confdroid/confdroid_ssh
1
0
Fork 0
Code Issues Projects Wiki Activity

Compare commits

base: confdroid:761f071573e1e418e5edc0411583fb009c5f5a23
Branches Tags
confdroid:master
confdroid:1.0.1-04.2026 confdroid:1.0.0-04.2026
...
compare: confdroid:master
Branches Tags
confdroid:master
confdroid:1.0.1-04.2026 confdroid:1.0.0-04.2026

60 Commits
761f071573 ... master

Author SHA1 Message Date
Jenkins Server
c70ac664a5 Merge build 39 into master 2026-04-14 17:03:01 +02:00
Jenkins Server
cc7f06d876 Recommit for updates in build 39 2026-04-14 17:02:59 +02:00
Jenkins Server
04a7e544a5 Merge remote-tracking branch 'origin/master' into jenkins-build-39 2026-04-14 17:02:08 +02:00
12ww1160
af538bb0e9 OP#78 define is added and tested working 2026-04-14 17:01:44 +02:00
Jenkins Server
60d451ee2c Merge build 38 into master 2026-04-14 16:22:12 +02:00
Jenkins Server
99f37cf02c Recommit for updates in build 38 2026-04-14 16:22:11 +02:00
Jenkins Server
65c46a04c2 Merge remote-tracking branch 'origin/master' into jenkins-build-38 2026-04-14 16:21:12 +02:00
12ww1160
5508f5a51f OP#78 add define 2026-04-14 16:20:49 +02:00
Jenkins Server
d9a07271fd Merge build 37 into master 2026-04-14 13:58:23 +02:00
Jenkins Server
72d12baece Merge remote-tracking branch 'origin/master' into jenkins-build-37 2026-04-14 13:57:30 +02:00
12ww1160
1e52fd312d rewrite pipeline to reflect pushing same commits to both remotes 2026-04-14 13:57:14 +02:00
Jenkins Server
b08e59caaf Merge build 36 into master 2026-04-14 13:52:17 +02:00
Jenkins Server
249c2de187 Merge remote-tracking branch 'origin/master' into jenkins-build-36 2026-04-14 13:51:25 +02:00
12ww1160
fd214f6a7d rewrite pipeline to reflect pushing same commits to both remotes 2026-04-14 13:51:09 +02:00
12ww1160
a35060c2cf rewrite pipeline to reflect pushing same commits to both remotes 2026-04-14 13:47:17 +02:00
Jenkins
ada8bc4220 Merge branch 'jenkins-build-34' into 'master' 
Auto-merge for build 34

See merge request puppet/confdroid_ssh!34
 2026-04-14 11:34:23 +00:00
Jenkins Server
b629a265bd Recommit for updates in build 34 2026-04-14 13:34:17 +02:00
Jenkins Server
0c2658b6da Merge remote-tracking branch 'origin/master' into jenkins-build-34 2026-04-14 13:33:25 +02:00
12ww1160
893ed11ce7 OP#577 update Readme 2026-04-14 13:33:01 +02:00
Jenkins
d7c8d71d64 Merge branch 'jenkins-build-33' into 'master' 
Auto-merge for build 33

See merge request puppet/confdroid_ssh!33
 2026-04-14 11:09:48 +00:00
Jenkins Server
4d3c86cd0c Recommit for updates in build 33 2026-04-14 13:09:40 +02:00
Jenkins Server
8d123c372c Merge remote-tracking branch 'origin/master' into jenkins-build-33 2026-04-14 13:08:49 +02:00
12ww1160
8821ff73f4 OP#577 update Readme 2026-04-14 13:08:33 +02:00
Jenkins
46e8642904 Merge branch 'jenkins-build-32' into 'master' 
Auto-merge for build 32

See merge request puppet/confdroid_ssh!32
 2026-04-14 11:01:00 +00:00
Jenkins Server
6578688e1f Recommit for updates in build 32 2026-04-14 13:00:52 +02:00
Jenkins Server
cb5b517900 Merge remote-tracking branch 'origin/master' into jenkins-build-32 2026-04-14 12:59:54 +02:00
12ww1160
12d58a30f7 OP#577 update Readme 2026-04-14 12:59:37 +02:00
Jenkins
7a0a60b12b Merge branch 'jenkins-build-31' into 'master' 
Auto-merge for build 31

See merge request puppet/confdroid_ssh!31
 2026-04-14 10:48:21 +00:00
Jenkins Server
72810343ec Recommit for updates in build 31 2026-04-14 12:48:14 +02:00
Jenkins Server
eba68be525 Merge remote-tracking branch 'origin/master' into jenkins-build-31 2026-04-14 12:47:20 +02:00
12ww1160
12ca98ceca OP#577 update Readme 2026-04-14 12:46:57 +02:00
Jenkins
df02776fef Merge branch 'jenkins-build-30' into 'master' 
Auto-merge for build 30

