confdroid/confdroid_ssh
1
0
Fork 0
Code Issues Projects Wiki Activity

Compare commits

base: confdroid:master
Branches Tags
confdroid:master
confdroid:1.0.1-04.2026 confdroid:1.0.0-04.2026
..
compare: confdroid:761f071573e1e418e5edc0411583fb009c5f5a23
Branches Tags
confdroid:master
confdroid:1.0.1-04.2026 confdroid:1.0.0-04.2026

1 Commits
master ... 761f071573

Author SHA1 Message Date
Jenkins
761f071573 Merge branch 'jenkins-build-23' into 'master' 
Auto-merge for build 23

See merge request puppet/confdroid_ssh!23
 2026-04-13 15:53:13 +02:00
18 changed files with 938 additions and 589 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -2,5 +2,4 @@
Gemfile.lock Gemfile.lock
FileList FileList
.scannerwork .scannerwork
.vscode .vscode
.puppet-lint.rc

130
Jenkinsfile vendored
View File

@@ -1,130 +0,0 @@
pipeline {
agent {
label 'puppet'
}
post {
always {
deleteDir() /* clean up our workspace */
}
success {
updateGitlabCommitStatus state: 'success'
}
failure {
updateGitlabCommitStatus state: 'failed'
step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
}
}
options {
gitLabConnection('gitlab.confdroid.com')
}
stages {
stage('pull master') {
steps {
sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
sh '''
git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com
git fetch origin
source_branch="${gitlabSourceBranch:-${BRANCH_NAME:-${GIT_LOCAL_BRANCH:-$GIT_BRANCH}}}"
source_branch="${source_branch#origin/}"
source_branch="${source_branch#refs/heads/}"
if [ -z "$source_branch" ]; then
source_branch="development"
fi
echo "Using source branch: $source_branch"
# Create an isolated build branch from the triggering branch revision.
git checkout -B jenkins-build-$BUILD_NUMBER "origin/$source_branch"
# Merge the current master into the build branch before validation.
git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
'''
}
}
}
stage('puppet parser') {
steps {
sh '''for file in $(find . -iname \'*.pp\'); do
/opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
done;'''
}
}
stage('check templates') {
steps{
sh '''for file in $(find . -iname \'*.erb\');
do erb -P -x -T "-" $file | ruby -c || exit 1;
done;'''
}
}
stage('puppet-lint') {
steps {
sh '''/usr/local/bin/puppet-lint . \\
--no-variable_scope-check \\
|| { echo "Puppet lint failed"; exit 1; }
'''
}
}
stage('SonarScan') {
steps {
withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
sh '''
/opt/sonar-scanner/bin/sonar-scanner \
-Dsonar.projectKey=confdroid_ssh \
-Dsonar.sources=. \
-Dsonar.host.url=https://sonarqube.confdroid.com \
-Dsonar.token=$SONAR_TOKEN
'''
}
}
}
stage('create Puppet documentation') {
steps {
sh '/opt/puppetlabs/bin/puppet strings'
}
}
stage('update repo') {
steps {
sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
sh '''
git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com
git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
git fetch origin
git checkout -B master origin/master
git merge --no-ff jenkins-build-$BUILD_NUMBER -m "Merge build $BUILD_NUMBER into master"
git push origin master
'''
}
}
}
stage('Mirror to Gitea') {
steps {
withCredentials([usernamePassword(
credentialsId: 'Jenkins-gitea',
usernameVariable: 'GITEA_USER',
passwordVariable: 'GITEA_TOKEN')]) {
script {
sh '''
git fetch origin
git checkout master
git reset --hard origin/master
git remote get-url master >/dev/null 2>&1 \
&& git remote set-url master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git \
|| git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git
git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
push --force master refs/heads/master:refs/heads/master
'''
}
}
}
}
}
}

32
README.md
View File

@@ -7,7 +7,6 @@
- [Synopsis](#synopsis) - [Synopsis](#synopsis)
- [WARNING](#warning) - [WARNING](#warning)
- [Features](#features) - [Features](#features)
- [Adding custom configurations](#adding-custom-configurations)
- [Support](#support) - [Support](#support)
- [Parameter Inheritance](#parameter-inheritance) - [Parameter Inheritance](#parameter-inheritance)
- [Module Deployment](#module-deployment) - [Module Deployment](#module-deployment)
@@ -26,34 +25,11 @@
## Features ## Features
- install required binaries - install required binaries
- manage required files and directories including selinux context - manage local custom configuration based on parameters, overriding the defaults
- manage selinux rules
- manage service - manage service
- (optional) manage firewall - (optional) manage firewall
## Adding custom configurations
Custom configuration files live in `/etc/ssh/sshd_config.d/`. IN order to create a custom config file, add a stanza like this in your control repo:
```puppet
confdroid_ssh::custom::custom_config { '30-my-custom-rule':
config_name => '30-custom-rule',
config_content => ['PasswordAuthentication no'],
}
```
This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:
```puppet
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. Update the Puppet define input instead. #
###############################################################################
PasswordAuthentication no
```
Note that the value for config_content **has to be an array**, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.
## Support ## Support
- Rocky 9 (Any RHEL 9 based OS should work but has not been tested) - Rocky 9 (Any RHEL 9 based OS should work but has not been tested)
@@ -65,7 +41,7 @@ All parameters are listed in `params.pp` and inherited from there. Variable par
## Module Deployment ## Module Deployment
Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it. ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it.
## Tests ## Tests

