confdroid/confdroid_ssh
1
0
Fork 0
Code Issues Projects Wiki Activity

Compare commits

base: confdroid:14c19ec01027d3e3233290a1aa907968ed0b2eb6
Branches Tags
confdroid:master
confdroid:1.0.1-04.2026 confdroid:1.0.0-04.2026
..
compare: confdroid:master
Branches Tags
confdroid:master
confdroid:1.0.1-04.2026 confdroid:1.0.0-04.2026

24 Commits
14c19ec010 ... master

Author SHA1 Message Date
Jenkins Server
c70ac664a5 Merge build 39 into master 2026-04-14 17:03:01 +02:00
Jenkins Server
cc7f06d876 Recommit for updates in build 39 2026-04-14 17:02:59 +02:00
Jenkins Server
04a7e544a5 Merge remote-tracking branch 'origin/master' into jenkins-build-39 2026-04-14 17:02:08 +02:00
12ww1160
af538bb0e9 OP#78 define is added and tested working 2026-04-14 17:01:44 +02:00
Jenkins Server
60d451ee2c Merge build 38 into master 2026-04-14 16:22:12 +02:00
Jenkins Server
99f37cf02c Recommit for updates in build 38 2026-04-14 16:22:11 +02:00
Jenkins Server
65c46a04c2 Merge remote-tracking branch 'origin/master' into jenkins-build-38 2026-04-14 16:21:12 +02:00
12ww1160
5508f5a51f OP#78 add define 2026-04-14 16:20:49 +02:00
Jenkins Server
d9a07271fd Merge build 37 into master 2026-04-14 13:58:23 +02:00
Jenkins Server
72d12baece Merge remote-tracking branch 'origin/master' into jenkins-build-37 2026-04-14 13:57:30 +02:00
12ww1160
1e52fd312d rewrite pipeline to reflect pushing same commits to both remotes 2026-04-14 13:57:14 +02:00
Jenkins Server
b08e59caaf Merge build 36 into master 2026-04-14 13:52:17 +02:00
Jenkins Server
249c2de187 Merge remote-tracking branch 'origin/master' into jenkins-build-36 2026-04-14 13:51:25 +02:00
12ww1160
fd214f6a7d rewrite pipeline to reflect pushing same commits to both remotes 2026-04-14 13:51:09 +02:00
12ww1160
a35060c2cf rewrite pipeline to reflect pushing same commits to both remotes 2026-04-14 13:47:17 +02:00
Jenkins
ada8bc4220 Merge branch 'jenkins-build-34' into 'master' 
Auto-merge for build 34

See merge request puppet/confdroid_ssh!34
 2026-04-14 11:34:23 +00:00
Jenkins Server
b629a265bd Recommit for updates in build 34 2026-04-14 13:34:17 +02:00
Jenkins Server
0c2658b6da Merge remote-tracking branch 'origin/master' into jenkins-build-34 2026-04-14 13:33:25 +02:00
12ww1160
893ed11ce7 OP#577 update Readme 2026-04-14 13:33:01 +02:00
Jenkins
d7c8d71d64 Merge branch 'jenkins-build-33' into 'master' 
Auto-merge for build 33

See merge request puppet/confdroid_ssh!33
 2026-04-14 11:09:48 +00:00
Jenkins Server
4d3c86cd0c Recommit for updates in build 33 2026-04-14 13:09:40 +02:00
Jenkins Server
8d123c372c Merge remote-tracking branch 'origin/master' into jenkins-build-33 2026-04-14 13:08:49 +02:00
12ww1160
8821ff73f4 OP#577 update Readme 2026-04-14 13:08:33 +02:00
Jenkins
46e8642904 Merge branch 'jenkins-build-32' into 'master' 
Auto-merge for build 32

See merge request puppet/confdroid_ssh!32
 2026-04-14 11:01:00 +00:00
16 changed files with 579 additions and 1521 deletions
Expand all files Collapse all files

3
.puppet-lint.rc Normal file
View File

@@ -0,0 +1,3 @@
--no-variable_scope-check
--no-top_scope_facts
--no-140chars-check

