manifests/params.pp

## confdroid_ssh::params.pp
# Module name: confdroid_ssh
# Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class contains all class parameters for confdroid_ssh
# @param [Array] ssh_reqpackages packages to install
# @param [String] pkg_ensure version to install: 'present' or 'latest'
# @param [String] ssh_fw_rule whether set the fw rule to 
#   present or absent.
# @param [String] ssh_fw_port port to use for SSHD and in fw
# @param [String] ssh_fw_order order of firewall rule
# @param [String] ssh_source_range source range for firewall rule
# @param [Boolean] ssh_manage_config whether to manage the configuration
# @param [String] ssh_address_family AddressFamily setting for sshd_config
# @param [String] ssh_listen_address ListenAddress setting for sshd_config
# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
# @param [String] ssh_strict_modes StrictModes setting for sshd_config
# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
# @param [String] ssh_max_sessions MaxSessions setting for sshd_config
# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile 
#   setting for sshd_config. Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config. 
#   Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
#   Default is 'nobody' to use an unpriviledged user.
# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
# @param [String] ssh_hostkey_type type of host key to use if 
#   ssh_use_specific_hostkey is true
# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config. 
#   Default is 'default none'.
# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.
#   Default is 'AUTH'.
# @param [String] ssh_log_level LogLevel setting for sshd_config.
#   Default is 'INFO'.
# @param [String] ssh_password_authentication PasswordAuthentication setting 
#   for sshd_config. Default is 'no', which requires key-based authentication.
#   This is a recommended security setting, so passwords do not show up in logs, 
#   but can be set to 'yes' if password authentication is desired.
# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting 
#   for sshd_config. Default is 'no', which is a recommended security setting 
#   and works  in connection with key-based authentication, but can be set 
#   to 'yes' if password authentication should be allowed and empty passwords 
#   should be allowed. Again, this should be used with caution if enabled.
# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
#   Default is 'no', which is a recommended security setting together 
#   with password authentication, but can be set to 'yes' if 
#   keyboard-interactive authentication should be allowed. (not recommended)
# @param [String] ssh_kerberos_authentication setting for sshd_config.
#   Default is 'no'. Kerberos authentication is not commonly used and 
#   requires a lot of other settings, so it is disabled by default, but can be 
#   set to 'yes' if desired.
# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
#   Default is 'no'. This setting is only relevant if Kerberos authentication is
#   enabled, and should be set to 'yes' if you want to allow local password
#   authentication as a fallback if Kerberos authentication fails, but can be
#   set to 'no' if you want to only allow Kerberos authentication.
# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config. 