24
doc/_index.html
View File

@@ -122,30 +122,6 @@
<h2>Defined Type Listing A-Z</h2>
<table>
<tr>
<td valign='top' width="33%">
<ul id="alpha_C" class="alpha">
<li class="letter">C</li>
<ul>
<li>
<span class='object_link'><a href="puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html" title="puppet_defined_types::confdroid_ssh::custom::custom_config (puppet_defined_type)">confdroid_ssh::custom::custom_config</a></span>
</li>
</ul>
</ul>
</td>
</tr>
</table>

30
doc/file.README.html
View File

@@ -70,8 +70,6 @@
</li><li> </li><li>
<p><a href="#features">Features</a></p> <p><a href="#features">Features</a></p>
</li><li> </li><li>
<p><a href="#adding-custom-configurations">Adding custom configurations</a></p>
</li><li>
<p><a href="#support">Support</a></p> <p><a href="#support">Support</a></p>
</li><li> </li><li>
<p><a href="#parameter-inheritance">Parameter Inheritance</a></p> <p><a href="#parameter-inheritance">Parameter Inheritance</a></p>
@@ -99,35 +97,15 @@
<ul><li> <ul><li>
<p>install required binaries</p> <p>install required binaries</p>
</li><li> </li><li>
<p>manage required files and directories including selinux context</p> <p>manage local custom configuration based on parameters, overriding the defaults</p>
</li><li>
<p>manage selinux rules</p>
</li><li> </li><li>
<p>manage service</p> <p>manage service</p>
</li><li> </li><li>
<p>(optional) manage firewall</p> <p>(optional) manage firewall</p>
</li></ul> </li></ul>
<h2 id="label-Adding+custom+configurations">Adding custom configurations</h2>
<p>Custom configuration files live in <code>/etc/ssh/sshd_config.d/</code>. IN order to create a custom config file, add a stanza like this in your control repo:</p>
<pre class="code ruby"><code class="ruby">confdroid_ssh::custom::custom_config { &#39;30-my-custom-rule&#39;:
config_name =&gt; &#39;30-custom-rule&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],
}
</code></pre>
<p>This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:</p>
<pre class="code ruby"><code class="ruby"><span class='comment'>###############################################################################
</span><span class='comment'>##### DO NOT EDIT THIS FILE MANUALLY #
</span><span class='comment'>##### This file is managed by Puppet. Any changes to this file will be #
</span><span class='comment'>##### overwritten. Update the Puppet define input instead. #
</span><span class='comment'>###############################################################################
</span><span class='const'>PasswordAuthentication</span> <span class='id identifier rubyid_no'>no</span>
</code></pre>
<p>Note that the value for config_content <strong>has to be an array</strong>, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.</p>
<h2 id="label-Support">Support</h2> <h2 id="label-Support">Support</h2>
<ul><li> <ul><li>
<p>Rocky 9 (Any RHEL 9 based OS should work but has not been tested)</p> <p>Rocky 9 (Any RHEL 9 based OS should work but has not been tested)</p>
@@ -141,7 +119,7 @@
<h2 id="label-Module+Deployment">Module Deployment</h2> <h2 id="label-Module+Deployment">Module Deployment</h2>
<p>Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p> <p>ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
<h2 id="label-Tests">Tests</h2> <h2 id="label-Tests">Tests</h2>
<ul><li> <ul><li>

