diff --git a/.puppet-lint.rc b/.puppet-lint.rc deleted file mode 100644 index 269b058..0000000 --- a/.puppet-lint.rc +++ /dev/null @@ -1,3 +0,0 @@ ---no-variable_scope-check ---no-top_scope_facts ---no-140chars-check \ No newline at end of file diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index 03e1e65..0000000 --- a/Jenkinsfile +++ /dev/null @@ -1,130 +0,0 @@ -pipeline { - agent { - label 'puppet' - } - - post { - always { - deleteDir() /* clean up our workspace */ - } - success { - updateGitlabCommitStatus state: 'success' - } - failure { - updateGitlabCommitStatus state: 'failed' - step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true]) - } - } - - options { - gitLabConnection('gitlab.confdroid.com') - } - - stages { - - stage('pull master') { - steps { - sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) { - sh ''' - git config user.name "Jenkins Server" - git config user.email jenkins@confdroid.com - # Ensure we're on the development branch (triggered by push) - git checkout development - # Create jenkins branch from development - git checkout -b jenkins-build-$BUILD_NUMBER - # Optionally merge master into jenkins to ensure compatibility - git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; } - ''' - } - } - } - - stage('puppet parser') { - steps { - sh '''for file in $(find . -iname \'*.pp\'); do - /opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1; - done;''' - } - } - - stage('check templates') { - steps{ - sh '''for file in $(find . -iname \'*.erb\'); - do erb -P -x -T "-" $file | ruby -c || exit 1; - done;''' - } - } - - stage('puppet-lint') { - steps { - sh '''/usr/local/bin/puppet-lint . \\ - --no-variable_scope-check \\ - || { echo "Puppet lint failed"; exit 1; } - ''' - } - } - - stage('SonarScan') { - steps { - withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) { - sh ''' - /opt/sonar-scanner/bin/sonar-scanner \ - -Dsonar.projectKey=confdroid_ssh \ - -Dsonar.sources=. \ - -Dsonar.host.url=https://sonarqube.confdroid.com \ - -Dsonar.token=$SONAR_TOKEN - ''' - } - } - } - - stage('create Puppet documentation') { - steps { - sh '/opt/puppetlabs/bin/puppet strings' - } - } - - stage('update repo') { - steps { - sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) { - sh ''' - git config user.name "Jenkins Server" - git config user.email jenkins@confdroid.com - git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit" - git push -o merge_request.create \ - -o merge_request.target=master \ - -o merge_request.title="Auto-merge for build $BUILD_NUMBER" \ - -o merge_request.description="Automated changes from Jenkins build $BUILD_NUMBER" \ - -o merge_request.merge_when_pipeline_succeeds=true \ - origin jenkins-build-$BUILD_NUMBER - ''' - } - } - } - stage('Mirror to Gitea') { - steps { - withCredentials([usernamePassword( - credentialsId: 'Jenkins-gitea', - usernameVariable: 'GITEA_USER', - passwordVariable: 'GITEA_TOKEN')]) { - script { - // Checkout from GitLab (already done implicitly) - sh ''' - git checkout master - git pull origin master - git branch -D development - git branch -D jenkins-build-$BUILD_NUMBER - git rm -f Jenkinsfile - git rm -r --cached .vscode || echo "No .vscode to remove from git" - git rm -r --cached .puppet-lint.rc || echo "No .puppet-lint.rc to remove from git" - git commit --amend --no-edit --allow-empty - git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git - git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \ - push master --mirror - ''' - } - } - } - } - } -} \ No newline at end of file diff --git a/doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Adirs.html b/doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Adirs.html index c67a40e..61e259c 100644 --- a/doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Adirs.html +++ b/doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Adirs.html @@ -141,7 +141,7 @@ class confdroid_ssh::main::dirs ( path => $ssh_etc_path, owner => $sshd_user, group => $sshd_user, - mode => '0700', + mode => '0755', selrange => s0, selrole => object_r, seltype => etc_t, @@ -152,7 +152,7 @@ class confdroid_ssh::main::dirs ( ensure => directory, owner => $sshd_user, group => $sshd_user, - mode => '0700', + mode => '0755', selrange => s0, selrole => object_r, seltype => etc_t, diff --git a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html index dd5db69..5290b75 100644 --- a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html +++ b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html @@ -532,7 +532,7 @@ (String) - (defaults to: 'no') + (defaults to: 'yes') — @@ -568,7 +568,7 @@ (String) - (defaults to: 'no') + (defaults to: 'yes') — @@ -1168,6 +1168,24 @@ —

setting for sshd_config. Default is ‘none’, which means that no banner will be displayed to users when they connect, but can be set to a valid file path if you want to display a custom banner message to users when they connect. This can be used to display legal notices, security warnings, or other information to users when they connect to the SSH server.

