|
|
|
|
@@ -4,29 +4,268 @@
|
|
|
|
|
# @summary Class contains all class parameters for confdroid_ssh
|
|
|
|
|
# @param [Array] ssh_reqpackages packages to install
|
|
|
|
|
# @param [String] pkg_ensure version to install: 'present' or 'latest'
|
|
|
|
|
# @param [Boolean] ssh_use_firewall whether to manage firewall settings
|
|
|
|
|
# @param [String] ssh_fw_rule whether set the fw rule to
|
|
|
|
|
# present or absent.
|
|
|
|
|
# @param [String] ssh_fw_port port to use for SSHD and in fw
|
|
|
|
|
# @param [String] ssh_fw_order order of firewall rule
|
|
|
|
|
# @param [String] ssh_source_range source range for firewall rule
|
|
|
|
|
# @param [Boolean] ssh_manage_config whether to manage the configuration
|
|
|
|
|
# @param [String] ssh_address_family AddressFamily setting for sshd_config
|
|
|
|
|
# @param [String] ssh_listen_address ListenAddress setting for sshd_config
|
|
|
|
|
# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
|
|
|
|
|
# @param [String] ssh_strict_modes StrictModes setting for sshd_config
|
|
|
|
|
# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
|
|
|
|
|
# @param [String] ssh_max_sessions MaxSessions setting for sshd_config
|
|
|
|
|
# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
|
|
|
|
|
# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
|
|
|
|
|
# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile
|
|
|
|
|
# setting for sshd_config. Default is 'none' to disable this setting.
|
|
|
|
|
# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config.
|
|
|
|
|
# Default is 'none' to disable this setting.
|
|
|
|
|
# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
|
|
|
|
|
# Default is 'nobody' to use an unpriviledged user.
|
|
|
|
|
# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
|
|
|
|
|
# @param [String] ssh_hostkey_type type of host key to use if
|
|
|
|
|
# ssh_use_specific_hostkey is true
|
|
|
|
|
# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config.
|
|
|
|
|
# Default is 'default none'.
|
|
|
|
|
# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.
|
|
|
|
|
# Default is 'AUTH'.
|
|
|
|
|
# @param [String] ssh_log_level LogLevel setting for sshd_config.
|
|
|
|
|
# Default is 'INFO'.
|
|
|
|
|
# @param [String] ssh_password_authentication PasswordAuthentication setting
|
|
|
|
|
# for sshd_config. Default is 'no', which requires key-based authentication.
|
|
|
|
|
# This is a recommended security setting, so passwords do not show up in logs,
|
|
|
|
|
# but can be set to 'yes' if password authentication is desired.
|
|
|
|
|
# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting
|
|
|
|
|
# for sshd_config. Default is 'no', which is a recommended security setting
|
|
|
|
|
# and works in connection with key-based authentication, but can be set
|
|
|
|
|
# to 'yes' if password authentication should be allowed and empty passwords
|
|
|
|
|
# should be allowed. Again, this should be used with caution if enabled.
|
|
|
|
|
# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
|
|
|
|
|
# Default is 'no', which is a recommended security setting together
|
|
|
|
|
# with password authentication, but can be set to 'yes' if
|
|
|
|
|
# keyboard-interactive authentication should be allowed. (not recommended)
|
|
|
|
|
# @param [String] ssh_kerberos_authentication setting for sshd_config.
|
|
|
|
|
# Default is 'no'. Kerberos authentication is not commonly used and
|
|
|
|
|
# requires a lot of other settings, so it is disabled by default, but can be
|
|
|
|
|
# set to 'yes' if desired.
|
|
|
|
|
# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
|
|
|
|
|
# Default is 'no'. This setting is only relevant if Kerberos authentication is
|
|
|
|
|
# enabled, and should be set to 'yes' if you want to allow local password
|
|
|
|
|
# authentication as a fallback if Kerberos authentication fails, but can be
|
|
|
|
|
# set to 'no' if you want to only allow Kerberos authentication.
|
|
|
|
|
# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.