130
Jenkinsfile vendored Normal file
View File

@@ -0,0 +1,130 @@
pipeline {
agent {
label 'puppet'
}
post {
always {
deleteDir() /* clean up our workspace */
}
success {
updateGitlabCommitStatus state: 'success'
}
failure {
updateGitlabCommitStatus state: 'failed'
step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
}
}
options {
gitLabConnection('gitlab.confdroid.com')
}
stages {
stage('pull master') {
steps {
sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
sh '''
git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com
git fetch origin
source_branch="${gitlabSourceBranch:-${BRANCH_NAME:-${GIT_LOCAL_BRANCH:-$GIT_BRANCH}}}"
source_branch="${source_branch#origin/}"
source_branch="${source_branch#refs/heads/}"
if [ -z "$source_branch" ]; then
source_branch="development"
fi
echo "Using source branch: $source_branch"
# Create an isolated build branch from the triggering branch revision.
git checkout -B jenkins-build-$BUILD_NUMBER "origin/$source_branch"
# Merge the current master into the build branch before validation.
git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
'''
}
}
}
stage('puppet parser') {
steps {
sh '''for file in $(find . -iname \'*.pp\'); do
/opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
done;'''
}
}
stage('check templates') {
steps{
sh '''for file in $(find . -iname \'*.erb\');
do erb -P -x -T "-" $file | ruby -c || exit 1;
done;'''
}
}
stage('puppet-lint') {
steps {
sh '''/usr/local/bin/puppet-lint . \\
--no-variable_scope-check \\
|| { echo "Puppet lint failed"; exit 1; }
'''
}
}
stage('SonarScan') {
steps {
withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
sh '''
/opt/sonar-scanner/bin/sonar-scanner \
-Dsonar.projectKey=confdroid_ssh \
-Dsonar.sources=. \
-Dsonar.host.url=https://sonarqube.confdroid.com \
-Dsonar.token=$SONAR_TOKEN
'''
}
}
}
stage('create Puppet documentation') {
steps {
sh '/opt/puppetlabs/bin/puppet strings'
}
}
stage('update repo') {
steps {
sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
sh '''
git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com
git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
git fetch origin
git checkout -B master origin/master
git merge --no-ff jenkins-build-$BUILD_NUMBER -m "Merge build $BUILD_NUMBER into master"
git push origin master
'''
}
}
}
stage('Mirror to Gitea') {
steps {
withCredentials([usernamePassword(
credentialsId: 'Jenkins-gitea',
usernameVariable: 'GITEA_USER',
passwordVariable: 'GITEA_TOKEN')]) {
script {
sh '''
git fetch origin
git checkout master
git reset --hard origin/master
git remote get-url master >/dev/null 2>&1 \
&& git remote set-url master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git \
|| git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git
git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
push --force master refs/heads/master:refs/heads/master
'''
}
}
}
}
}
}

28
README.md
View File

@@ -7,6 +7,7 @@
- [Synopsis](#synopsis)
- [WARNING](#warning)
- [Features](#features)
- [Adding custom configurations](#adding-custom-configurations)
- [Support](#support)
- [Parameter Inheritance](#parameter-inheritance)
- [Module Deployment](#module-deployment)
@@ -25,12 +26,33 @@
## Features
- install required binaries
- manage selinux rules
- manage required files and directories including selinux context
- manage service
- (optional) manage firewall
> Note
Originally I thought it was a great idea to have a single custom configuration file, which would override the default settings in the sshd_config. But I quickly learned, that this is not a great idea, for it seemed to work out differently on various hosts despite identical settings. For instance gitlab is using SSH not only for remote sessions but also for git operations, which broke with this file in place. So right now this module will only ensure the main default config is available and the service is always running. Custom configurations can be enabled after through testing through the parameters under #sshd section, but can be forced off through the `ssh_custom_ensure`setting set to `absent` (default).
## Adding custom configurations
Custom configuration files live in `/etc/ssh/sshd_config.d/`. IN order to create a custom config file, add a stanza like this in your control repo:
```puppet
confdroid_ssh::custom::custom_config { '30-my-custom-rule':
config_name => '30-custom-rule',
config_content => ['PasswordAuthentication no'],
}
```
This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:
```puppet
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. Update the Puppet define input instead. #
###############################################################################
PasswordAuthentication no
```
Note that the value for config_content **has to be an array**, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.
## Support

24
doc/_index.html
View File

@@ -122,6 +122,30 @@
<h2>Defined Type Listing A-Z</h2>
<table>
<tr>
<td valign='top' width="33%">
<ul id="alpha_C" class="alpha">
<li class="letter">C</li>
<ul>
<li>
<span class='object_link'><a href="puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html" title="puppet_defined_types::confdroid_ssh::custom::custom_config (puppet_defined_type)">confdroid_ssh::custom::custom_config</a></span>
</li>
</ul>
</ul>
</td>
</tr>
</table>