#   Default is 'no'. This setting is only relevant if Kerberos authentication 
#   is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
#   but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
#   Default is 'no'. This setting is only relevant if Kerberos authentication
#   is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
#   but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
#   Default is 'no'. This setting is only relevant if Kerberos authentication
#   is enabled, and should be set to 'yes' if you want to enable userok with 
#   Kerberos, but can be set to 'no' if you want to disable it.
# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
#   If true, the relevant Kerberos settings will be included in the sshd_config, 
#   otherwise they will be ignored. 
# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
#   If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
#   will be disabled. GSSAPI authentication is not commonly used and requires
#   a lot of other settings, so it is disabled by default, but can be set to
#   true if desired.
# @param [String] ssh_gssapi_authentication setting for sshd_config.
#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
#   enabled, and should be set to 'yes' if you want to enable GSS authentication, 
#   but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
#   enabled, and should be set to 'yes' if you want to enable GSS credential 
#   cleanup, but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
#   enabled, and should be set to 'yes' if you want to enable GSS key exchange.
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
#   Default is 'no'. This setting is only relevant if GSSAPI authentication is 
#   enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
#   commonly used for SSH authentication and can introduce security risks if 
#   not configured properly, so it is disabled by default. Thi setting is 
#   related to PasswordAuthentication and KbdInteractiveAuthentication, and 
#   should be set to 'yes' only if you want to use PAM for authentication 
#   together with those settings.
# @param [String] ssh_allow_agent_forwarding setting for sshd_config. 
#   Default is 'yes', which allows SSH agent forwarding, but can be set to 'no' 
#   if you want to disable this feature for security reasons.
# @param [String] ssh_allow_tcp_forwarding setting for sshd_config.
#   Default is 'yes', which allows TCP forwarding, but can be set to 'no' 
#   if you want to disable this feature for security reasons.
# @param [String] ssh_gateway_ports setting for sshd_config.
#   Default is 'no', which means that remote hosts cannot connect to 
#   forwarded ports, but can be set to 'yes' or 'clientspecified' if you want
#   to allow remote hosts to connect to forwarded ports. This setting should 
#   be used with caution if enabled, as  it can introduce security risks.
# @param [String] ssh_x11_forwarding setting for sshd_config.
#   Default is 'no', which disables X11 forwarding, but can be set to 'yes' 
#   if you want to allow X11 forwarding. This setting should be used with 
#   caution if enabled.
# @param [String] ssh_x11_display_offset setting for sshd_config.
#   Default is '10'. This setting is only relevant if X11 forwarding is 
#   enabled, and specifies the first display number available for X11 
#   forwarding. The default of '10' means that the first forwarded display 
#   will be :10, the second will be :11, and so on. This setting can be 
#   adjusted if you want to use a different range of display numbers for 
#   X11 forwarding.  
# @param [String] ssh_x11_use_localhost setting for sshd_config.
#   Default is 'yes', which means that X11 forwarding will only be 
#   available on the loopback interface, but can be set to 'no' if you want
#   to allow X11 forwarding on all network interfaces.
# @param [String] ssh_permit_tty setting for sshd_config.
#   Default is 'yes', which allows TTY allocation, but can be set to 'no' 
#   if you want to disable TTY allocation. 
# @param [String] ssh_print_motd setting for sshd_config.
#   Default is 'yes', which means that the message of the day will be printed
#   when users log in, but can be set to 'no' if you want to disable this feature.
# @param [String] ssh_print_lastlog setting for sshd_config.
#   Default is 'yes', which means that the last login information will be printed
#   when users log in, but can be set to 'no' if you want to disable this feature.
# @param [String] ssh_tcp_keepalive setting for sshd_config.
#   Default is 'yes', which means that TCP keepalive messages will be sent, but
#   can be set to 'no' if you want to disable this feature. This setting can 
#   be useful to disable if you have issues with dropped connections, but in 
#   general it is recommended to keep it enabled.