30
doc/index.html
View File

@@ -70,8 +70,6 @@
</li><li> </li><li>
<p><a href="#features">Features</a></p> <p><a href="#features">Features</a></p>
</li><li> </li><li>
<p><a href="#adding-custom-configurations">Adding custom configurations</a></p>
</li><li>
<p><a href="#support">Support</a></p> <p><a href="#support">Support</a></p>
</li><li> </li><li>
<p><a href="#parameter-inheritance">Parameter Inheritance</a></p> <p><a href="#parameter-inheritance">Parameter Inheritance</a></p>
@@ -99,35 +97,15 @@
<ul><li> <ul><li>
<p>install required binaries</p> <p>install required binaries</p>
</li><li> </li><li>
<p>manage required files and directories including selinux context</p> <p>manage local custom configuration based on parameters, overriding the defaults</p>
</li><li>
<p>manage selinux rules</p>
</li><li> </li><li>
<p>manage service</p> <p>manage service</p>
</li><li> </li><li>
<p>(optional) manage firewall</p> <p>(optional) manage firewall</p>
</li></ul> </li></ul>
<h2 id="label-Adding+custom+configurations">Adding custom configurations</h2>
<p>Custom configuration files live in <code>/etc/ssh/sshd_config.d/</code>. IN order to create a custom config file, add a stanza like this in your control repo:</p>
<pre class="code ruby"><code class="ruby">confdroid_ssh::custom::custom_config { &#39;30-my-custom-rule&#39;:
config_name =&gt; &#39;30-custom-rule&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],
}
</code></pre>
<p>This will create a file /etc/ssh/sshd_config.d/30-custom-rule.conf with this content:</p>
<pre class="code ruby"><code class="ruby"><span class='comment'>###############################################################################
</span><span class='comment'>##### DO NOT EDIT THIS FILE MANUALLY #
</span><span class='comment'>##### This file is managed by Puppet. Any changes to this file will be #
</span><span class='comment'>##### overwritten. Update the Puppet define input instead. #
</span><span class='comment'>###############################################################################
</span><span class='const'>PasswordAuthentication</span> <span class='id identifier rubyid_no'>no</span>
</code></pre>
<p>Note that the value for config_content <strong>has to be an array</strong>, even if only one key pair is in there. This field is designed to hold multiple values, which create one line in the config file each.</p>
<h2 id="label-Support">Support</h2> <h2 id="label-Support">Support</h2>
<ul><li> <ul><li>
<p>Rocky 9 (Any RHEL 9 based OS should work but has not been tested)</p> <p>Rocky 9 (Any RHEL 9 based OS should work but has not been tested)</p>
@@ -141,7 +119,7 @@
<h2 id="label-Module+Deployment">Module Deployment</h2> <h2 id="label-Module+Deployment">Module Deployment</h2>
<p>Almost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p> <p>ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes <a href="https://www.theforeman.org/manuals/3.13/quickstart_guide.html">Foreman</a> as ENC, so the modules just have to be present on the master node and Foreman will take care for it.</p>
<h2 id="label-Tests">Tests</h2> <h2 id="label-Tests">Tests</h2>
<ul><li> <ul><li>

4
doc/puppet_class_list.html
View File

@@ -28,10 +28,6 @@
Puppet Classes Puppet Classes
</a></span> </a></span>
<span><a target="_self" href="puppet_defined_type_list.html">
Defined Types
</a></span>
</div> </div>
<div id="search">Search: <input type="text" /></div> <div id="search">Search: <input type="text" /></div>

4
doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Adirs.html
View File

@@ -141,7 +141,7 @@ class confdroid_ssh::main::dirs (
path =&gt; $ssh_etc_path, path =&gt; $ssh_etc_path,
owner =&gt; $sshd_user, owner =&gt; $sshd_user,
group =&gt; $sshd_user, group =&gt; $sshd_user,
mode =&gt; &#39;0755&#39;, mode =&gt; &#39;0700&#39;,
selrange =&gt; s0, selrange =&gt; s0,
selrole =&gt; object_r, selrole =&gt; object_r,
seltype =&gt; etc_t, seltype =&gt; etc_t,
@@ -152,7 +152,7 @@ class confdroid_ssh::main::dirs (
ensure =&gt; directory, ensure =&gt; directory,
owner =&gt; $sshd_user, owner =&gt; $sshd_user,
group =&gt; $sshd_user, group =&gt; $sshd_user,
mode =&gt; &#39;0755&#39;, mode =&gt; &#39;0700&#39;,
selrange =&gt; s0, selrange =&gt; s0,
selrole =&gt; object_r, selrole =&gt; object_r,
seltype =&gt; etc_t, seltype =&gt; etc_t,

48
doc/puppet_classes/confdroid_ssh_3A_3Amain_3A_3Afiles.html
View File

@@ -118,7 +118,30 @@
20 20
21 21
22 22
23</pre> 23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46</pre>
</td> </td>
<td> <td>
<pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span> <pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -140,6 +163,29 @@ class confdroid_ssh::main::files (
content =&gt; template($sshd_config_erb), content =&gt; template($sshd_config_erb),
notify =&gt; Service[$sshd_service], notify =&gt; Service[$sshd_service],
} }
if $ssh_manage_config {
file { $sshd_custom_conf:
ensure =&gt; file,
path =&gt; $sshd_custom_conf,
owner =&gt; $sshd_user,
group =&gt; $sshd_user,
mode =&gt; &#39;0640&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,
seluser =&gt; system_u,
content =&gt; template($sshd_custom_erb),
notify =&gt; Service[$sshd_service],
}
# we want the default root login setting to be managed by the custom conf,
# so we remove the default file if it exists
file { $sshd_root_login_file:
ensure =&gt; absent,
path =&gt; $sshd_root_login_file,
notify =&gt; Service[$sshd_service],
}
}
}</pre> }</pre>
</td> </td>
</tr> </tr>

