
Jenkins
52d4dbc2b7 Merge branch 'jenkins-build-19' into 'master'
Auto-merge for build 19

See merge request puppet/confdroid_ssh!19
2026-04-13 14:03:01 +02:00
18 changed files with 538 additions and 584 deletions

.gitignore vendored

@@ -2,5 +2,4 @@
Gemfile.lock
FileList
.scannerwork
.vscode
.puppet-lint.rc
.vscode

Jenkinsfile vendored

@@ -1,130 +0,0 @@
pipeline {
agent {
label 'puppet'
}
post {
always {
deleteDir() /* clean up our workspace */
}
success {
updateGitlabCommitStatus state: 'success'
}
failure {
updateGitlabCommitStatus state: 'failed'
step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
}
}
options {
gitLabConnection('gitlab.confdroid.com')
}
stages {
stage('pull master') {
steps {
sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
sh '''
git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com
git fetch origin
source_branch="${gitlabSourceBranch:-${BRANCH_NAME:-${GIT_LOCAL_BRANCH:-$GIT_BRANCH}}}"
source_branch="${source_branch#origin/}"
source_branch="${source_branch#refs/heads/}"
if [ -z "$source_branch" ]; then
source_branch="development"
fi
echo "Using source branch: $source_branch"
# Create an isolated build branch from the triggering branch revision.
git checkout -B jenkins-build-$BUILD_NUMBER "origin/$source_branch"
# Merge the current master into the build branch before validation.
git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
'''
}
}
}
stage('puppet parser') {
steps {
sh '''for file in $(find . -iname \'*.pp\'); do
/opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
done;'''
}
}
stage('check templates') {
steps{
sh '''for file in $(find . -iname \'*.erb\');
do erb -P -x -T "-" $file | ruby -c || exit 1;
done;'''
}
}
stage('puppet-lint') {
steps {
sh '''/usr/local/bin/puppet-lint . \\
--no-variable_scope-check \\
|| { echo "Puppet lint failed"; exit 1; }
'''
}
}
stage('SonarScan') {
steps {
withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
sh '''
/opt/sonar-scanner/bin/sonar-scanner \
-Dsonar.projectKey=confdroid_ssh \
-Dsonar.sources=. \
-Dsonar.host.url=https://sonarqube.confdroid.com \
-Dsonar.token=$SONAR_TOKEN
'''
}
}
}
stage('create Puppet documentation') {
steps {
sh '/opt/puppetlabs/bin/puppet strings'
}
}
stage('update repo') {
steps {
sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
sh '''
git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com
git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
git fetch origin
git checkout -B master origin/master
git merge --no-ff jenkins-build-$BUILD_NUMBER -m "Merge build $BUILD_NUMBER into master"
git push origin master
'''
}
}
}
stage('Mirror to Gitea') {
steps {
withCredentials([usernamePassword(
credentialsId: 'Jenkins-gitea',
usernameVariable: 'GITEA_USER',
passwordVariable: 'GITEA_TOKEN')]) {
script {
sh '''
git fetch origin
git checkout master
git reset --hard origin/master
git remote get-url master >/dev/null 2>&1 \
&& git remote set-url master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git \
|| git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git
git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
push --force master refs/heads/master:refs/heads/master
'''
}
}
}
}
}
}


@@ -7,7 +7,6 @@
- [Synopsis](#synopsis)
- [WARNING](#warning)
- [Features](#features)
- [Adding custom configurations](#adding-custom-configurations)
- [Support](#support)
- [Parameter Inheritance](#parameter-inheritance)
- [Module Deployment](#module-deployment)
@@ -26,34 +25,11 @@
## Features
- install required binaries
- manage required files and directories including selinux context
- manage local custom configuration based on parameters, overriding the defaults
- manage selinux rules
- manage service
- (optional) manage firewall
## Adding custom configurations
Custom configuration files live in `/etc/ssh/sshd_config.d/`. IN order to create a custom config file, add a stanza like this in your control repo:
```puppet
confdroid_ssh::custom::custom_config { '30-my-custom-rule':
config_name => '30-custom-rule',
config_content => ['PasswordAuthentication no'],
}
```
This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:
```puppet
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. Update the Puppet define input instead. #
###############################################################################
PasswordAuthentication no
```
Note that the value for config_content **has to be an array**, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.
## Support
- Rocky 9 (Any RHEL 9 based OS should work but has not been tested)
@@ -65,7 +41,7 @@ All parameters are listed in `params.pp` and inherited from there. Variable par
## Module Deployment
Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it.
ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it.
## Tests


@@ -122,30 +122,6 @@
<h2>Defined Type Listing A-Z</h2>
<table>
<tr>
<td valign='top' width="33%">
<ul id="alpha_C" class="alpha">
<li class="letter">C</li>
<ul>
<li>
<span class='object_link'><a href="puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html" title="puppet_defined_types::confdroid_ssh::custom::custom_config (puppet_defined_type)">confdroid_ssh::custom::custom_config</a></span>
</li>
</ul>
</ul>
</td>
</tr>
</table>


@@ -70,8 +70,6 @@
</li><li>
<p><a href="#features">Features</a></p>
</li><li>
<p><a href="#adding-custom-configurations">Adding custom configurations</a></p>
</li><li>
<p><a href="#support">Support</a></p>
</li><li>
<p><a href="#parameter-inheritance">Parameter Inheritance</a></p>
@@ -99,35 +97,15 @@
<ul><li>
<p>install required binaries</p>
</li><li>
<p>manage required files and directories including selinux context</p>
<p>manage local custom configuration based on parameters, overriding the defaults</p>
</li><li>
<p>manage selinux rules</p>
</li><li>
<p>manage service</p>
</li><li>
<p>(optional) manage firewall</p>
</li></ul>
<h2 id="label-Adding+custom+configurations">Adding custom configurations</h2>
<p>Custom configuration files live in <code>/etc/ssh/sshd_config.d/</code>. IN order to create a custom config file, add a stanza like this in your control repo:</p>
<pre class="code ruby"><code class="ruby">confdroid_ssh::custom::custom_config { &#39;30-my-custom-rule&#39;:
config_name =&gt; &#39;30-custom-rule&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],
}
</code></pre>
<p>This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:</p>
<pre class="code ruby"><code class="ruby"><span class='comment'>###############################################################################
</span><span class='comment'>##### DO NOT EDIT THIS FILE MANUALLY #
</span><span class='comment'>##### This file is managed by Puppet. Any changes to this file will be #
</span><span class='comment'>##### overwritten. Update the Puppet define input instead. #
</span><span class='comment'>###############################################################################
</span><span class='const'>PasswordAuthentication</span> <span class='id identifier rubyid_no'>no</span>
</code></pre>
<p>Note that the value for config_content <strong>has to be an array</strong>, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.</p>
<h2 id="label-Support">Support</h2>
<ul><li>
<p>Rocky 9 (Any RHEL 9 based OS should work but has not been tested)</p>
@@ -141,7 +119,7 @@
<h2 id="label-Module+Deployment">Module Deployment</h2>
<p>Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
<p>ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
<h2 id="label-Tests">Tests</h2>
<ul><li>


@@ -70,8 +70,6 @@
</li><li>
<p><a href="#features">Features</a></p>
</li><li>
<p><a href="#adding-custom-configurations">Adding custom configurations</a></p>
</li><li>
<p><a href="#support">Support</a></p>
</li><li>
<p><a href="#parameter-inheritance">Parameter Inheritance</a></p>
@@ -99,35 +97,15 @@
<ul><li>
<p>install required binaries</p>
</li><li>
<p>manage required files and directories including selinux context</p>
<p>manage local custom configuration based on parameters, overriding the defaults</p>
</li><li>
<p>manage selinux rules</p>
</li><li>
<p>manage service</p>
</li><li>
<p>(optional) manage firewall</p>
</li></ul>
<h2 id="label-Adding+custom+configurations">Adding custom configurations</h2>
<p>Custom configuration files live in <code>/etc/ssh/sshd_config.d/</code>. IN order to create a custom config file, add a stanza like this in your control repo:</p>
<pre class="code ruby"><code class="ruby">confdroid_ssh::custom::custom_config { &#39;30-my-custom-rule&#39;:
config_name =&gt; &#39;30-custom-rule&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],
}
</code></pre>
<p>This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:</p>
<pre class="code ruby"><code class="ruby"><span class='comment'>###############################################################################
</span><span class='comment'>##### DO NOT EDIT THIS FILE MANUALLY #
</span><span class='comment'>##### This file is managed by Puppet. Any changes to this file will be #
</span><span class='comment'>##### overwritten. Update the Puppet define input instead. #
</span><span class='comment'>###############################################################################
</span><span class='const'>PasswordAuthentication</span> <span class='id identifier rubyid_no'>no</span>
</code></pre>
<p>Note that the value for config_content <strong>has to be an array</strong>, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.</p>
<h2 id="label-Support">Support</h2>
<ul><li>
<p>Rocky 9 (Any RHEL 9 based OS should work but has not been tested)</p>
@@ -141,7 +119,7 @@
<h2 id="label-Module+Deployment">Module Deployment</h2>
<p>Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
<p>ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
<h2 id="label-Tests">Tests</h2>
<ul><li>


@@ -28,10 +28,6 @@
Puppet Classes
</a></span>
<span><a target="_self" href="puppet_defined_type_list.html">
Defined Types
</a></span>
</div>
<div id="search">Search: <input type="text" /></div>


@@ -141,7 +141,7 @@ class confdroid_ssh::main::dirs (
path =&gt; $ssh_etc_path,
owner =&gt; $sshd_user,
group =&gt; $sshd_user,
mode =&gt; &#39;0755&#39;,
mode =&gt; &#39;0700&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,
@@ -152,7 +152,7 @@ class confdroid_ssh::main::dirs (
ensure =&gt; directory,
owner =&gt; $sshd_user,
group =&gt; $sshd_user,
mode =&gt; &#39;0755&#39;,
mode =&gt; &#39;0700&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,


@@ -118,7 +118,30 @@
20
21
22
23</pre>
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -140,6 +163,29 @@ class confdroid_ssh::main::files (
content =&gt; template($sshd_config_erb),
notify =&gt; Service[$sshd_service],
}
if $ssh_manage_config {
file { $sshd_custom_conf:
ensure =&gt; file,
path =&gt; $sshd_custom_conf,
owner =&gt; $sshd_user,
group =&gt; $sshd_user,
mode =&gt; &#39;0640&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,
seluser =&gt; system_u,
content =&gt; template($sshd_custom_erb),
notify =&gt; Service[$sshd_service],
}
# we want the default root login setting to be managed by the custom conf,
# so we remove the default file if it exists
file { $sshd_root_login_file:
ensure =&gt; absent,
path =&gt; $sshd_root_login_file,
notify =&gt; Service[$sshd_service],
}
}
}</pre>
</td>
</tr>


@@ -214,6 +214,312 @@
&mdash;
<div class='inline'>
<p>source range for firewall rule</p>
</div>
</li>
<li>
<span class='name'>ssh_manage_config</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>true</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to manage the configuration</p>
</div>
</li>
<li>
<span class='name'>ssh_address_family</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;any&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AddressFamily setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_listen_address</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;0.0.0.0&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>ListenAddress setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_root_login</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;prohibit-password&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>PermitRootLogin setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_strict_modes</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>StrictModes setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_max_auth_tries</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;6&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>MaxAuthTries setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_max_sessions</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;10&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>MaxSessions setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_pubkey_auth</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>PubkeyAuthentication setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_auth_key_files</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;.ssh/authorized_keys&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedKeysFile setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_authorized_principals_file</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedPrincipalsFile setting for sshd_config. Default is none to disable this setting.</p>
</div>
</li>
<li>
<span class='name'>ssh_authorized_keys_command</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedKeysCommand setting for sshd_config. Default is none to disable this setting.</p>
</div>
</li>
<li>
<span class='name'>ssh_authorized_keys_command_user</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;nobody&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedKeysCommandUser setting for sshd_config. Default is nobody to use an unpriviledged user.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_specific_hostkey</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to use a specific host key</p>
</div>
</li>
<li>
<span class='name'>ssh_hostkey_type</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;rsa&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>type of host key to use if ssh_use_specific_hostkey is true</p>
</div>
</li>
<li>
<span class='name'>ssh_rekeylimit</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;default none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>RekeyLimit setting for sshd_config. Default is default none.</p>
</div>
</li>
<li>
<span class='name'>ssh_syslog_facility</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;AUTH&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>SyslogFacility setting for sshd_config. Default is AUTH.</p>
</div>
</li>
<li>
<span class='name'>ssh_log_level</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;INFO&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>LogLevel setting for sshd_config. Default is INFO.</p>
</div>
</li>
@@ -229,39 +535,60 @@
<pre class="lines">
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42</pre>
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 13</span>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 37</span>
class confdroid_ssh::params (
@@ -274,6 +601,25 @@ class confdroid_ssh::params (
String $ssh_fw_order = &#39;50&#39;,
String $ssh_source_range = &#39;0.0.0.0/0&#39;,
# sshd configuration
Boolean $ssh_manage_config = true,
String $ssh_address_family = &#39;any&#39;,
String $ssh_listen_address = &#39;0.0.0.0&#39;,
String $ssh_root_login = &#39;prohibit-password&#39;,
String $ssh_strict_modes = &#39;yes&#39;,
String $ssh_max_auth_tries = &#39;6&#39;,
String $ssh_max_sessions = &#39;10&#39;,
String $ssh_pubkey_auth = &#39;yes&#39;,
String $ssh_auth_key_files = &#39;.ssh/authorized_keys&#39;,
String $ssh_authorized_principals_file = &#39;none&#39;,
String $ssh_authorized_keys_command = &#39;none&#39;,
String $ssh_authorized_keys_command_user = &#39;nobody&#39;,
Boolean $ssh_use_specific_hostkey = false,
String $ssh_hostkey_type = &#39;rsa&#39;,
String $ssh_rekeylimit = &#39;default none&#39;,
String $ssh_syslog_facility = &#39;AUTH&#39;,
String $ssh_log_level = &#39;INFO&#39;
) {
# default facts
$fqdn = $facts[&#39;networking&#39;][&#39;fqdn&#39;]
@@ -287,6 +633,8 @@ class confdroid_ssh::params (
$sshd_service = &#39;sshd&#39;
$sshd_config_path = &quot;${ssh_etc_path}/sshd_config&quot;
$sshd_custom_path = &quot;${ssh_etc_path}/sshd_config.d&quot;
$sshd_custom_conf = &quot;${sshd_custom_path}/10-custom.conf&quot;
$sshd_custom_erb = &#39;confdroid_ssh/sshd_custom_conf.erb&#39;
$sshd_config_erb = &#39;confdroid_ssh/sshd_config.erb&#39;
$sshd_root_login_file = &quot;${sshd_custom_path}/01-permitrootlogin.conf&quot;


@@ -1,54 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8" />
<link rel="stylesheet" href="css/full_list.css" type="text/css" media="screen" />
<link rel="stylesheet" href="css/common.css" type="text/css" media="screen" />
<script type="text/javascript" charset="utf-8" src="js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="js/full_list.js"></script>
<title>Defined Type List</title>
<base id="base_target" target="_parent" />
</head>
<body>
<div id="content">
<div class="fixed_header">
<h1 id="full_list_header">Defined Type List</h1>
<div id="full_list_nav">
<span><a target="_self" href="puppet_class_list.html">
Puppet Classes
</a></span>
<span><a target="_self" href="puppet_defined_type_list.html">
Defined Types
</a></span>
</div>
<div id="search">Search: <input type="text" /></div>
</div>
<ul id="full_list" class="puppet_defined_type">
<li id="object_puppet_defined_types::confdroid_ssh::custom::custom_config" class="odd">
<div class="item">
<span class='object_link'><a href="puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html" title="puppet_defined_types::confdroid_ssh::custom::custom_config (puppet_defined_type)">confdroid_ssh::custom::custom_config</a></span>
</div>
</li>
</ul>
</div>
</body>
</html>


@@ -1,209 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Defined Type: confdroid_ssh::custom::custom_config
&mdash; Documentation by YARD 0.9.36
</title>
<link rel="stylesheet" href="../css/style.css" type="text/css" />
<link rel="stylesheet" href="../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "puppet_defined_types::confdroid_ssh::custom::custom_config";
relpath = '../';
</script>
<script type="text/javascript" charset="utf-8" src="../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../puppet_defined_type_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../_index.html">Index (c)</a> &raquo;
<span class='title'><span class='object_link'>Defined Types</span></span>
&raquo;
<span class="title">confdroid_ssh::custom::custom_config</span>
</div>
<div id="search">
<a class="full_list_link" id="puppet_class_list_link"
href="../puppet_class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Defined Type: confdroid_ssh::custom::custom_config</h1>
<div class="box_info">
<dl>
<dt>Defined in:</dt>
<dd>
manifests/custom/custom_config.pp
</dd>
</dl>
</div>
<h2>Summary</h2>
Class manages custom configurations for SSH
<h2>Overview</h2>
<div class="docstring">
<div class="discussion">
<p>confdroid_ssh::custom::custom_config.pp Module name: confdroid_ssh Author: 12ww1160 (12ww1160@confdroid.com) } this will create a file called /etc/ssh/sshd_config.d/50-test.conf with the content: PasswordAuthentication no and notify the sshd service to reload the configuration</p>
</div>
</div>
<div class="tags">
<div class="examples">
<p class="tag_title">Examples:</p>
<pre class="example code"><code>confdroid_ssh::custom::custom_config { &#39;50-test&#39;:
config_name =&gt; &#39;50-test&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],</code></pre>
</div>
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>config_name</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>name of the custom configuration file (without .conf extension)</p>
</div>
</li>
<li>
<span class='name'>config_content</span>
<span class='type'>(<tt>Array[String]</tt>)</span>
&mdash;
<div class='inline'>
<p>array of configuration lines to include in the custom config</p>
</div>
</li>
</ul>
</div><div class="method_details_list">
<table class="source_code">
<tr>
<td>
<pre class="lines">
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/custom/custom_config.pp', line 17</span>
define confdroid_ssh::custom::custom_config (
String $config_name,
Array[String] $config_content,
) {
$sshd_custom_path = $confdroid_ssh::params::sshd_custom_path
$sshd_service = $confdroid_ssh::params::sshd_service
$custom_config_erb = &#39;confdroid_ssh/custom_config.erb&#39;
$config_basename = regsubst($config_name, &#39;\\.conf$&#39;, &#39;&#39;)
$config_file = &quot;${config_name}.conf&quot;
file { &quot;${sshd_custom_path}/${config_file}&quot;:
ensure =&gt; file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0600&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,
seluser =&gt; system_u,
content =&gt; template($custom_config_erb),
notify =&gt; Service[$sshd_service],
}
}</pre>
</td>
</tr>
</table>
</div>
</div>
<div id="footer">
Generated by <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>.
</div>
</div>
</body>
</html>


@@ -1,41 +0,0 @@
## confdroid_ssh::custom::custom_config.pp
# Module name: confdroid_ssh
# Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class manages custom configurations for SSH
# @param [String] config_name name of the custom configuration file
# (without .conf extension)
# @param [Array[String]] config_content array of configuration lines to
# include in the custom config
# @example
# confdroid_ssh::custom::custom_config { '50-test':
# config_name => '50-test',
# config_content => ['PasswordAuthentication no'],
# }
# this will create a file called /etc/ssh/sshd_config.d/50-test.conf with the content:
# PasswordAuthentication no and notify the sshd service to reload the configuration
##############################################################################
define confdroid_ssh::custom::custom_config (
String $config_name,
Array[String] $config_content,
) {
$sshd_custom_path = $confdroid_ssh::params::sshd_custom_path
$sshd_service = $confdroid_ssh::params::sshd_service
$custom_config_erb = 'confdroid_ssh/custom_config.erb'
$config_basename = regsubst($config_name, '\\.conf$', '')
$config_file = "${config_name}.conf"
file { "${sshd_custom_path}/${config_file}":
ensure => file,
owner => 'root',
group => 'root',
mode => '0600',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template($custom_config_erb),
notify => Service[$sshd_service],
}
}


@@ -12,7 +12,7 @@ class confdroid_ssh::main::dirs (
path => $ssh_etc_path,
owner => $sshd_user,
group => $sshd_user,
mode => '0755',
mode => '0700',
selrange => s0,
selrole => object_r,
seltype => etc_t,
@@ -23,7 +23,7 @@ class confdroid_ssh::main::dirs (
ensure => directory,
owner => $sshd_user,
group => $sshd_user,
mode => '0755',
mode => '0700',
selrange => s0,
selrole => object_r,
seltype => etc_t,
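Review bot: If `0700` is the new mode on the first resource (`path => $ssh_etc_path`, i.e. the whole `/etc/ssh` tree), unprivileged users lose read access to `/etc/ssh/ssh_config`, `ssh_config.d/` and `ssh_known_hosts` regardless of those files' own modes, and the ssh client does not fail on an unreadable system config — it silently skips it, so on RHEL 9 the system-wide crypto policy pulled in via `ssh_config.d/50-redhat.conf` and any centrally distributed known-hosts entries stop applying to non-root logins. sshd itself reads its keys and config as root, so the tightening buys nothing on the server side; the directory should stay `mode => '0755'` and the restriction be applied to the private host keys and the drop-in directory (the second resource in this hunk, presumably `$sshd_custom_path`) instead. A one-line comment on the first resource, `# world-traversable: the ssh client needs ssh_config, ssh_config.d and ssh_known_hosts from here`, would stop the next hardening pass from repeating this. The class header of `confdroid_ssh::main::dirs` is outside the hunk.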


@@ -20,4 +20,27 @@ class confdroid_ssh::main::files (
content => template($sshd_config_erb),
notify => Service[$sshd_service],
}
if $ssh_manage_config {
file { $sshd_custom_conf:
ensure => file,
path => $sshd_custom_conf,
owner => $sshd_user,
group => $sshd_user,
mode => '0640',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template($sshd_custom_erb),
notify => Service[$sshd_service],
}
# we want the default root login setting to be managed by the custom conf,
# so we remove the default file if it exists
file { $sshd_root_login_file:
ensure => absent,
path => $sshd_root_login_file,
notify => Service[$sshd_service],
}
}
}
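Review bot: Removing only `01-permitrootlogin.conf` makes the managed drop-in authoritative by accident rather than by design: sshd keeps the first value it sees for each keyword, so any other `0*.conf` that sorts before `10-custom.conf` — dropped in by an admin, a package, or the installer recreating the file between Puppet runs — silently overrides every directive in the managed file, including `PermitRootLogin`. If these values are meant to win, give the file a name that sorts first (`$sshd_custom_conf = "${sshd_custom_path}/00-custom.conf"` in params.pp) rather than chasing individual files with `ensure => absent`. Whether the drop-in also wins over the main `sshd_config` depends on where `sshd_config.erb` places its `Include` line, which is not visible here; the template duplicates keywords the main config presumably also sets, so that ordering deserves a comment on the `file { $sshd_custom_conf:` resource, e.g. `# sshd uses the first value per keyword: this file must sort before every other *.conf and the Include must precede the body of sshd_config`. The class header of `confdroid_ssh::main::files` is outside the hunk.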


@@ -9,7 +9,31 @@
# @param [String] ssh_fw_port port to use for SSHD and in fw
# @param [String] ssh_fw_order order of firewall rule
# @param [String] ssh_source_range source range for firewall rule
###############################################################################
# @param [Boolean] ssh_manage_config whether to manage the configuration
# @param [String] ssh_address_family AddressFamily setting for sshd_config
# @param [String] ssh_listen_address ListenAddress setting for sshd_config
# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
# @param [String] ssh_strict_modes StrictModes setting for sshd_config
# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
# @param [String] ssh_max_sessions MaxSessions setting for sshd_config
# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile
# setting for sshd_config. Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config.
# Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
# Default is 'nobody' to use an unpriviledged user.
# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
# @param [String] ssh_hostkey_type type of host key to use if
# ssh_use_specific_hostkey is true
# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config.
# Default is 'default none'.
# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.
# Default is 'AUTH'.
# @param [String] ssh_log_level LogLevel setting for sshd_config.
# Default is 'INFO'.
##############################################################################
class confdroid_ssh::params (
Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],
@@ -21,6 +45,25 @@ class confdroid_ssh::params (
String $ssh_fw_order = '50',
String $ssh_source_range = '0.0.0.0/0',
# sshd configuration
Boolean $ssh_manage_config = true,
String $ssh_address_family = 'any',
String $ssh_listen_address = '0.0.0.0',
String $ssh_root_login = 'prohibit-password',
String $ssh_strict_modes = 'yes',
String $ssh_max_auth_tries = '6',
String $ssh_max_sessions = '10',
String $ssh_pubkey_auth = 'yes',
String $ssh_auth_key_files = '.ssh/authorized_keys',
String $ssh_authorized_principals_file = 'none',
String $ssh_authorized_keys_command = 'none',
String $ssh_authorized_keys_command_user = 'nobody',
Boolean $ssh_use_specific_hostkey = false,
String $ssh_hostkey_type = 'rsa',
String $ssh_rekeylimit = 'default none',
String $ssh_syslog_facility = 'AUTH',
String $ssh_log_level = 'INFO'
) {
# default facts
$fqdn = $facts['networking']['fqdn']
@@ -34,6 +77,8 @@ class confdroid_ssh::params (
$sshd_service = 'sshd'
$sshd_config_path = "${ssh_etc_path}/sshd_config"
$sshd_custom_path = "${ssh_etc_path}/sshd_config.d"
$sshd_custom_conf = "${sshd_custom_path}/10-custom.conf"
$sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb'
$sshd_config_erb = 'confdroid_ssh/sshd_config.erb'
$sshd_root_login_file = "${sshd_custom_path}/01-permitrootlogin.conf"
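Review bot: The new sshd parameters are typed as bare `String` even where sshd accepts only a fixed vocabulary or a number (`String $ssh_strict_modes = 'yes'`, `String $ssh_max_auth_tries = '6'`, `String $ssh_root_login = 'prohibit-password'`), and each value is interpolated verbatim into the drop-in, so a typo or a value carrying an embedded newline is not caught by the catalog but by sshd at the notified reload, which may leave the daemon unable to re-exec. Tightening them keeps today's string values working while failing early: `Enum['yes','no'] $ssh_strict_modes = 'yes'`, `Enum['yes','no','prohibit-password','forced-commands-only'] $ssh_root_login = 'prohibit-password'`, `Pattern[/\A\d+\z/] $ssh_max_auth_tries = '6'`, and likewise for the other yes/no, numeric and address-family parameters. Separately, the defaults `ssh_address_family = 'any'` and `ssh_listen_address = '0.0.0.0'` contradict each other: an explicit IPv4 `ListenAddress` binds only IPv4, so the `any` family is silently reduced to IPv4 unless a `::` listener is also emitted; either the `@param` comment should state this or the default should be changed. The class body continues past the hunk.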


@@ -1,8 +0,0 @@
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. Update the Puppet define input instead. #
###############################################################################
<% @config_content.each do |config_line| -%>
<%= config_line %>
<% end -%>


@@ -0,0 +1,31 @@
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. The file is built via parameters, so any changes should #
##### be made in the Puppet manifest parameters. #
###############################################################################
Port <%= @ssh_fw_port %>
AddressFamily <%= @ssh_address_family %>
ListenAddress <%= @ssh_listen_address %>
<% if @ssh_use_specific_hostkey -%>
HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
<% end -%>
RekeyLimit <%= @ssh_rekeylimit %>
SyslogFacility <%= @ssh_syslog_facility %>
LogLevel <%= @ssh_log_level %>
PermitRootLogin <%= @ssh_root_login %>
StrictModes <%= @ssh_strict_modes %>
MaxAuthTries <%= @ssh_max_auth_tries %>
MaxSessions <%= @ssh_max_sessions %>
PubkeyAuthentication <%= @ssh_pubkey_auth %>
AuthorizedKeysFile <%= @ssh_auth_key_files %>
AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>