# @param [String] ssh_permit_user_environment setting for sshd_config.
#   Default is 'no', which means that user environment variables will not be
#   processed, but can be set to 'yes' if you want to allow users to specify 
#   environment variables in their ~/.ssh/environment file.
# @param [String] ssh_compression setting for sshd_config.
#   Default is 'delayed', which means that compression will be enabled after
#   successful authentication, but can be set to 'yes' if you want to enable
#   compression from the start of the connection. The 'delayed' setting is a
#   good compromise that allows for faster authentication while still providing
#   the benefits of compression for the rest of the session.
# @param [String] ssh_client_alive_interval setting for sshd_config.
#   Default is '0', which means that no keepalive messages will be sent by the
#   server, but can be set to a positive integer to specify the interval in seconds
#   between keepalive messages sent by the server to the client. This can be useful
#   to detect and close stale connections, but should be used with caution as it can
#   cause unexpected disconnections if set too aggressively.
# @param [String] ssh_client_alive_count_max setting for sshd_config.
#   Default is '3'. This setting is only relevant if ssh_client_alive_interval is set
#   to a positive integer, and specifies the number of consecutive keepalive messages
#   that can be sent without receiving a response from the client before the server
#   considers the connection to be stale and disconnects it.
# @param [String] ssh_use_dns setting for sshd_config.
#   Default is 'no', which means that the server will not perform DNS lookups on
#   connecting clients, but can be set to 'yes' if you want the server to 
#   perform DNS lookups. Disabling DNS lookups can improve connection times 
#   and reduce the risk of DNS  spoofing attacks, so it is generally 
#   recommended to keep this setting disabled unless you have a specific need for it.
# @param [String] ssh_pid_file setting for sshd_config.
#   Default is '/var/run/sshd.pid', which is the common location for the 
#   sshd PID file, but can be set to a different path if desired. 
#   This setting specifies the location of the sshd PID file.
# @param [String] ssh_max_startups setting for sshd_config.
#   Default is '10:30:100', which means that the server will allow up to 10 
#   concurrent unauthenticated connections, and will start dropping connections 
#   with a probability that increases linearly.
# @param [String] ssh_permit_tunnel setting for sshd_config.
#   Default is 'no', which means that tunneling is not allowed, but can be
#   set to 'yes' if you want to allow tunneling, or 'point-to-point' to allow 
#   only point-to-point tunneling. This setting should be used with caution if enabled.
# @param [String] ssh_chroot_directory setting for sshd_config.
#   Default is 'none', which means that no chroot directory will be used, but
#   can be set to a valid directory path if you want to use chroot for SSH
#   sessions. 
# @param [String] ssh_version_addendum setting for sshd_config.
#   Default is 'none', which means that no version addendum will be included in
#   the SSH banner, but can be set to a custom string if you want to include
#   additional information in the SSH version banner. This can be used for
#   branding purposes, but should be used with caution as it can potentially
#   leak information about the server that could be useful to attackers.
# @param [String] ssh_banner setting for sshd_config.
#   Default is 'none', which means that no banner will be displayed to users
#   when they connect, but can be set to a valid file path if you want to
#   display a custom banner message to users when they connect. This can be used
#   to display legal notices, security warnings, or other information to users when
#   they connect to the SSH server.
# @param [String] ssh_login_grace_time setting for sshd_config.
#   Default is '2m', which means that users have 2 minutes to successfully
#   authenticate before the server disconnects them, but can be set to a different
#   time interval if desired. This setting can be used to limit the amount of time
#   that attackers have to attempt to brute-force authentication, but should be set
#   to a reasonable value to avoid disconnecting legitimate users who may need more time to log
# @param [String] ssh_custom_ensure whether the custom configuration file 
#   should be file or absent.
##############################################################################
class confdroid_ssh::params (

  Array $ssh_reqpackages                    = ['openssh','openssh-clients','openssh-server'],
  String $pkg_ensure                        = 'present',

  # firewall settings
  String $ssh_fw_rule                       = 'present',
  String $ssh_fw_port                       = '22',