|
|
|
|
|
# Default is 'no'. This setting is only relevant if Kerberos authentication
|
|
|
|
|
# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
|
|
|
|
|
# but can be set to 'no' if you want to disable it.
|
|
|
|
|
# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
|
|
|
|
|
# Default is 'no'. This setting is only relevant if Kerberos authentication
|
|
|
|
|
# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
|
|
|
|
|
# but can be set to 'no' if you want to disable it.
|
|
|
|
|
# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
|
|
|
|
|
# Default is 'no'. This setting is only relevant if Kerberos authentication
|
|
|
|
|
# is enabled, and should be set to 'yes' if you want to enable userok with
|
|
|
|
|
# Kerberos, but can be set to 'no' if you want to disable it.
|
|
|
|
|
# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
|
|
|
|
|
# If true, the relevant Kerberos settings will be included in the sshd_config,
|
|
|
|
|
# otherwise they will be ignored.
|
|
|
|
|
# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
|
|
|
|
|
# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
|
|
|
|
|
# will be disabled. GSSAPI authentication is not commonly used and requires
|
|
|
|
|
# a lot of other settings, so it is disabled by default, but can be set to
|
|
|
|
|
# true if desired.
|
|
|
|
|
# @param [String] ssh_gssapi_authentication setting for sshd_config.
|
|
|
|
|
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
|
|
|
|
# enabled, and should be set to 'yes' if you want to enable GSS authentication,
|
|
|
|
|
# but can be set to 'no' if you want to disable it.
|
|
|
|
|
# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
|
|
|
|
|
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
|
|
|
|
# enabled, and should be set to 'yes' if you want to enable GSS credential
|
|
|
|
|
# cleanup, but can be set to 'no' if you want to disable it.
|
|
|
|
|
# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
|
|
|
|
|
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
|
|
|
|
# enabled, and should be set to 'yes' if you want to enable GSS key exchange.
|
|
|
|
|
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
|
|
|
|
|
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
|
|
|
|
# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
|
|
|
|
|
# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
|
|
|
|
|
# commonly used for SSH authentication and can introduce security risks if
|
|
|
|
|
# not configured properly, so it is disabled by default. Thi setting is
|
|
|
|
|
# related to PasswordAuthentication and KbdInteractiveAuthentication, and
|
|
|
|
|
# should be set to 'yes' only if you want to use PAM for authentication
|
|
|
|
|
# together with those settings.
|
|
|
|
|
# @param [String] ssh_allow_agent_forwarding setting for sshd_config.
|
|
|
|
|
# Default is 'yes', which allows SSH agent forwarding, but can be set to 'no'
|
|
|
|
|
# if you want to disable this feature for security reasons.
|
|
|
|
|
# @param [String] ssh_allow_tcp_forwarding setting for sshd_config.
|
|
|
|
|
# Default is 'yes', which allows TCP forwarding, but can be set to 'no'
|
|
|
|
|
# if you want to disable this feature for security reasons.
|
|
|
|
|
# @param [String] ssh_gateway_ports setting for sshd_config.
|
|
|
|
|
# Default is 'no', which means that remote hosts cannot connect to
|
|
|
|
|
# forwarded ports, but can be set to 'yes' or 'clientspecified' if you want
|
|
|
|
|
# to allow remote hosts to connect to forwarded ports. This setting should
|
|
|
|
|
# be used with caution if enabled, as it can introduce security risks.
|
|
|
|
|
# @param [String] ssh_x11_forwarding setting for sshd_config.
|
|
|
|
|
# Default is 'no', which disables X11 forwarding, but can be set to 'yes'
|
|
|
|
|
# if you want to allow X11 forwarding. This setting should be used with
|
|
|
|
|
# caution if enabled.
|
|
|
|
|