28
doc/file.README.html
View File

@@ -70,6 +70,8 @@
</li><li>
<p><a href="#features">Features</a></p>
</li><li>
<p><a href="#adding-custom-configurations">Adding custom configurations</a></p>
</li><li>
<p><a href="#support">Support</a></p>
</li><li>
<p><a href="#parameter-inheritance">Parameter Inheritance</a></p>
@@ -97,16 +99,34 @@
<ul><li>
<p>install required binaries</p>
</li><li>
<p>manage selinux rules</p>
<p>manage required files and directories including selinux context</p>
</li><li>
<p>manage service</p>
</li><li>
<p>(optional) manage firewall</p>
</li></ul>
<blockquote>
<p>Note Originally I thought it was a great idea to have a single custom configuration file, which would override the default settings in the sshd_config. But I quickly learned, that this is not a great idea, for it seemed to work out differently on various hosts despite identical settings. For instance gitlab is using SSH not only for remote sessions but also for git operations, which broke with this file in place. So right now this module will only ensure the main default config is available and the service is always running. Custom configurations can be enabled after through testing through the parameters under #sshd section, but can be forced off through the <code>ssh_custom_ensure</code>setting set to <code>absent</code> (default).</p>
</blockquote>
<h2 id="label-Adding+custom+configurations">Adding custom configurations</h2>
<p>Custom configuration files live in <code>/etc/ssh/sshd_config.d/</code>. IN order to create a custom config file, add a stanza like this in your control repo:</p>
<pre class="code ruby"><code class="ruby">confdroid_ssh::custom::custom_config { &#39;30-my-custom-rule&#39;:
config_name =&gt; &#39;30-custom-rule&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],
}
</code></pre>
<p>This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:</p>
<pre class="code ruby"><code class="ruby"><span class='comment'>###############################################################################
</span><span class='comment'>##### DO NOT EDIT THIS FILE MANUALLY #
</span><span class='comment'>##### This file is managed by Puppet. Any changes to this file will be #
</span><span class='comment'>##### overwritten. Update the Puppet define input instead. #
</span><span class='comment'>###############################################################################
</span><span class='const'>PasswordAuthentication</span> <span class='id identifier rubyid_no'>no</span>
</code></pre>
<p>Note that the value for config_content <strong>has to be an array</strong>, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.</p>
<h2 id="label-Support">Support</h2>
<ul><li>

28
doc/index.html
View File

@@ -70,6 +70,8 @@
</li><li>
<p><a href="#features">Features</a></p>
</li><li>
<p><a href="#adding-custom-configurations">Adding custom configurations</a></p>
</li><li>
<p><a href="#support">Support</a></p>
</li><li>
<p><a href="#parameter-inheritance">Parameter Inheritance</a></p>
@@ -97,16 +99,34 @@
<ul><li>
<p>install required binaries</p>
</li><li>
<p>manage selinux rules</p>
<p>manage required files and directories including selinux context</p>
</li><li>
<p>manage service</p>
</li><li>
<p>(optional) manage firewall</p>
</li></ul>
<blockquote>
<p>Note Originally I thought it was a great idea to have a single custom configuration file, which would override the default settings in the sshd_config. But I quickly learned, that this is not a great idea, for it seemed to work out differently on various hosts despite identical settings. For instance gitlab is using SSH not only for remote sessions but also for git operations, which broke with this file in place. So right now this module will only ensure the main default config is available and the service is always running. Custom configurations can be enabled after through testing through the parameters under #sshd section, but can be forced off through the <code>ssh_custom_ensure</code>setting set to <code>absent</code> (default).</p>
</blockquote>
<h2 id="label-Adding+custom+configurations">Adding custom configurations</h2>
<p>Custom configuration files live in <code>/etc/ssh/sshd_config.d/</code>. IN order to create a custom config file, add a stanza like this in your control repo:</p>
<pre class="code ruby"><code class="ruby">confdroid_ssh::custom::custom_config { &#39;30-my-custom-rule&#39;:
config_name =&gt; &#39;30-custom-rule&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],
}
</code></pre>
<p>This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:</p>
<pre class="code ruby"><code class="ruby"><span class='comment'>###############################################################################
</span><span class='comment'>##### DO NOT EDIT THIS FILE MANUALLY #
</span><span class='comment'>##### This file is managed by Puppet. Any changes to this file will be #
</span><span class='comment'>##### overwritten. Update the Puppet define input instead. #
</span><span class='comment'>###############################################################################
</span><span class='const'>PasswordAuthentication</span> <span class='id identifier rubyid_no'>no</span>
</code></pre>
<p>Note that the value for config_content <strong>has to be an array</strong>, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.</p>
<h2 id="label-Support">Support</h2>
<ul><li>