  String $ssh_fw_order                      = '50',
  String $ssh_source_range                  = '0.0.0.0/0',

  # sshd configuration 
  String  $ssh_custom_ensure                = 'absent',
  Boolean $ssh_manage_config                = true,
  String  $ssh_address_family               = 'any',
  String  $ssh_listen_address               = '0.0.0.0',
  String  $ssh_login_grace_time             = '2m',
  String  $ssh_root_login                   = 'prohibit-password',
  String  $ssh_strict_modes                 = 'yes',
  String  $ssh_max_auth_tries               = '6',
  String  $ssh_max_sessions                 = '10',
  String  $ssh_pubkey_auth                  = 'yes',
  String  $ssh_auth_key_files               = '.ssh/authorized_keys',
  String  $ssh_authorized_principals_file   = 'none',
  String  $ssh_authorized_keys_command      = 'none',
  String  $ssh_authorized_keys_command_user = 'nobody',
  Boolean $ssh_use_specific_hostkey         = false,
  String  $ssh_hostkey_type                 = 'rsa',
  String  $ssh_rekeylimit                   = 'default none',
  String  $ssh_syslog_facility              = 'AUTH',
  String  $ssh_log_level                    = 'INFO',
  String  $ssh_password_authentication      = 'yes',
  String  $ssh_permit_empty_passwords       = 'no',
  String  $ssh_kbd_interactive_auth         = 'yes',
  Boolean $ssh_use_kerberos                 = false,
  String  $ssh_kerberos_authentication      = 'yes',
  String  $ssh_kerberos_or_local_passwd     = 'yes',
  String  $ssh_kerberos_ticket_cleanup      = 'yes',
  String  $ssh_kerberos_get_afstoken        = 'no',
  String  $ssh_kerberos_use_kuserok         = 'yes',
  Boolean $ssh_use_gssapi                   = false,
  String  $ssh_gssapi_authentication        = 'yes',
  String  $ssh_gssapi_cleanup_credentials   = 'yes',
  String  $ssh_gssapi_key_exchange          = 'no',
  String  $ssh_gssapi_enablek5users         = 'no',
  String  $ssh_use_pam                      = 'no',
  String  $ssh_allow_agent_forwarding       = 'yes',
  String  $ssh_allow_tcp_forwarding         = 'yes',
  String  $ssh_gateway_ports                = 'no',
  String  $ssh_x11_forwarding               = 'no',
  String  $ssh_x11_display_offset           = '10',
  String  $ssh_x11_use_localhost            = 'yes',
  String  $ssh_permit_tty                   = 'yes',
  String  $ssh_print_motd                   = 'yes',
  String  $ssh_print_lastlog                = 'yes',
  String  $ssh_tcp_keepalive                = 'yes',
  String  $ssh_permit_user_environment      = 'no',
  String  $ssh_compression                  = 'delayed',
  String  $ssh_client_alive_interval        = '0',
  String  $ssh_client_alive_count_max       = '3',
  String  $ssh_use_dns                      = 'no',
  String  $ssh_pid_file                     = '/var/run/sshd.pid',
  String  $ssh_max_startups                 = '10:30:100',
  String  $ssh_permit_tunnel                = 'no',
  String  $ssh_chroot_directory             = 'none',
  String  $ssh_version_addendum             = 'none',
  String  $ssh_banner                       = 'none',

) {
# default facts
  $fqdn                     = $facts['networking']['fqdn']
  $hostname                 = $facts['networking']['hostname']
  $domain                   = $facts['networking']['domain']
  $os_name                  = $facts['os']['name']
  $os_release               = $facts['os']['release']['major']

  $sshd_user                = 'root'
  $ssh_etc_path             = '/etc/ssh'
  $sshd_service             = 'sshd'
  $sshd_config_path         = "${ssh_etc_path}/sshd_config"
  $sshd_custom_path         = "${ssh_etc_path}/sshd_config.d"
  $sshd_custom_conf         = "${sshd_custom_path}/10-custom.conf"
  $sshd_custom_erb          = 'confdroid_ssh/sshd_custom_conf.erb'
  $sshd_config_erb          = 'confdroid_ssh/sshd_config.erb'
  $sshd_root_login_file     = "${sshd_custom_path}/01-permitrootlogin.conf"

  # includes must be last
  include confdroid_ssh::main::config
}
OP#561 initial commit after fork 2026-04-05 14:39:09 +02:00			`## confdroid_ssh::params.pp`
			`# Module name: confdroid_ssh`
			`# Author: 12ww1160 (12ww1160@confdroid.com)`
			`# @summary Class contains all class parameters for confdroid_ssh`
OP#561 add firewall 2026-04-05 15:16:48 +02:00			`# @param [Array] ssh_reqpackages packages to install`
adjust everything for compliance with puppet-lint 2025-05-16 11:58:00 +02:00			`# @param [String] pkg_ensure version to install: 'present' or 'latest'`
OP#561 try new fw settings 2026-04-09 15:06:31 +02:00			`# @param [String] ssh_fw_rule whether set the fw rule to`
OP#561 try new fw settings 2026-04-09 15:00:41 +02:00			`# present or absent.`
OP#561 add firewall 2026-04-05 15:16:48 +02:00			`# @param [String] ssh_fw_port port to use for SSHD and in fw`
