confdroid/confdroid_ssh
1
0
Fork 0
Code Issues Projects Wiki Activity

Merge branch 'jenkins-build-24' into 'master'

Browse Source 
Auto-merge for build 24

See merge request puppet/confdroid_ssh!24
This commit is contained in:
Jenkins
2026-04-13 13:53:16 +00:00
parent f68e688bfa 3dcd479229
commit 2c1b15e468
3 changed files with 597 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

534
doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
View File

@@ -790,6 +790,366 @@
—
<div class='inline'>
<p>setting for sshd_config. Default is no. PAM is not commonly used for SSH authentication and can introduce security risks if not configured properly, so it is disabled by default. Thi setting is related to PasswordAuthentication and KbdInteractiveAuthentication, and should be set to yes only if you want to use PAM for authentication together with those settings.</p>
</div>
</li>
<li>
<span class='name'>ssh_allow_agent_forwarding</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is yes, which allows SSH agent forwarding, but can be set to no if you want to disable this feature for security reasons.</p>
</div>
</li>
<li>
<span class='name'>ssh_allow_tcp_forwarding</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is yes, which allows TCP forwarding, but can be set to no if you want to disable this feature for security reasons.</p>
</div>
</li>
<li>
<span class='name'>ssh_gateway_ports</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no, which means that remote hosts cannot connect to forwarded ports, but can be set to yes or clientspecified if you want to allow remote hosts to connect to forwarded ports. This setting should be used with caution if enabled, as it can introduce security risks.</p>
</div>
</li>
<li>
<span class='name'>ssh_x11_forwarding</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no, which disables X11 forwarding, but can be set to yes if you want to allow X11 forwarding. This setting should be used with caution if enabled.</p>
</div>
</li>
<li>
<span class='name'>ssh_x11_display_offset</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;10&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is 10. This setting is only relevant if X11 forwarding is enabled, and specifies the first display number available for X11 forwarding. The default of 10 means that the first forwarded display will be :10, the second will be :11, and so on. This setting can be adjusted if you want to use a different range of display numbers for X11 forwarding.</p>
</div>
</li>
<li>
<span class='name'>ssh_x11_use_localhost</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is yes, which means that X11 forwarding will only be available on the loopback interface, but can be set to no if you want to allow X11 forwarding on all network interfaces.</p>
</div>
</li>
<li>
<span class='name'>ssh_permit_tty</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is yes, which allows TTY allocation, but can be set to no if you want to disable TTY allocation.</p>
</div>
</li>
<li>
<span class='name'>ssh_print_motd</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is yes, which means that the message of the day will be printed when users log in, but can be set to no if you want to disable this feature.</p>
</div>
</li>
<li>
<span class='name'>ssh_print_lastlog</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is yes, which means that the last login information will be printed when users log in, but can be set to no if you want to disable this feature.</p>
</div>
</li>
<li>
<span class='name'>ssh_tcp_keepalive</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is yes, which means that TCP keepalive messages will be sent, but can be set to no if you want to disable this feature. This setting can be useful to disable if you have issues with dropped connections, but in general it is recommended to keep it enabled.</p>
</div>
</li>
<li>
<span class='name'>ssh_permit_user_environment</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no, which means that user environment variables will not be processed, but can be set to yes if you want to allow users to specify environment variables in their ~/.ssh/environment file.</p>
</div>
</li>
<li>
<span class='name'>ssh_compression</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;delayed&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is delayed, which means that compression will be enabled after successful authentication, but can be set to yes if you want to enable compression from the start of the connection. The delayed setting is a good compromise that allows for faster authentication while still providing the benefits of compression for the rest of the session.</p>
