## confdroid_ssh::params.pp # Module name: confdroid_ssh # Author: 12ww1160 (12ww1160@confdroid.com) # @summary Class contains all class parameters for confdroid_ssh # @param [Array] ssh_reqpackages packages to install # @param [String] pkg_ensure version to install: 'present' or 'latest' # @param [String] ssh_fw_rule whether set the fw rule to # present or absent. # @param [String] ssh_fw_port port to use for SSHD and in fw # @param [String] ssh_fw_order order of firewall rule # @param [String] ssh_source_range source range for firewall rule # @param [Boolean] ssh_manage_config whether to manage the configuration # @param [String] ssh_address_family AddressFamily setting for sshd_config # @param [String] ssh_listen_address ListenAddress setting for sshd_config # @param [String] ssh_root_login PermitRootLogin setting for sshd_config # @param [String] ssh_strict_modes StrictModes setting for sshd_config # @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config # @param [String] ssh_max_sessions MaxSessions setting for sshd_config # @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config # @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config # @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile # setting for sshd_config. Default is 'none' to disable this setting. # @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config. # Default is 'none' to disable this setting. # @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config. # Default is 'nobody' to use an unpriviledged user. # @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key # @param [String] ssh_hostkey_type type of host key to use if # ssh_use_specific_hostkey is true # @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config. # Default is 'default none'. # @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config. # Default is 'AUTH'. # @param [String] ssh_log_level LogLevel setting for sshd_config. # Default is 'INFO'. # @param [String] ssh_password_authentication PasswordAuthentication setting # for sshd_config. Default is 'no', which requires key-based authentication. # This is a recommended security setting, so passwords do not show up in logs, # but can be set to 'yes' if password authentication is desired. # @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting # for sshd_config. Default is 'no', which is a recommended security setting # and works in connection with key-based authentication, but can be set # to 'yes' if password authentication should be allowed and empty passwords # should be allowed. Again, this should be used with caution if enabled. # @param [String] ssh_kbd_interactive_auth setting for sshd_config. # Default is 'no', which is a recommended security setting together # with password authentication, but can be set to 'yes' if # keyboard-interactive authentication should be allowed. (not recommended) # @param [String] ssh_kerberos_authentication setting for sshd_config. # Default is 'no'. Kerberos authentication is not commonly used and # requires a lot of other settings, so it is disabled by default, but can be # set to 'yes' if desired. # @param [String] ssh_kerberos_or_local_passwd setting for sshd_config. # Default is 'no'. This setting is only relevant if Kerberos authentication is # enabled, and should be set to 'yes' if you want to allow local password # authentication as a fallback if Kerberos authentication fails, but can be # set to 'no' if you want to only allow Kerberos authentication. # @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config. # Default is 'no'. This setting is only relevant if Kerberos authentication # is enabled, and should be set to 'yes' if you want to enable ticket cleanup, # but can be set to 'no' if you want to disable it. # @param [String] ssh_kerberos_get_afstoken setting for sshd_config. # Default is 'no'. This setting is only relevant if Kerberos authentication # is enabled, and should be set to 'yes' if you want to enable AFS token retrieval, # but can be set to 'no' if you want to disable it. # @param [String] ssh_kerberos_use_kuserok setting for sshd_config. # Default is 'no'. This setting is only relevant if Kerberos authentication # is enabled, and should be set to 'yes' if you want to enable userok with # Kerberos, but can be set to 'no' if you want to disable it. # @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication. # If true, the relevant Kerberos settings will be included in the sshd_config, # otherwise they will be ignored. # @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication. # If true, GSSAPI authentication will be enabled in sshd_config, otherwise it # will be disabled. GSSAPI authentication is not commonly used and requires # a lot of other settings, so it is disabled by default, but can be set to # true if desired. # @param [String] ssh_gssapi_authentication setting for sshd_config. # Default is 'no'. This setting is only relevant if GSSAPI authentication is # enabled, and should be set to 'yes' if you want to enable GSS authentication, # but can be set to 'no' if you want to disable it. # @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config. # Default is 'no'. This setting is only relevant if GSSAPI authentication is # enabled, and should be set to 'yes' if you want to enable GSS credential # cleanup, but can be set to 'no' if you want to disable it. # @param [String] ssh_gssapi_key_exchange setting for sshd_config. # Default is 'no'. This setting is only