4
doc/puppet_class_list.html
View File

@@ -28,6 +28,10 @@
Puppet Classes
</a></span>
<span><a target="_self" href="puppet_defined_type_list.html">
Defined Types
</a></span>
</div>
<div id="search">Search: <input type="text" /></div>

34
doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Afiles.html
View File

@@ -118,23 +118,7 @@
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39</pre>
23</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -156,22 +140,6 @@ class confdroid_ssh::main::files (
content =&gt; template($sshd_config_erb),
notify =&gt; Service[$sshd_service],
}
if $ssh_manage_config {
file { $sshd_custom_conf:
ensure =&gt; $ssh_custom_ensure,
path =&gt; $sshd_custom_conf,
owner =&gt; $sshd_user,
group =&gt; $sshd_user,
mode =&gt; &#39;0640&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,
seluser =&gt; system_u,
content =&gt; template($sshd_custom_erb),
notify =&gt; Service[$sshd_service],
}
}
}</pre>
</td>
</tr>

1170
doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
View File

File diff suppressed because it is too large Load Diff

54
doc/puppet_defined_type_list.html Normal file
View File

@@ -0,0 +1,54 @@
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8" />
<link rel="stylesheet" href="css/full_list.css" type="text/css" media="screen" />
<link rel="stylesheet" href="css/common.css" type="text/css" media="screen" />
<script type="text/javascript" charset="utf-8" src="js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="js/full_list.js"></script>
<title>Defined Type List</title>
<base id="base_target" target="_parent" />
</head>
<body>
<div id="content">
<div class="fixed_header">
<h1 id="full_list_header">Defined Type List</h1>
<div id="full_list_nav">
<span><a target="_self" href="puppet_class_list.html">
Puppet Classes
</a></span>
<span><a target="_self" href="puppet_defined_type_list.html">
Defined Types
</a></span>
</div>
<div id="search">Search: <input type="text" /></div>
</div>
<ul id="full_list" class="puppet_defined_type">
<li id="object_puppet_defined_types::confdroid_ssh::custom::custom_config" class="odd">
<div class="item">
<span class='object_link'><a href="puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html" title="puppet_defined_types::confdroid_ssh::custom::custom_config (puppet_defined_type)">confdroid_ssh::custom::custom_config</a></span>
</div>
</li>
</ul>
</div>
</body>
</html>

209
doc/puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html Normal file
View File

@@ -0,0 +1,209 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Defined Type: confdroid_ssh::custom::custom_config
&mdash; Documentation by YARD 0.9.36
</title>
<link rel="stylesheet" href="../css/style.css" type="text/css" />
<link rel="stylesheet" href="../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "puppet_defined_types::confdroid_ssh::custom::custom_config";
relpath = '../';
</script>
<script type="text/javascript" charset="utf-8" src="../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../puppet_defined_type_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../_index.html">Index (c)</a> &raquo;
<span class='title'><span class='object_link'>Defined Types</span></span>
&raquo;
<span class="title">confdroid_ssh::custom::custom_config</span>
</div>
<div id="search">
<a class="full_list_link" id="puppet_class_list_link"
href="../puppet_class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Defined Type: confdroid_ssh::custom::custom_config</h1>
<div class="box_info">
<dl>
<dt>Defined in:</dt>
<dd>
manifests/custom/custom_config.pp
</dd>
</dl>
</div>
<h2>Summary</h2>
Class manages custom configurations for SSH
<h2>Overview</h2>
<div class="docstring">
<div class="discussion">
<p>confdroid_ssh::custom::custom_config.pp Module name: confdroid_ssh Author: 12ww1160 (12ww1160@confdroid.com) } this will create a file called /etc/ssh/sshd_config.d/50-test.conf with the content: PasswordAuthentication no and notify the sshd service to reload the configuration</p>
</div>
</div>
<div class="tags">
<div class="examples">
<p class="tag_title">Examples:</p>
<pre class="example code"><code>confdroid_ssh::custom::custom_config { &#39;50-test&#39;:
config_name =&gt; &#39;50-test&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],</code></pre>
</div>
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>config_name</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>name of the custom configuration file (without .conf extension)</p>
</div>
</li>
<li>
<span class='name'>config_content</span>
<span class='type'>(<tt>Array[String]</tt>)</span>
&mdash;
<div class='inline'>
<p>array of configuration lines to include in the custom config</p>
</div>
</li>
</ul>
</div><div class="method_details_list">
<table class="source_code">
<tr>
<td>
<pre class="lines">
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/custom/custom_config.pp', line 17</span>
define confdroid_ssh::custom::custom_config (
String $config_name,
Array[String] $config_content,
) {
$sshd_custom_path = $confdroid_ssh::params::sshd_custom_path
$sshd_service = $confdroid_ssh::params::sshd_service
$custom_config_erb = &#39;confdroid_ssh/custom_config.erb&#39;
$config_basename = regsubst($config_name, &#39;\\.conf$&#39;, &#39;&#39;)
$config_file = &quot;${config_name}.conf&quot;
file { &quot;${sshd_custom_path}/${config_file}&quot;:
ensure =&gt; file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0600&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,
seluser =&gt; system_u,
content =&gt; template($custom_config_erb),
notify =&gt; Service[$sshd_service],
}
}</pre>
</td>
</tr>
</table>
</div>
</div>
<div id="footer">
Generated by <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>.
</div>
</div>
</body>
</html>