710
doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
View File

@@ -214,6 +214,582 @@
&mdash; &mdash;
<div class='inline'> <div class='inline'>
<p>source range for firewall rule</p> <p>source range for firewall rule</p>
</div>
</li>
<li>
<span class='name'>ssh_manage_config</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>true</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to manage the configuration</p>
</div>
</li>
<li>
<span class='name'>ssh_address_family</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;any&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AddressFamily setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_listen_address</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;0.0.0.0&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>ListenAddress setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_root_login</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;prohibit-password&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>PermitRootLogin setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_strict_modes</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>StrictModes setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_max_auth_tries</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;6&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>MaxAuthTries setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_max_sessions</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;10&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>MaxSessions setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_pubkey_auth</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>PubkeyAuthentication setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_auth_key_files</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;.ssh/authorized_keys&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedKeysFile setting for sshd_config</p>
</div>
</li>
<li>
<span class='name'>ssh_authorized_principals_file</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedPrincipalsFile setting for sshd_config. Default is none to disable this setting.</p>
</div>
</li>
<li>
<span class='name'>ssh_authorized_keys_command</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedKeysCommand setting for sshd_config. Default is none to disable this setting.</p>
</div>
</li>
<li>
<span class='name'>ssh_authorized_keys_command_user</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;nobody&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>AuthorizedKeysCommandUser setting for sshd_config. Default is nobody to use an unpriviledged user.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_specific_hostkey</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to use a specific host key</p>
</div>
</li>
<li>
<span class='name'>ssh_hostkey_type</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;rsa&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>type of host key to use if ssh_use_specific_hostkey is true</p>
</div>
</li>
<li>
<span class='name'>ssh_rekeylimit</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;default none&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>RekeyLimit setting for sshd_config. Default is default none.</p>
</div>
</li>
<li>
<span class='name'>ssh_syslog_facility</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;AUTH&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>SyslogFacility setting for sshd_config. Default is AUTH.</p>
</div>
</li>
<li>
<span class='name'>ssh_log_level</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;INFO&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>LogLevel setting for sshd_config. Default is INFO.</p>
</div>
</li>
<li>
<span class='name'>ssh_password_authentication</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>PasswordAuthentication setting for sshd_config. Default is no, which requires key-based authentication. This is a recommended security setting, so passwords do not show up in logs, but can be set to yes if password authentication is desired.</p>
</div>
</li>
<li>
<span class='name'>ssh_permit_empty_passwords</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>PermitEmptyPasswords setting for sshd_config. Default is no, which is a recommended security setting and works in connection with key-based authentication, but can be set to yes if password authentication should be allowed and empty passwords should be allowed. Again, this should be used with caution if enabled.</p>
</div>
</li>
<li>
