OP#575 finish sshd config file

.gitignore

@@ -1,39 +1,5 @@
-.git/
-.*.sw[op]
-.metadata
 .yardoc
-.yardwarns
+Gemfile.lock
+FileList
 .scannerwork
-*.iml
-/.bundle/
-/.idea/
-/.vagrant/
-/coverage/
-/bin/
-/doc/
-/Gemfile.local
-/Gemfile.lock
-/junit/
-/log/
-/pkg/
-/spec/fixtures/manifests/
-/spec/fixtures/modules/*
-/tmp/
-/vendor/
-/.vendor/
-/convert_report.txt
-/update_report.txt
-.DS_Store
-.project
-.envrc
-/inventory.yaml
-/spec/fixtures/litmus_inventory.yaml
-.resource_types
-.modules
-.task_cache.json
-.plan_cache.json
-.rerun.json
-bolt-debug.log
-.vscode
-.puppet-lint.rc
-.rspec
+.vscode

.puppet-lint.rc

@@ -0,0 +1,3 @@
+--no-variable_scope-check
+--no-top_scope_facts
+--no-140chars-check

Jenkinsfile

@@ -0,0 +1,129 @@
+pipeline {
+    agent {
+      label 'puppet'
+    }
+
+    post {
+        always {
+            deleteDir() /* clean up our workspace */
+        }
+        success {
+            updateGitlabCommitStatus state: 'success'
+        }
+        failure {
+            updateGitlabCommitStatus state: 'failed'
+            step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
+        }
+    }
+
+    options {
+          gitLabConnection('gitlab.confdroid.com')
+    }
+
+    stages {
+
+      stage('pull master') {
+        steps {
+          sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
+            sh '''
+                git config user.name "Jenkins Server"
+                git config user.email jenkins@confdroid.com
+                # Ensure we're on the development branch (triggered by push)
+                git checkout development
+                # Create jenkins branch from development
+                git checkout -b jenkins-build-$BUILD_NUMBER
+                # Optionally merge master into jenkins to ensure compatibility
+                git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
+            '''
+        }
+      }
+    }
+
+      stage('puppet parser') {
+        steps {
+          sh '''for file in $(find . -iname \'*.pp\'); do
+            /opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
+            done;'''
+          }
+        }
+
+      stage('check templates') {
+        steps{
+          sh '''for file in $(find . -iname \'*.erb\');
+            do erb -P -x -T "-" $file | ruby -c || exit 1;
+            done;'''
+        }
+      }
+
+      stage('puppet-lint') {
+        steps {
+          sh '''/usr/local/bin/puppet-lint . \\
+                --no-variable_scope-check \\
+                || { echo "Puppet lint failed"; exit 1; }
+            '''
+          }
+        }
+
+      stage('SonarScan') {
+         steps {
+            withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
+              sh '''
+              /opt/sonar-scanner/bin/sonar-scanner \
+                -Dsonar.projectKey=confdroid_ssh \
+                -Dsonar.sources=. \
+                -Dsonar.host.url=https://sonarqube.confdroid.com \
+                -Dsonar.token=$SONAR_TOKEN
+                '''
+              }
+            }
+          }
+
+      stage('create Puppet documentation') {
+        steps {
+          sh '/opt/puppetlabs/bin/puppet strings'
+        }
+      }
+
+      stage('update repo') {
+        steps {
+          sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
+            sh '''
+                git config user.name "Jenkins Server"
+                git config user.email jenkins@confdroid.com
+                git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
+                git push -o merge_request.create \
+                         -o merge_request.target=master \
+                         -o merge_request.title="Auto-merge for build $BUILD_NUMBER" \
+                         -o merge_request.description="Automated changes from Jenkins build $BUILD_NUMBER" \
+                         -o merge_request.merge_when_pipeline_succeeds=true \
+                         origin jenkins-build-$BUILD_NUMBER
+            '''
+        }
+      }
+    }
+      stage('Mirror to Gitea') {
+        steps {
+          withCredentials([usernamePassword(
+            credentialsId: 'Jenkins-gitea',
+            usernameVariable: 'GITEA_USER',
+            passwordVariable: 'GITEA_TOKEN')]) {
+            script {
+              // Checkout from GitLab (already done implicitly)
+                sh '''
+                  git checkout master
+                  git pull origin master
+                  git branch -D development
+                  git branch -D jenkins-build-$BUILD_NUMBER
+                  git rm -f Jenkinsfile
+                  git rm -r --cached .vscode || echo "No .vscode to remove from git"
+                  git commit --amend --no-edit --allow-empty
+                  git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git
+                  git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
+                  push master --mirror
+                  '''
+          }
+        }
+      }
+    }
+  }
+}

