diff --git a/manifests/params.pp b/manifests/params.pp
index 456bd7d..9b29811 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -16,26 +16,44 @@
 # @param [String] ssh_strict_modes StrictModes setting for sshd_config
 # @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
 # @param [String] ssh_max_sessions MaxSessions setting for sshd_config
+# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
+# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
+# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile
+# setting for sshd_config. Default is 'none' to disable this setting.
+# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config.
+# Default is 'none' to disable this setting.
+# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
+# Default is 'nobody' to use an unpriviledged user.
+# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
+# @param [String] ssh_hostkey_type type of host key to use if
+# ssh_use_specific_hostkey is true
 ##############################################################################
 class confdroid_ssh::params (
- Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],
- String $pkg_ensure = 'present',
+ Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],
+ String $pkg_ensure = 'present',
 # firewall settings
- String $ssh_fw_rule = 'present',
- String $ssh_fw_port = '22',
- String $ssh_fw_order = '50',
- String $ssh_source_range = '0.0.0.0/0',
+ String $ssh_fw_rule = 'present',
+ String $ssh_fw_port = '22',
+ String $ssh_fw_order = '50',
+ String $ssh_source_range = '0.0.0.0/0',
- # main configuration
- Boolean $ssh_manage_config = true,
- String $ssh_address_family = 'any',
- String $ssh_listen_address = '0.0.0.0',
- String $ssh_root_login = 'prohibit-password',
- String $ssh_strict_modes = 'yes',
- String $ssh_max_auth_tries = '6',
- String $ssh_max_sessions = '10',
+ # sshd configuration
+ Boolean $ssh_manage_config = true,
+ String $ssh_address_family = 'any',
+ String $ssh_listen_address = '0.0.0.0',
+ String $ssh_root_login = 'prohibit-password',
+ String $ssh_strict_modes = 'yes',
+ String $ssh_max_auth_tries = '6',
+ String $ssh_max_sessions = '10',
+ String $ssh_pubkey_auth = 'yes',
+ String $ssh_auth_key_files = '.ssh/authorized_keys',
+ String $ssh_authorized_principals_file = 'none',
+ String $ssh_authorized_keys_command = 'none',
+ String $ssh_authorized_keys_command_user = 'nobody',
+ Boolean $ssh_use_specific_hostkey = false,
+ String $ssh_hostkey_type = 'rsa',
 ) {
 # default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index 496026b..60c43bf 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -12,4 +12,15 @@ ListenAddress <%= @ssh_listen_address %>
 PermitRootLogin <%= @ssh_root_login %>
 StrictModes <%= @ssh_strict_modes %>
 MaxAuthTries <%= @ssh_max_auth_tries %>
-MaxSessions <%= @ssh_max_sessions %>
\ No newline at end of file
+MaxSessions <%= @ssh_max_sessions %>
+
+PubkeyAuthentication <%= @ssh_pubkey_auth %>
+AuthorizedKeysFile <%= @ssh_auth_key_files %>
+
+AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
+AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
+AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
+
+<% if @ssh_use_specific_hostkey -%>
+HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
+<% end -%>
\ No newline at end of file
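Review bot: `String $ssh_hostkey_type = 'rsa',` accepts any string, and the template hunk in sshd_custom_conf.erb splices it straight into `HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key`, so a typo or an unsupported key type silently renders a HostKey path that sshd cannot load and the daemon refuses to start instead of the catalog failing to compile. Constrain it at the class boundary, `Enum['rsa', 'ecdsa', 'ed25519'] $ssh_hostkey_type = 'rsa',`, and consider the same for `ssh_pubkey_auth` with `Enum['yes', 'no']`, so that bad values are rejected before a config is written. The added doc line `# Default is 'nobody' to use an unpriviledged user.` should read `unprivileged`, and the `ssh_authorized_keys_command` doc could state that a non-'none' value must be an absolute path to the program, since that is what the template emits verbatim. The class body continues beyond the hunk after `) {`.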
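Review bot: The `HostKey` line inside `<% if @ssh_use_specific_hostkey -%>` replaces sshd's default host key set rather than adding to it, so when the flag is true only that one key type is offered to clients; that is presumably intended, but nothing in the template says so, and a rendered comment above the block, `# A HostKey entry replaces sshd's default host keys; only this key is offered`, would save the next reader a trip to sshd_config(5). The file also still ends without a trailing newline after `<% end -%>` (the `-%>` trim drops the last line break as well), so the rendered sshd_config ends mid-line and every future edit to the tail will keep producing "No newline at end of file" noise; adding a final newline after `<% end -%>` fixes both.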