summaryrefslogtreecommitdiff
path: root/puppet/modules/site_sshd
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/site_sshd')
-rw-r--r--puppet/modules/site_sshd/manifests/authorized_keys.pp32
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp36
-rw-r--r--puppet/modules/site_sshd/templates/authorized_keys.erb2
3 files changed, 46 insertions, 24 deletions
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index 90a33d8d..a1fde3f6 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
@@ -1,20 +1,22 @@
+# We want to purge unmanaged keys from the authorized_keys file so that only
+# keys added in the provider are valid. Any manually added keys will be
+# overridden.
+#
+# In order to do this, we have to use a custom define to deploy the
+# authorized_keys file because puppet's internal resource doesn't allow
+# purging before populating this file.
+#
+# See the following for more information:
+# https://tickets.puppetlabs.com/browse/PUP-1174
+# https://leap.se/code/issues/2990
+# https://leap.se/code/issues/3010
+#
define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
- # We want to purge unmanaged keys from the authorized_keys file so that only
- # keys added in the provider are valid. Any manually added keys will be
- # overridden.
- #
- # In order to do this, we have to use a custom define to deploy the
- # authorized_keys file because puppet's internal resource doesn't allow
- # purging before populating this file.
- #
- # See the following for more information:
- # https://tickets.puppetlabs.com/browse/PUP-1174
- # https://leap.se/code/issues/2990
- # https://leap.se/code/issues/3010
- #
# This line allows default homedir based on $title variable.
# If $home is empty, the default is used.
$homedir = $home ? {'' => "/home/${title}", default => $home}
+ $owner = $ensure ? {'present' => $title, default => undef }
+ $group = $ensure ? {'present' => $title, default => undef }
file {
"${homedir}/.ssh":
ensure => 'directory',
@@ -23,8 +25,8 @@ define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
mode => '0700';
"${homedir}/.ssh/authorized_keys":
ensure => $ensure,
- owner => $ensure ? {'present' => $title, default => undef },
- group => $ensure ? {'present' => $title, default => undef },
+ owner => $owner,
+ group => $group,
mode => '0600',
require => File["${homedir}/.ssh"],
content => template('site_sshd/authorized_keys.erb');
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 1da2f1d5..a9202da4 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,6 +1,8 @@
+# configures sshd, mosh, authorized keys and known hosts
class site_sshd {
- $ssh = hiera_hash('ssh')
- $hosts = hiera('hosts', '')
+ $ssh = hiera_hash('ssh')
+ $ssh_config = $ssh['config']
+ $hosts = hiera('hosts', '')
##
## SETUP AUTHORIZED KEYS
@@ -48,15 +50,33 @@ class site_sshd {
}
}
+ # we cannot use the 'hardened' parameter because leap_cli uses an
+ # old net-ssh gem that is incompatible with the included
+ # "KexAlgorithms curve25519-sha256@libssh.org",
+ # see https://leap.se/code/issues/7591
+ # therefore we don't use it here, but include all other options
+ # that would be applied by the 'hardened' parameter
+ # not all options are available on wheezy
+ if ( $::lsbdistcodename == 'wheezy' ) {
+ $tail_additional_options = 'Ciphers aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+ } else {
+ $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+ }
+
##
## SSHD SERVER CONFIGURATION
##
class { '::sshd':
- manage_nagios => false,
- ports => [ $ssh['port'] ],
- use_pam => 'yes',
- hardened_ssl => 'yes',
- print_motd => 'no',
- manage_client => false
+ manage_nagios => false,
+ ports => [ $ssh['port'] ],
+ use_pam => 'yes',
+ print_motd => 'no',
+ tcp_forwarding => $ssh_config['AllowTcpForwarding'],
+ manage_client => false,
+ use_storedconfigs => false,
+ tail_additional_options => $tail_additional_options,
+ hostkey_type => [ 'rsa', 'dsa', 'ecdsa' ]
}
}
diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb
index 69f4d8e6..51bdc5b3 100644
--- a/puppet/modules/site_sshd/templates/authorized_keys.erb
+++ b/puppet/modules/site_sshd/templates/authorized_keys.erb
@@ -1,7 +1,7 @@
# NOTICE: This file is autogenerated by Puppet
# all manually added keys will be overridden
-<% keys.sort.each do |user, hash| -%>
+<% @keys.sort.each do |user, hash| -%>
<% if user == 'monitor' -%>
command="/usr/bin/check_mk_agent",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, <%=hash['type']-%> <%=hash['key']%> <%=user%>
<% else -%>