README.md

@@ -1,6 +1,7 @@
 # Readme
 
 [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_ssh&style=plastic)](https://jenkins.confdroid.com/job/confdroid_ssh/)
+[![Security Hotspots](https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_ssh&metric=security_hotspots&token=sqb_8c77823906f10af2e4f8fcf24c467fe9dc500dba)](https://sonarqube.confdroid.com/dashboard?id=confdroid_ssh)
 
 - [Readme](#readme)
   - [Synopsis](#synopsis)
@@ -25,6 +26,7 @@
 
 - install required binaries
 - manage local custom configuration based on parameters, overriding the defaults
+- manage selinux rules
 - manage service
 - (optional) manage firewall
   

manifests/firewall/iptables.pp

@@ -6,13 +6,11 @@
 class confdroid_ssh::firewall::iptables (
 
 ) inherits confdroid_ssh::params {
-  if $ssh_use_firewall {
-    firewall { "${ssh_fw_order}${ssh_fw_port} allow SSH on port ${ssh_fw_port}":
-      ensure => 'present',
-      proto  => 'tcp',
-      source => $ssh_source_range,
-      dport  => $ssh_fw_port,
-      jump   => 'accept',
-    }
+  firewall { "${ssh_fw_order}${ssh_fw_port} allow SSH on port ${ssh_fw_port}":
+    ensure => $ssh_fw_rule,
+    proto  => 'tcp',
+    source => $ssh_source_range,
+    dport  => $ssh_fw_port,
+    jump   => 'accept',
   }
 }

manifests/main/config.pp

@@ -5,5 +5,6 @@
 ##############################################################################
 class confdroid_ssh::main::config (
 ) inherits confdroid_ssh::params {
+  require confdroid_selinux
   include confdroid_ssh::main::service
 }

manifests/main/dirs.pp

@@ -12,7 +12,7 @@ class confdroid_ssh::main::dirs (
     path     => $ssh_etc_path,
     owner    => $sshd_user,
     group    => $sshd_user,
-    mode     => '0755',
+    mode     => '0700',
     selrange => s0,
     selrole  => object_r,
     seltype  => etc_t,
@@ -23,7 +23,7 @@ class confdroid_ssh::main::dirs (
     ensure   => directory,
     owner    => $sshd_user,
     group    => $sshd_user,
-    mode     => '0755',
+    mode     => '0700',
     selrange => s0,
     selrole  => object_r,
     seltype  => etc_t,

manifests/main/files.pp

@@ -18,6 +18,7 @@ class confdroid_ssh::main::files (
     seltype  => etc_t,
     seluser  => system_u,
     content  => template($sshd_config_erb),
+    notify   => Service[$sshd_service],
   }
 
   if $ssh_manage_config {
@@ -26,12 +27,20 @@ class confdroid_ssh::main::files (
       path     => $sshd_custom_conf,
       owner    => $sshd_user,
       group    => $sshd_user,
-      mode     => '0755',
+      mode     => '0640',
       selrange => s0,
       selrole  => object_r,
       seltype  => etc_t,
       seluser  => system_u,
       content  => template($sshd_custom_erb),
+      notify   => Service[$sshd_service],
+    }
+    # we want the default root login setting to be managed by the custom conf, 
+    # so we remove the default file if it exists
+    file { $sshd_root_login_file:
+      ensure => absent,
+      path   => $sshd_root_login_file,
+      notify => Service[$sshd_service],
     }
   }
 }