See merge request puppet/confdroid_ssh!30
 2026-04-14 10:35:10 +00:00
Jenkins Server
e0dcf663ae Recommit for updates in build 30 2026-04-14 12:34:57 +02:00
Jenkins Server
35e8ce37da Merge remote-tracking branch 'origin/master' into jenkins-build-30 2026-04-14 12:34:04 +02:00
12ww1160
5e3db16d2c OP#575 set default for custom config to absent 2026-04-14 12:33:48 +02:00
Jenkins
2967e65743 Merge branch 'jenkins-build-29' into 'master' 
Auto-merge for build 29

See merge request puppet/confdroid_ssh!29
 2026-04-14 10:29:03 +00:00
Jenkins Server
12e800318b Recommit for updates in build 29 2026-04-14 12:28:53 +02:00
Jenkins Server
7006c54429 Merge remote-tracking branch 'origin/master' into jenkins-build-29 2026-04-14 12:27:59 +02:00
12ww1160
cfe921b42f OP#575 add option to set custom config absent or file 2026-04-14 12:27:40 +02:00
Jenkins
4e92d798b3 Merge branch 'jenkins-build-28' into 'master' 
Auto-merge for build 28

See merge request puppet/confdroid_ssh!28
 2026-04-14 10:12:31 +00:00
Jenkins Server
49fff33a8f Merge remote-tracking branch 'origin/master' into jenkins-build-28 2026-04-14 12:11:29 +02:00
12ww1160
45815fd385 OP#575 fix params 2026-04-14 12:11:11 +02:00
Jenkins
01611b4b43 Merge branch 'jenkins-build-27' into 'master' 
Auto-merge for build 27

See merge request puppet/confdroid_ssh!27
 2026-04-14 09:50:15 +00:00
Jenkins Server
5f6b9d8b99 Recommit for updates in build 27 2026-04-14 11:49:58 +02:00
Jenkins Server
a60b6a5ae6 Merge remote-tracking branch 'origin/master' into jenkins-build-27 2026-04-14 11:49:00 +02:00
12ww1160
2f7d9cc812 OP#575 fix params 2026-04-14 11:48:37 +02:00
Arne Teuke
ca0ec2bb84 Edit files.pp 2026-04-14 11:39:14 +02:00
Arne Teuke
c7e9800b5b Edit files.pp 2026-04-13 17:28:14 +02:00
Jenkins
fcd97dc6d4 Merge branch 'jenkins-build-26' into 'master' 
Auto-merge for build 26

See merge request puppet/confdroid_ssh!26
 2026-04-13 14:44:37 +00:00
Jenkins Server
3b890f83c7 Merge remote-tracking branch 'origin/master' into jenkins-build-26 2026-04-13 16:43:36 +02:00
12ww1160
738a0efbc7 OP#575 rm puppet-lint.rc 2026-04-13 16:43:10 +02:00
Jenkins
1068f97433 Merge branch 'jenkins-build-25' into 'master' 
Auto-merge for build 25

See merge request puppet/confdroid_ssh!25
 2026-04-13 14:39:41 +00:00
Jenkins Server
9a564261f7 Recommit for updates in build 25 2026-04-13 16:39:34 +02:00
Jenkins Server
417dd0e23a Merge remote-tracking branch 'origin/master' into jenkins-build-25 2026-04-13 16:38:37 +02:00
12ww1160
2bb6c5ecb8 OP#575 finish sshd config file 2026-04-13 16:38:07 +02:00
Jenkins
2c1b15e468 Merge branch 'jenkins-build-24' into 'master' 
Auto-merge for build 24

See merge request puppet/confdroid_ssh!24
 2026-04-13 13:53:16 +00:00
Jenkins Server
3dcd479229 Recommit for updates in build 24 2026-04-13 15:53:09 +02:00
Jenkins Server
3f98eee049 Merge remote-tracking branch 'origin/master' into jenkins-build-24 2026-04-13 15:52:12 +02:00
12ww1160
ceeb28aa1f OP#575 add more params 2026-04-13 15:51:49 +02:00
Jenkins
f68e688bfa Merge branch 'jenkins-build-23' into 'master' 
Auto-merge for build 23

See merge request puppet/confdroid_ssh!23
 2026-04-13 13:01:39 +00:00
18 changed files with 480 additions and 958 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -2,4 +2,5 @@
Gemfile.lock
FileList
.scannerwork
.vscode
.vscode
.puppet-lint.rc

