OP#577 update Readme

.gitignore

@@ -2,4 +2,5 @@
 Gemfile.lock
 FileList
 .scannerwork
-.vscode
+.vscode
+.puppet-lint.rc

Jenkinsfile

@@ -116,6 +116,7 @@ pipeline {
                   git branch -D jenkins-build-$BUILD_NUMBER
                   git rm -f Jenkinsfile
                   git rm -r --cached .vscode || echo "No .vscode to remove from git"
+                  git rm -r --cached .puppet-lint.rc || echo "No .puppet-lint.rc to remove from git"
                   git commit --amend --no-edit --allow-empty
                   git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git
                   git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \

README.md

@@ -25,11 +25,13 @@
 ## Features
 
 - install required binaries
-- manage local custom configuration based on parameters, overriding the defaults
 - manage selinux rules
 - manage service
 - (optional) manage firewall
-  
+
+> Note
+Originally I thought it was a great idea to have a single custom configuration file, which would override the default settings in the sshd_config. But I quickly learned, that this is not a great idea, for it seemed to work out differently on various hosts despite identical settings. For instance gitlab is using SSH not only for remote sessions but also for git operations, which broke with this file in place. So right now this module will only ensure the main default config is available and the service is always running. Custom configurations can be enabled after through testing through the parameters under #sshd section, but can be forced off through the `ssh_custom_ensure`setting set to `absent` (default).
+
 ## Support
 
 - Rocky 9 (Any RHEL 9 based OS should work but has not been tested)
@@ -41,7 +43,7 @@ All parameters are listed in `params.pp` and inherited from there.  Variable par
 
 ## Module Deployment
 
-ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it.
+Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it.
 
 ## Tests
 

manifests/main/dirs.pp

@@ -12,7 +12,7 @@ class confdroid_ssh::main::dirs (
     path     => $ssh_etc_path,
     owner    => $sshd_user,
     group    => $sshd_user,
-    mode     => '0700',
+    mode     => '0755',
     selrange => s0,
     selrole  => object_r,
     seltype  => etc_t,
@@ -23,7 +23,7 @@ class confdroid_ssh::main::dirs (
     ensure   => directory,
     owner    => $sshd_user,
     group    => $sshd_user,
-    mode     => '0700',
+    mode     => '0755',
     selrange => s0,
     selrole  => object_r,
     seltype  => etc_t,

manifests/main/files.pp

@@ -23,7 +23,7 @@ class confdroid_ssh::main::files (
 
   if $ssh_manage_config {
     file { $sshd_custom_conf:
-      ensure   => file,
+      ensure   => $ssh_custom_ensure,
       path     => $sshd_custom_conf,
       owner    => $sshd_user,
       group    => $sshd_user,
@@ -35,12 +35,5 @@ class confdroid_ssh::main::files (
       content  => template($sshd_custom_erb),
       notify   => Service[$sshd_service],
     }
-    # we want the default root login setting to be managed by the custom conf, 
-    # so we remove the default file if it exists
-    file { $sshd_root_login_file:
-      ensure => absent,
-      path   => $sshd_root_login_file,
-      notify => Service[$sshd_service],
-    }
   }
 }

manifests/params.pp

@@ -190,6 +190,14 @@
 #   display a custom banner message to users when they connect. This can be used
 #   to display legal notices, security warnings, or other information to users when
 #   they connect to the SSH server.
+# @param [String] ssh_login_grace_time setting for sshd_config.
+#   Default is '2m', which means that users have 2 minutes to successfully
+#   authenticate before the server disconnects them, but can be set to a different
+#   time interval if desired. This setting can be used to limit the amount of time
+#   that attackers have to attempt to brute-force authentication, but should be set
+#   to a reasonable value to avoid disconnecting legitimate users who may need more time to log
+# @param [String] ssh_custom_ensure whether the custom configuration file 
+#   should be file or absent.
 ##############################################################################
 class confdroid_ssh::params (
 
@@ -203,9 +211,11 @@ class confdroid_ssh::params (
   String $ssh_source_range                  = '0.0.0.0/0',
 
   # sshd configuration 
+  String  $ssh_custom_ensure                = 'absent',
   Boolean $ssh_manage_config                = true,
   String  $ssh_address_family               = 'any',
   String  $ssh_listen_address               = '0.0.0.0',
+  String  $ssh_login_grace_time             = '2m',
   String  $ssh_root_login                   = 'prohibit-password',
   String  $ssh_strict_modes                 = 'yes',
   String  $ssh_max_auth_tries               = '6',
@@ -220,9 +230,9 @@ class confdroid_ssh::params (
   String  $ssh_rekeylimit                   = 'default none',
   String  $ssh_syslog_facility              = 'AUTH',
   String  $ssh_log_level                    = 'INFO',
-  String  $ssh_password_authentication      = 'no',
+  String  $ssh_password_authentication      = 'yes',
   String  $ssh_permit_empty_passwords       = 'no',
-  String  $ssh_kbd_interactive_auth         = 'no',
+  String  $ssh_kbd_interactive_auth         = 'yes',
   Boolean $ssh_use_kerberos                 = false,
   String  $ssh_kerberos_authentication      = 'yes',
   String  $ssh_kerberos_or_local_passwd     = 'yes',

templates/sshd_custom_conf.erb

@@ -5,33 +5,34 @@
 ##### be made in the Puppet manifest parameters.                              #
 ###############################################################################
 