manifests/main/service.pp

@@ -6,9 +6,8 @@
 class confdroid_ssh::main::service (
 ) inherits confdroid_ssh::params {
   require confdroid_ssh::main::files
-  if $ssh_use_firewall {
-    require confdroid_ssh::firewall::iptables
-  }
+  require confdroid_ssh::selinux::semanage
+  require confdroid_ssh::firewall::iptables
 
   service { $sshd_service:
     ensure     => running,

manifests/params.pp

@@ -4,25 +4,258 @@
 # @summary Class contains all class parameters for confdroid_ssh
 # @param [Array] ssh_reqpackages packages to install
 # @param [String] pkg_ensure version to install: 'present' or 'latest'
-# @param [Boolean] ssh_use_firewall whether to manage firewall settings
+# @param [String] ssh_fw_rule whether set the fw rule to 
+#   present or absent.
 # @param [String] ssh_fw_port port to use for SSHD and in fw
 # @param [String] ssh_fw_order order of firewall rule
 # @param [String] ssh_source_range source range for firewall rule
 # @param [Boolean] ssh_manage_config whether to manage the configuration
+# @param [String] ssh_address_family AddressFamily setting for sshd_config
+# @param [String] ssh_listen_address ListenAddress setting for sshd_config
+# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
+# @param [String] ssh_strict_modes StrictModes setting for sshd_config
+# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
+# @param [String] ssh_max_sessions MaxSessions setting for sshd_config
+# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
+# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
+# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile 
+#   setting for sshd_config. Default is 'none' to disable this setting.
+# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config. 
+#   Default is 'none' to disable this setting.
+# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
+#   Default is 'nobody' to use an unpriviledged user.
+# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
+# @param [String] ssh_hostkey_type type of host key to use if 
+#   ssh_use_specific_hostkey is true
+# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config. 
+#   Default is 'default none'.
+# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.
+#   Default is 'AUTH'.
+# @param [String] ssh_log_level LogLevel setting for sshd_config.
+#   Default is 'INFO'.
+# @param [String] ssh_password_authentication PasswordAuthentication setting 
+#   for sshd_config. Default is 'no', which requires key-based authentication.
+#   This is a recommended security setting, so passwords do not show up in logs, 
+#   but can be set to 'yes' if password authentication is desired.
+# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting 
+#   for sshd_config. Default is 'no', which is a recommended security setting 
+#   and works  in connection with key-based authentication, but can be set 
+#   to 'yes' if password authentication should be allowed and empty passwords 
+#   should be allowed. Again, this should be used with caution if enabled.
+# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
+#   Default is 'no', which is a recommended security setting together 
+#   with password authentication, but can be set to 'yes' if 
+#   keyboard-interactive authentication should be allowed. (not recommended)
+# @param [String] ssh_kerberos_authentication setting for sshd_config.
+#   Default is 'no'. Kerberos authentication is not commonly used and 
+#   requires a lot of other settings, so it is disabled by default, but can be 
+#   set to 'yes' if desired.
+# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if Kerberos authentication is
+#   enabled, and should be set to 'yes' if you want to allow local password
+#   authentication as a fallback if Kerberos authentication fails, but can be
+#   set to 'no' if you want to only allow Kerberos authentication.
+# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config. 
+#   Default is 'no'. This setting is only relevant if Kerberos authentication 
+#   is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
+#   but can be set to 'no' if you want to disable it.
+# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if Kerberos authentication
+#   is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
+#   but can be set to 'no' if you want to disable it.
+# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if Kerberos authentication
+#   is enabled, and should be set to 'yes' if you want to enable userok with 
+#   Kerberos, but can be set to 'no' if you want to disable it.
+# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
+#   If true, the relevant Kerberos settings will be included in the sshd_config, 
+#   otherwise they will be ignored. 
+# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
+#   If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
+#   will be disabled. GSSAPI authentication is not commonly used and requires
+#   a lot of other settings, so it is disabled by default, but can be set to
+#   true if desired.
+# @param [String] ssh_gssapi_authentication setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
+#   enabled, and should be set to 'yes' if you want to enable GSS authentication, 
+#   but can be set to 'no' if you want to disable it.
+# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
+#   enabled, and should be set to 'yes' if you want to enable GSS credential 
+#   cleanup, but can be set to 'no' if you want to disable it.
+# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
+#   enabled, and should be set to 'yes' if you want to enable GSS key exchange.
+# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if GSSAPI authentication is 
+#   enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
+# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
+#   commonly used for SSH authentication and can introduce security risks if 
+#   not configured properly, so it is disabled by default. Thi setting is 
+#   related to PasswordAuthentication and KbdInteractiveAuthentication, and 
+#   should be set to 'yes' only if you want to use PAM for authentication 
+#   together with those settings.
+# @param [String] ssh_allow_agent_forwarding setting for sshd_config. 
+#   Default is 'yes', which allows SSH agent forwarding, but can be set to 'no' 
+#   if you want to disable this feature for security reasons.
+# @param [String] ssh_allow_tcp_forwarding setting for sshd_config.
+#   Default is 'yes', which allows TCP forwarding, but can be set to 'no' 
+#   if you want to disable this feature for security reasons.
+# @param [String] ssh_gateway_ports setting for sshd_config.
+#   Default is 'no', which means that remote hosts cannot connect to 
+#   forwarded ports, but can be set to 'yes' or 'clientspecified' if you want
+#   to allow remote hosts to connect to forwarded ports. This setting should 
+#   be used with caution if enabled, as  it can introduce security risks.
+# @param [String] ssh_x11_forwarding setting for sshd_config.
+#   Default is 'no', which disables X11 forwarding, but can be set to 'yes' 
+#   if you want to allow X11 forwarding. This setting should be used with 
+#   caution if enabled.
+# @param [String] ssh_x11_display_offset setting for sshd_config.
+#   Default is '10'. This setting is only relevant if X11 forwarding is 
+#   enabled, and specifies the first display number available for X11 
+#   forwarding. The default of '10' means that the first forwarded display 
+#   will be :10, the second will be :11, and so on. This setting can be 
+#   adjusted if you want to use a different range of display numbers for 
+#   X11 forwarding.  
+# @param [String] ssh_x11_use_localhost setting for sshd_config.
+#   Default is 'yes', which means that X11 forwarding will only be 
+#   available on the loopback interface, but can be set to 'no' if you want
+#   to allow X11 forwarding on all network interfaces.
+# @param [String] ssh_permit_tty setting for sshd_config.
+#   Default is 'yes', which allows TTY allocation, but can be set to 'no' 
+#   if you want to disable TTY allocation. 
+# @param [String] ssh_print_motd setting for sshd_config.
+#   Default is 'yes', which means that the message of the day will be printed
+#   when users log in, but can be set to 'no' if you want to disable this feature.
+# @param [String] ssh_print_lastlog setting for sshd_config.
+#   Default is 'yes', which means that the last login information will be printed
+#   when users log in, but can be set to 'no' if you want to disable this feature.
+# @param [String] ssh_tcp_keepalive setting for sshd_config.
+#   Default is 'yes', which means that TCP keepalive messages will be sent, but
