diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index ff0a9cd..0000000 --- a/Jenkinsfile +++ /dev/null @@ -1,129 +0,0 @@ -pipeline { - agent { - label 'puppet' - } - - post { - always { - deleteDir() /* clean up our workspace */ - } - success { - updateGitlabCommitStatus state: 'success' - } - failure { - updateGitlabCommitStatus state: 'failed' - step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true]) - } - } - - options { - gitLabConnection('gitlab.confdroid.com') - } - - stages { - - stage('pull master') { - steps { - sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) { - sh ''' - git config user.name "Jenkins Server" - git config user.email jenkins@confdroid.com - # Ensure we're on the development branch (triggered by push) - git checkout development - # Create jenkins branch from development - git checkout -b jenkins-build-$BUILD_NUMBER - # Optionally merge master into jenkins to ensure compatibility - git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; } - ''' - } - } - } - - stage('puppet parser') { - steps { - sh '''for file in $(find . -iname \'*.pp\'); do - /opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1; - done;''' - } - } - - stage('check templates') { - steps{ - sh '''for file in $(find . -iname \'*.erb\'); - do erb -P -x -T "-" $file | ruby -c || exit 1; - done;''' - } - } - - stage('puppet-lint') { - steps { - sh '''/usr/local/bin/puppet-lint . \\ - --no-variable_scope-check \\ - || { echo "Puppet lint failed"; exit 1; } - ''' - } - } - - stage('SonarScan') { - steps { - withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) { - sh ''' - /opt/sonar-scanner/bin/sonar-scanner \ - -Dsonar.projectKey=confdroid_ssh \ - -Dsonar.sources=. \ - -Dsonar.host.url=https://sonarqube.confdroid.com \ - -Dsonar.token=$SONAR_TOKEN - ''' - } - } - } - - stage('create Puppet documentation') { - steps { - sh '/opt/puppetlabs/bin/puppet strings' - } - } - - stage('update repo') { - steps { - sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) { - sh ''' - git config user.name "Jenkins Server" - git config user.email jenkins@confdroid.com - git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit" - git push -o merge_request.create \ - -o merge_request.target=master \ - -o merge_request.title="Auto-merge for build $BUILD_NUMBER" \ - -o merge_request.description="Automated changes from Jenkins build $BUILD_NUMBER" \ - -o merge_request.merge_when_pipeline_succeeds=true \ - origin jenkins-build-$BUILD_NUMBER - ''' - } - } - } - stage('Mirror to Gitea') { - steps { - withCredentials([usernamePassword( - credentialsId: 'Jenkins-gitea', - usernameVariable: 'GITEA_USER', - passwordVariable: 'GITEA_TOKEN')]) { - script { - // Checkout from GitLab (already done implicitly) - sh ''' - git checkout master - git pull origin master - git branch -D development - git branch -D jenkins-build-$BUILD_NUMBER - git rm -f Jenkinsfile - git rm -r --cached .vscode || echo "No .vscode to remove from git" - git commit --amend --no-edit --allow-empty - git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git - git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \ - push master --mirror - ''' - } - } - } - } - } -} \ No newline at end of file diff --git a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html index 968712a..e238d72 100644 --- a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html +++ b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html @@ -520,6 +520,60 @@ —

LogLevel setting for sshd_config. Default is ‘INFO’.

+
+ + + +
  • + + ssh_password_authentication + + + (String) + + + (defaults to: 'no') + + + — +
    +

    PasswordAuthentication setting for sshd_config. Default is ‘no’, which requires key-based authentication. This is a recommended security setting, so passwords do not show up in logs, but can be set to ‘yes’ if password authentication is desired.

    +
    + +
    • + +
  • + + ssh_permit_empty_passwords + + + (String) + + + (defaults to: 'no') + + + — +
    +

    PermitEmptyPasswords setting for sshd_config. Default is ‘no’, which is a recommended security setting and works in connection with key-based authentication, but can be set to ‘yes’ if password authentication should be allowed and empty passwords should be allowed. Again, this should be used with caution if enabled.