relevant if GSSAPI authentication is # enabled, and should be set to 'yes' if you want to enable GSS key exchange. # @param [String] ssh_gssapi_enablek5users setting for sshd_config. # Default is 'no'. This setting is only relevant if GSSAPI authentication is # enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users. # @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not # commonly used for SSH authentication and can introduce security risks if # not configured properly, so it is disabled by default. Thi setting is # related to PasswordAuthentication and KbdInteractiveAuthentication, and # should be set to 'yes' only if you want to use PAM for authentication # together with those settings. # @param [String] ssh_allow_agent_forwarding setting for sshd_config. # Default is 'yes', which allows SSH agent forwarding, but can be set to 'no' # if you want to disable this feature for security reasons. # @param [String] ssh_allow_tcp_forwarding setting for sshd_config. # Default is 'yes', which allows TCP forwarding, but can be set to 'no' # if you want to disable this feature for security reasons. # @param [String] ssh_gateway_ports setting for sshd_config. # Default is 'no', which means that remote hosts cannot connect to # forwarded ports, but can be set to 'yes' or 'clientspecified' if you want # to allow remote hosts to connect to forwarded ports. This setting should # be used with caution if enabled, as it can introduce security risks. # @param [String] ssh_x11_forwarding setting for sshd_config. # Default is 'no', which disables X11 forwarding, but can be set to 'yes' # if you want to allow X11 forwarding. This setting should be used with # caution if enabled. # @param [String] ssh_x11_display_offset setting for sshd_config. # Default is '10'. This setting is only relevant if X11 forwarding is # enabled, and specifies the first display number available for X11 # forwarding. The default of '10' means that the first forwarded display # will be :10, the second will be :11, and so on. This setting can be # adjusted if you want to use a different range of display numbers for # X11 forwarding. # @param [String] ssh_x11_use_localhost setting for sshd_config. # Default is 'yes', which means that X11 forwarding will only be # available on the loopback interface, but can be set to 'no' if you want # to allow X11 forwarding on all network interfaces. # @param [String] ssh_permit_tty setting for sshd_config. # Default is 'yes', which allows TTY allocation, but can be set to 'no' # if you want to disable TTY allocation. # @param [String] ssh_print_motd setting for sshd_config. # Default is 'yes', which means that the message of the day will be printed # when users log in, but can be set to 'no' if you want to disable this feature. # @param [String] ssh_print_lastlog setting for sshd_config. # Default is 'yes', which means that the last login information will be printed # when users log in, but can be set to 'no' if you want to disable this feature. # @param [String] ssh_tcp_keepalive setting for sshd_config. # Default is 'yes', which means that TCP keepalive messages will be sent, but # can be set to 'no' if you want to disable this feature. This setting can # be useful to disable if you have issues with dropped connections, but in # general it is recommended to keep it enabled. # @param [String] ssh_permit_user_environment setting for sshd_config. # Default is 'no', which means that user environment variables will not be # processed, but can be set to 'yes' if you want to allow users to specify # environment variables in their ~/.ssh/environment file. # @param [String] ssh_compression setting for sshd_config. # Default is 'delayed', which means that compression will be enabled after # successful authentication, but can be set to 'yes' if you want to enable # compression from the start of the connection. The 'delayed' setting is a # good compromise that allows for faster authentication while still providing # the benefits of compression for the rest of the session. # @param [String] ssh_client_alive_interval setting for sshd_config. # Default is '0', which means that no keepalive messages will be sent by the # server, but can be set to a positive integer to specify the interval in seconds # between keepalive messages sent by the server to the client. This can be useful # to detect and close stale connections, but should be used with caution as it can # cause unexpected disconnections if set too aggressively. # @param [String] ssh_client_alive_count_max setting for sshd_config. # Default is '3'. This setting is only relevant if ssh_client_alive_interval is set # to a positive integer, and specifies the number of consecutive keepalive messages # that can be sent without receiving a response from the client before the server # considers the connection to be stale and disconnects it. # @param [String] ssh_use_dns setting for sshd_config. # Default is 'no', which means that the server will not perform DNS lookups on # connecting clients, but can be set to 'yes' if you want the server to # perform DNS lookups. Disabling DNS lookups can improve connection times # and reduce the risk of DNS spoofing attacks, so it is generally # recommended to keep this setting disabled unless you have a specific need for it. # @param [String] ssh_pid_file setting for sshd_config. # Default is '/var/run/sshd.pid', which is the common location for the # sshd PID file, but can be set to a different path