<span class='name'>ssh_kbd_interactive_auth</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no, which is a recommended security setting together with password authentication, but can be set to yes if keyboard-interactive authentication should be allowed. (not recommended)</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_authentication</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. Kerberos authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to yes if desired.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_or_local_passwd</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to allow local password authentication as a fallback if Kerberos authentication fails, but can be set to no if you want to only allow Kerberos authentication.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_ticket_cleanup</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to enable ticket cleanup, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_get_afstoken</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to enable AFS token retrieval, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_use_kuserok</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to enable userok with Kerberos, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_kerberos</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to use Kerberos authentication. If true, the relevant Kerberos settings will be included in the sshd_config, otherwise they will be ignored.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_gssapi</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to use GSSAPI authentication. If true, GSSAPI authentication will be enabled in sshd_config, otherwise it will be disabled. GSSAPI authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to true if desired.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_authentication</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSS authentication, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_cleanup_credentials</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSS credential cleanup, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_key_exchange</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSS key exchange.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_enablek5users</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSSAPI for k5users.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_pam</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. PAM is not commonly used for SSH authentication and can introduce security risks if not configured properly, so it is disabled by default. Thi setting is related to PasswordAuthentication and KbdInteractiveAuthentication, and should be set to yes only if you want to use PAM for authentication together with those settings.</p>
</div> </div>
</li> </li>
@@ -229,39 +805,75 @@
<pre class="lines"> <pre class="lines">
13 99
14 100
15 101
16 102
17 103
18 104
19 105
20 106
21 107
22 108
23 109
24 110
25 111
26 112
27 113
28 114
29 115
30 116
31 117
32 118
33 119
34 120
35 121
36 122
37 123
38 124
39 125
40 126
41 127
42</pre> 128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164</pre>
</td> </td>
<td> <td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 13</span> <pre class="code"><span class="info file"># File 'manifests/params.pp', line 99</span>
class confdroid_ssh::params ( class confdroid_ssh::params (
@@ -274,6 +886,40 @@ class confdroid_ssh::params (
String $ssh_fw_order = &#39;50&#39;, String $ssh_fw_order = &#39;50&#39;,
String $ssh_source_range = &#39;0.0.0.0/0&#39;, String $ssh_source_range = &#39;0.0.0.0/0&#39;,
# sshd configuration
Boolean $ssh_manage_config = true,
String $ssh_address_family = &#39;any&#39;,
String $ssh_listen_address = &#39;0.0.0.0&#39;,
String $ssh_root_login = &#39;prohibit-password&#39;,
String $ssh_strict_modes = &#39;yes&#39;,
String $ssh_max_auth_tries = &#39;6&#39;,
String $ssh_max_sessions = &#39;10&#39;,
String $ssh_pubkey_auth = &#39;yes&#39;,
String $ssh_auth_key_files = &#39;.ssh/authorized_keys&#39;,
String $ssh_authorized_principals_file = &#39;none&#39;,
String $ssh_authorized_keys_command = &#39;none&#39;,
String $ssh_authorized_keys_command_user = &#39;nobody&#39;,
Boolean $ssh_use_specific_hostkey = false,
String $ssh_hostkey_type = &#39;rsa&#39;,
String $ssh_rekeylimit = &#39;default none&#39;,
String $ssh_syslog_facility = &#39;AUTH&#39;,
String $ssh_log_level = &#39;INFO&#39;,
String $ssh_password_authentication = &#39;no&#39;,
String $ssh_permit_empty_passwords = &#39;no&#39;,
String $ssh_kbd_interactive_auth = &#39;no&#39;,
Boolean $ssh_use_kerberos = false,
String $ssh_kerberos_authentication = &#39;yes&#39;,
String $ssh_kerberos_or_local_passwd = &#39;yes&#39;,
String $ssh_kerberos_ticket_cleanup = &#39;yes&#39;,
String $ssh_kerberos_get_afstoken = &#39;no&#39;,
String $ssh_kerberos_use_kuserok = &#39;yes&#39;,
Boolean $ssh_use_gssapi = false,
String $ssh_gssapi_authentication = &#39;yes&#39;,
String $ssh_gssapi_cleanup_credentials = &#39;yes&#39;,
String $ssh_gssapi_key_exchange = &#39;no&#39;,
String $ssh_gssapi_enablek5users = &#39;no&#39;,
String $ssh_use_pam = &#39;no&#39;,
) { ) {
# default facts # default facts
$fqdn = $facts[&#39;networking&#39;][&#39;fqdn&#39;] $fqdn = $facts[&#39;networking&#39;][&#39;fqdn&#39;]
@@ -287,6 +933,8 @@ class confdroid_ssh::params (
$sshd_service = &#39;sshd&#39; $sshd_service = &#39;sshd&#39;
$sshd_config_path = &quot;${ssh_etc_path}/sshd_config&quot; $sshd_config_path = &quot;${ssh_etc_path}/sshd_config&quot;
$sshd_custom_path = &quot;${ssh_etc_path}/sshd_config.d&quot; $sshd_custom_path = &quot;${ssh_etc_path}/sshd_config.d&quot;
$sshd_custom_conf = &quot;${sshd_custom_path}/10-custom.conf&quot;
$sshd_custom_erb = &#39;confdroid_ssh/sshd_custom_conf.erb&#39;
$sshd_config_erb = &#39;confdroid_ssh/sshd_config.erb&#39; $sshd_config_erb = &#39;confdroid_ssh/sshd_config.erb&#39;
$sshd_root_login_file = &quot;${sshd_custom_path}/01-permitrootlogin.conf&quot; $sshd_root_login_file = &quot;${sshd_custom_path}/01-permitrootlogin.conf&quot;

