
class sshd::gentoo inherits sshd::linux {
Package[openssh]{
category => 'net-misc',
}
}
class sshd::debian inherits sshd::linux {
# the templates for Debian need lsbdistcodename
include assert_lsbdistcodename
Package[openssh]{
name => 'openssh-server',
}
Service[sshd]{
name => 'ssh',
hasstatus => true,
hasrestart => true,
}
}
class sshd::ubuntu inherits sshd::debian {}
class sshd::redhat inherits sshd::linux {
Package[openssh]{
name => 'openssh-server',
}
}
class sshd::centos inherits sshd::redhat {}
class sshd::openbsd inherits sshd::base {
Service[sshd]{
restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
start => '/usr/sbin/sshd',
hasstatus => false,
}
}
### defines
# wrapper to have some defaults.
define sshd::ssh_authorized_key(
$type = 'ssh-dss',
$key,
$user = 'root',
$target = undef,
$options = 'absent'
)
{
ssh_authorized_key{$name:
type => $type,
key => $key,
user => $user,
target => $target,
}
case $options {
'absent': { info("not setting any option for ssh_authorized_key: $name") }
default: {
Ssh_authorized_key[$name]{
options => $options,
}
}
}
}