    +
    + +
    • + +
  • + + ssh_kbd_interactive_auth + + + (String) + + + (defaults to: 'no') + + + — +
    +

    setting for sshd_config. Default is ‘no’, which is a recommended security setting together with password authentication, but can be set to ‘yes’ if keyboard-interactive authentication should be allowed. (not recommended)

    • @@ -535,19 +589,6 @@ 
     
 
-37
-38
-39
-40
-41
-42
-43
-44
-45
-46
-47
-48
-49
 50
 51
 52
@@ -585,10 +626,26 @@
 84
 85
 86
-87
    +87 +88 +89 +90 +91 +92 +93 +94 +95 +96 +97 +98 +99 +100 +101 +102 +103 - 
    # File 'manifests/params.pp', line 37
+        
    # File 'manifests/params.pp', line 50
 
 class confdroid_ssh::params (
 
@@ -618,7 +675,10 @@ class confdroid_ssh::params (
   String  $ssh_hostkey_type                 = 'rsa',
   String  $ssh_rekeylimit                   = 'default none',
   String  $ssh_syslog_facility              = 'AUTH',
-  String  $ssh_log_level                    = 'INFO'
+  String  $ssh_log_level                    = 'INFO',
+  String  $ssh_password_authentication      = 'no',
+  String  $ssh_permit_empty_passwords       = 'no',
+  String  $ssh_kbd_interactive_auth         = 'no'
 
 ) {
 # default facts
diff --git a/manifests/params.pp b/manifests/params.pp
index 60bc548..cf14bc1 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -33,6 +33,19 @@
 #   Default is 'AUTH'.
 # @param [String] ssh_log_level LogLevel setting for sshd_config.
 #   Default is 'INFO'.
+# @param [String] ssh_password_authentication PasswordAuthentication setting 
+#   for sshd_config. Default is 'no', which requires key-based authentication.
+#   This is a recommended security setting, so passwords do not show up in logs, 
+#   but can be set to 'yes' if password authentication is desired.
+# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting 
+#   for sshd_config. Default is 'no', which is a recommended security setting 
+#   and works  in connection with key-based authentication, but can be set 
+#   to 'yes' if password authentication should be allowed and empty passwords 
+#   should be allowed. Again, this should be used with caution if enabled.
+# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
+#   Default is 'no', which is a recommended security setting together 
+#   with password authentication, but can be set to 'yes' if 
+#   keyboard-interactive authentication should be allowed. (not recommended)
 ##############################################################################
 class confdroid_ssh::params (
 
@@ -62,7 +75,10 @@ class confdroid_ssh::params (
   String  $ssh_hostkey_type                 = 'rsa',
   String  $ssh_rekeylimit                   = 'default none',
   String  $ssh_syslog_facility              = 'AUTH',
-  String  $ssh_log_level                    = 'INFO'
+  String  $ssh_log_level                    = 'INFO',
+  String  $ssh_password_authentication      = 'no',
+  String  $ssh_permit_empty_passwords       = 'no',
+  String  $ssh_kbd_interactive_auth         = 'no'
 
 ) {
 # default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index f6aeb6c..da51d6f 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -8,11 +8,9 @@
 Port <%= @ssh_fw_port %>
 AddressFamily <%= @ssh_address_family %>
 ListenAddress <%= @ssh_listen_address %> 
-
 <% if @ssh_use_specific_hostkey -%>
 HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
 <% end -%>
-
 RekeyLimit <%= @ssh_rekeylimit %>
 
 SyslogFacility <%= @ssh_syslog_facility %>
@@ -30,4 +28,7 @@ AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
 AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
 AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
 
-# test
\ No newline at end of file
+PasswordAuthentication <%= @ssh_password_authentication %>
+PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
+KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+