159 lines
9.0 KiB
ObjectPascal
159 lines
9.0 KiB
ObjectPascal
## confdroid_ssh::params.pp
|
|
# Module name: confdroid_ssh
|
|
# Author: 12ww1160 (12ww1160@confdroid.com)
|
|
# @summary Class contains all class parameters for confdroid_ssh
|
|
# @param [Array] ssh_reqpackages packages to install
|
|
# @param [String] pkg_ensure version to install: 'present' or 'latest'
|
|
# @param [String] ssh_fw_rule whether set the fw rule to
|
|
# present or absent.
|
|
# @param [String] ssh_fw_port port to use for SSHD and in fw
|
|
# @param [String] ssh_fw_order order of firewall rule
|
|
# @param [String] ssh_source_range source range for firewall rule
|
|
# @param [Boolean] ssh_manage_config whether to manage the configuration
|
|
# @param [String] ssh_address_family AddressFamily setting for sshd_config
|
|
# @param [String] ssh_listen_address ListenAddress setting for sshd_config
|
|
# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
|
|
# @param [String] ssh_strict_modes StrictModes setting for sshd_config
|
|
# @param [String] ssh_max_auth_tries MaxAuthTries setting for sshd_config
|
|
# @param [String] ssh_max_sessions MaxSessions setting for sshd_config
|
|
# @param [String] ssh_pubkey_auth PubkeyAuthentication setting for sshd_config
|
|
# @param [String] ssh_auth_key_files AuthorizedKeysFile setting for sshd_config
|
|
# @param [String] ssh_authorized_principals_file AuthorizedPrincipalsFile
|
|
# setting for sshd_config. Default is 'none' to disable this setting.
|
|
# @param [String] ssh_authorized_keys_command AuthorizedKeysCommand setting for sshd_config.
|
|
# Default is 'none' to disable this setting.
|
|
# @param [String] ssh_authorized_keys_command_user AuthorizedKeysCommandUser setting for sshd_config.
|
|
# Default is 'nobody' to use an unpriviledged user.
|
|
# @param [Boolean] ssh_use_specific_hostkey whether to use a specific host key
|
|
# @param [String] ssh_hostkey_type type of host key to use if
|
|
# ssh_use_specific_hostkey is true
|
|
# @param [String] ssh_rekeylimit RekeyLimit setting for sshd_config.
|
|
# Default is 'default none'.
|
|
# @param [String] ssh_syslog_facility SyslogFacility setting for sshd_config.
|
|
# Default is 'AUTH'.
|
|
# @param [String] ssh_log_level LogLevel setting for sshd_config.
|
|
# Default is 'INFO'.
|
|
# @param [String] ssh_password_authentication PasswordAuthentication setting
|
|
# for sshd_config. Default is 'no', which requires key-based authentication.
|
|
# This is a recommended security setting, so passwords do not show up in logs,
|
|
# but can be set to 'yes' if password authentication is desired.
|
|
# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting
|
|
# for sshd_config. Default is 'no', which is a recommended security setting
|
|
# and works in connection with key-based authentication, but can be set
|
|
# to 'yes' if password authentication should be allowed and empty passwords
|
|
# should be allowed. Again, this should be used with caution if enabled.
|
|
# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
|
|
# Default is 'no', which is a recommended security setting together
|
|
# with password authentication, but can be set to 'yes' if
|
|
# keyboard-interactive authentication should be allowed. (not recommended)
|
|
# @param [String] ssh_kerberos_authentication setting for sshd_config.
|
|
# Default is 'no'. Kerberos authentication is not commonly used and
|
|
# requires a lot of other settings, so it is disabled by default, but can be
|
|
# set to 'yes' if desired.
|
|
# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
|
|
# Default is 'no'. This setting is only relevant if Kerberos authentication is
|
|
# enabled, and should be set to 'yes' if you want to allow local password
|
|
# authentication as a fallback if Kerberos authentication fails, but can be
|
|
# set to 'no' if you want to only allow Kerberos authentication.
|
|
# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.