+#   can be set to 'no' if you want to disable this feature. This setting can 
+#   be useful to disable if you have issues with dropped connections, but in 
+#   general it is recommended to keep it enabled.
+# @param [String] ssh_permit_user_environment setting for sshd_config.
+#   Default is 'no', which means that user environment variables will not be
+#   processed, but can be set to 'yes' if you want to allow users to specify 
+#   environment variables in their ~/.ssh/environment file.
+# @param [String] ssh_compression setting for sshd_config.
+#   Default is 'delayed', which means that compression will be enabled after
+#   successful authentication, but can be set to 'yes' if you want to enable
+#   compression from the start of the connection. The 'delayed' setting is a
+#   good compromise that allows for faster authentication while still providing
+#   the benefits of compression for the rest of the session.
+# @param [String] ssh_client_alive_interval setting for sshd_config.
+#   Default is '0', which means that no keepalive messages will be sent by the
+#   server, but can be set to a positive integer to specify the interval in seconds
+#   between keepalive messages sent by the server to the client. This can be useful
+#   to detect and close stale connections, but should be used with caution as it can
+#   cause unexpected disconnections if set too aggressively.
+# @param [String] ssh_client_alive_count_max setting for sshd_config.
+#   Default is '3'. This setting is only relevant if ssh_client_alive_interval is set
+#   to a positive integer, and specifies the number of consecutive keepalive messages
+#   that can be sent without receiving a response from the client before the server
+#   considers the connection to be stale and disconnects it.
+# @param [String] ssh_use_dns setting for sshd_config.
+#   Default is 'no', which means that the server will not perform DNS lookups on
+#   connecting clients, but can be set to 'yes' if you want the server to 
+#   perform DNS lookups. Disabling DNS lookups can improve connection times 
+#   and reduce the risk of DNS  spoofing attacks, so it is generally 
+#   recommended to keep this setting disabled unless you have a specific need for it.
+# @param [String] ssh_pid_file setting for sshd_config.
+#   Default is '/var/run/sshd.pid', which is the common location for the 
+#   sshd PID file, but can be set to a different path if desired. 
+#   This setting specifies the location of the sshd PID file.
+# @param [String] ssh_max_startups setting for sshd_config.
+#   Default is '10:30:100', which means that the server will allow up to 10 
+#   concurrent unauthenticated connections, and will start dropping connections 
+#   with a probability that increases linearly.
+# @param [String] ssh_permit_tunnel setting for sshd_config.
+#   Default is 'no', which means that tunneling is not allowed, but can be
+#   set to 'yes' if you want to allow tunneling, or 'point-to-point' to allow 
+#   only point-to-point tunneling. This setting should be used with caution if enabled.
+# @param [String] ssh_chroot_directory setting for sshd_config.
+#   Default is 'none', which means that no chroot directory will be used, but
+#   can be set to a valid directory path if you want to use chroot for SSH
+#   sessions. 
+# @param [String] ssh_version_addendum setting for sshd_config.
+#   Default is 'none', which means that no version addendum will be included in
+#   the SSH banner, but can be set to a custom string if you want to include
+#   additional information in the SSH version banner. This can be used for
+#   branding purposes, but should be used with caution as it can potentially
+#   leak information about the server that could be useful to attackers.
+# @param [String] ssh_banner setting for sshd_config.
+#   Default is 'none', which means that no banner will be displayed to users
+#   when they connect, but can be set to a valid file path if you want to
+#   display a custom banner message to users when they connect. This can be used
+#   to display legal notices, security warnings, or other information to users when
+#   they connect to the SSH server.
 ##############################################################################
 class confdroid_ssh::params (
 