54
doc/puppet_defined_type_list.html
View File

@@ -1,54 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8" />
<link rel="stylesheet" href="css/full_list.css" type="text/css" media="screen" />
<link rel="stylesheet" href="css/common.css" type="text/css" media="screen" />
<script type="text/javascript" charset="utf-8" src="js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="js/full_list.js"></script>
<title>Defined Type List</title>
<base id="base_target" target="_parent" />
</head>
<body>
<div id="content">
<div class="fixed_header">
<h1 id="full_list_header">Defined Type List</h1>
<div id="full_list_nav">
<span><a target="_self" href="puppet_class_list.html">
Puppet Classes
</a></span>
<span><a target="_self" href="puppet_defined_type_list.html">
Defined Types
</a></span>
</div>
<div id="search">Search: <input type="text" /></div>
</div>
<ul id="full_list" class="puppet_defined_type">
<li id="object_puppet_defined_types::confdroid_ssh::custom::custom_config" class="odd">
<div class="item">
<span class='object_link'><a href="puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html" title="puppet_defined_types::confdroid_ssh::custom::custom_config (puppet_defined_type)">confdroid_ssh::custom::custom_config</a></span>
</div>
</li>
</ul>
</div>
</body>
</html>

209
doc/puppet_defined_types/confdroid_ssh_3A_3Acustom_3A_3Acustom_config.html
View File

@@ -1,209 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Defined Type: confdroid_ssh::custom::custom_config
&mdash; Documentation by YARD 0.9.36
</title>
<link rel="stylesheet" href="../css/style.css" type="text/css" />
<link rel="stylesheet" href="../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "puppet_defined_types::confdroid_ssh::custom::custom_config";
relpath = '../';
</script>
<script type="text/javascript" charset="utf-8" src="../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../puppet_defined_type_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../_index.html">Index (c)</a> &raquo;
<span class='title'><span class='object_link'>Defined Types</span></span>
&raquo;
<span class="title">confdroid_ssh::custom::custom_config</span>
</div>
<div id="search">
<a class="full_list_link" id="puppet_class_list_link"
href="../puppet_class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Defined Type: confdroid_ssh::custom::custom_config</h1>
<div class="box_info">
<dl>
<dt>Defined in:</dt>
<dd>
manifests/custom/custom_config.pp
</dd>
</dl>
</div>
<h2>Summary</h2>
Class manages custom configurations for SSH
<h2>Overview</h2>
<div class="docstring">
<div class="discussion">
<p>confdroid_ssh::custom::custom_config.pp Module name: confdroid_ssh Author: 12ww1160 (12ww1160@confdroid.com) } this will create a file called /etc/ssh/sshd_config.d/50-test.conf with the content: PasswordAuthentication no and notify the sshd service to reload the configuration</p>
</div>
</div>
<div class="tags">
<div class="examples">
<p class="tag_title">Examples:</p>
<pre class="example code"><code>confdroid_ssh::custom::custom_config { &#39;50-test&#39;:
config_name =&gt; &#39;50-test&#39;,
config_content =&gt; [&#39;PasswordAuthentication no&#39;],</code></pre>
</div>
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>config_name</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>name of the custom configuration file (without .conf extension)</p>
</div>
</li>
<li>
<span class='name'>config_content</span>
<span class='type'>(<tt>Array[String]</tt>)</span>
&mdash;
<div class='inline'>
<p>array of configuration lines to include in the custom config</p>
</div>
</li>
</ul>
</div><div class="method_details_list">
<table class="source_code">
<tr>
<td>
<pre class="lines">
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/custom/custom_config.pp', line 17</span>
define confdroid_ssh::custom::custom_config (
String $config_name,
Array[String] $config_content,
) {
$sshd_custom_path = $confdroid_ssh::params::sshd_custom_path
$sshd_service = $confdroid_ssh::params::sshd_service
$custom_config_erb = &#39;confdroid_ssh/custom_config.erb&#39;
$config_basename = regsubst($config_name, &#39;\\.conf$&#39;, &#39;&#39;)
$config_file = &quot;${config_name}.conf&quot;
file { &quot;${sshd_custom_path}/${config_file}&quot;:
ensure =&gt; file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0600&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; etc_t,
seluser =&gt; system_u,
content =&gt; template($custom_config_erb),
notify =&gt; Service[$sshd_service],
}
}</pre>
</td>
</tr>
</table>
</div>
</div>
<div id="footer">
Generated by <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>.
</div>
</div>
</body>
</html>

41
manifests/custom/custom_config.pp
View File

@@ -1,41 +0,0 @@
## confdroid_ssh::custom::custom_config.pp
# Module name: confdroid_ssh
# Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class manages custom configurations for SSH
# @param [String] config_name name of the custom configuration file
# (without .conf extension)
# @param [Array[String]] config_content array of configuration lines to
# include in the custom config
# @example
# confdroid_ssh::custom::custom_config { '50-test':
# config_name => '50-test',
# config_content => ['PasswordAuthentication no'],
# }
# this will create a file called /etc/ssh/sshd_config.d/50-test.conf with the content:
# PasswordAuthentication no and notify the sshd service to reload the configuration
##############################################################################
define confdroid_ssh::custom::custom_config (
String $config_name,
Array[String] $config_content,
) {
$sshd_custom_path = $confdroid_ssh::params::sshd_custom_path
$sshd_service = $confdroid_ssh::params::sshd_service
$custom_config_erb = 'confdroid_ssh/custom_config.erb'
$config_basename = regsubst($config_name, '\\.conf$', '')
$config_file = "${config_name}.conf"
file { "${sshd_custom_path}/${config_file}":
ensure => file,
owner => 'root',
group => 'root',
mode => '0600',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template($custom_config_erb),
notify => Service[$sshd_service],
}
}

