456fec72ed
git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2267 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
335 lines
10 KiB
Puppet
335 lines
10 KiB
Puppet
#
|
|
# ssh module
|
|
#
|
|
# Copyright 2008, micah@riseup.net
|
|
# Copyright 2008, admin(at)immerda.ch
|
|
# Copyright 2008, Puzzle ITC GmbH
|
|
# Marcel Härry haerry+puppet(at)puzzle.ch
|
|
# Simon Josi josi+puppet(at)puzzle.ch
|
|
#
|
|
# This program is free software; you can redistribute
|
|
# it and/or modify it under the terms of the GNU
|
|
# General Public License version 3 as published by
|
|
# the Free Software Foundation.
|
|
#
|
|
# Deploy authorized_keys file with the define
|
|
# sshd::deploy_auth_key
|
|
#
|
|
# sshd-config:
|
|
#
|
|
# The configuration of the sshd is rather strict and might not fit all
|
|
# needs. However there are a bunch of variables, which you might
|
|
# consider configuring.
|
|
#
|
|
# To set any of the following, simply set them as variables in your manifests
|
|
# before the class is included, for example:
|
|
#
|
|
# $sshd_listen_address = ['10.0.0.1 192.168.0.1']
|
|
# $sshd_use_pam = yes
|
|
# include sshd::debian
|
|
#
|
|
# The following is a list of the currently available variables:
|
|
#
|
|
# sshd_listen_address: specify the addresses sshd should listen on
|
|
# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
|
|
# addresses, or leave it unset to listen on all
|
|
# Default: empty -> results in listening on 0.0.0.0
|
|
#
|
|
# sshd_allowed_users: list of usernames separated by spaces.
|
|
# set this for example to "foobar root"
|
|
# to ensure that only user foobar and root
|
|
# might login.
|
|
# Default: empty -> no restriction is set
|
|
#
|
|
# sshd_use_pam: if you want to use pam or not for authenticaton
|
|
# Values: no or yes.
|
|
# Default: no
|
|
#
|
|
# sshd_permit_root_login: If you want to allow root logins or not.
|
|
# Valid values: yes, no, without-password, forced-commands-only
|
|
# Default: without-password
|
|
#
|
|
# sshd_password_authentication: If you want to enable password authentication or not
|
|
# Valid values: yes or no
|
|
# Default: no
|
|
#
|
|
# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
|
|
# When disabled, s/key passowords are disabled
|
|
# Valid values: yes or no
|
|
# Default: no
|
|
#
|
|
# sshd_tcp_forwarding: If you want to enable TcpForwarding
|
|
# Valid Values: yes or no
|
|
# Default: no
|
|
#
|
|
# sshd_x11_forwarding: If you want to enable x11 forwarding
|
|
# Valid Values: yes or no
|
|
# Default: no
|
|
#
|
|
# sshd_agent_forwarding: If you want to allow ssh-agent forwarding
|
|
# Valid Values: yes or no
|
|
# Default: no
|
|
#
|
|
# sshd_pubkey_authentication: If you want to enable public key authentication
|
|
# Valid Values: yes or no
|
|
# Default: yes
|
|
#
|
|
# sshd_rsa_authentication: If you want to enable RSA Authentication
|
|
# Valid Values: yes or no
|
|
# Default: no
|
|
#
|
|
# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication
|
|
# Valid Values: yes or no
|
|
# Default: no
|
|
#
|
|
# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
|
|
# Valid Values: yes or no
|
|
# Default: no
|
|
#
|
|
# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login)
|
|
# Valid Values: yes or no
|
|
# Default: yes
|
|
#
|
|
# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords
|
|
# Valid Values: yes or no
|
|
# Default: no
|
|
#
|
|
# sshd_port: If you want to specify a different port than the default 22
|
|
# Default: 22
|
|
#
|
|
# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
|
|
# Default: AuthorizedKeysFile %h/.ssh/authorized_keys
|
|
#
|
|
|
|
class sshd {
|
|
include sshd::client
|
|
|
|
case $operatingsystem {
|
|
gentoo: { include sshd::gentoo }
|
|
redhat: { include sshd::redhat }
|
|
centos: { include sshd::centos }
|
|
openbsd: { include sshd::openbsd }
|
|
debian: { include sshd::debian }
|
|
ubuntu: { include sshd::ubuntu }
|
|
default: { include sshd::default }
|
|
}
|
|
}
|
|
|
|
|
|
class sshd::base {
|
|
# prepare variables to use in templates
|
|
$real_sshd_listen_address = $sshd_listen_address ? {
|
|
'' => [ '0.0.0.0', '::' ],
|
|
default => $sshd_listen_address
|
|
}
|
|
$real_sshd_allowed_users = $sshd_allowed_users ? {
|
|
'' => '',
|
|
default => $sshd_allowed_users
|
|
}
|
|
$real_sshd_use_pam = $sshd_use_pam ? {
|
|
'' => 'no',
|
|
default => $sshd_use_pam
|
|
}
|
|
$real_sshd_permit_root_login = $sshd_permit_root_login ? {
|
|
'' => 'without-password',
|
|
default => $sshd_permit_root_login
|
|
}
|
|
$real_sshd_password_authentication = $sshd_password_authentication ? {
|
|
'' => 'no',
|
|
default => $sshd_password_authentication
|
|
}
|
|
$real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
|
|
'' => 'no',
|
|
default => $sshd_tcp_forwarding
|
|
}
|
|
$real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