41
Jenkinsfile vendored
View File

@@ -28,11 +28,17 @@ pipeline {
sh '''
git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com
# Ensure we're on the development branch (triggered by push)
git checkout development
# Create jenkins branch from development
git checkout -b jenkins-build-$BUILD_NUMBER
# Optionally merge master into jenkins to ensure compatibility
git fetch origin
source_branch="${gitlabSourceBranch:-${BRANCH_NAME:-${GIT_LOCAL_BRANCH:-$GIT_BRANCH}}}"
source_branch="${source_branch#origin/}"
source_branch="${source_branch#refs/heads/}"
if [ -z "$source_branch" ]; then
source_branch="development"
fi
echo "Using source branch: $source_branch"
# Create an isolated build branch from the triggering branch revision.
git checkout -B jenkins-build-$BUILD_NUMBER "origin/$source_branch"
# Merge the current master into the build branch before validation.
git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
'''
}
@@ -91,12 +97,10 @@ pipeline {
git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com
git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
git push -o merge_request.create \
-o merge_request.target=master \
-o merge_request.title="Auto-merge for build $BUILD_NUMBER" \
-o merge_request.description="Automated changes from Jenkins build $BUILD_NUMBER" \
-o merge_request.merge_when_pipeline_succeeds=true \
origin jenkins-build-$BUILD_NUMBER
git fetch origin
git checkout -B master origin/master
git merge --no-ff jenkins-build-$BUILD_NUMBER -m "Merge build $BUILD_NUMBER into master"
git push origin master
'''
}
}
@@ -108,18 +112,15 @@ pipeline {
usernameVariable: 'GITEA_USER',
passwordVariable: 'GITEA_TOKEN')]) {
script {
// Checkout from GitLab (already done implicitly)
sh '''
git fetch origin
git checkout master
git pull origin master
git branch -D development
git branch -D jenkins-build-$BUILD_NUMBER
git rm -f Jenkinsfile
git rm -r --cached .vscode || echo "No .vscode to remove from git"
git commit --amend --no-edit --allow-empty
git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git
git reset --hard origin/master
git remote get-url master >/dev/null 2>&1 \
&& git remote set-url master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git \
|| git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git
git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
push master --mirror
push --force master refs/heads/master:refs/heads/master
'''
}
}

32
README.md
View File

@@ -7,6 +7,7 @@
- [Synopsis](#synopsis)
- [WARNING](#warning)
- [Features](#features)
- [Adding custom configurations](#adding-custom-configurations)
- [Support](#support)
- [Parameter Inheritance](#parameter-inheritance)
- [Module Deployment](#module-deployment)
@@ -25,11 +26,34 @@
## Features
- install required binaries
- manage local custom configuration based on parameters, overriding the defaults
- manage selinux rules
- manage required files and directories including selinux context
- manage service
- (optional) manage firewall
## Adding custom configurations
Custom configuration files live in `/etc/ssh/sshd_config.d/`. IN order to create a custom config file, add a stanza like this in your control repo:
```puppet
confdroid_ssh::custom::custom_config { '30-my-custom-rule':
config_name => '30-custom-rule',
config_content => ['PasswordAuthentication no'],
}
```
This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:
```puppet
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. Update the Puppet define input instead. #
###############################################################################
PasswordAuthentication no
```
Note that the value for config_content **has to be an array**, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.
## Support
- Rocky 9 (Any RHEL 9 based OS should work but has not been tested)
@@ -41,7 +65,7 @@ All parameters are listed in `params.pp` and inherited from there. Variable par
## Module Deployment
ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it.
Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it.
## Tests

24
doc/_index.html
View File

@@ -122,6 +122,30 @@
<h2>Defined Type Listing A-Z</h2>
<table>
<tr>
<td valign='top' width="33%">
<ul id="alpha_C" class="alpha">
<li class="letter">C</li>
<ul>
<li>
<span class='object_link'><a href="puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html" title="puppet_defined_types::confdroid_ssh::custom::custom_config (puppet_defined_type)">confdroid_ssh::custom::custom_config</a></span>
</li>
</ul>
</ul>
</td>
</tr>
</table>

30
doc/file.README.html
View File

@@ -70,6 +70,8 @@
</li><li>
<p><a href="#features">Features</a></p>
</li><li>
<p><a href="#adding-custom-configurations">Adding custom configurations</a></p>
</li><li>
<p><a href="#support">Support</a></p>
</li><li>
<p><a href="#parameter-inheritance">Parameter Inheritance</a></p>
@@ -97,15 +99,35 @@
<ul><li>
<p>install required binaries</p>
</li><li>
<p>manage local custom configuration based on parameters, overriding the defaults</p>
</li><li>
<p>manage selinux rules</p>
<p>manage required files and directories including selinux context</p>
</li><li>
<p>manage service</p>
</li><li>
<p>(optional) manage firewall</p>
</li></ul>
<h2 id="label-Adding+custom+configurations">Adding custom configurations</h2>
<p>Custom configuration files live in <code>/etc/ssh/sshd_config.d/</code>. IN order to create a custom config file, add a stanza like this in your control repo:</p>
<pre class="code ruby"><code class="ruby">confdroid_ssh::custom::custom_config { &#39;30-my-custom-rule&#39;:
config_name =&gt; &#39;30-custom-rule&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],
}
</code></pre>
<p>This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:</p>
<pre class="code ruby"><code class="ruby"><span class='comment'>###############################################################################
</span><span class='comment'>##### DO NOT EDIT THIS FILE MANUALLY #
</span><span class='comment'>##### This file is managed by Puppet. Any changes to this file will be #
</span><span class='comment'>##### overwritten. Update the Puppet define input instead. #
</span><span class='comment'>###############################################################################
</span><span class='const'>PasswordAuthentication</span> <span class='id identifier rubyid_no'>no</span>
</code></pre>
<p>Note that the value for config_content <strong>has to be an array</strong>, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.</p>
<h2 id="label-Support">Support</h2>
<ul><li>
<p>Rocky 9 (Any RHEL 9 based OS should work but has not been tested)</p>
@@ -119,7 +141,7 @@
<h2 id="label-Module+Deployment">Module Deployment</h2>
<p>ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
<p>Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
<h2 id="label-Tests">Tests</h2>
<ul><li>