4
manifests/main/dirs.pp
View File

@@ -12,7 +12,7 @@ class confdroid_ssh::main::dirs (
path => $ssh_etc_path, path => $ssh_etc_path,
owner => $sshd_user, owner => $sshd_user,
group => $sshd_user, group => $sshd_user,
mode => '0755', mode => '0700',
selrange => s0, selrange => s0,
selrole => object_r, selrole => object_r,
seltype => etc_t, seltype => etc_t,
@@ -23,7 +23,7 @@ class confdroid_ssh::main::dirs (
ensure => directory, ensure => directory,
owner => $sshd_user, owner => $sshd_user,
group => $sshd_user, group => $sshd_user,
mode => '0755', mode => '0700',
selrange => s0, selrange => s0,
selrole => object_r, selrole => object_r,
seltype => etc_t, seltype => etc_t,

23
manifests/main/files.pp
View File

@@ -20,4 +20,27 @@ class confdroid_ssh::main::files (
content => template($sshd_config_erb), content => template($sshd_config_erb),
notify => Service[$sshd_service], notify => Service[$sshd_service],
} }
if $ssh_manage_config {
file { $sshd_custom_conf:
ensure => file,
path => $sshd_custom_conf,
owner => $sshd_user,
group => $sshd_user,
mode => '0640',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template($sshd_custom_erb),
notify => Service[$sshd_service],
}
# we want the default root login setting to be managed by the custom conf,
# so we remove the default file if it exists
file { $sshd_root_login_file:
ensure => absent,
path => $sshd_root_login_file,
notify => Service[$sshd_service],
}
}
} }

124
manifests/params.pp
View File

@@ -9,7 +9,93 @@
# @param [String] ssh_fw_port port to use for SSHD and in fw # @param [String] ssh_fw_port port to use for SSHD and in fw
# @param [String] ssh_fw_order order of firewall rule # @param [String] ssh_fw_order order of firewall rule
# @param [String] ssh_source_range source range for firewall rule # @param [String] ssh_source_range source range for firewall rule
############################################################################### # @param [Boolean] ssh_manage_config whether to manage the configuration
# @param [String] ssh_address_family AddressFamily setting for sshd_config
# @param [String] ssh_listen_address ListenAddress setting for sshd_config
# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
# @param [String] ssh_strict_modes StrictModes setting for sshd_config
# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
# @param [String] ssh_max_sessions MaxSessions setting for sshd_config
# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile
# setting for sshd_config. Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config.
# Default is 'none' to disable this setting.
# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
# Default is 'nobody' to use an unpriviledged user.
# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
# @param [String] ssh_hostkey_type type of host key to use if
# ssh_use_specific_hostkey is true
# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config.
# Default is 'default none'.
# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.
# Default is 'AUTH'.
# @param [String] ssh_log_level LogLevel setting for sshd_config.
# Default is 'INFO'.
# @param [String] ssh_password_authentication PasswordAuthentication setting
# for sshd_config. Default is 'no', which requires key-based authentication.
# This is a recommended security setting, so passwords do not show up in logs,
# but can be set to 'yes' if password authentication is desired.
# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting
# for sshd_config. Default is 'no', which is a recommended security setting
# and works in connection with key-based authentication, but can be set
# to 'yes' if password authentication should be allowed and empty passwords
# should be allowed. Again, this should be used with caution if enabled.
# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
# Default is 'no', which is a recommended security setting together
# with password authentication, but can be set to 'yes' if
# keyboard-interactive authentication should be allowed. (not recommended)
# @param [String] ssh_kerberos_authentication setting for sshd_config.
# Default is 'no'. Kerberos authentication is not commonly used and
# requires a lot of other settings, so it is disabled by default, but can be
# set to 'yes' if desired.
# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication is
# enabled, and should be set to 'yes' if you want to allow local password
# authentication as a fallback if Kerberos authentication fails, but can be
# set to 'no' if you want to only allow Kerberos authentication.
# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable userok with
# Kerberos, but can be set to 'no' if you want to disable it.
# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
# If true, the relevant Kerberos settings will be included in the sshd_config,
# otherwise they will be ignored.
# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
# will be disabled. GSSAPI authentication is not commonly used and requires
# a lot of other settings, so it is disabled by default, but can be set to
# true if desired.
# @param [String] ssh_gssapi_authentication setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS authentication,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS credential
# cleanup, but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS key exchange.
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
# commonly used for SSH authentication and can introduce security risks if
# not configured properly, so it is disabled by default. Thi setting is
# related to PasswordAuthentication and KbdInteractiveAuthentication, and
# should be set to 'yes' only if you want to use PAM for authentication
# together with those settings.
##############################################################################
class confdroid_ssh::params ( class confdroid_ssh::params (
Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'], Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],
@@ -21,6 +107,40 @@ class confdroid_ssh::params (
String $ssh_fw_order = '50', String $ssh_fw_order = '50',
String $ssh_source_range = '0.0.0.0/0', String $ssh_source_range = '0.0.0.0/0',
# sshd configuration
Boolean $ssh_manage_config = true,
String $ssh_address_family = 'any',
String $ssh_listen_address = '0.0.0.0',
String $ssh_root_login = 'prohibit-password',
String $ssh_strict_modes = 'yes',
String $ssh_max_auth_tries = '6',
String $ssh_max_sessions = '10',
String $ssh_pubkey_auth = 'yes',
String $ssh_auth_key_files = '.ssh/authorized_keys',
String $ssh_authorized_principals_file = 'none',
String $ssh_authorized_keys_command = 'none',
String $ssh_authorized_keys_command_user = 'nobody',
Boolean $ssh_use_specific_hostkey = false,
String $ssh_hostkey_type = 'rsa',
String $ssh_rekeylimit = 'default none',
String $ssh_syslog_facility = 'AUTH',
String $ssh_log_level = 'INFO',
String $ssh_password_authentication = 'no',
String $ssh_permit_empty_passwords = 'no',
String $ssh_kbd_interactive_auth = 'no',
Boolean $ssh_use_kerberos = false,
String $ssh_kerberos_authentication = 'yes',
String $ssh_kerberos_or_local_passwd = 'yes',
String $ssh_kerberos_ticket_cleanup = 'yes',
String $ssh_kerberos_get_afstoken = 'no',
String $ssh_kerberos_use_kuserok = 'yes',
Boolean $ssh_use_gssapi = false,
String $ssh_gssapi_authentication = 'yes',
String $ssh_gssapi_cleanup_credentials = 'yes',
String $ssh_gssapi_key_exchange = 'no',
String $ssh_gssapi_enablek5users = 'no',
String $ssh_use_pam = 'no',
) { ) {
# default facts # default facts
$fqdn = $facts['networking']['fqdn'] $fqdn = $facts['networking']['fqdn']
@@ -34,6 +154,8 @@ class confdroid_ssh::params (
$sshd_service = 'sshd' $sshd_service = 'sshd'
$sshd_config_path = "${ssh_etc_path}/sshd_config" $sshd_config_path = "${ssh_etc_path}/sshd_config"
$sshd_custom_path = "${ssh_etc_path}/sshd_config.d" $sshd_custom_path = "${ssh_etc_path}/sshd_config.d"
$sshd_custom_conf = "${sshd_custom_path}/10-custom.conf"
$sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb'
$sshd_config_erb = 'confdroid_ssh/sshd_config.erb' $sshd_config_erb = 'confdroid_ssh/sshd_config.erb'
$sshd_root_login_file = "${sshd_custom_path}/01-permitrootlogin.conf" $sshd_root_login_file = "${sshd_custom_path}/01-permitrootlogin.conf"