|
|
'' => 'no',
|
|
default => $sshd_x11_forwarding
|
|
}
|
|
$real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
|
|
'' => 'no',
|
|
default => $sshd_agent_forwarding
|
|
}
|
|
$real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
|
|
'' => 'no',
|
|
default => $sshd_challenge_response_authentication
|
|
}
|
|
$real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
|
|
'' => 'yes',
|
|
default => $sshd_pubkey_authentication
|
|
}
|
|
$real_sshd_rsa_authentication = $sshd_rsa_authentication ? {
|
|
'' => 'no',
|
|
default => $sshd_rsa_authentication
|
|
}
|
|
$real_sshd_strict_modes = $sshd_strict_modes ? {
|
|
'' => 'yes',
|
|
default => $sshd_strict_modes
|
|
}
|
|
$real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
|
|
'' => 'yes',
|
|
default => $sshd_ignore_rhosts
|
|
}
|
|
$real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
|
|
'' => 'no',
|
|
default => $sshd_rhosts_rsa_authentication
|
|
}
|
|
$real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
|
|
'' => 'no',
|
|
default => $sshd_hostbased_authentication
|
|
}
|
|
$real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
|
|
'' => 'no',
|
|
default => $sshd_permit_empty_passwords
|
|
}
|
|
$real_sshd_port = $sshd_port ? {
|
|
'' => 22,
|
|
default => $sshd_port
|
|
}
|
|
$real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? {
|
|
'' => "%h/.ssh/authorized_keys",
|
|
default => $sshd_authorized_keys_file
|
|
}
|
|
|
|
file { 'sshd_config':
|
|
path => '/etc/ssh/sshd_config',
|
|
owner => root,
|
|
group => 0,
|
|
mode => 600,
|
|
content => $lsbdistcodename ? {
|
|
'' => template("sshd/sshd_config/${operatingsystem}.erb"),
|
|
default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
|
|
},
|
|
notify => Service[sshd],
|
|
}
|
|
# Now add the key, if we've got one
|
|
case $sshrsakey_key {
|
|
'': { info("no sshrsakey on $fqdn") }
|
|
default: {
|
|
@@sshkey{"$hostname.$domain":
|
|
type => ssh-rsa,
|
|
key => $sshrsakey_key,
|
|
ensure => present,
|
|
}
|
|
}
|
|
}
|
|
service{'sshd':
|
|
name => 'sshd',
|
|
enable => true,
|
|
ensure => running,
|
|
hasstatus => true,
|
|
require => File[sshd_config],
|
|
}
|
|
}
|
|
|
|
class sshd::linux inherits sshd::base {
|
|
package{openssh:
|
|
ensure => present,
|
|
}
|
|
File[sshd_config]{
|
|
require +> Package[openssh],
|
|
}
|
|
}
|
|
|
|
class sshd::gentoo inherits sshd::linux {
|
|
Package[openssh]{
|
|
category => 'net-misc',
|
|
}
|
|
}
|
|
|
|
class sshd::debian inherits sshd::linux {
|
|
|
|
# the templates for Debian need lsbdistcodename
|
|
include assert_lsbdistcodename
|
|
|
|
Package[openssh]{
|
|
name => 'openssh-server',
|
|
}
|
|
Service[sshd]{
|
|
name => 'ssh',
|
|
hasstatus => false,
|
|
}
|
|
}
|
|
class sshd::ubuntu inherits sshd::debian {}
|
|
|
|
class sshd::redhat inherits sshd::linux {
|
|
Package[openssh]{
|
|
name => 'openssh-server',
|
|
}
|
|
}
|
|
class sshd::centos inherits sshd::redhat {}
|
|
|
|
class sshd::openbsd inherits sshd::base {
|
|
Service[sshd]{
|
|
restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
|
|
stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
|
|
start => '/usr/sbin/sshd',
|
|
hasstatus => false,
|
|
}
|
|
}
|
|
|
|
### defines
|
|
# wrapper to have some defaults.
|
|
define sshd::ssh_authorized_key(
|
|
$type = 'ssh-dss',
|
|
$key,
|
|
$user = 'root',
|
|
$target = undef,
|
|
$options = 'absent'
|
|
){
|
|
ssh_authorized_key{$name:
|
|
type => $type,
|
|
key => $key,
|
|
user => $user,
|
|
target => $target,
|
|
}
|
|
|
|
case $options {
|
|
'absent': { info("not setting any option for ssh_authorized_key: $name") }
|
|
default: {
|
|
Ssh_authorized_key[$name]{
|
|
options => $options,
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
# deprecated!
|
|
define sshd::deploy_auth_key(
|
|
$source = 'present',
|
|
$user = 'root',
|
|
$target_dir = '/root/.ssh/',
|
|
$group = 0 ) {
|
|
|
|
notice("this way of deploying authorized keys is deprecated. use the native ssh_authorized_key instead")
|
|
|
|
$real_target = $target_dir ? {
|
|
'' => "/home/$user/.ssh/",
|
|
default => $target_dir,
|
|
}
|
|
|
|
file {$real_target:
|
|
ensure => directory,
|
|
owner => $user,
|
|
group => $group,
|
|
mode => 700,
|
|
}
|
|
|
|
case $source {
|
|
'present': { $keysource = $name }
|
|
default: { $keysource = $source }
|
|
}
|
|
|
|
file {"authorized_keys_${user}":
|
|
path => "$real_target/authorized_keys",
|
|
owner => $user,
|
|
group => $group,
|
|
mode => 600,
|
|
source => [ "puppet://$server/files/sshd/authorized_keys/${keysource}",
|
|
"puppet://$server/files/sshd/authorized_keys/${fqdn}",
|
|
"puppet://$server/files/sshd/authorized_keys/default",
|
|
"puppet://$server/sshd/authorized_keys/${name}",
|
|
"puppet://$server/sshd/authorized_keys/${fqdn}",
|
|
"puppet://$server/sshd/authorized_keys/default" ],
|
|
}
|
|
}
|