README.md 9.0 KB
Puppet SSH Module
This puppet module manages OpenSSH configuration and services.
!! Upgrade Notice (05/2015) !!
The hardened_ssl parameter name was changed to simply 'hardened'.
!! Upgrade Notice (01/2013) !!
This module now uses parameterized classes, where it used global variables before. So please whatch out before pulling, you need to change the class declarations in your manifest !
Dependencies
This module requires puppet => 2.6, and the following modules are required pre-dependencies:
- puppetlabs/stdlib >= 2.x
OpenSSH Server
On a node where you wish to have an openssh server installed, you should include
class { 'sshd': }
on that node. If you need to configure any aspects of sshd_config, set the variables before the include. Or you can adjust many parameters:
class { 'sshd':
ports => [ 20002 ],
permit_root_login => 'no',
}
See Configurable Variables below for what you can set.
Nagios
To have nagios checks setup automatically for sshd services, simply set
manage_nagios to true for that class. If you want to disable ssh
nagios checking for a particular node (such as when ssh is firewalled), then you
can set the class parameter nagios_check_ssh to false and that node will not be
monitored.
Nagios will automatically check the ports defined in ports, and the
hostname specified by nagios_check_ssh_hostname.
Note that if you need to use some specific logic to decide whether or not to
create a nagios service check, you should set $manage_nagios to false, and
use sshd::nagios from within your own manifests. You'll also need to manually
specify the port to that define. By default, if the $port parameter is not
specified, it will use the resource name as the port (e.g. if you call it like
this: sshd::nagios { '22': } )
NOTE: this requires that you are using the shared-nagios puppet module which
supports the nagios native types via nagios::service:
https://gitlab.com/shared-puppet-modules-group/sshd
Firewall
If you wish to have firewall rules setup automatically for you, using shorewall,
you will need to set: use_shorewall => true. The ports that you have
specified will automatically be used.
NOTE: This requires that you are using the shared-shorewall puppet module: git://labs.riseup.net/shared-shorewall
Configurable variables
Configuration of sshd is strict, and may not fit all needs, however there are a number of variables that you can consider configuring. The defaults are set to the distribution shipped sshd_config file defaults.
To set any of these variables, simply set them as variables in your manifests, before the class is included, for example:
class {'sshd':
listen_address => ['10.0.0.1', '192.168.0.1'],
use_pam => yes
}
If you need to install a version of the ssh daemon or client package other than
the default one that would be installed by ensure => installed, then you can
set the following variables:
class {'sshd':
ensure_version => "1:5.2p2-6"
}
The following is a list of the currently available variables:
listen_addressspecify the addresses sshd should listen on set this to['10.0.0.1', '192.168.0.1']to have it listen on both addresses, or leave it unset to listen on all Default: empty -> results in listening on0.0.0.0allowed_userslist of usernames separated by spaces. set this for example to"foobar root"to ensure that only user foobar and root might login. Default: empty -> no restriction is setallowed_groupslist of groups separated by spaces. set this for example to"wheel sftponly"to ensure that only users in the groups wheel and sftponly might login. Default: empty -> no restriction is set Note: This is set afterallowed_users, take care of the behaviour if you use these 2 options together.use_pamif you want to use pam or not for authenticaton. Values:no(default)yes
permit_root_loginIf you want to allow root logins or not. Valid values:yesnowithout-password(default)forced-commands-only
password_authenticationIf you want to enable password authentication or not. Valid values:yesno(default)
kerberos_authenticationIf you want the password that is provided by the user to be validated through the Kerberos KDC. To use this option the server needs a Kerberos servtab which allows the verification of the KDC's identity. Valid values:yesno(default)
kerberos_orlocalpasswdIf password authentication through Kerberos fails, then the password will be validated via any additional local mechanism. Valid values:yes(default)no
kerberos_ticketcleanupDestroy the user's ticket cache file on logout? Valid values:yes(default)no
gssapi_authenticationAuthenticate users based on GSSAPI? Valid values:yesno(default)
gssapi_cleanupcredentialsDestroy user's credential cache on logout? Valid values:yes(default)no
challenge_response_authenticationIf you want to enable ChallengeResponseAuthentication or not When disabled, s/key passwords are disabled. Valid values:yesno(default)
tcp_forwardingIf you want to enable TcpForwarding. Valid values:yesno(default)
x11_forwardingIf you want to enable x11 forwarding. Valid values:yesno(default)
agent_forwardingIf you want to allow ssh-agent forwarding. Valid values:yesno(default)
pubkey_authenticationIf you want to enable public key authentication. Valid values:yes(default)no
rsa_authenticationIf you want to enable RSA Authentication. Valid values:yesno(default)
rhosts_rsa_authenticationIf you want to enable rhosts RSA Authentication. Valid values:yesno(default)
hostbased_authenticationIf you want to enableHostbasedAuthentication. Valid values:yesno(default)
strict_modesIf you want to setStrictModes(check file modes/ownership before accepting login). Valid values:yes(default)no
permit_empty_passwordsIf you want enable PermitEmptyPasswords to allow empty passwords. Valid Values:yesno(default)
portsIf you want to specify a list of ports other than the default22; Default:[22]authorized_keys_fileSet this to the location of the AuthorizedKeysFile (e.g./etc/ssh/authorized_keys/%u). Default:AuthorizedKeysFile %h/.ssh/authorized_keyshardenedUse only strong ciphers, MAC, KexAlgorithms, etc. Values:no(default)yes
print_motdShow the Message of the day when a user logs in.sftp_subsystemSet a different sftp-subystem than the default one. Might be interesting for sftponly usage. Default: empty -> no change of the defaulthead_additional_optionsSet this to any additional sshd_options which aren't listed above. Anything set here will be added to the beginning of the sshd_config file. This option might be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added.tail_additional_optionsSet this to any additional sshd_options which aren't listed above. Anything set here will be added to the end of the sshd_config file. This option might be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added.shared_ipWhether the server uses a shared network IP address. If it does, then we don't want it to export an rsa key for its IP address. Values:no(default)yes
Defines and functions
Deploy authorized_keys file with the define authorized_key.
Generate a public/private keypair with the ssh_keygen function. For example, the following will generate ssh keys and put the different parts of the key into variables:
$ssh_keys = ssh_keygen("${$ssh_key_basepath}/backup/keys/${::fqdn}/${backup_host}")
$public_key = split($ssh_keys[1],' ')
$sshkey_type => $public_key[0]
$sshkey => $public_key[1]
Client
On a node where you wish to have the ssh client managed, you can do:
class{'sshd::client':
}
in the node definition. This will install the appropriate package.
License
- Copyright 2008-2011, Riseup Labs micah@riseup.net
- Copyright 2008, admin(at)immerda.ch
- Copyright 2008, Puzzle ITC GmbH
- Marcel Härry haerry+puppet(at)puzzle.ch
- Simon Josi josi+puppet(at)puzzle.ch
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 3 as published by the Free Software Foundation.