</div>
</li>
<li>
<span class='name'>ssh_client_alive_interval</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;0&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is 0, which means that no keepalive messages will be sent by the server, but can be set to a positive integer to specify the interval in seconds between keepalive messages sent by the server to the client. This can be useful to detect and close stale connections, but should be used with caution as it can cause unexpected disconnections if set too aggressively.</p>
</div>
</li>
<li>
<span class='name'>ssh_client_alive_count_max</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;3&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is 3. This setting is only relevant if ssh_client_alive_interval is set to a positive integer, and specifies the number of consecutive keepalive messages that can be sent without receiving a response from the client before the server considers the connection to be stale and disconnects it.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_dns</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no, which means that the server will not perform DNS lookups on connecting clients, but can be set to yes if you want the server to perform DNS lookups. Disabling DNS lookups can improve connection times and reduce the risk of DNS spoofing attacks, so it is generally recommended to keep this setting disabled unless you have a specific need for it.</p>
</div>
</li>
<li>
<span class='name'>ssh_pid_file</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;/var/run/sshd.pid&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is /var/run/sshd.pid, which is the common location for the sshd PID file, but can be set to a different path if desired. This setting specifies the location of the sshd PID file.</p>
</div>
</li>
<li>
<span class='name'>ssh_max_startups</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;10:30:100&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is 10:30:100, which means that the server will allow up to 10 concurrent unauthenticated connections, and will start dropping connections with a probability that increases linearly.</p>
</div>
</li>
<li>
<span class='name'>ssh_permit_tunnel</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no, which means that tunneling is not allowed, but can be set to yes if you want to allow tunneling, or point-to-point to allow only point-to-point tunneling. This setting should be used with caution if enabled.</p>
</div>
</li>
<li>
<span class='name'>ssh_chroot_directory</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is none, which means that no chroot directory will be used, but can be set to a valid directory path if you want to use chroot for SSH sessions.</p>
</div>
</li>
<li>
<span class='name'>ssh_version_addendum</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is none, which means that no version addendum will be included in the SSH banner, but can be set to a custom string if you want to include additional information in the SSH version banner. This can be used for branding purposes, but should be used with caution as it can potentially leak information about the server that could be useful to attackers.</p>
</div>
</li>
@@ -805,75 +1165,95 @@
<pre class="lines">
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164</pre>
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 99</span>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 188</span>
class confdroid_ssh::params (
@@ -919,6 +1299,26 @@ class confdroid_ssh::params (
String $ssh_gssapi_key_exchange = &#39;no&#39;,
String $ssh_gssapi_enablek5users = &#39;no&#39;,
String $ssh_use_pam = &#39;no&#39;,
String $ssh_allow_agent_forwarding = &#39;yes&#39;,
String $ssh_allow_tcp_forwarding = &#39;yes&#39;,
String $ssh_gateway_ports = &#39;no&#39;,
String $ssh_x11_forwarding = &#39;no&#39;,
String $ssh_x11_display_offset = &#39;10&#39;,
String $ssh_x11_use_localhost = &#39;yes&#39;,
String $ssh_permit_tty = &#39;yes&#39;,
String $ssh_print_motd = &#39;yes&#39;,
String $ssh_print_lastlog = &#39;yes&#39;,
String $ssh_tcp_keepalive = &#39;yes&#39;,
String $ssh_permit_user_environment = &#39;no&#39;,
String $ssh_compression = &#39;delayed&#39;,
String $ssh_client_alive_interval = &#39;0&#39;,
String $ssh_client_alive_count_max = &#39;3&#39;,
String $ssh_use_dns = &#39;no&#39;,
String $ssh_pid_file = &#39;/var/run/sshd.pid&#39;,
String $ssh_max_startups = &#39;10:30:100&#39;,
String $ssh_permit_tunnel = &#39;no&#39;,
String $ssh_chroot_directory = &#39;none&#39;,
String $ssh_version_addendum = &#39;none&#39;,
) {
# default facts