30
doc/index.html
View File

@@ -70,6 +70,8 @@
</li><li>
<p><a href="#features">Features</a></p>
</li><li>
<p><a href="#adding-custom-configurations">Adding custom configurations</a></p>
</li><li>
<p><a href="#support">Support</a></p>
</li><li>
<p><a href="#parameter-inheritance">Parameter Inheritance</a></p>
@@ -97,15 +99,35 @@
<ul><li>
<p>install required binaries</p>
</li><li>
<p>manage local custom configuration based on parameters, overriding the defaults</p>
</li><li>
<p>manage selinux rules</p>
<p>manage required files and directories including selinux context</p>
</li><li>
<p>manage service</p>
</li><li>
<p>(optional) manage firewall</p>
</li></ul>
<h2 id="label-Adding+custom+configurations">Adding custom configurations</h2>
<p>Custom configuration files live in <code>/etc/ssh/sshd_config.d/</code>. IN order to create a custom config file, add a stanza like this in your control repo:</p>
<pre class="code ruby"><code class="ruby">confdroid_ssh::custom::custom_config { &#39;30-my-custom-rule&#39;:
config_name =&gt; &#39;30-custom-rule&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],
}
</code></pre>
<p>This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:</p>
<pre class="code ruby"><code class="ruby"><span class='comment'>###############################################################################
</span><span class='comment'>##### DO NOT EDIT THIS FILE MANUALLY #
</span><span class='comment'>##### This file is managed by Puppet. Any changes to this file will be #
</span><span class='comment'>##### overwritten. Update the Puppet define input instead. #
</span><span class='comment'>###############################################################################
</span><span class='const'>PasswordAuthentication</span> <span class='id identifier rubyid_no'>no</span>
</code></pre>
<p>Note that the value for config_content <strong>has to be an array</strong>, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.</p>
<h2 id="label-Support">Support</h2>
<ul><li>
<p>Rocky 9 (Any RHEL 9 based OS should work but has not been tested)</p>
@@ -119,7 +141,7 @@
<h2 id="label-Module+Deployment">Module Deployment</h2>
<p>ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
<p>Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
<h2 id="label-Tests">Tests</h2>
<ul><li>

4
doc/puppet_class_list.html
View File

@@ -28,6 +28,10 @@
Puppet Classes
</a></span>
<span><a target="_self" href="puppet_defined_type_list.html">
Defined Types
</a></span>
</div>
<div id="search">Search: <input type="text" /></div>

4
doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Adirs.html
View File

@@ -141,7 +141,7 @@ class confdroid_ssh::main::dirs (
path =&gt; $ssh_etc_path,
owner =&gt; $sshd_user,
group =&gt; $sshd_user,
mode =&gt; &#39;0700&#39;,
mode =&gt; &#39;0755&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,
@@ -152,7 +152,7 @@ class confdroid_ssh::main::dirs (
ensure =&gt; directory,
owner =&gt; $sshd_user,
group =&gt; $sshd_user,
mode =&gt; &#39;0700&#39;,
mode =&gt; &#39;0755&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,

48
doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Afiles.html
View File

@@ -118,30 +118,7 @@
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46</pre>
23</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -163,29 +140,6 @@ class confdroid_ssh::main::files (
content =&gt; template($sshd_config_erb),
notify =&gt; Service[$sshd_service],
}
if $ssh_manage_config {
file { $sshd_custom_conf:
ensure =&gt; file,
path =&gt; $sshd_custom_conf,
owner =&gt; $sshd_user,
group =&gt; $sshd_user,
mode =&gt; &#39;0640&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,
seluser =&gt; system_u,
content =&gt; template($sshd_custom_erb),
notify =&gt; Service[$sshd_service],
}
# we want the default root login setting to be managed by the custom conf,
# so we remove the default file if it exists
file { $sshd_root_login_file:
ensure =&gt; absent,
path =&gt; $sshd_root_login_file,
notify =&gt; Service[$sshd_service],
}
}
}</pre>
</td>
</tr>