			`# @param [String] ssh_fw_order order of firewall rule`
OP#561 add source range 2026-04-05 15:26:08 +02:00			`# @param [String] ssh_source_range source range for firewall rule`
OP#561 add custom conf file 2026-04-05 15:40:23 +02:00			`# @param [Boolean] ssh_manage_config whether to manage the configuration`
OP#561 add config params 2026-04-05 15:58:39 +02:00			`# @param [String] ssh_address_family AddressFamily setting for sshd_config`
			`# @param [String] ssh_listen_address ListenAddress setting for sshd_config`
OP#561 add root login 2026-04-05 16:11:17 +02:00			`# @param [String] ssh_root_login PermitRootLogin setting for sshd_config`
OP#561 add parameters 2026-04-09 13:42:18 +02:00			`# @param [String] ssh_strict_modes StrictModes setting for sshd_config`
			`# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config`
			`# @param [String] ssh_max_sessions MaxSessions setting for sshd_config`
OP#575 add host key selection 2026-04-13 12:56:43 +02:00			`# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config`
			`# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config`
			`# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile`
			`# setting for sshd_config. Default is 'none' to disable this setting.`
			`# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config.`
			`# Default is 'none' to disable this setting.`
			`# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.`
			`# Default is 'nobody' to use an unpriviledged user.`
			`# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key`
			`# @param [String] ssh_hostkey_type type of host key to use if`
			`# ssh_use_specific_hostkey is true`
OP#575 add more params 2026-04-13 13:09:26 +02:00			`# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config.`
			`# Default is 'default none'.`
			`# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.`
			`# Default is 'AUTH'.`
			`# @param [String] ssh_log_level LogLevel setting for sshd_config.`
			`# Default is 'INFO'.`
OP#575 finish password section 2026-04-13 14:20:06 +02:00			`# @param [String] ssh_password_authentication PasswordAuthentication setting`
			`# for sshd_config. Default is 'no', which requires key-based authentication.`
			`# This is a recommended security setting, so passwords do not show up in logs,`
			`# but can be set to 'yes' if password authentication is desired.`
			`# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting`
			`# for sshd_config. Default is 'no', which is a recommended security setting`
			`# and works in connection with key-based authentication, but can be set`
			`# to 'yes' if password authentication should be allowed and empty passwords`
			`# should be allowed. Again, this should be used with caution if enabled.`
			`# @param [String] ssh_kbd_interactive_auth setting for sshd_config.`
			`# Default is 'no', which is a recommended security setting together`
			`# with password authentication, but can be set to 'yes' if`
			`# keyboard-interactive authentication should be allowed. (not recommended)`
OP#575 add kerberis and gssapi sections 2026-04-13 14:53:58 +02:00			`# @param [String] ssh_kerberos_authentication setting for sshd_config.`
			`# Default is 'no'. Kerberos authentication is not commonly used and`
			`# requires a lot of other settings, so it is disabled by default, but can be`
			`# set to 'yes' if desired.`
			`# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.`
			`# Default is 'no'. This setting is only relevant if Kerberos authentication is`
			`# enabled, and should be set to 'yes' if you want to allow local password`
			`# authentication as a fallback if Kerberos authentication fails, but can be`
			`# set to 'no' if you want to only allow Kerberos authentication.`
			`# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.`
			`# Default is 'no'. This setting is only relevant if Kerberos authentication`
			`# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,`
			`# but can be set to 'no' if you want to disable it.`
			`# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.`
			`# Default is 'no'. This setting is only relevant if Kerberos authentication`
			`# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,`
			`# but can be set to 'no' if you want to disable it.`
			`# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.`
			`# Default is 'no'. This setting is only relevant if Kerberos authentication`
			`# is enabled, and should be set to 'yes' if you want to enable userok with`
			`# Kerberos, but can be set to 'no' if you want to disable it.`
			`# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.`
			`# If true, the relevant Kerberos settings will be included in the sshd_config,`
			`# otherwise they will be ignored.`
			`# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.`
			`# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it`