109
manifests/params.pp
View File

@@ -95,6 +95,95 @@
# related to PasswordAuthentication and KbdInteractiveAuthentication, and
# should be set to 'yes' only if you want to use PAM for authentication
# together with those settings.
# @param [String] ssh_allow_agent_forwarding setting for sshd_config.
# Default is 'yes', which allows SSH agent forwarding, but can be set to 'no'
# if you want to disable this feature for security reasons.
# @param [String] ssh_allow_tcp_forwarding setting for sshd_config.
# Default is 'yes', which allows TCP forwarding, but can be set to 'no'
# if you want to disable this feature for security reasons.
# @param [String] ssh_gateway_ports setting for sshd_config.
# Default is 'no', which means that remote hosts cannot connect to
# forwarded ports, but can be set to 'yes' or 'clientspecified' if you want
# to allow remote hosts to connect to forwarded ports. This setting should
# be used with caution if enabled, as it can introduce security risks.
# @param [String] ssh_x11_forwarding setting for sshd_config.
# Default is 'no', which disables X11 forwarding, but can be set to 'yes'
# if you want to allow X11 forwarding. This setting should be used with
# caution if enabled.
# @param [String] ssh_x11_display_offset setting for sshd_config.
# Default is '10'. This setting is only relevant if X11 forwarding is
# enabled, and specifies the first display number available for X11
# forwarding. The default of '10' means that the first forwarded display
# will be :10, the second will be :11, and so on. This setting can be
# adjusted if you want to use a different range of display numbers for
# X11 forwarding.
# @param [String] ssh_x11_use_localhost setting for sshd_config.
# Default is 'yes', which means that X11 forwarding will only be
# available on the loopback interface, but can be set to 'no' if you want
# to allow X11 forwarding on all network interfaces.
# @param [String] ssh_permit_tty setting for sshd_config.
# Default is 'yes', which allows TTY allocation, but can be set to 'no'
# if you want to disable TTY allocation.
# @param [String] ssh_print_motd setting for sshd_config.
# Default is 'yes', which means that the message of the day will be printed
# when users log in, but can be set to 'no' if you want to disable this feature.
# @param [String] ssh_print_lastlog setting for sshd_config.
# Default is 'yes', which means that the last login information will be printed
# when users log in, but can be set to 'no' if you want to disable this feature.
# @param [String] ssh_tcp_keepalive setting for sshd_config.
# Default is 'yes', which means that TCP keepalive messages will be sent, but
# can be set to 'no' if you want to disable this feature. This setting can
# be useful to disable if you have issues with dropped connections, but in
# general it is recommended to keep it enabled.
# @param [String] ssh_permit_user_environment setting for sshd_config.
# Default is 'no', which means that user environment variables will not be
# processed, but can be set to 'yes' if you want to allow users to specify
# environment variables in their ~/.ssh/environment file.
# @param [String] ssh_compression setting for sshd_config.
# Default is 'delayed', which means that compression will be enabled after
# successful authentication, but can be set to 'yes' if you want to enable
# compression from the start of the connection. The 'delayed' setting is a
# good compromise that allows for faster authentication while still providing
# the benefits of compression for the rest of the session.
# @param [String] ssh_client_alive_interval setting for sshd_config.
# Default is '0', which means that no keepalive messages will be sent by the
# server, but can be set to a positive integer to specify the interval in seconds
# between keepalive messages sent by the server to the client. This can be useful
# to detect and close stale connections, but should be used with caution as it can
# cause unexpected disconnections if set too aggressively.
# @param [String] ssh_client_alive_count_max setting for sshd_config.
# Default is '3'. This setting is only relevant if ssh_client_alive_interval is set
# to a positive integer, and specifies the number of consecutive keepalive messages
# that can be sent without receiving a response from the client before the server
# considers the connection to be stale and disconnects it.
# @param [String] ssh_use_dns setting for sshd_config.
# Default is 'no', which means that the server will not perform DNS lookups on
# connecting clients, but can be set to 'yes' if you want the server to
# perform DNS lookups. Disabling DNS lookups can improve connection times
# and reduce the risk of DNS spoofing attacks, so it is generally
# recommended to keep this setting disabled unless you have a specific need for it.
# @param [String] ssh_pid_file setting for sshd_config.
# Default is '/var/run/sshd.pid', which is the common location for the
# sshd PID file, but can be set to a different path if desired.
# This setting specifies the location of the sshd PID file.
# @param [String] ssh_max_startups setting for sshd_config.
# Default is '10:30:100', which means that the server will allow up to 10
# concurrent unauthenticated connections, and will start dropping connections
# with a probability that increases linearly.
# @param [String] ssh_permit_tunnel setting for sshd_config.
# Default is 'no', which means that tunneling is not allowed, but can be
# set to 'yes' if you want to allow tunneling, or 'point-to-point' to allow
# only point-to-point tunneling. This setting should be used with caution if enabled.
# @param [String] ssh_chroot_directory setting for sshd_config.
# Default is 'none', which means that no chroot directory will be used, but
# can be set to a valid directory path if you want to use chroot for SSH
# sessions.
# @param [String] ssh_version_addendum setting for sshd_config.
# Default is 'none', which means that no version addendum will be included in
# the SSH banner, but can be set to a custom string if you want to include
# additional information in the SSH version banner. This can be used for
# branding purposes, but should be used with caution as it can potentially
# leak information about the server that could be useful to attackers.
##############################################################################
class confdroid_ssh::params (
@@ -140,6 +229,26 @@ class confdroid_ssh::params (
String $ssh_gssapi_key_exchange = 'no',
String $ssh_gssapi_enablek5users = 'no',
String $ssh_use_pam = 'no',
String $ssh_allow_agent_forwarding = 'yes',
String $ssh_allow_tcp_forwarding = 'yes',
String $ssh_gateway_ports = 'no',
String $ssh_x11_forwarding = 'no',
String $ssh_x11_display_offset = '10',
String $ssh_x11_use_localhost = 'yes',
String $ssh_permit_tty = 'yes',
String $ssh_print_motd = 'yes',
String $ssh_print_lastlog = 'yes',
String $ssh_tcp_keepalive = 'yes',
String $ssh_permit_user_environment = 'no',
String $ssh_compression = 'delayed',
String $ssh_client_alive_interval = '0',
String $ssh_client_alive_count_max = '3',
String $ssh_use_dns = 'no',
String $ssh_pid_file = '/var/run/sshd.pid',
String $ssh_max_startups = '10:30:100',
String $ssh_permit_tunnel = 'no',
String $ssh_chroot_directory = 'none',
String $ssh_version_addendum = 'none',
) {
# default facts