710
doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
View File

@@ -214,582 +214,6 @@
&mdash;
<div class='inline'>
<p>source range for firewall rule</p>
</div>
</li>
<li>
<span class='name'>ssh_manage_config</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>true</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to manage the configuration</p>
</div>
</li>
<li>
<span class='name'>ssh_address_family</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;any&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AddressFamily setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_listen_address</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;0.0.0.0&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>ListenAddress setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_root_login</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;prohibit-password&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>PermitRootLogin setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_strict_modes</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>StrictModes setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_max_auth_tries</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;6&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>MaxAuthTries setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_max_sessions</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;10&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>MaxSessions setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_pubkey_auth</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>PubkeyAuthentication setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_auth_key_files</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;.ssh/authorized_keys&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedKeysFile setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_authorized_principals_file</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedPrincipalsFile setting for sshd_config. Default is none to disable this setting.</p>
</div>
</li>
<li>
<span class='name'>ssh_authorized_keys_command</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedKeysCommand setting for sshd_config. Default is none to disable this setting.</p>
</div>
</li>
<li>
<span class='name'>ssh_authorized_keys_command_user</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;nobody&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedKeysCommandUser setting for sshd_config. Default is nobody to use an unpriviledged user.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_specific_hostkey</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to use a specific host key</p>
</div>
</li>
<li>
<span class='name'>ssh_hostkey_type</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;rsa&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>type of host key to use if ssh_use_specific_hostkey is true</p>
</div>
</li>
<li>
<span class='name'>ssh_rekeylimit</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;default none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>RekeyLimit setting for sshd_config. Default is default none.</p>
</div>
</li>
<li>
<span class='name'>ssh_syslog_facility</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;AUTH&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>SyslogFacility setting for sshd_config. Default is AUTH.</p>
</div>
</li>
<li>
<span class='name'>ssh_log_level</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;INFO&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>LogLevel setting for sshd_config. Default is INFO.</p>
</div>
</li>
<li>
<span class='name'>ssh_password_authentication</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>PasswordAuthentication setting for sshd_config. Default is no, which requires key-based authentication. This is a recommended security setting, so passwords do not show up in logs, but can be set to yes if password authentication is desired.</p>
</div>
</li>
<li>
<span class='name'>ssh_permit_empty_passwords</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>PermitEmptyPasswords setting for sshd_config. Default is no, which is a recommended security setting and works in connection with key-based authentication, but can be set to yes if password authentication should be allowed and empty passwords should be allowed. Again, this should be used with caution if enabled.</p>
</div>
</li>
<li>
<span class='name'>ssh_kbd_interactive_auth</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no, which is a recommended security setting together with password authentication, but can be set to yes if keyboard-interactive authentication should be allowed. (not recommended)</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_authentication</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. Kerberos authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to yes if desired.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_or_local_passwd</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to allow local password authentication as a fallback if Kerberos authentication fails, but can be set to no if you want to only allow Kerberos authentication.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_ticket_cleanup</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to enable ticket cleanup, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_get_afstoken</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to enable AFS token retrieval, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_use_kuserok</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to enable userok with Kerberos, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_kerberos</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to use Kerberos authentication. If true, the relevant Kerberos settings will be included in the sshd_config, otherwise they will be ignored.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_gssapi</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to use GSSAPI authentication. If true, GSSAPI authentication will be enabled in sshd_config, otherwise it will be disabled. GSSAPI authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to true if desired.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_authentication</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSS authentication, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_cleanup_credentials</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSS credential cleanup, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_key_exchange</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSS key exchange.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_enablek5users</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSSAPI for k5users.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_pam</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. PAM is not commonly used for SSH authentication and can introduce security risks if not configured properly, so it is disabled by default. Thi setting is related to PasswordAuthentication and KbdInteractiveAuthentication, and should be set to yes only if you want to use PAM for authentication together with those settings.</p>
</div>
</li>
@@ -805,75 +229,39 @@
<pre class="lines">
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164</pre>
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 99</span>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 13</span>
class confdroid_ssh::params (
@@ -886,40 +274,6 @@ class confdroid_ssh::params (
String $ssh_fw_order = &#39;50&#39;,
String $ssh_source_range = &#39;0.0.0.0/0&#39;,
# sshd configuration
Boolean $ssh_manage_config = true,
String $ssh_address_family = &#39;any&#39;,
String $ssh_listen_address = &#39;0.0.0.0&#39;,
String $ssh_root_login = &#39;prohibit-password&#39;,
String $ssh_strict_modes = &#39;yes&#39;,
String $ssh_max_auth_tries = &#39;6&#39;,
String $ssh_max_sessions = &#39;10&#39;,
String $ssh_pubkey_auth = &#39;yes&#39;,
String $ssh_auth_key_files = &#39;.ssh/authorized_keys&#39;,
String $ssh_authorized_principals_file = &#39;none&#39;,
String $ssh_authorized_keys_command = &#39;none&#39;,
String $ssh_authorized_keys_command_user = &#39;nobody&#39;,
Boolean $ssh_use_specific_hostkey = false,
String $ssh_hostkey_type = &#39;rsa&#39;,
String $ssh_rekeylimit = &#39;default none&#39;,
String $ssh_syslog_facility = &#39;AUTH&#39;,
String $ssh_log_level = &#39;INFO&#39;,
String $ssh_password_authentication = &#39;no&#39;,
String $ssh_permit_empty_passwords = &#39;no&#39;,
String $ssh_kbd_interactive_auth = &#39;no&#39;,
Boolean $ssh_use_kerberos = false,
String $ssh_kerberos_authentication = &#39;yes&#39;,
String $ssh_kerberos_or_local_passwd = &#39;yes&#39;,
String $ssh_kerberos_ticket_cleanup = &#39;yes&#39;,
String $ssh_kerberos_get_afstoken = &#39;no&#39;,
String $ssh_kerberos_use_kuserok = &#39;yes&#39;,
Boolean $ssh_use_gssapi = false,
String $ssh_gssapi_authentication = &#39;yes&#39;,
String $ssh_gssapi_cleanup_credentials = &#39;yes&#39;,
String $ssh_gssapi_key_exchange = &#39;no&#39;,
String $ssh_gssapi_enablek5users = &#39;no&#39;,
String $ssh_use_pam = &#39;no&#39;,
) {
# default facts
$fqdn = $facts[&#39;networking&#39;][&#39;fqdn&#39;]
@@ -933,8 +287,6 @@ class confdroid_ssh::params (
$sshd_service = &#39;sshd&#39;
$sshd_config_path = &quot;${ssh_etc_path}/sshd_config&quot;
$sshd_custom_path = &quot;${ssh_etc_path}/sshd_config.d&quot;
$sshd_custom_conf = &quot;${sshd_custom_path}/10-custom.conf&quot;
$sshd_custom_erb = &#39;confdroid_ssh/sshd_custom_conf.erb&#39;
$sshd_config_erb = &#39;confdroid_ssh/sshd_config.erb&#39;
$sshd_root_login_file = &quot;${sshd_custom_path}/01-permitrootlogin.conf&quot;