41
manifests/custom/custom_config.pp Normal file
View File

@@ -0,0 +1,41 @@
## confdroid_ssh::custom::custom_config.pp
# Module name: confdroid_ssh
# Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class manages custom configurations for SSH
# @param [String] config_name name of the custom configuration file
# (without .conf extension)
# @param [Array[String]] config_content array of configuration lines to
# include in the custom config
# @example
# confdroid_ssh::custom::custom_config { '50-test':
# config_name => '50-test',
# config_content => ['PasswordAuthentication no'],
# }
# this will create a file called /etc/ssh/sshd_config.d/50-test.conf with the content:
# PasswordAuthentication no and notify the sshd service to reload the configuration
##############################################################################
define confdroid_ssh::custom::custom_config (
String $config_name,
Array[String] $config_content,
) {
$sshd_custom_path = $confdroid_ssh::params::sshd_custom_path
$sshd_service = $confdroid_ssh::params::sshd_service
$custom_config_erb = 'confdroid_ssh/custom_config.erb'
$config_basename = regsubst($config_name, '\\.conf$', '')
$config_file = "${config_name}.conf"
file { "${sshd_custom_path}/${config_file}":
ensure => file,
owner => 'root',
group => 'root',
mode => '0600',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template($custom_config_erb),
notify => Service[$sshd_service],
}
}

16
manifests/main/files.pp
View File

@@ -20,20 +20,4 @@ class confdroid_ssh::main::files (
content => template($sshd_config_erb),
notify => Service[$sshd_service],
}
if $ssh_manage_config {
file { $sshd_custom_conf:
ensure => $ssh_custom_ensure,
path => $sshd_custom_conf,
owner => $sshd_user,
group => $sshd_user,
mode => '0640',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template($sshd_custom_erb),
notify => Service[$sshd_service],
}
}
}

