Puppet Class: confdroid_ssh::params

Inherited by:: confdroid_ssh::main::dirs
confdroid_ssh::main::files
confdroid_ssh::main::config
confdroid_ssh::main::install
confdroid_ssh::main::service
confdroid_ssh::selinux::semanage
confdroid_ssh::firewall::iptables

Defined in:: manifests/params.pp

Summary

Class contains all class parameters for confdroid_ssh

Overview

confdroid_ssh::params.pp Module name: confdroid_ssh Author: 12ww1160 (12ww1160@confdroid.com)

Parameters:

ssh_reqpackages (Array) (defaults to: ['openssh','openssh-clients','openssh-server']) —

packages to install
pkg_ensure (String) (defaults to: 'present') —

version to install: ‘present’ or ‘latest’
ssh_fw_rule (String) (defaults to: 'present') —

whether set the fw rule to present or absent.
ssh_fw_port (String) (defaults to: '22') —

port to use for SSHD and in fw
ssh_fw_order (String) (defaults to: '50') —

order of firewall rule
ssh_source_range (String) (defaults to: '0.0.0.0/0') —

source range for firewall rule
ssh_manage_config (Boolean) (defaults to: true) —

whether to manage the configuration
ssh_address_family (String) (defaults to: 'any') —

AddressFamily setting for sshd_config
ssh_listen_address (String) (defaults to: '0.0.0.0') —

ListenAddress setting for sshd_config
ssh_root_login (String) (defaults to: 'prohibit-password') —

PermitRootLogin setting for sshd_config
ssh_strict_modes (String) (defaults to: 'yes') —

StrictModes setting for sshd_config
ssh_max_auth_tries (String) (defaults to: '6') —

MaxAuthTries setting for sshd_config
ssh_max_sessions (String) (defaults to: '10') —

MaxSessions setting for sshd_config
ssh_pubkey_auth (String) (defaults to: 'yes') —

PubkeyAuthentication setting for sshd_config
ssh_auth_key_files (String) (defaults to: '.ssh/authorized_keys') —

AuthorizedKeysFile setting for sshd_config
ssh_authorized_principals_file (String) (defaults to: 'none') —

AuthorizedPrincipalsFile setting for sshd_config. Default is ‘none’ to disable this setting.
ssh_authorized_keys_command (String) (defaults to: 'none') —

AuthorizedKeysCommand setting for sshd_config. Default is ‘none’ to disable this setting.
ssh_authorized_keys_command_user (String) (defaults to: 'nobody') —

AuthorizedKeysCommandUser setting for sshd_config. Default is ‘nobody’ to use an unpriviledged user.
ssh_use_specific_hostkey (Boolean) (defaults to: false) —

whether to use a specific host key
ssh_hostkey_type (String) (defaults to: 'rsa') —

type of host key to use if ssh_use_specific_hostkey is true
ssh_rekeylimit (String) (defaults to: 'default none') —

RekeyLimit setting for sshd_config. Default is ‘default none’.
ssh_syslog_facility (String) (defaults to: 'AUTH') —

SyslogFacility setting for sshd_config. Default is ‘AUTH’.
ssh_log_level (String) (defaults to: 'INFO') —

LogLevel setting for sshd_config. Default is ‘INFO’.
ssh_password_authentication (String) (defaults to: 'no') —

PasswordAuthentication setting for sshd_config. Default is ‘no’, which requires key-based authentication. This is a recommended security setting, so passwords do not show up in logs, but can be set to ‘yes’ if password authentication is desired.
ssh_permit_empty_passwords (String) (defaults to: 'no') —

PermitEmptyPasswords setting for sshd_config. Default is ‘no’, which is a recommended security setting and works in connection with key-based authentication, but can be set to ‘yes’ if password authentication should be allowed and empty passwords should be allowed. Again, this should be used with caution if enabled.
ssh_kbd_interactive_auth (String) (defaults to: 'no') —

setting for sshd_config. Default is ‘no’, which is a recommended security setting together with password authentication, but can be set to ‘yes’ if keyboard-interactive authentication should be allowed. (not recommended)
ssh_kerberos_authentication (String) (defaults to: 'yes') —

setting for sshd_config. Default is ‘no’. Kerberos authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to ‘yes’ if desired.
ssh_kerberos_or_local_passwd (String) (defaults to: 'yes') —

setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to allow local password authentication as a fallback if Kerberos authentication fails, but can be set to ‘no’ if you want to only allow Kerberos authentication.
ssh_kerberos_ticket_cleanup (String) (defaults to: 'yes') —

setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable ticket cleanup, but can be set to ‘no’ if you want to disable it.
ssh_kerberos_get_afstoken (String) (defaults to: 'no') —

setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable AFS token retrieval, but can be set to ‘no’ if you want to disable it.
ssh_kerberos_use_kuserok (String) (defaults to: 'yes') —

setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable userok with Kerberos, but can be set to ‘no’ if you want to disable it.
ssh_use_kerberos (Boolean) (defaults to: false) —

whether to use Kerberos authentication. If true, the relevant Kerberos settings will be included in the sshd_config, otherwise they will be ignored.
ssh_use_gssapi (Boolean) (defaults to: false) —

whether to use GSSAPI authentication. If true, GSSAPI authentication will be enabled in sshd_config, otherwise it will be disabled. GSSAPI authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to true if desired.
ssh_gssapi_authentication (String) (defaults to: 'yes') —

setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS authentication, but can be set to ‘no’ if you want to disable it.
ssh_gssapi_cleanup_credentials (String) (defaults to: 'yes') —

setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS credential cleanup, but can be set to ‘no’ if you want to disable it.
ssh_gssapi_key_exchange (String) (defaults to: 'no') —

setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS key exchange.
ssh_gssapi_enablek5users (String) (defaults to: 'no') —

setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSSAPI for k5users.

# File 'manifests/params.pp', line 93

class confdroid_ssh::params (

  Array $ssh_reqpackages                    = ['openssh','openssh-clients','openssh-server'],
  String $pkg_ensure                        = 'present',

  # firewall settings
  String $ssh_fw_rule                       = 'present',
  String $ssh_fw_port                       = '22',
  String $ssh_fw_order                      = '50',
  String $ssh_source_range                  = '0.0.0.0/0',

  # sshd configuration 
  Boolean $ssh_manage_config                = true,
  String  $ssh_address_family               = 'any',
  String  $ssh_listen_address               = '0.0.0.0',
  String  $ssh_root_login                   = 'prohibit-password',
  String  $ssh_strict_modes                 = 'yes',
  String  $ssh_max_auth_tries               = '6',
  String  $ssh_max_sessions                 = '10',
  String  $ssh_pubkey_auth                  = 'yes',
  String  $ssh_auth_key_files               = '.ssh/authorized_keys',
  String  $ssh_authorized_principals_file   = 'none',
  String  $ssh_authorized_keys_command      = 'none',
  String  $ssh_authorized_keys_command_user = 'nobody',
  Boolean $ssh_use_specific_hostkey         = false,
  String  $ssh_hostkey_type                 = 'rsa',
  String  $ssh_rekeylimit                   = 'default none',
  String  $ssh_syslog_facility              = 'AUTH',
  String  $ssh_log_level                    = 'INFO',
  String  $ssh_password_authentication      = 'no',
  String  $ssh_permit_empty_passwords       = 'no',
  String  $ssh_kbd_interactive_auth         = 'no',
  Boolean $ssh_use_kerberos                 = false,
  String  $ssh_kerberos_authentication      = 'yes',
  String  $ssh_kerberos_or_local_passwd     = 'yes',
  String  $ssh_kerberos_ticket_cleanup      = 'yes',
  String  $ssh_kerberos_get_afstoken        = 'no',
  String  $ssh_kerberos_use_kuserok         = 'yes',
  Boolean $ssh_use_gssapi                   = false,
  String  $ssh_gssapi_authentication         = 'yes',
  String  $ssh_gssapi_cleanup_credentials    = 'yes',
  String  $ssh_gssapi_key_exchange           = 'no',
  String  $ssh_gssapi_enablek5users          = 'no',


) {
# default facts
  $fqdn                     = $facts['networking']['fqdn']
  $hostname                 = $facts['networking']['hostname']
  $domain                   = $facts['networking']['domain']
  $os_name                  = $facts['os']['name']
  $os_release               = $facts['os']['release']['major']

  $sshd_user                = 'root'
  $ssh_etc_path             = '/etc/ssh'
  $sshd_service             = 'sshd'
  $sshd_config_path         = "${ssh_etc_path}/sshd_config"
  $sshd_custom_path         = "${ssh_etc_path}/sshd_config.d"
  $sshd_custom_conf         = "${sshd_custom_path}/10-custom.conf"
  $sshd_custom_erb          = 'confdroid_ssh/sshd_custom_conf.erb'
  $sshd_config_erb          = 'confdroid_ssh/sshd_config.erb'
  $sshd_root_login_file     = "${sshd_custom_path}/01-permitrootlogin.conf"

  # includes must be last
  include confdroid_ssh::main::config
}