if desired. # This setting specifies the location of the sshd PID file. # @param [String] ssh_max_startups setting for sshd_config. # Default is '10:30:100', which means that the server will allow up to 10 # concurrent unauthenticated connections, and will start dropping connections # with a probability that increases linearly. # @param [String] ssh_permit_tunnel setting for sshd_config. # Default is 'no', which means that tunneling is not allowed, but can be # set to 'yes' if you want to allow tunneling, or 'point-to-point' to allow # only point-to-point tunneling. This setting should be used with caution if enabled. # @param [String] ssh_chroot_directory setting for sshd_config. # Default is 'none', which means that no chroot directory will be used, but # can be set to a valid directory path if you want to use chroot for SSH # sessions. # @param [String] ssh_version_addendum setting for sshd_config. # Default is 'none', which means that no version addendum will be included in # the SSH banner, but can be set to a custom string if you want to include # additional information in the SSH version banner. This can be used for # branding purposes, but should be used with caution as it can potentially # leak information about the server that could be useful to attackers. # @param [String] ssh_banner setting for sshd_config. # Default is 'none', which means that no banner will be displayed to users # when they connect, but can be set to a valid file path if you want to # display a custom banner message to users when they connect. This can be used # to display legal notices, security warnings, or other information to users when # they connect to the SSH server. # @param [String] ssh_login_grace_time setting for sshd_config. # Default is '2m', which means that users have 2 minutes to successfully # authenticate before the server disconnects them, but can be set to a different # time interval if desired. This setting can be used to limit the amount of time # that attackers have to attempt to brute-force authentication, but should be set # to a reasonable value to avoid disconnecting legitimate users who may need more time to log # @param [String] ssh_custom_ensure whether the custom configuration file # should be file or absent. ############################################################################## class confdroid_ssh::params ( Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'], String $pkg_ensure = 'present', # firewall settings String $ssh_fw_rule = 'present', String $ssh_fw_port = '22', String $ssh_fw_order = '50', String $ssh_source_range = '0.0.0.0/0', # sshd configuration String $ssh_custom_ensure = 'file', Boolean $ssh_manage_config = true, String $ssh_address_family = 'any', String $ssh_listen_address = '0.0.0.0', String $ssh_login_grace_time = '2m', String $ssh_root_login = 'prohibit-password', String $ssh_strict_modes = 'yes', String $ssh_max_auth_tries = '6', String $ssh_max_sessions = '10', String $ssh_pubkey_auth = 'yes', String $ssh_auth_key_files = '.ssh/authorized_keys', String $ssh_authorized_principals_file = 'none', String $ssh_authorized_keys_command = 'none', String $ssh_authorized_keys_command_user = 'nobody', Boolean $ssh_use_specific_hostkey = false, String $ssh_hostkey_type = 'rsa', String $ssh_rekeylimit = 'default none', String $ssh_syslog_facility = 'AUTH', String $ssh_log_level = 'INFO', String $ssh_password_authentication = 'yes', String $ssh_permit_empty_passwords = 'no', String $ssh_kbd_interactive_auth = 'yes', Boolean $ssh_use_kerberos = false, String $ssh_kerberos_authentication = 'yes', String $ssh_kerberos_or_local_passwd = 'yes', String $ssh_kerberos_ticket_cleanup = 'yes', String $ssh_kerberos_get_afstoken = 'no', String $ssh_kerberos_use_kuserok = 'yes', Boolean $ssh_use_gssapi = false, String $ssh_gssapi_authentication = 'yes', String $ssh_gssapi_cleanup_credentials = 'yes', String $ssh_gssapi_key_exchange = 'no', String $ssh_gssapi_enablek5users = 'no', String $ssh_use_pam = 'no', String $ssh_allow_agent_forwarding = 'yes', String $ssh_allow_tcp_forwarding = 'yes', String $ssh_gateway_ports = 'no', String $ssh_x11_forwarding = 'no', String $ssh_x11_display_offset = '10', String $ssh_x11_use_localhost = 'yes', String $ssh_permit_tty = 'yes', String $ssh_print_motd = 'yes', String $ssh_print_lastlog = 'yes', String $ssh_tcp_keepalive = 'yes', String $ssh_permit_user_environment = 'no', String $ssh_compression = 'delayed', String $ssh_client_alive_interval = '0', String $ssh_client_alive_count_max = '3', String $ssh_use_dns = 'no', String $ssh_pid_file = '/var/run/sshd.pid', String $ssh_max_startups = '10:30:100', String $ssh_permit_tunnel = 'no', String $ssh_chroot_directory = 'none', String $ssh_version_addendum = 'none', String $ssh_banner = 'none', ) { # default facts $fqdn = $facts['networking']['fqdn'] $hostname = $facts['networking']['hostname'] $domain = $facts['networking']['domain'] $os_name = $facts['os']['name'] $os_release = $facts['os']['release']['major'] $sshd_user = 'root' $ssh_etc_path = '/etc/ssh' $sshd_service = 'sshd' $sshd_config_path = "${ssh_etc_path}/sshd_config" $sshd_custom_path = "${ssh_etc_path}/sshd_config.d" $sshd_custom_conf = "${sshd_custom_path}/10-custom.conf" $sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb' $sshd_config_erb = 'confdroid_ssh/sshd_config.erb' $sshd_root_login_file = "${sshd_custom_path}/01-permitrootlogin.conf" # includes must be last include confdroid_ssh::main::config }