250
manifests/params.pp
View File

@@ -9,196 +9,7 @@
# @param [String] ssh_fw_port port to use for SSHD and in fw
# @param [String] ssh_fw_order order of firewall rule
# @param [String] ssh_source_range source range for firewall rule
# @param [Boolean] ssh_manage_config whether to manage the configuration
# @param [String] ssh_address_family AddressFamily setting for sshd_config
# @param [String] ssh_listen_address ListenAddress setting for sshd_config
# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
# @param [String] ssh_strict_modes StrictModes setting for sshd_config
# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
# @param [String] ssh_max_sessions MaxSessions setting for sshd_config
# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile
# setting for sshd_config. Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config.
# Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
# Default is 'nobody' to use an unpriviledged user.
# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
# @param [String] ssh_hostkey_type type of host key to use if
# ssh_use_specific_hostkey is true
# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config.
# Default is 'default none'.
# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.
# Default is 'AUTH'.
# @param [String] ssh_log_level LogLevel setting for sshd_config.
# Default is 'INFO'.
# @param [String] ssh_password_authentication PasswordAuthentication setting
# for sshd_config. Default is 'no', which requires key-based authentication.
# This is a recommended security setting, so passwords do not show up in logs,
# but can be set to 'yes' if password authentication is desired.
# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting
# for sshd_config. Default is 'no', which is a recommended security setting
# and works in connection with key-based authentication, but can be set
# to 'yes' if password authentication should be allowed and empty passwords
# should be allowed. Again, this should be used with caution if enabled.
# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
# Default is 'no', which is a recommended security setting together
# with password authentication, but can be set to 'yes' if
# keyboard-interactive authentication should be allowed. (not recommended)
# @param [String] ssh_kerberos_authentication setting for sshd_config.
# Default is 'no'. Kerberos authentication is not commonly used and
# requires a lot of other settings, so it is disabled by default, but can be
# set to 'yes' if desired.
# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication is
# enabled, and should be set to 'yes' if you want to allow local password
# authentication as a fallback if Kerberos authentication fails, but can be
# set to 'no' if you want to only allow Kerberos authentication.
# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable userok with
# Kerberos, but can be set to 'no' if you want to disable it.
# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
# If true, the relevant Kerberos settings will be included in the sshd_config,
# otherwise they will be ignored.
# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
# will be disabled. GSSAPI authentication is not commonly used and requires
# a lot of other settings, so it is disabled by default, but can be set to
# true if desired.
# @param [String] ssh_gssapi_authentication setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS authentication,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS credential
# cleanup, but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS key exchange.
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
# commonly used for SSH authentication and can introduce security risks if
# not configured properly, so it is disabled by default. Thi setting is
# related to PasswordAuthentication and KbdInteractiveAuthentication, and
# should be set to 'yes' only if you want to use PAM for authentication
# together with those settings.
# @param [String] ssh_allow_agent_forwarding setting for sshd_config.
# Default is 'yes', which allows SSH agent forwarding, but can be set to 'no'
# if you want to disable this feature for security reasons.
# @param [String] ssh_allow_tcp_forwarding setting for sshd_config.
# Default is 'yes', which allows TCP forwarding, but can be set to 'no'
# if you want to disable this feature for security reasons.
# @param [String] ssh_gateway_ports setting for sshd_config.
# Default is 'no', which means that remote hosts cannot connect to
# forwarded ports, but can be set to 'yes' or 'clientspecified' if you want
# to allow remote hosts to connect to forwarded ports. This setting should
# be used with caution if enabled, as it can introduce security risks.
# @param [String] ssh_x11_forwarding setting for sshd_config.
# Default is 'no', which disables X11 forwarding, but can be set to 'yes'
# if you want to allow X11 forwarding. This setting should be used with
# caution if enabled.
# @param [String] ssh_x11_display_offset setting for sshd_config.
# Default is '10'. This setting is only relevant if X11 forwarding is
# enabled, and specifies the first display number available for X11
# forwarding. The default of '10' means that the first forwarded display
# will be :10, the second will be :11, and so on. This setting can be
# adjusted if you want to use a different range of display numbers for
# X11 forwarding.
# @param [String] ssh_x11_use_localhost setting for sshd_config.
# Default is 'yes', which means that X11 forwarding will only be
# available on the loopback interface, but can be set to 'no' if you want
# to allow X11 forwarding on all network interfaces.
# @param [String] ssh_permit_tty setting for sshd_config.
# Default is 'yes', which allows TTY allocation, but can be set to 'no'
# if you want to disable TTY allocation.
# @param [String] ssh_print_motd setting for sshd_config.
# Default is 'yes', which means that the message of the day will be printed
# when users log in, but can be set to 'no' if you want to disable this feature.
# @param [String] ssh_print_lastlog setting for sshd_config.
# Default is 'yes', which means that the last login information will be printed
# when users log in, but can be set to 'no' if you want to disable this feature.
# @param [String] ssh_tcp_keepalive setting for sshd_config.
# Default is 'yes', which means that TCP keepalive messages will be sent, but
# can be set to 'no' if you want to disable this feature. This setting can
# be useful to disable if you have issues with dropped connections, but in
# general it is recommended to keep it enabled.
# @param [String] ssh_permit_user_environment setting for sshd_config.
# Default is 'no', which means that user environment variables will not be
# processed, but can be set to 'yes' if you want to allow users to specify
# environment variables in their ~/.ssh/environment file.
# @param [String] ssh_compression setting for sshd_config.