			`# will be disabled. GSSAPI authentication is not commonly used and requires`
			`# a lot of other settings, so it is disabled by default, but can be set to`
			`# true if desired.`
			`# @param [String] ssh_gssapi_authentication setting for sshd_config.`
			`# Default is 'no'. This setting is only relevant if GSSAPI authentication is`
			`# enabled, and should be set to 'yes' if you want to enable GSS authentication,`
			`# but can be set to 'no' if you want to disable it.`
			`# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.`
			`# Default is 'no'. This setting is only relevant if GSSAPI authentication is`
			`# enabled, and should be set to 'yes' if you want to enable GSS credential`
			`# cleanup, but can be set to 'no' if you want to disable it.`
			`# @param [String] ssh_gssapi_key_exchange setting for sshd_config.`
			`# Default is 'no'. This setting is only relevant if GSSAPI authentication is`
			`# enabled, and should be set to 'yes' if you want to enable GSS key exchange.`
			`# @param [String] ssh_gssapi_enablek5users setting for sshd_config.`
			`# Default is 'no'. This setting is only relevant if GSSAPI authentication is`
			`# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.`
OP#575 add kerberos and gssapi sections am PAM 2026-04-13 15:00:24 +02:00			`# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not`
			`# commonly used for SSH authentication and can introduce security risks if`
			`# not configured properly, so it is disabled by default. Thi setting is`
			`# related to PasswordAuthentication and KbdInteractiveAuthentication, and`
			`# should be set to 'yes' only if you want to use PAM for authentication`
			`# together with those settings.`
OP#575 add more params 2026-04-13 15:51:49 +02:00			`# @param [String] ssh_allow_agent_forwarding setting for sshd_config.`
			`# Default is 'yes', which allows SSH agent forwarding, but can be set to 'no'`
			`# if you want to disable this feature for security reasons.`
			`# @param [String] ssh_allow_tcp_forwarding setting for sshd_config.`
			`# Default is 'yes', which allows TCP forwarding, but can be set to 'no'`
			`# if you want to disable this feature for security reasons.`
			`# @param [String] ssh_gateway_ports setting for sshd_config.`
			`# Default is 'no', which means that remote hosts cannot connect to`
			`# forwarded ports, but can be set to 'yes' or 'clientspecified' if you want`
			`# to allow remote hosts to connect to forwarded ports. This setting should`
			`# be used with caution if enabled, as it can introduce security risks.`
			`# @param [String] ssh_x11_forwarding setting for sshd_config.`
			`# Default is 'no', which disables X11 forwarding, but can be set to 'yes'`
			`# if you want to allow X11 forwarding. This setting should be used with`
			`# caution if enabled.`
			`# @param [String] ssh_x11_display_offset setting for sshd_config.`
			`# Default is '10'. This setting is only relevant if X11 forwarding is`
			`# enabled, and specifies the first display number available for X11`
			`# forwarding. The default of '10' means that the first forwarded display`
			`# will be :10, the second will be :11, and so on. This setting can be`
			`# adjusted if you want to use a different range of display numbers for`
			`# X11 forwarding.`
			`# @param [String] ssh_x11_use_localhost setting for sshd_config.`
			`# Default is 'yes', which means that X11 forwarding will only be`
			`# available on the loopback interface, but can be set to 'no' if you want`
			`# to allow X11 forwarding on all network interfaces.`
			`# @param [String] ssh_permit_tty setting for sshd_config.`
			`# Default is 'yes', which allows TTY allocation, but can be set to 'no'`
			`# if you want to disable TTY allocation.`
			`# @param [String] ssh_print_motd setting for sshd_config.`
			`# Default is 'yes', which means that the message of the day will be printed`
			`# when users log in, but can be set to 'no' if you want to disable this feature.`
			`# @param [String] ssh_print_lastlog setting for sshd_config.`
			`# Default is 'yes', which means that the last login information will be printed`
			`# when users log in, but can be set to 'no' if you want to disable this feature.`
			`# @param [String] ssh_tcp_keepalive setting for sshd_config.`
			`# Default is 'yes', which means that TCP keepalive messages will be sent, but`
			`# can be set to 'no' if you want to disable this feature. This setting can`
			`# be useful to disable if you have issues with dropped connections, but in`
			`# general it is recommended to keep it enabled.`
			`# @param [String] ssh_permit_user_environment setting for sshd_config.`
			`# Default is 'no', which means that user environment variables will not be`
			`# processed, but can be set to 'yes' if you want to allow users to specify`
			`# environment variables in their ~/.ssh/environment file.`