-  Array $ssh_reqpackages  = ['openssh','openssh-clients','openssh-server'],
-  String $pkg_ensure      = 'present',
+  Array $ssh_reqpackages                    = ['openssh','openssh-clients','openssh-server'],
+  String $pkg_ensure                        = 'present',
 
   # firewall settings
-  Boolean $ssh_use_firewall  = true,
-  String $ssh_fw_port        = '22',
-  String $ssh_fw_order       = '50',
-  String $ssh_source_range   = '0.0.0.0/0',
+  String $ssh_fw_rule                       = 'present',
+  String $ssh_fw_port                       = '22',
+  String $ssh_fw_order                      = '50',
+  String $ssh_source_range                  = '0.0.0.0/0',
 
-  # main configuration 
-  Boolean $ssh_manage_config = true,
+  # sshd configuration 
+  Boolean $ssh_manage_config                = true,
+  String  $ssh_address_family               = 'any',
+  String  $ssh_listen_address               = '0.0.0.0',
+  String  $ssh_root_login                   = 'prohibit-password',
+  String  $ssh_strict_modes                 = 'yes',
+  String  $ssh_max_auth_tries               = '6',
+  String  $ssh_max_sessions                 = '10',
+  String  $ssh_pubkey_auth                  = 'yes',
+  String  $ssh_auth_key_files               = '.ssh/authorized_keys',
+  String  $ssh_authorized_principals_file   = 'none',
+  String  $ssh_authorized_keys_command      = 'none',
+  String  $ssh_authorized_keys_command_user = 'nobody',
+  Boolean $ssh_use_specific_hostkey         = false,
+  String  $ssh_hostkey_type                 = 'rsa',
+  String  $ssh_rekeylimit                   = 'default none',
+  String  $ssh_syslog_facility              = 'AUTH',
+  String  $ssh_log_level                    = 'INFO',
+  String  $ssh_password_authentication      = 'no',
+  String  $ssh_permit_empty_passwords       = 'no',
+  String  $ssh_kbd_interactive_auth         = 'no',
+  Boolean $ssh_use_kerberos                 = false,
+  String  $ssh_kerberos_authentication      = 'yes',
+  String  $ssh_kerberos_or_local_passwd     = 'yes',
+  String  $ssh_kerberos_ticket_cleanup      = 'yes',
+  String  $ssh_kerberos_get_afstoken        = 'no',
+  String  $ssh_kerberos_use_kuserok         = 'yes',
+  Boolean $ssh_use_gssapi                   = false,
+  String  $ssh_gssapi_authentication        = 'yes',
+  String  $ssh_gssapi_cleanup_credentials   = 'yes',
+  String  $ssh_gssapi_key_exchange          = 'no',
+  String  $ssh_gssapi_enablek5users         = 'no',
+  String  $ssh_use_pam                      = 'no',
+  String  $ssh_allow_agent_forwarding       = 'yes',
+  String  $ssh_allow_tcp_forwarding         = 'yes',
+  String  $ssh_gateway_ports                = 'no',
+  String  $ssh_x11_forwarding               = 'no',
+  String  $ssh_x11_display_offset           = '10',
+  String  $ssh_x11_use_localhost            = 'yes',
+  String  $ssh_permit_tty                   = 'yes',
+  String  $ssh_print_motd                   = 'yes',
+  String  $ssh_print_lastlog                = 'yes',
+  String  $ssh_tcp_keepalive                = 'yes',
+  String  $ssh_permit_user_environment      = 'no',
+  String  $ssh_compression                  = 'delayed',
+  String  $ssh_client_alive_interval        = '0',
+  String  $ssh_client_alive_count_max       = '3',
+  String  $ssh_use_dns                      = 'no',
+  String  $ssh_pid_file                     = '/var/run/sshd.pid',
+  String  $ssh_max_startups                 = '10:30:100',
+  String  $ssh_permit_tunnel                = 'no',
+  String  $ssh_chroot_directory             = 'none',
+  String  $ssh_version_addendum             = 'none',
+  String  $ssh_banner                       = 'none',
 
 ) {
 # default facts
@@ -32,14 +265,15 @@ class confdroid_ssh::params (
   $os_name                  = $facts['os']['name']
   $os_release               = $facts['os']['release']['major']
 
-  $sshd_user          = 'root'
-  $ssh_etc_path       = '/etc/ssh'
-  $sshd_service       = 'sshd'
-  $sshd_config_path   = "${ssh_etc_path}/sshd_config"
-  $sshd_custom_path   = "${ssh_etc_path}/sshd_config.d"
-  $sshd_custom_conf   = "${sshd_custom_path}/10-custom.conf"
-  $sshd_custom_erb    = 'confdroid_ssh/ssh_custom_conf.erb'
-  $sshd_config_erb    = 'confdroid_ssh/ssh_config.erb'
+  $sshd_user                = 'root'
+  $ssh_etc_path             = '/etc/ssh'
+  $sshd_service             = 'sshd'
+  $sshd_config_path         = "${ssh_etc_path}/sshd_config"
+  $sshd_custom_path         = "${ssh_etc_path}/sshd_config.d"
+  $sshd_custom_conf         = "${sshd_custom_path}/10-custom.conf"
+  $sshd_custom_erb          = 'confdroid_ssh/sshd_custom_conf.erb'
+  $sshd_config_erb          = 'confdroid_ssh/sshd_config.erb'
+  $sshd_root_login_file     = "${sshd_custom_path}/01-permitrootlogin.conf"
 