# Default is 'delayed', which means that compression will be enabled after
# successful authentication, but can be set to 'yes' if you want to enable
# compression from the start of the connection. The 'delayed' setting is a
# good compromise that allows for faster authentication while still providing
# the benefits of compression for the rest of the session.
# @param [String] ssh_client_alive_interval setting for sshd_config.
# Default is '0', which means that no keepalive messages will be sent by the
# server, but can be set to a positive integer to specify the interval in seconds
# between keepalive messages sent by the server to the client. This can be useful
# to detect and close stale connections, but should be used with caution as it can
# cause unexpected disconnections if set too aggressively.
# @param [String] ssh_client_alive_count_max setting for sshd_config.
# Default is '3'. This setting is only relevant if ssh_client_alive_interval is set
# to a positive integer, and specifies the number of consecutive keepalive messages
# that can be sent without receiving a response from the client before the server
# considers the connection to be stale and disconnects it.
# @param [String] ssh_use_dns setting for sshd_config.
# Default is 'no', which means that the server will not perform DNS lookups on
# connecting clients, but can be set to 'yes' if you want the server to
# perform DNS lookups. Disabling DNS lookups can improve connection times
# and reduce the risk of DNS spoofing attacks, so it is generally
# recommended to keep this setting disabled unless you have a specific need for it.
# @param [String] ssh_pid_file setting for sshd_config.
# Default is '/var/run/sshd.pid', which is the common location for the
# sshd PID file, but can be set to a different path if desired.
# This setting specifies the location of the sshd PID file.
# @param [String] ssh_max_startups setting for sshd_config.
# Default is '10:30:100', which means that the server will allow up to 10
# concurrent unauthenticated connections, and will start dropping connections
# with a probability that increases linearly.
# @param [String] ssh_permit_tunnel setting for sshd_config.
# Default is 'no', which means that tunneling is not allowed, but can be
# set to 'yes' if you want to allow tunneling, or 'point-to-point' to allow
# only point-to-point tunneling. This setting should be used with caution if enabled.
# @param [String] ssh_chroot_directory setting for sshd_config.
# Default is 'none', which means that no chroot directory will be used, but
# can be set to a valid directory path if you want to use chroot for SSH
# sessions.
# @param [String] ssh_version_addendum setting for sshd_config.
# Default is 'none', which means that no version addendum will be included in
# the SSH banner, but can be set to a custom string if you want to include
# additional information in the SSH version banner. This can be used for
# branding purposes, but should be used with caution as it can potentially
# leak information about the server that could be useful to attackers.
# @param [String] ssh_banner setting for sshd_config.
# Default is 'none', which means that no banner will be displayed to users
# when they connect, but can be set to a valid file path if you want to
# display a custom banner message to users when they connect. This can be used
# to display legal notices, security warnings, or other information to users when
# they connect to the SSH server.
# @param [String] ssh_login_grace_time setting for sshd_config.
# Default is '2m', which means that users have 2 minutes to successfully
# authenticate before the server disconnects them, but can be set to a different
# time interval if desired. This setting can be used to limit the amount of time
# that attackers have to attempt to brute-force authentication, but should be set
# to a reasonable value to avoid disconnecting legitimate users who may need more time to log
# @param [String] ssh_custom_ensure whether the custom configuration file
# should be file or absent.
##############################################################################
###############################################################################
class confdroid_ssh::params (
Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],
@@ -210,63 +21,6 @@ class confdroid_ssh::params (
String $ssh_fw_order = '50',
String $ssh_source_range = '0.0.0.0/0',
# sshd configuration
String $ssh_custom_ensure = 'absent',
Boolean $ssh_manage_config = true,
String $ssh_address_family = 'any',
String $ssh_listen_address = '0.0.0.0',
String $ssh_login_grace_time = '2m',
String $ssh_root_login = 'prohibit-password',
String $ssh_strict_modes = 'yes',
String $ssh_max_auth_tries = '6',
String $ssh_max_sessions = '10',
String $ssh_pubkey_auth = 'yes',
String $ssh_auth_key_files = '.ssh/authorized_keys',
String $ssh_authorized_principals_file = 'none',
String $ssh_authorized_keys_command = 'none',
String $ssh_authorized_keys_command_user = 'nobody',
Boolean $ssh_use_specific_hostkey = false,
String $ssh_hostkey_type = 'rsa',
String $ssh_rekeylimit = 'default none',
String $ssh_syslog_facility = 'AUTH',
String $ssh_log_level = 'INFO',
String $ssh_password_authentication = 'yes',
String $ssh_permit_empty_passwords = 'no',
String $ssh_kbd_interactive_auth = 'yes',
Boolean $ssh_use_kerberos = false,
String $ssh_kerberos_authentication = 'yes',
String $ssh_kerberos_or_local_passwd = 'yes',
String $ssh_kerberos_ticket_cleanup = 'yes',
String $ssh_kerberos_get_afstoken = 'no',
String $ssh_kerberos_use_kuserok = 'yes',
Boolean $ssh_use_gssapi = false,
String $ssh_gssapi_authentication = 'yes',
String $ssh_gssapi_cleanup_credentials = 'yes',
String $ssh_gssapi_key_exchange = 'no',
String $ssh_gssapi_enablek5users = 'no',
String $ssh_use_pam = 'no',
String $ssh_allow_agent_forwarding = 'yes',
String $ssh_allow_tcp_forwarding = 'yes',
String $ssh_gateway_ports = 'no',
String $ssh_x11_forwarding = 'no',
String $ssh_x11_display_offset = '10',
String $ssh_x11_use_localhost = 'yes',
String $ssh_permit_tty = 'yes',
String $ssh_print_motd = 'yes',
String $ssh_print_lastlog = 'yes',
String $ssh_tcp_keepalive = 'yes',
String $ssh_permit_user_environment = 'no',
String $ssh_compression = 'delayed',
String $ssh_client_alive_interval = '0',
String $ssh_client_alive_count_max = '3',
String $ssh_use_dns = 'no',
String $ssh_pid_file = '/var/run/sshd.pid',
String $ssh_max_startups = '10:30:100',
String $ssh_permit_tunnel = 'no',
String $ssh_chroot_directory = 'none',
String $ssh_version_addendum = 'none',
String $ssh_banner = 'none',
) {
# default facts
$fqdn = $facts['networking']['fqdn']
@@ -280,8 +34,6 @@ class confdroid_ssh::params (
$sshd_service = 'sshd'
$sshd_config_path = "${ssh_etc_path}/sshd_config"
$sshd_custom_path = "${ssh_etc_path}/sshd_config.d"
$sshd_custom_conf = "${sshd_custom_path}/10-custom.conf"
$sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb'
$sshd_config_erb = 'confdroid_ssh/sshd_config.erb'
$sshd_root_login_file = "${sshd_custom_path}/01-permitrootlogin.conf"