|
|
# Default is 'no'. This setting is only relevant if Kerberos authentication
|
|
# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
|
|
# but can be set to 'no' if you want to disable it.
|
|
# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
|
|
# Default is 'no'. This setting is only relevant if Kerberos authentication
|
|
# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
|
|
# but can be set to 'no' if you want to disable it.
|
|
# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
|
|
# Default is 'no'. This setting is only relevant if Kerberos authentication
|
|
# is enabled, and should be set to 'yes' if you want to enable userok with
|
|
# Kerberos, but can be set to 'no' if you want to disable it.
|
|
# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
|
|
# If true, the relevant Kerberos settings will be included in the sshd_config,
|
|
# otherwise they will be ignored.
|
|
# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
|
|
# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
|
|
# will be disabled. GSSAPI authentication is not commonly used and requires
|
|
# a lot of other settings, so it is disabled by default, but can be set to
|
|
# true if desired.
|
|
# @param [String] ssh_gssapi_authentication setting for sshd_config.
|
|
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
|
# enabled, and should be set to 'yes' if you want to enable GSS authentication,
|
|
# but can be set to 'no' if you want to disable it.
|
|
# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
|
|
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
|
# enabled, and should be set to 'yes' if you want to enable GSS credential
|
|
# cleanup, but can be set to 'no' if you want to disable it.
|
|
# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
|
|
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
|
# enabled, and should be set to 'yes' if you want to enable GSS key exchange.
|
|
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
|
|
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
|
# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
|
|
##############################################################################
|
|
class confdroid_ssh::params (
|
|
|
|
Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],
|
|
String $pkg_ensure = 'present',
|
|
|
|
# firewall settings
|
|
String $ssh_fw_rule = 'present',
|
|
String $ssh_fw_port = '22',
|
|
String $ssh_fw_order = '50',
|
|
String $ssh_source_range = '0.0.0.0/0',
|
|
|
|
# sshd configuration
|
|
Boolean $ssh_manage_config = true,
|
|
String $ssh_address_family = 'any',
|
|
String $ssh_listen_address = '0.0.0.0',
|
|
String $ssh_root_login = 'prohibit-password',
|
|
String $ssh_strict_modes = 'yes',
|
|
String $ssh_max_auth_tries = '6',
|
|
String $ssh_max_sessions = '10',
|
|
String $ssh_pubkey_auth = 'yes',
|
|
String $ssh_auth_key_files = '.ssh/authorized_keys',
|
|
String $ssh_authorized_principals_file = 'none',
|
|
String $ssh_authorized_keys_command = 'none',
|
|
String $ssh_authorized_keys_command_user = 'nobody',
|
|
Boolean $ssh_use_specific_hostkey = false,
|
|
String $ssh_hostkey_type = 'rsa',
|
|
String $ssh_rekeylimit = 'default none',
|
|
String $ssh_syslog_facility = 'AUTH',
|
|
String $ssh_log_level = 'INFO',
|
|
String $ssh_password_authentication = 'no',
|
|
String $ssh_permit_empty_passwords = 'no',
|
|
String $ssh_kbd_interactive_auth = 'no',
|
|
Boolean $ssh_use_kerberos = false,
|
|
String $ssh_kerberos_authentication = 'yes',
|
|
String $ssh_kerberos_or_local_passwd = 'yes',
|
|
String $ssh_kerberos_ticket_cleanup = 'yes',
|
|
String $ssh_kerberos_get_afstoken = 'no',
|
|
String $ssh_kerberos_use_kuserok = 'yes',
|
|
Boolean $ssh_use_gssapi = false,
|
|
String $ssh_gssapi_authentication = 'yes',
|
|
String $ssh_gssapi_cleanup_credentials = 'yes',
|
|
String $ssh_gssapi_key_exchange = 'no',
|
|
String $ssh_gssapi_enablek5users = 'no',
|
|
|
|
|
|
) {
|
|
# default facts
|
|
$fqdn = $facts['networking']['fqdn']
|
|
$hostname = $facts['networking']['hostname']
|
|
$domain = $facts['networking']['domain']
|
|
$os_name = $facts['os']['name']
|
|
$os_release = $facts['os']['release']['major']
|
|
|
|
$sshd_user = 'root'
|
|
$ssh_etc_path = '/etc/ssh'
|
|
$sshd_service = 'sshd'
|
|
$sshd_config_path = "${ssh_etc_path}/sshd_config"
|
|
$sshd_custom_path = "${ssh_etc_path}/sshd_config.d"
|
|
$sshd_custom_conf = "${sshd_custom_path}/10-custom.conf"
|
|
$sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb'
|
|
$sshd_config_erb = 'confdroid_ssh/sshd_config.erb'
|
|
$sshd_root_login_file = "${sshd_custom_path}/01-permitrootlogin.conf"
|
|
|
|
# includes must be last
|
|
include confdroid_ssh::main::config
|
|
}
|