# @param [String] ssh_x11_display_offset setting for sshd_config.
|
|
|
|
|
# Default is '10'. This setting is only relevant if X11 forwarding is
|
|
|
|
|
# enabled, and specifies the first display number available for X11
|
|
|
|
|
# forwarding. The default of '10' means that the first forwarded display
|
|
|
|
|
# will be :10, the second will be :11, and so on. This setting can be
|
|
|
|
|
# adjusted if you want to use a different range of display numbers for
|
|
|
|
|
# X11 forwarding.
|
|
|
|
|
# @param [String] ssh_x11_use_localhost setting for sshd_config.
|
|
|
|
|
# Default is 'yes', which means that X11 forwarding will only be
|
|
|
|
|
# available on the loopback interface, but can be set to 'no' if you want
|
|
|
|
|
# to allow X11 forwarding on all network interfaces.
|
|
|
|
|
# @param [String] ssh_permit_tty setting for sshd_config.
|
|
|
|
|
# Default is 'yes', which allows TTY allocation, but can be set to 'no'
|
|
|
|
|
# if you want to disable TTY allocation.
|
|
|
|
|
# @param [String] ssh_print_motd setting for sshd_config.
|
|
|
|
|
# Default is 'yes', which means that the message of the day will be printed
|
|
|
|
|
# when users log in, but can be set to 'no' if you want to disable this feature.
|
|
|
|
|
# @param [String] ssh_print_lastlog setting for sshd_config.
|
|
|
|
|
# Default is 'yes', which means that the last login information will be printed
|
|
|
|
|
# when users log in, but can be set to 'no' if you want to disable this feature.
|
|
|
|
|
# @param [String] ssh_tcp_keepalive setting for sshd_config.
|
|
|
|
|
# Default is 'yes', which means that TCP keepalive messages will be sent, but
|
|
|
|
|
# can be set to 'no' if you want to disable this feature. This setting can
|
|
|
|
|
# be useful to disable if you have issues with dropped connections, but in
|
|
|
|
|
# general it is recommended to keep it enabled.
|
|
|
|
|
# @param [String] ssh_permit_user_environment setting for sshd_config.
|
|
|
|
|
# Default is 'no', which means that user environment variables will not be
|
|
|
|
|
# processed, but can be set to 'yes' if you want to allow users to specify
|
|
|
|
|
# environment variables in their ~/.ssh/environment file.
|
|
|
|
|
# @param [String] ssh_compression setting for sshd_config.
|
|
|
|
|
# Default is 'delayed', which means that compression will be enabled after
|
|
|
|
|
# successful authentication, but can be set to 'yes' if you want to enable
|
|
|
|
|
# compression from the start of the connection. The 'delayed' setting is a
|
|
|
|
|
# good compromise that allows for faster authentication while still providing
|
|
|
|
|
# the benefits of compression for the rest of the session.
|
|
|
|
|
# @param [String] ssh_client_alive_interval setting for sshd_config.
|
|
|
|
|
# Default is '0', which means that no keepalive messages will be sent by the
|
|
|
|
|
# server, but can be set to a positive integer to specify the interval in seconds
|
|
|
|
|
# between keepalive messages sent by the server to the client. This can be useful
|
|
|
|
|
# to detect and close stale connections, but should be used with caution as it can
|
|
|
|
|
# cause unexpected disconnections if set too aggressively.
|
|
|
|
|
# @param [String] ssh_client_alive_count_max setting for sshd_config.
|
|
|
|
|
# Default is '3'. This setting is only relevant if ssh_client_alive_interval is set
|
|
|
|
|
# to a positive integer, and specifies the number of consecutive keepalive messages
|
|
|
|
|
# that can be sent without receiving a response from the client before the server
|
|
|
|
|
# considers the connection to be stale and disconnects it.
|
|
|
|
|
# @param [String] ssh_use_dns setting for sshd_config.
|
|
|
|
|
# Default is 'no', which means that the server will not perform DNS lookups on
|
|
|
|
|
# connecting clients, but can be set to 'yes' if you want the server to
|
|
|
|
|
# perform DNS lookups. Disabling DNS lookups can improve connection times
|
|
|
|
|