54
doc/puppet_defined_type_list.html Normal file
View File

@@ -0,0 +1,54 @@
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8" />
<link rel="stylesheet" href="css/full_list.css" type="text/css" media="screen" />
<link rel="stylesheet" href="css/common.css" type="text/css" media="screen" />
<script type="text/javascript" charset="utf-8" src="js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="js/full_list.js"></script>
<title>Defined Type List</title>
<base id="base_target" target="_parent" />
</head>
<body>
<div id="content">
<div class="fixed_header">
<h1 id="full_list_header">Defined Type List</h1>
<div id="full_list_nav">
<span><a target="_self" href="puppet_class_list.html">
Puppet Classes
</a></span>
<span><a target="_self" href="puppet_defined_type_list.html">
Defined Types
</a></span>
</div>
<div id="search">Search: <input type="text" /></div>
</div>
<ul id="full_list" class="puppet_defined_type">
<li id="object_puppet_defined_types::confdroid_ssh::custom::custom_config" class="odd">
<div class="item">
<span class='object_link'><a href="puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html" title="puppet_defined_types::confdroid_ssh::custom::custom_config (puppet_defined_type)">confdroid_ssh::custom::custom_config</a></span>
</div>
</li>
</ul>
</div>
</body>
</html>

209
doc/puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html Normal file
View File

@@ -0,0 +1,209 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Defined Type: confdroid_ssh::custom::custom_config
&mdash; Documentation by YARD 0.9.36
</title>
<link rel="stylesheet" href="../css/style.css" type="text/css" />
<link rel="stylesheet" href="../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "puppet_defined_types::confdroid_ssh::custom::custom_config";
relpath = '../';
</script>
<script type="text/javascript" charset="utf-8" src="../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../puppet_defined_type_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../_index.html">Index (c)</a> &raquo;
<span class='title'><span class='object_link'>Defined Types</span></span>
&raquo;
<span class="title">confdroid_ssh::custom::custom_config</span>
</div>
<div id="search">
<a class="full_list_link" id="puppet_class_list_link"
href="../puppet_class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Defined Type: confdroid_ssh::custom::custom_config</h1>
<div class="box_info">
<dl>
<dt>Defined in:</dt>
<dd>
manifests/custom/custom_config.pp
</dd>
</dl>
</div>
<h2>Summary</h2>
Class manages custom configurations for SSH
<h2>Overview</h2>
<div class="docstring">
<div class="discussion">
<p>confdroid_ssh::custom::custom_config.pp Module name: confdroid_ssh Author: 12ww1160 (12ww1160@confdroid.com) } this will create a file called /etc/ssh/sshd_config.d/50-test.conf with the content: PasswordAuthentication no and notify the sshd service to reload the configuration</p>
</div>
</div>
<div class="tags">
<div class="examples">
<p class="tag_title">Examples:</p>
<pre class="example code"><code>confdroid_ssh::custom::custom_config { &#39;50-test&#39;:
config_name =&gt; &#39;50-test&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],</code></pre>
</div>
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>config_name</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>name of the custom configuration file (without .conf extension)</p>
</div>
</li>
<li>
<span class='name'>config_content</span>
<span class='type'>(<tt>Array[String]</tt>)</span>
&mdash;
<div class='inline'>
<p>array of configuration lines to include in the custom config</p>
</div>
</li>
</ul>
</div><div class="method_details_list">
<table class="source_code">
<tr>
<td>
<pre class="lines">
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/custom/custom_config.pp', line 17</span>
define confdroid_ssh::custom::custom_config (
String $config_name,
Array[String] $config_content,
) {
$sshd_custom_path = $confdroid_ssh::params::sshd_custom_path
$sshd_service = $confdroid_ssh::params::sshd_service
$custom_config_erb = &#39;confdroid_ssh/custom_config.erb&#39;
$config_basename = regsubst($config_name, &#39;\\.conf$&#39;, &#39;&#39;)
$config_file = &quot;${config_name}.conf&quot;
file { &quot;${sshd_custom_path}/${config_file}&quot;:
ensure =&gt; file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0600&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,
seluser =&gt; system_u,
content =&gt; template($custom_config_erb),
notify =&gt; Service[$sshd_service],
}
}</pre>
</td>
</tr>
</table>
</div>
</div>
<div id="footer">
Generated by <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>.
</div>
</div>
</body>
</html>