   # includes must be last
   include confdroid_ssh::main::config

manifests/selinux/semanage.pp

@@ -0,0 +1,13 @@
+## confdroid_ssh::selinux::semanage.pp
+# Module name: confdroid_ssh
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages SELinux semanage settings
+##############################################################################
+class confdroid_ssh::selinux::semanage (
+) inherits confdroid_ssh::params {
+  exec { 'semanage_port_ssh':
+    command => "semanage port -a -t ssh_port_t -p tcp ${ssh_fw_port}",
+    unless  => "semanage port -l | grep '^ssh_port_t' | grep 'tcp' | grep '${ssh_fw_port}'",
+    path    => ['/usr/bin', '/usr/sbin'],
+  }
+}

templates/ssh_custom_conf.erb

@@ -1,7 +0,0 @@
-###############################################################################    
-##### DO NOT EDIT THIS FILE MANUALLY                                          #
-##### This file is managed by Puppet. Any changes to this file will be        #
-##### overwritten. The file is built via parameters, so any changes should    #
-##### be made in the Puppet manifest parameters.                              #
-###############################################################################
-

templates/sshd_custom_conf.erb

@@ -0,0 +1,72 @@
+###############################################################################    
+##### DO NOT EDIT THIS FILE MANUALLY                                          #
+##### This file is managed by Puppet. Any changes to this file will be        #
+##### overwritten. The file is built via parameters, so any changes should    #
+##### be made in the Puppet manifest parameters.                              #
+###############################################################################
+
+Port <%= @ssh_fw_port %>
+AddressFamily <%= @ssh_address_family %>
+ListenAddress <%= @ssh_listen_address %> 
+<% if @ssh_use_specific_hostkey -%>
+HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
+<% end -%>
+RekeyLimit <%= @ssh_rekeylimit %>
+
+SyslogFacility <%= @ssh_syslog_facility %>
+LogLevel <%= @ssh_log_level %>
+
+PermitRootLogin <%= @ssh_root_login %>
+StrictModes <%= @ssh_strict_modes %>
+MaxAuthTries <%= @ssh_max_auth_tries %>
+MaxSessions <%= @ssh_max_sessions %>
+
+PubkeyAuthentication <%= @ssh_pubkey_auth %>
+AuthorizedKeysFile	<%= @ssh_auth_key_files %>
+
+AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
+AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
+AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
+
+PasswordAuthentication <%= @ssh_password_authentication %>
+PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
+KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+UsePAM <%= @ssh_use_pam %>
+
+<% if @ssh_use_kerberos -%>
+KerberosAuthentication <%= @ssh_kerberos_authentication %>
+KerberosOrLocalPasswd <%= @ssh_kerberos_or_local_passwd %>
+KerberosTicketCleanup <%= @ssh_kerberos_ticket_cleanup %>
+KerberosGetAFSToken <%= @ssh_kerberos_get_afstoken %>
+KerberosUseKuserok <%= @ssh_kerberos_use_kuserok %>
+<% end -%>
+
+<% if @ssh_use_gssapi -%>
+GSSAPIAuthentication <%= @ssh_gssapi_authentication %>
+GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
+GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
+GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
+<% end -%>
+
+AllowAgentForwarding <%= @ssh_allow_agent_forwarding %>
+AllowTcpForwarding <%= @ssh_allow_tcp_forwarding %>
+GatewayPorts <%= @ssh_gateway_ports %>
+X11Forwarding <%= @ssh_x11_forwarding %>
+X11DisplayOffset <%= @ssh_x11_display_offset %>
+X11UseLocalhost <%= @ssh_x11_use_localhost %>
+PermitTTY <%= @ssh_permit_tty %>
+PrintMotd <%= @ssh_print_motd %>
+PrintLastLog <%= @ssh_print_lastlog %>
+TCPKeepAlive <%= @ssh_tcp_keepalive %>
+PermitUserEnvironment <%= @ssh_permit_user_environment %>
+Compression <%= @ssh_compression %>
+ClientAliveInterval <%= @ssh_client_alive_interval %>
+ClientAliveCountMax <%= @ssh_client_alive_count_max %>
+UseDNS <%= @ssh_use_dns %>
+PidFile <%= @ssh_pid_file %>
+MaxStartups <%= @ssh_max_startups %>
+PermitTunnel <%= @ssh_permit_tunnel %>
+ChrootDirectory <%= @ssh_chroot_directory %>
+VersionAddendum <%= @ssh_version_addendum %>
+
+Banner <%= @ssh_banner %>