+
+ + + +
  • + + ssh_login_grace_time + + + (String) + + + (defaults to: '2m') + + + — +
    +

    setting for sshd_config. Default is ‘2m’, which means that users have 2 minutes to successfully authenticate before the server disconnects them, but can be set to a different time interval if desired. This setting can be used to limit the amount of time that attackers have to attempt to brute-force authentication, but should be set to a reasonable value to avoid disconnecting legitimate users who may need more time to log

    • @@ -1183,12 +1201,6 @@ 
     
 
-194
-195
-196
-197
-198
-199
 200
 201
 202
@@ -1269,10 +1281,17 @@
 277
 278
 279
-280
    +280 +281 +282 +283 +284 +285 +286 +287 - 
    # File 'manifests/params.pp', line 194
+        
    # File 'manifests/params.pp', line 200
 
 class confdroid_ssh::params (
 
@@ -1289,6 +1308,7 @@ class confdroid_ssh::params (
   Boolean $ssh_manage_config                = true,
   String  $ssh_address_family               = 'any',
   String  $ssh_listen_address               = '0.0.0.0',
+  String  $ssh_login_grace_time             = '2m',
   String  $ssh_root_login                   = 'prohibit-password',
   String  $ssh_strict_modes                 = 'yes',
   String  $ssh_max_auth_tries               = '6',
@@ -1303,9 +1323,9 @@ class confdroid_ssh::params (
   String  $ssh_rekeylimit                   = 'default none',
   String  $ssh_syslog_facility              = 'AUTH',
   String  $ssh_log_level                    = 'INFO',
-  String  $ssh_password_authentication      = 'no',
+  String  $ssh_password_authentication      = 'yes',
   String  $ssh_permit_empty_passwords       = 'no',
-  String  $ssh_kbd_interactive_auth         = 'no',
+  String  $ssh_kbd_interactive_auth         = 'yes',
   Boolean $ssh_use_kerberos                 = false,
   String  $ssh_kerberos_authentication      = 'yes',
   String  $ssh_kerberos_or_local_passwd     = 'yes',
diff --git a/manifests/main/dirs.pp b/manifests/main/dirs.pp
index 33c2cc8..e3ae64a 100644
--- a/manifests/main/dirs.pp
+++ b/manifests/main/dirs.pp
@@ -12,7 +12,7 @@ class confdroid_ssh::main::dirs (
     path     => $ssh_etc_path,
     owner    => $sshd_user,
     group    => $sshd_user,
-    mode     => '0700',
+    mode     => '0755',
     selrange => s0,
     selrole  => object_r,
     seltype  => etc_t,
@@ -23,7 +23,7 @@ class confdroid_ssh::main::dirs (
     ensure   => directory,
     owner    => $sshd_user,
     group    => $sshd_user,
-    mode     => '0700',
+    mode     => '0755',
     selrange => s0,
     selrole  => object_r,
     seltype  => etc_t,
diff --git a/manifests/params.pp b/manifests/params.pp
index 6161639..6040012 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -190,6 +190,12 @@
 #   display a custom banner message to users when they connect. This can be used
 #   to display legal notices, security warnings, or other information to users when
 #   they connect to the SSH server.
+# @param [String] ssh_login_grace_time setting for sshd_config.
+#   Default is '2m', which means that users have 2 minutes to successfully
+#   authenticate before the server disconnects them, but can be set to a different
+#   time interval if desired. This setting can be used to limit the amount of time
+#   that attackers have to attempt to brute-force authentication, but should be set
+#   to a reasonable value to avoid disconnecting legitimate users who may need more time to log
 ##############################################################################
 class confdroid_ssh::params (
 
@@ -206,6 +212,7 @@ class confdroid_ssh::params (
   Boolean $ssh_manage_config                = true,
   String  $ssh_address_family               = 'any',
   String  $ssh_listen_address               = '0.0.0.0',
+  String  $ssh_login_grace_time             = '2m',
   String  $ssh_root_login                   = 'prohibit-password',
   String  $ssh_strict_modes                 = 'yes',
   String  $ssh_max_auth_tries               = '6',
@@ -220,9 +227,9 @@ class confdroid_ssh::params (
   String  $ssh_rekeylimit                   = 'default none',
   String  $ssh_syslog_facility              = 'AUTH',
   String  $ssh_log_level                    = 'INFO',
-  String  $ssh_password_authentication      = 'no',
+  String  $ssh_password_authentication      = 'yes',
   String  $ssh_permit_empty_passwords       = 'no',
-  String  $ssh_kbd_interactive_auth         = 'no',
+  String  $ssh_kbd_interactive_auth         = 'yes',
   Boolean $ssh_use_kerberos                 = false,
   String  $ssh_kerberos_authentication      = 'yes',
   String  $ssh_kerberos_or_local_passwd     = 'yes',
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index 530322a..85f943d 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -16,6 +16,7 @@ RekeyLimit <%= @ssh_rekeylimit %>
 SyslogFacility <%= @ssh_syslog_facility %>
 LogLevel <%= @ssh_log_level %>
 
+LoginGraceTime <%= @ssh_login_grace_time %>
 PermitRootLogin <%= @ssh_root_login %>
 StrictModes <%= @ssh_strict_modes %>
 MaxAuthTries <%= @ssh_max_auth_tries %>