41
manifests/custom/custom_config.pp Normal file
View File

@@ -0,0 +1,41 @@
## confdroid_ssh::custom::custom_config.pp
# Module name: confdroid_ssh
# Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class manages custom configurations for SSH
# @param [String] config_name name of the custom configuration file
# (without .conf extension)
# @param [Array[String]] config_content array of configuration lines to
# include in the custom config
# @example
# confdroid_ssh::custom::custom_config { '50-test':
# config_name => '50-test',
# config_content => ['PasswordAuthentication no'],
# }
# this will create a file called /etc/ssh/sshd_config.d/50-test.conf with the content:
# PasswordAuthentication no and notify the sshd service to reload the configuration
##############################################################################
define confdroid_ssh::custom::custom_config (
String $config_name,
Array[String] $config_content,
) {
$sshd_custom_path = $confdroid_ssh::params::sshd_custom_path
$sshd_service = $confdroid_ssh::params::sshd_service
$custom_config_erb = 'confdroid_ssh/custom_config.erb'
$config_basename = regsubst($config_name, '\\.conf$', '')
$config_file = "${config_name}.conf"
file { "${sshd_custom_path}/${config_file}":
ensure => file,
owner => 'root',
group => 'root',
mode => '0600',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template($custom_config_erb),
notify => Service[$sshd_service],
}
}

4
manifests/main/dirs.pp
View File

@@ -12,7 +12,7 @@ class confdroid_ssh::main::dirs (
path => $ssh_etc_path,
owner => $sshd_user,
group => $sshd_user,
mode => '0700',
mode => '0755',
selrange => s0,
selrole => object_r,
seltype => etc_t,
@@ -23,7 +23,7 @@ class confdroid_ssh::main::dirs (
ensure => directory,
owner => $sshd_user,
group => $sshd_user,
mode => '0700',
mode => '0755',
selrange => s0,
selrole => object_r,
seltype => etc_t,

23
manifests/main/files.pp
View File

@@ -20,27 +20,4 @@ class confdroid_ssh::main::files (
content => template($sshd_config_erb),
notify => Service[$sshd_service],
}
if $ssh_manage_config {
file { $sshd_custom_conf:
ensure => file,
path => $sshd_custom_conf,
owner => $sshd_user,
group => $sshd_user,
mode => '0640',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template($sshd_custom_erb),
notify => Service[$sshd_service],
}
# we want the default root login setting to be managed by the custom conf,
# so we remove the default file if it exists
file { $sshd_root_login_file:
ensure => absent,
path => $sshd_root_login_file,
notify => Service[$sshd_service],
}
}
}