			`# @param [String] ssh_compression setting for sshd_config.`
			`# Default is 'delayed', which means that compression will be enabled after`
			`# successful authentication, but can be set to 'yes' if you want to enable`
			`# compression from the start of the connection. The 'delayed' setting is a`
			`# good compromise that allows for faster authentication while still providing`
			`# the benefits of compression for the rest of the session.`
			`# @param [String] ssh_client_alive_interval setting for sshd_config.`
			`# Default is '0', which means that no keepalive messages will be sent by the`
			`# server, but can be set to a positive integer to specify the interval in seconds`
			`# between keepalive messages sent by the server to the client. This can be useful`
			`# to detect and close stale connections, but should be used with caution as it can`
			`# cause unexpected disconnections if set too aggressively.`
			`# @param [String] ssh_client_alive_count_max setting for sshd_config.`
			`# Default is '3'. This setting is only relevant if ssh_client_alive_interval is set`
			`# to a positive integer, and specifies the number of consecutive keepalive messages`
			`# that can be sent without receiving a response from the client before the server`
			`# considers the connection to be stale and disconnects it.`
			`# @param [String] ssh_use_dns setting for sshd_config.`
			`# Default is 'no', which means that the server will not perform DNS lookups on`
			`# connecting clients, but can be set to 'yes' if you want the server to`
			`# perform DNS lookups. Disabling DNS lookups can improve connection times`
			`# and reduce the risk of DNS spoofing attacks, so it is generally`
			`# recommended to keep this setting disabled unless you have a specific need for it.`
			`# @param [String] ssh_pid_file setting for sshd_config.`
			`# Default is '/var/run/sshd.pid', which is the common location for the`
			`# sshd PID file, but can be set to a different path if desired.`
			`# This setting specifies the location of the sshd PID file.`
			`# @param [String] ssh_max_startups setting for sshd_config.`
			`# Default is '10:30:100', which means that the server will allow up to 10`
			`# concurrent unauthenticated connections, and will start dropping connections`
			`# with a probability that increases linearly.`
			`# @param [String] ssh_permit_tunnel setting for sshd_config.`
			`# Default is 'no', which means that tunneling is not allowed, but can be`
			`# set to 'yes' if you want to allow tunneling, or 'point-to-point' to allow`
			`# only point-to-point tunneling. This setting should be used with caution if enabled.`
			`# @param [String] ssh_chroot_directory setting for sshd_config.`
			`# Default is 'none', which means that no chroot directory will be used, but`
			`# can be set to a valid directory path if you want to use chroot for SSH`
			`# sessions.`
			`# @param [String] ssh_version_addendum setting for sshd_config.`
			`# Default is 'none', which means that no version addendum will be included in`
			`# the SSH banner, but can be set to a custom string if you want to include`
			`# additional information in the SSH version banner. This can be used for`
			`# branding purposes, but should be used with caution as it can potentially`
			`# leak information about the server that could be useful to attackers.`
OP#575 finish sshd config file 2026-04-13 16:38:07 +02:00			`# @param [String] ssh_banner setting for sshd_config.`
			`# Default is 'none', which means that no banner will be displayed to users`
			`# when they connect, but can be set to a valid file path if you want to`
			`# display a custom banner message to users when they connect. This can be used`
			`# to display legal notices, security warnings, or other information to users when`
			`# they connect to the SSH server.`
OP#575 fix params 2026-04-14 11:48:37 +02:00			`# @param [String] ssh_login_grace_time setting for sshd_config.`
			`# Default is '2m', which means that users have 2 minutes to successfully`
			`# authenticate before the server disconnects them, but can be set to a different`
			`# time interval if desired. This setting can be used to limit the amount of time`
			`# that attackers have to attempt to brute-force authentication, but should be set`
			`# to a reasonable value to avoid disconnecting legitimate users who may need more time to log`
OP#575 add option to set custom config absent or file 2026-04-14 12:27:40 +02:00			`# @param [String] ssh_custom_ensure whether the custom configuration file`
			`# should be file or absent.`
full commit 2025-04-22 15:58:46 +02:00			`##############################################################################`
OP#561 initial commit after fork 2026-04-05 14:39:09 +02:00			`class confdroid_ssh::params (`
full commit 2025-04-22 15:58:46 +02:00