-Port <%= @ssh_fw_port %>
-AddressFamily <%= @ssh_address_family %>
-ListenAddress <%= @ssh_listen_address %> 
+#Port <%= @ssh_fw_port %>
+#AddressFamily <%= @ssh_address_family %>
+#ListenAddress <%= @ssh_listen_address %> 
 <% if @ssh_use_specific_hostkey -%>
-HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
+#HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
 <% end -%>
-RekeyLimit <%= @ssh_rekeylimit %>
+#RekeyLimit <%= @ssh_rekeylimit %>
 
-SyslogFacility <%= @ssh_syslog_facility %>
-LogLevel <%= @ssh_log_level %>
+#SyslogFacility <%= @ssh_syslog_facility %>
+#LogLevel <%= @ssh_log_level %>
 
-PermitRootLogin <%= @ssh_root_login %>
-StrictModes <%= @ssh_strict_modes %>
-MaxAuthTries <%= @ssh_max_auth_tries %>
-MaxSessions <%= @ssh_max_sessions %>
+#LoginGraceTime <%= @ssh_login_grace_time %>
+#PermitRootLogin <%= @ssh_root_login %>
+#StrictModes <%= @ssh_strict_modes %>
+#MaxAuthTries <%= @ssh_max_auth_tries %>
+#MaxSessions <%= @ssh_max_sessions %>
 
-PubkeyAuthentication <%= @ssh_pubkey_auth %>
-AuthorizedKeysFile	<%= @ssh_auth_key_files %>
+#PubkeyAuthentication <%= @ssh_pubkey_auth %>
+#AuthorizedKeysFile	<%= @ssh_auth_key_files %>
 
-AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
-AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
-AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
+#AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
+#AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
+#AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
 
-PasswordAuthentication <%= @ssh_password_authentication %>
-PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
-KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
-UsePAM <%= @ssh_use_pam %>
+#PasswordAuthentication <%= @ssh_password_authentication %>
+#PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
+#KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+#UsePAM <%= @ssh_use_pam %>
 
 <% if @ssh_use_kerberos -%>
 KerberosAuthentication <%= @ssh_kerberos_authentication %>
@@ -48,25 +49,25 @@ GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
 GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
 <% end -%>
 
-AllowAgentForwarding <%= @ssh_allow_agent_forwarding %>
-AllowTcpForwarding <%= @ssh_allow_tcp_forwarding %>
-GatewayPorts <%= @ssh_gateway_ports %>
-X11Forwarding <%= @ssh_x11_forwarding %>
-X11DisplayOffset <%= @ssh_x11_display_offset %>
-X11UseLocalhost <%= @ssh_x11_use_localhost %>
-PermitTTY <%= @ssh_permit_tty %>
-PrintMotd <%= @ssh_print_motd %>
-PrintLastLog <%= @ssh_print_lastlog %>
-TCPKeepAlive <%= @ssh_tcp_keepalive %>
-PermitUserEnvironment <%= @ssh_permit_user_environment %>
-Compression <%= @ssh_compression %>
-ClientAliveInterval <%= @ssh_client_alive_interval %>
-ClientAliveCountMax <%= @ssh_client_alive_count_max %>
-UseDNS <%= @ssh_use_dns %>
-PidFile <%= @ssh_pid_file %>
-MaxStartups <%= @ssh_max_startups %>
-PermitTunnel <%= @ssh_permit_tunnel %>
-ChrootDirectory <%= @ssh_chroot_directory %>
-VersionAddendum <%= @ssh_version_addendum %>
+#AllowAgentForwarding <%= @ssh_allow_agent_forwarding %>
+#AllowTcpForwarding <%= @ssh_allow_tcp_forwarding %>
+#GatewayPorts <%= @ssh_gateway_ports %>
+#X11Forwarding <%= @ssh_x11_forwarding %>
+#X11DisplayOffset <%= @ssh_x11_display_offset %>
+#X11UseLocalhost <%= @ssh_x11_use_localhost %>
+#PermitTTY <%= @ssh_permit_tty %>
+#PrintMotd <%= @ssh_print_motd %>
+#PrintLastLog <%= @ssh_print_lastlog %>
+#TCPKeepAlive <%= @ssh_tcp_keepalive %>
+#PermitUserEnvironment <%= @ssh_permit_user_environment %>
+#Compression <%= @ssh_compression %>
+#ClientAliveInterval <%= @ssh_client_alive_interval %>
+#ClientAliveCountMax <%= @ssh_client_alive_count_max %>
+#UseDNS <%= @ssh_use_dns %>
+#PidFile <%= @ssh_pid_file %>
+#MaxStartups <%= @ssh_max_startups %>
+#PermitTunnel <%= @ssh_permit_tunnel %>
+#ChrootDirectory <%= @ssh_chroot_directory %>
+#VersionAddendum <%= @ssh_version_addendum %>
 
-Banner <%= @ssh_banner %>
+#Banner <%= @ssh_banner %>