124
manifests/params.pp
View File

@@ -9,93 +9,7 @@
# @param [String] ssh_fw_port port to use for SSHD and in fw
# @param [String] ssh_fw_order order of firewall rule
# @param [String] ssh_source_range source range for firewall rule
# @param [Boolean] ssh_manage_config whether to manage the configuration
# @param [String] ssh_address_family AddressFamily setting for sshd_config
# @param [String] ssh_listen_address ListenAddress setting for sshd_config
# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
# @param [String] ssh_strict_modes StrictModes setting for sshd_config
# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
# @param [String] ssh_max_sessions MaxSessions setting for sshd_config
# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile
# setting for sshd_config. Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config.
# Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
# Default is 'nobody' to use an unpriviledged user.
# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
# @param [String] ssh_hostkey_type type of host key to use if
# ssh_use_specific_hostkey is true
# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config.
# Default is 'default none'.
# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.
# Default is 'AUTH'.
# @param [String] ssh_log_level LogLevel setting for sshd_config.
# Default is 'INFO'.
# @param [String] ssh_password_authentication PasswordAuthentication setting
# for sshd_config. Default is 'no', which requires key-based authentication.
# This is a recommended security setting, so passwords do not show up in logs,
# but can be set to 'yes' if password authentication is desired.
# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting
# for sshd_config. Default is 'no', which is a recommended security setting
# and works in connection with key-based authentication, but can be set
# to 'yes' if password authentication should be allowed and empty passwords
# should be allowed. Again, this should be used with caution if enabled.
# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
# Default is 'no', which is a recommended security setting together
# with password authentication, but can be set to 'yes' if
# keyboard-interactive authentication should be allowed. (not recommended)
# @param [String] ssh_kerberos_authentication setting for sshd_config.
# Default is 'no'. Kerberos authentication is not commonly used and
# requires a lot of other settings, so it is disabled by default, but can be
# set to 'yes' if desired.
# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication is
# enabled, and should be set to 'yes' if you want to allow local password
# authentication as a fallback if Kerberos authentication fails, but can be
# set to 'no' if you want to only allow Kerberos authentication.
# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable userok with
# Kerberos, but can be set to 'no' if you want to disable it.
# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
# If true, the relevant Kerberos settings will be included in the sshd_config,
# otherwise they will be ignored.
# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
# will be disabled. GSSAPI authentication is not commonly used and requires
# a lot of other settings, so it is disabled by default, but can be set to
# true if desired.
# @param [String] ssh_gssapi_authentication setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS authentication,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS credential
# cleanup, but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS key exchange.
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
# commonly used for SSH authentication and can introduce security risks if
# not configured properly, so it is disabled by default. Thi setting is
# related to PasswordAuthentication and KbdInteractiveAuthentication, and
# should be set to 'yes' only if you want to use PAM for authentication
# together with those settings.
##############################################################################
###############################################################################
class confdroid_ssh::params (
Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],
@@ -107,40 +21,6 @@ class confdroid_ssh::params (
String $ssh_fw_order = '50',
String $ssh_source_range = '0.0.0.0/0',
# sshd configuration
Boolean $ssh_manage_config = true,
String $ssh_address_family = 'any',
String $ssh_listen_address = '0.0.0.0',
String $ssh_root_login = 'prohibit-password',
String $ssh_strict_modes = 'yes',
String $ssh_max_auth_tries = '6',
String $ssh_max_sessions = '10',
String $ssh_pubkey_auth = 'yes',
String $ssh_auth_key_files = '.ssh/authorized_keys',
String $ssh_authorized_principals_file = 'none',
String $ssh_authorized_keys_command = 'none',
String $ssh_authorized_keys_command_user = 'nobody',
Boolean $ssh_use_specific_hostkey = false,
String $ssh_hostkey_type = 'rsa',
String $ssh_rekeylimit = 'default none',
String $ssh_syslog_facility = 'AUTH',
String $ssh_log_level = 'INFO',
String $ssh_password_authentication = 'no',
String $ssh_permit_empty_passwords = 'no',
String $ssh_kbd_interactive_auth = 'no',
Boolean $ssh_use_kerberos = false,
String $ssh_kerberos_authentication = 'yes',
String $ssh_kerberos_or_local_passwd = 'yes',
String $ssh_kerberos_ticket_cleanup = 'yes',
String $ssh_kerberos_get_afstoken = 'no',
String $ssh_kerberos_use_kuserok = 'yes',
Boolean $ssh_use_gssapi = false,
String $ssh_gssapi_authentication = 'yes',
String $ssh_gssapi_cleanup_credentials = 'yes',
String $ssh_gssapi_key_exchange = 'no',
String $ssh_gssapi_enablek5users = 'no',
String $ssh_use_pam = 'no',
) {
# default facts
$fqdn = $facts['networking']['fqdn']
@@ -154,8 +34,6 @@ class confdroid_ssh::params (
$sshd_service = 'sshd'
$sshd_config_path = "${ssh_etc_path}/sshd_config"
$sshd_custom_path = "${ssh_etc_path}/sshd_config.d"
$sshd_custom_conf = "${sshd_custom_path}/10-custom.conf"
$sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb'
$sshd_config_erb = 'confdroid_ssh/sshd_config.erb'
$sshd_root_login_file = "${sshd_custom_path}/01-permitrootlogin.conf"

8
templates/custom_config.erb Normal file
View File

@@ -0,0 +1,8 @@
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. Update the Puppet define input instead. #
###############################################################################
<% @config_content.each do |config_line| -%>
<%= config_line %>
<% end -%>

49
templates/sshd_custom_conf.erb
View File

@@ -1,49 +0,0 @@
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. The file is built via parameters, so any changes should #
##### be made in the Puppet manifest parameters. #
###############################################################################
Port <%= @ssh_fw_port %>
AddressFamily <%= @ssh_address_family %>
ListenAddress <%= @ssh_listen_address %>
<% if @ssh_use_specific_hostkey -%>
HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
<% end -%>
RekeyLimit <%= @ssh_rekeylimit %>
SyslogFacility <%= @ssh_syslog_facility %>
LogLevel <%= @ssh_log_level %>
PermitRootLogin <%= @ssh_root_login %>
StrictModes <%= @ssh_strict_modes %>
MaxAuthTries <%= @ssh_max_auth_tries %>
MaxSessions <%= @ssh_max_sessions %>
PubkeyAuthentication <%= @ssh_pubkey_auth %>
AuthorizedKeysFile <%= @ssh_auth_key_files %>
AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
PasswordAuthentication <%= @ssh_password_authentication %>
PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
UsePAM <%= @ssh_use_pam %>
<% if @ssh_use_kerberos -%>
KerberosAuthentication <%= @ssh_kerberos_authentication %>
KerberosOrLocalPasswd <%= @ssh_kerberos_or_local_passwd %>
KerberosTicketCleanup <%= @ssh_kerberos_ticket_cleanup %>
KerberosGetAFSToken <%= @ssh_kerberos_get_afstoken %>
KerberosUseKuserok <%= @ssh_kerberos_use_kuserok %>
<% end -%>
<% if @ssh_use_gssapi -%>
GSSAPIAuthentication <%= @ssh_gssapi_authentication %>
GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
<% end -%>