# and reduce the risk of DNS spoofing attacks, so it is generally
|
|
|
|
|
# recommended to keep this setting disabled unless you have a specific need for it.
|
|
|
|
|
# @param [String] ssh_pid_file setting for sshd_config.
|
|
|
|
|
# Default is '/var/run/sshd.pid', which is the common location for the
|
|
|
|
|
# sshd PID file, but can be set to a different path if desired.
|
|
|
|
|
# This setting specifies the location of the sshd PID file.
|
|
|
|
|
# @param [String] ssh_max_startups setting for sshd_config.
|
|
|
|
|
# Default is '10:30:100', which means that the server will allow up to 10
|
|
|
|
|
# concurrent unauthenticated connections, and will start dropping connections
|
|
|
|
|
# with a probability that increases linearly.
|
|
|
|
|
# @param [String] ssh_permit_tunnel setting for sshd_config.
|
|
|
|
|
# Default is 'no', which means that tunneling is not allowed, but can be
|
|
|
|
|
# set to 'yes' if you want to allow tunneling, or 'point-to-point' to allow
|
|
|
|
|
# only point-to-point tunneling. This setting should be used with caution if enabled.
|
|
|
|
|
# @param [String] ssh_chroot_directory setting for sshd_config.
|
|
|
|
|
# Default is 'none', which means that no chroot directory will be used, but
|
|
|
|
|
# can be set to a valid directory path if you want to use chroot for SSH
|
|
|
|
|
# sessions.
|
|
|
|
|
# @param [String] ssh_version_addendum setting for sshd_config.
|
|
|
|
|
# Default is 'none', which means that no version addendum will be included in
|
|
|
|
|
# the SSH banner, but can be set to a custom string if you want to include
|
|
|
|
|
# additional information in the SSH version banner. This can be used for
|
|
|
|
|
# branding purposes, but should be used with caution as it can potentially
|
|
|
|
|
# leak information about the server that could be useful to attackers.
|
|
|
|
|
# @param [String] ssh_banner setting for sshd_config.
|
|
|
|
|
# Default is 'none', which means that no banner will be displayed to users
|
|
|
|
|
# when they connect, but can be set to a valid file path if you want to
|
|
|
|
|
# display a custom banner message to users when they connect. This can be used
|
|
|
|
|
# to display legal notices, security warnings, or other information to users when
|
|
|
|
|
# they connect to the SSH server.
|
|
|
|
|
# @param [String] ssh_login_grace_time setting for sshd_config.
|
|
|
|
|
# Default is '2m', which means that users have 2 minutes to successfully
|
|
|
|
|
# authenticate before the server disconnects them, but can be set to a different
|
|
|
|
|
# time interval if desired. This setting can be used to limit the amount of time
|
|
|
|
|
# that attackers have to attempt to brute-force authentication, but should be set
|
|
|
|
|
# to a reasonable value to avoid disconnecting legitimate users who may need more time to log
|
|
|
|
|
# @param [String] ssh_custom_ensure whether the custom configuration file
|
|
|
|
|
# should be file or absent.
|
|
|
|
|
##############################################################################
|
|
|
|
|
class confdroid_ssh::params (
|
|
|
|
|
|
|
|
|
|
Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],
|
|
|
|
|
String $pkg_ensure = 'present',
|
|
|
|
|
Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],
|
|
|
|
|
String $pkg_ensure = 'present',
|
|
|
|
|
|
|
|
|
|
# firewall settings
|
|
|
|
|
Boolean $ssh_use_firewall = true,
|
|
|
|
|
String $ssh_fw_port = '22',
|
|
|
|
|
String $ssh_fw_order = '50',
|
|
|
|
|
String $ssh_source_range = '0.0.0.0/0',
|
|
|
|
|
String $ssh_fw_rule = 'present',
|
|
|
|
|
String $ssh_fw_port = '22',
|
|
|
|
|
String $ssh_fw_order = '50',
|
|
|
|
|
String $ssh_source_range = '0.0.0.0/0',
|
|
|
|
|
|
|
|
|
|
# main configuration
|
|
|
|
|
Boolean $ssh_manage_config = true,
|
|
|
|
|
String $ssh_address_family = 'any',
|
|
|
|
|
String $ssh_listen_address = '0.0.0.0',
|
|
|
|
|
# sshd configuration
|
|
|
|
|