8
templates/custom_config.erb Normal file
View File

@@ -0,0 +1,8 @@
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. Update the Puppet define input instead. #
###############################################################################
<% @config_content.each do |config_line| -%>
<%= config_line %>
<% end -%>

73
templates/sshd_custom_conf.erb
View File

@@ -1,73 +0,0 @@
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. The file is built via parameters, so any changes should #
##### be made in the Puppet manifest parameters. #
###############################################################################
#Port <%= @ssh_fw_port %>
#AddressFamily <%= @ssh_address_family %>
#ListenAddress <%= @ssh_listen_address %>
<% if @ssh_use_specific_hostkey -%>
#HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
<% end -%>
#RekeyLimit <%= @ssh_rekeylimit %>
#SyslogFacility <%= @ssh_syslog_facility %>
#LogLevel <%= @ssh_log_level %>
#LoginGraceTime <%= @ssh_login_grace_time %>
#PermitRootLogin <%= @ssh_root_login %>
#StrictModes <%= @ssh_strict_modes %>
#MaxAuthTries <%= @ssh_max_auth_tries %>
#MaxSessions <%= @ssh_max_sessions %>
#PubkeyAuthentication <%= @ssh_pubkey_auth %>
#AuthorizedKeysFile <%= @ssh_auth_key_files %>
#AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
#AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
#AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
#PasswordAuthentication <%= @ssh_password_authentication %>
#PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
#KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
#UsePAM <%= @ssh_use_pam %>
<% if @ssh_use_kerberos -%>
KerberosAuthentication <%= @ssh_kerberos_authentication %>
KerberosOrLocalPasswd <%= @ssh_kerberos_or_local_passwd %>
KerberosTicketCleanup <%= @ssh_kerberos_ticket_cleanup %>
KerberosGetAFSToken <%= @ssh_kerberos_get_afstoken %>
KerberosUseKuserok <%= @ssh_kerberos_use_kuserok %>
<% end -%>
<% if @ssh_use_gssapi -%>
GSSAPIAuthentication <%= @ssh_gssapi_authentication %>
GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
<% end -%>
#AllowAgentForwarding <%= @ssh_allow_agent_forwarding %>
#AllowTcpForwarding <%= @ssh_allow_tcp_forwarding %>
#GatewayPorts <%= @ssh_gateway_ports %>
#X11Forwarding <%= @ssh_x11_forwarding %>
#X11DisplayOffset <%= @ssh_x11_display_offset %>
#X11UseLocalhost <%= @ssh_x11_use_localhost %>
#PermitTTY <%= @ssh_permit_tty %>
#PrintMotd <%= @ssh_print_motd %>
#PrintLastLog <%= @ssh_print_lastlog %>
#TCPKeepAlive <%= @ssh_tcp_keepalive %>
#PermitUserEnvironment <%= @ssh_permit_user_environment %>
#Compression <%= @ssh_compression %>
#ClientAliveInterval <%= @ssh_client_alive_interval %>
#ClientAliveCountMax <%= @ssh_client_alive_count_max %>
#UseDNS <%= @ssh_use_dns %>
#PidFile <%= @ssh_pid_file %>
#MaxStartups <%= @ssh_max_startups %>
#PermitTunnel <%= @ssh_permit_tunnel %>
#ChrootDirectory <%= @ssh_chroot_directory %>
#VersionAddendum <%= @ssh_version_addendum %>
#Banner <%= @ssh_banner %>