8
templates/custom_config.erb
View File

@@ -1,8 +0,0 @@
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. Update the Puppet define input instead. #
###############################################################################
<% @config_content.each do |config_line| -%>
<%= config_line %>
<% end -%>

49
templates/sshd_custom_conf.erb Normal file
View File

@@ -0,0 +1,49 @@
###############################################################################
##### DO NOT EDIT THIS FILE MANUALLY #
##### This file is managed by Puppet. Any changes to this file will be #
##### overwritten. The file is built via parameters, so any changes should #
##### be made in the Puppet manifest parameters. #
###############################################################################
Port <%= @ssh_fw_port %>
AddressFamily <%= @ssh_address_family %>
ListenAddress <%= @ssh_listen_address %>
<% if @ssh_use_specific_hostkey -%>
HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
<% end -%>
RekeyLimit <%= @ssh_rekeylimit %>
SyslogFacility <%= @ssh_syslog_facility %>
LogLevel <%= @ssh_log_level %>
PermitRootLogin <%= @ssh_root_login %>
StrictModes <%= @ssh_strict_modes %>
MaxAuthTries <%= @ssh_max_auth_tries %>
MaxSessions <%= @ssh_max_sessions %>
PubkeyAuthentication <%= @ssh_pubkey_auth %>
AuthorizedKeysFile <%= @ssh_auth_key_files %>
AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
PasswordAuthentication <%= @ssh_password_authentication %>
PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
UsePAM <%= @ssh_use_pam %>
<% if @ssh_use_kerberos -%>
KerberosAuthentication <%= @ssh_kerberos_authentication %>
KerberosOrLocalPasswd <%= @ssh_kerberos_or_local_passwd %>
KerberosTicketCleanup <%= @ssh_kerberos_ticket_cleanup %>
KerberosGetAFSToken <%= @ssh_kerberos_get_afstoken %>
KerberosUseKuserok <%= @ssh_kerberos_use_kuserok %>
<% end -%>
<% if @ssh_use_gssapi -%>
GSSAPIAuthentication <%= @ssh_gssapi_authentication %>
GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
<% end -%>