String $ssh_custom_ensure = 'absent',
|
|
|
|
|
Boolean $ssh_manage_config = true,
|
|
|
|
|
String $ssh_address_family = 'any',
|
|
|
|
|
String $ssh_listen_address = '0.0.0.0',
|
|
|
|
|
String $ssh_login_grace_time = '2m',
|
|
|
|
|
String $ssh_root_login = 'prohibit-password',
|
|
|
|
|
String $ssh_strict_modes = 'yes',
|
|
|
|
|
String $ssh_max_auth_tries = '6',
|
|
|
|
|
String $ssh_max_sessions = '10',
|
|
|
|
|
String $ssh_pubkey_auth = 'yes',
|
|
|
|
|
String $ssh_auth_key_files = '.ssh/authorized_keys',
|
|
|
|
|
String $ssh_authorized_principals_file = 'none',
|
|
|
|
|
String $ssh_authorized_keys_command = 'none',
|
|
|
|
|
String $ssh_authorized_keys_command_user = 'nobody',
|
|
|
|
|
Boolean $ssh_use_specific_hostkey = false,
|
|
|
|
|
String $ssh_hostkey_type = 'rsa',
|
|
|
|
|
String $ssh_rekeylimit = 'default none',
|
|
|
|
|
String $ssh_syslog_facility = 'AUTH',
|
|
|
|
|
String $ssh_log_level = 'INFO',
|
|
|
|
|
String $ssh_password_authentication = 'yes',
|
|
|
|
|
String $ssh_permit_empty_passwords = 'no',
|
|
|
|
|
String $ssh_kbd_interactive_auth = 'yes',
|
|
|
|
|
Boolean $ssh_use_kerberos = false,
|
|
|
|
|
String $ssh_kerberos_authentication = 'yes',
|
|
|
|
|
String $ssh_kerberos_or_local_passwd = 'yes',
|
|
|
|
|
String $ssh_kerberos_ticket_cleanup = 'yes',
|
|
|
|
|
String $ssh_kerberos_get_afstoken = 'no',
|
|
|
|
|
String $ssh_kerberos_use_kuserok = 'yes',
|
|
|
|
|
Boolean $ssh_use_gssapi = false,
|
|
|
|
|
String $ssh_gssapi_authentication = 'yes',
|
|
|
|
|
String $ssh_gssapi_cleanup_credentials = 'yes',
|
|
|
|
|
String $ssh_gssapi_key_exchange = 'no',
|
|
|
|
|
String $ssh_gssapi_enablek5users = 'no',
|
|
|
|
|
String $ssh_use_pam = 'no',
|
|
|
|
|
String $ssh_allow_agent_forwarding = 'yes',
|
|
|
|
|
String $ssh_allow_tcp_forwarding = 'yes',
|
|
|
|
|
String $ssh_gateway_ports = 'no',
|
|
|
|
|
String $ssh_x11_forwarding = 'no',
|
|
|
|
|
String $ssh_x11_display_offset = '10',
|
|
|
|
|
String $ssh_x11_use_localhost = 'yes',
|
|
|
|
|
String $ssh_permit_tty = 'yes',
|
|
|
|
|
String $ssh_print_motd = 'yes',
|
|
|
|
|
String $ssh_print_lastlog = 'yes',
|
|
|
|
|
String $ssh_tcp_keepalive = 'yes',
|
|
|
|
|
String $ssh_permit_user_environment = 'no',
|
|
|
|
|
String $ssh_compression = 'delayed',
|
|
|
|
|
String $ssh_client_alive_interval = '0',
|
|
|
|
|
String $ssh_client_alive_count_max = '3',
|
|
|
|
|
String $ssh_use_dns = 'no',
|
|
|
|
|
String $ssh_pid_file = '/var/run/sshd.pid',
|
|
|
|
|
String $ssh_max_startups = '10:30:100',
|
|
|
|
|
String $ssh_permit_tunnel = 'no',
|
|
|
|
|
String $ssh_chroot_directory = 'none',
|
|
|
|
|
String $ssh_version_addendum = 'none',
|
|
|
|
|
String $ssh_banner = 'none',
|
|
|
|
|
|
|
|
|
|
) {
|
|
|
|
|
# default facts
|
|
|
|
|
@@ -36,14 +275,15 @@ class confdroid_ssh::params (
|
|
|
|
|
$os_name = $facts['os']['name']
|
|
|
|
|
$os_release = $facts['os']['release']['major']
|
|
|
|
|
|
|
|
|
|
$sshd_user = 'root'
|
|
|
|
|
$ssh_etc_path = '/etc/ssh'
|
|
|
|
|
$sshd_service = 'sshd'
|
|
|
|
|
$sshd_config_path = "${ssh_etc_path}/sshd_config"
|
|
|
|
|
$sshd_custom_path = "${ssh_etc_path}/sshd_config.d"
|
|
|
|
|
$sshd_custom_conf = "${sshd_custom_path}/10-custom.conf"
|
|
|
|
|
$sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb'
|
|
|
|
|
$sshd_config_erb = 'confdroid_ssh/sshd_config.erb'
|
|
|
|
|
$sshd_user = 'root'
|
|
|
|
|
$ssh_etc_path = '/etc/ssh'
|
|
|
|
|
$sshd_service = 'sshd'
|
|
|
|
|
$sshd_config_path = "${ssh_etc_path}/sshd_config"
|
|
|
|
|
$sshd_custom_path = "${ssh_etc_path}/sshd_config.d"
|
|
|
|
|
$sshd_custom_conf = "${sshd_custom_path}/10-custom.conf"
|
|
|
|
|
$sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb'
|
|
|
|
|
$sshd_config_erb = 'confdroid_ssh/sshd_config.erb'
|
|
|
|
|
$sshd_root_login_file = "${sshd_custom_path}/01-permitrootlogin.conf"
|
|
|
|
|
|
|
|
|
|
# includes must be last
|
|
|
|
|
include confdroid_ssh::main::config
|
|
|
|
|
|