21
templates/sshd_custom_conf.erb
View File

@@ -47,3 +47,24 @@ GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
<% end -%>
AllowAgentForwarding <%= @ssh_allow_agent_forwarding %>
AllowTcpForwarding <%= @ssh_allow_tcp_forwarding %>
GatewayPorts <%= @ssh_gateway_ports %>
X11Forwarding <%= @ssh_x11_forwarding %>
X11DisplayOffset <%= @ssh_x11_display_offset %>
X11UseLocalhost <%= @ssh_x11_use_localhost %>
PermitTTY <%= @ssh_permit_tty %>
PrintMotd <%= @ssh_print_motd %>
PrintLastLog <%= @ssh_print_lastlog %>
TCPKeepAlive <%= @ssh_tcp_keepalive %>
PermitUserEnvironment <%= @ssh_permit_user_environment %>
Compression <%= @ssh_compression %>
ClientAliveInterval <%= @ssh_client_alive_interval %>
ClientAliveCountMax <%= @ssh_client_alive_count_max %>
UseDNS <%= @ssh_use_dns %>
PidFile <%= @ssh_pid_file %>
MaxStartups <%= @ssh_max_startups %>
PermitTunnel <%= @ssh_permit_tunnel %>
ChrootDirectory <%= @ssh_chroot_directory %>
VersionAddendum <%= @ssh_version_addendum %>