OP#575 add host key selection 2026-04-13 12:56:43 +02:00			`Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],`
			`String $pkg_ensure = 'present',`
OP#561 add firewall 2026-04-05 15:16:48 +02:00
			`# firewall settings`
OP#575 add host key selection 2026-04-13 12:56:43 +02:00			`String $ssh_fw_rule = 'present',`
			`String $ssh_fw_port = '22',`
			`String $ssh_fw_order = '50',`
			`String $ssh_source_range = '0.0.0.0/0',`
full commit 2025-04-22 15:58:46 +02:00
OP#575 add host key selection 2026-04-13 12:56:43 +02:00			`# sshd configuration`
OP#575 set default for custom config to absent 2026-04-14 12:33:48 +02:00			`String $ssh_custom_ensure = 'absent',`
OP#575 add host key selection 2026-04-13 12:56:43 +02:00			`Boolean $ssh_manage_config = true,`
			`String $ssh_address_family = 'any',`
			`String $ssh_listen_address = '0.0.0.0',`
OP#575 fix params 2026-04-14 11:48:37 +02:00			`String $ssh_login_grace_time = '2m',`
OP#575 add host key selection 2026-04-13 12:56:43 +02:00			`String $ssh_root_login = 'prohibit-password',`
			`String $ssh_strict_modes = 'yes',`
			`String $ssh_max_auth_tries = '6',`
			`String $ssh_max_sessions = '10',`
			`String $ssh_pubkey_auth = 'yes',`
			`String $ssh_auth_key_files = '.ssh/authorized_keys',`
			`String $ssh_authorized_principals_file = 'none',`
			`String $ssh_authorized_keys_command = 'none',`
			`String $ssh_authorized_keys_command_user = 'nobody',`
			`Boolean $ssh_use_specific_hostkey = false,`
			`String $ssh_hostkey_type = 'rsa',`
OP#575 add more params 2026-04-13 13:09:26 +02:00			`String $ssh_rekeylimit = 'default none',`
			`String $ssh_syslog_facility = 'AUTH',`
OP#575 finish password section 2026-04-13 14:20:06 +02:00			`String $ssh_log_level = 'INFO',`
OP#575 fix params 2026-04-14 11:48:37 +02:00			`String $ssh_password_authentication = 'yes',`
OP#575 finish password section 2026-04-13 14:20:06 +02:00			`String $ssh_permit_empty_passwords = 'no',`
OP#575 fix params 2026-04-14 11:48:37 +02:00			`String $ssh_kbd_interactive_auth = 'yes',`
OP#575 add kerberis and gssapi sections 2026-04-13 14:53:58 +02:00			`Boolean $ssh_use_kerberos = false,`
			`String $ssh_kerberos_authentication = 'yes',`
			`String $ssh_kerberos_or_local_passwd = 'yes',`
			`String $ssh_kerberos_ticket_cleanup = 'yes',`
			`String $ssh_kerberos_get_afstoken = 'no',`
			`String $ssh_kerberos_use_kuserok = 'yes',`
			`Boolean $ssh_use_gssapi = false,`
OP#575 add kerberos and gssapi sections am PAM 2026-04-13 15:00:24 +02:00			`String $ssh_gssapi_authentication = 'yes',`
			`String $ssh_gssapi_cleanup_credentials = 'yes',`
			`String $ssh_gssapi_key_exchange = 'no',`
			`String $ssh_gssapi_enablek5users = 'no',`
			`String $ssh_use_pam = 'no',`
OP#575 add more params 2026-04-13 15:51:49 +02:00			`String $ssh_allow_agent_forwarding = 'yes',`
			`String $ssh_allow_tcp_forwarding = 'yes',`
			`String $ssh_gateway_ports = 'no',`
			`String $ssh_x11_forwarding = 'no',`
			`String $ssh_x11_display_offset = '10',`
			`String $ssh_x11_use_localhost = 'yes',`
			`String $ssh_permit_tty = 'yes',`
			`String $ssh_print_motd = 'yes',`
			`String $ssh_print_lastlog = 'yes',`
			`String $ssh_tcp_keepalive = 'yes',`
			`String $ssh_permit_user_environment = 'no',`
			`String $ssh_compression = 'delayed',`
			`String $ssh_client_alive_interval = '0',`
			`String $ssh_client_alive_count_max = '3',`
			`String $ssh_use_dns = 'no',`
			`String $ssh_pid_file = '/var/run/sshd.pid',`
			`String $ssh_max_startups = '10:30:100',`
			`String $ssh_permit_tunnel = 'no',`
			`String $ssh_chroot_directory = 'none',`
			`String $ssh_version_addendum = 'none',`
OP#575 finish sshd config file 2026-04-13 16:38:07 +02:00			`String $ssh_banner = 'none',`
OP#561 add custom conf dir 2026-04-05 15:35:39 +02:00
full commit 2025-04-22 15:58:46 +02:00			`) {`
OP#561 initial commit after fork 2026-04-05 14:39:09 +02:00			`# default facts`
			`$fqdn = $facts['networking']['fqdn']`
			`$hostname = $facts['networking']['hostname']`
			`$domain = $facts['networking']['domain']`
			`$os_name = $facts['os']['name']`
			`$os_release = $facts['os']['release']['major']`

OP#561 add root login 2026-04-05 16:11:17 +02:00			`$sshd_user = 'root'`
			`$ssh_etc_path = '/etc/ssh'`
			`$sshd_service = 'sshd'`
			`$sshd_config_path = "${ssh_etc_path}/sshd_config"`
			`$sshd_custom_path = "${ssh_etc_path}/sshd_config.d"`
			`$sshd_custom_conf = "${sshd_custom_path}/10-custom.conf"`
			`$sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb'`
			`$sshd_config_erb = 'confdroid_ssh/sshd_config.erb'`
			`$sshd_root_login_file = "${sshd_custom_path}/01-permitrootlogin.conf"`
full commit 2025-04-22 15:58:46 +02:00
			`# includes must be last`
OP#561 initial commit after fork 2026-04-05 14:39:09 +02:00			`include confdroid_ssh::main::config`
full commit 2025-04-22 15:58:46 +02:00			`}`