From 818930af8a05dc44372b99f8e589527050120431 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 10 Sep 2015 22:38:44 -0700 Subject: sshd: let nodes change default AllowTcpForwarding --- puppet/modules/site_sshd/manifests/init.pp | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'puppet/modules/site_sshd') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 1da2f1d5..170be32c 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,6 +1,7 @@ class site_sshd { - $ssh = hiera_hash('ssh') - $hosts = hiera('hosts', '') + $ssh = hiera_hash('ssh') + $ssh_config = $ssh['config'] + $hosts = hiera('hosts', '') ## ## SETUP AUTHORIZED KEYS @@ -52,11 +53,12 @@ class site_sshd { ## SSHD SERVER CONFIGURATION ## class { '::sshd': - manage_nagios => false, - ports => [ $ssh['port'] ], - use_pam => 'yes', - hardened_ssl => 'yes', - print_motd => 'no', - manage_client => false + manage_nagios => false, + ports => [ $ssh['port'] ], + use_pam => 'yes', + hardened_ssl => 'yes', + print_motd => 'no', + tcp_forwarding => $ssh_config['AllowTcpForwarding'], + manage_client => false } } -- cgit v1.2.3 From 41a8b76828d4dfa6345a6a04f9f68621fb46fcd7 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 9 Nov 2015 17:12:00 +0100 Subject: [bug] Don't limit sshd KexAlgorithms - #7591 Net::SSH::Exception: could not settle on kex algorithm We need to disable the ssh hardened mode, because it will not work together with the net-ssh gem leap_cli is pinned to. All other options that would be included by this parameter are included by '$::sshd::tail_additional_options'. --- puppet/modules/site_sshd/manifests/init.pp | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) (limited to 'puppet/modules/site_sshd') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 170be32c..e92a6af7 100644 
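Review bot: `tcp_forwarding => $ssh_config['AllowTcpForwarding']` in the second hunk is passed through with no fallback, so a node whose hiera `ssh` hash has no `config` key (or no `AllowTcpForwarding` entry) hands `undef` to the sshd module and the effective forwarding policy silently becomes whatever that module's default is; on Puppet 3 indexing an undef `$ssh_config` may even fail catalog compilation. Because TCP forwarding turns every shell account into a network pivot, the fallback should be explicit and restrictive, following the `$home ? {'' => ...}` idiom this module already uses: `$tcp_forwarding = $ssh_config['AllowTcpForwarding'] ? { '' => 'no', default => $ssh_config['AllowTcpForwarding'] }`. The accepted values are also undocumented; a comment next to `$ssh_config` such as `# hiera ssh.config.AllowTcpForwarding: sshd_config value (yes|no|local|remote), defaults to no` would settle that. The enclosing `class site_sshd` body continues outside both hunks.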
--- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,3 +1,4 @@ +# configures sshd, mosh, authorized keys and known hosts class site_sshd { $ssh = hiera_hash('ssh') $ssh_config = $ssh['config'] @@ -53,12 +54,20 @@ class site_sshd { ## SSHD SERVER CONFIGURATION ## class { '::sshd': - manage_nagios => false, - ports => [ $ssh['port'] ], - use_pam => 'yes', - hardened_ssl => 'yes', - print_motd => 'no', - tcp_forwarding => $ssh_config['AllowTcpForwarding'], - manage_client => false + manage_nagios => false, + ports => [ $ssh['port'] ], + use_pam => 'yes', + print_motd => 'no', + tcp_forwarding => $ssh_config['AllowTcpForwarding'], + manage_client => false, + use_storedconfigs => true, + # we cannot use the 'hardened' parameter because leap_cli uses an + # old net-ssh gem that is incompatible with the included + # "KexAlgorithms curve25519-sha256@libssh.org", + # see https://leap.se/code/issues/7591 + # therefore we don't use it here, but include all other options + # that would be applied by the 'hardened' parameter + tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' } } -- cgit v1.2.3 From d146d1525adfe1f08be9df0f72aac389e2370de5 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Nov 2015 00:10:23 +0100 Subject: [bug] Use right sshd Ciphers and MACs for wheezy - Tested: [unstable.bitmask.net] --- puppet/modules/site_sshd/manifests/init.pp | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) (limited to 'puppet/modules/site_sshd') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index e92a6af7..5efd459f 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp 
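Review bot: Dropping `hardened_ssl => 'yes'` removes the KexAlgorithms restriction entirely, not just the one algorithm the pinned net-ssh gem cannot negotiate, so sshd falls back to its built-in default key-exchange list while the new `tail_additional_options` string only restores Ciphers and MACs. A narrower fix keeps an explicit `KexAlgorithms` line listing the hardened algorithms plus one the pinned gem does support (the exact name to be confirmed against that gem's kex list), e.g. appending `KexAlgorithms <hardened-list>,<gem-compatible-kex>` to the same string, so the negotiated set stays a known one rather than the server default. The comment should also name which algorithm was deliberately left out and why, so the `hardened` parameter can be reinstated when leap_cli's net-ssh is upgraded. The enclosing `class site_sshd` starts before the second hunk.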
@@ -50,6 +50,21 @@ class site_sshd { } } + # we cannot use the 'hardened' parameter because leap_cli uses an + # old net-ssh gem that is incompatible with the included + # "KexAlgorithms curve25519-sha256@libssh.org", + # see https://leap.se/code/issues/7591 + # therefore we don't use it here, but include all other options + # that would be applied by the 'hardened' parameter + # not all options are available on wheezy + if ( $::lsbdistcodename == 'wheezy' ) { + $tail_additional_options = 'Ciphers aes256-ctr +MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + } else { + $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + } + ## ## SSHD SERVER CONFIGURATION ## @@ -61,13 +76,6 @@ class site_sshd { tcp_forwarding => $ssh_config['AllowTcpForwarding'], manage_client => false, use_storedconfigs => true, - # we cannot use the 'hardened' parameter because leap_cli uses an - # old net-ssh gem that is incompatible with the included - # "KexAlgorithms curve25519-sha256@libssh.org", - # see https://leap.se/code/issues/7591 - # therefore we don't use it here, but include all other options - # that would be applied by the 'hardened' parameter - tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' + tail_additional_options => $tail_additional_options } } -- cgit v1.2.3 From 8c7a2c7d7f84d56f395556aa893d8bb426c24178 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 28 Nov 2015 22:53:21 +0100 Subject: [bug] Don't enable storedconfig in sshd class - Related: #7615 --- puppet/modules/site_sshd/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_sshd') 
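Review bot: The `if ( $::lsbdistcodename == 'wheezy' )` branch keys on a fact that is only populated when the `lsb_release` tool is present; on a wheezy host without it the fact is empty, the `else` list with `chacha20-poly1305@openssh.com` and `aes256-gcm@openssh.com` is written, and that sshd rejects the unknown cipher spec at its next restart, locking out SSH management. Keying the branch on a fact that needs no extra package, e.g. `if ( $::operatingsystemmajrelease == '7' )` (to be confirmed for the facter version in use), or calling `fail(...)` when the fact is empty, avoids that failure mode. Separately, the non-wheezy MACs list now drops the `-etm@openssh.com` and `umac-128` entries that the removed literal in the second hunk carried, which weakens non-wheezy nodes relative to the previous revision; if that is intentional the comment should say so. The enclosing `class site_sshd` starts and ends outside both hunks.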
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 5efd459f..be0d3368 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -75,7 +75,7 @@ MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' print_motd => 'no', tcp_forwarding => $ssh_config['AllowTcpForwarding'], manage_client => false, - use_storedconfigs => true, + use_storedconfigs => false, tail_additional_options => $tail_additional_options } } -- cgit v1.2.3 From 47ff7f7d7e1a991b5a7889870521033ab177e3a6 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 2 Dec 2015 11:49:08 +0100 Subject: [deprec] use @ in front of erb template tags --- puppet/modules/site_sshd/templates/authorized_keys.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_sshd') diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb index 69f4d8e6..51bdc5b3 100644 --- a/puppet/modules/site_sshd/templates/authorized_keys.erb +++ b/puppet/modules/site_sshd/templates/authorized_keys.erb @@ -1,7 +1,7 @@ # NOTICE: This file is autogenerated by Puppet # all manually added keys will be overridden -<% keys.sort.each do |user, hash| -%> +<% @keys.sort.each do |user, hash| -%> <% if user == 'monitor' -%> command="/usr/bin/check_mk_agent",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, <%=hash['type']-%> <%=hash['key']%> <%=user%> <% else -%> -- cgit v1.2.3 From 70444eaf7b07affa832795f7e520c9ef2bd53791 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 9 Feb 2016 16:47:52 -0500 Subject: Allow ecdsa hostkeys (#7642) until we can safely transition providers to better key algorithm choices. Change-Id: I6b9ec83dbfbf15d1b65e14145bf625db6517f6b7 --- puppet/modules/site_sshd/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_sshd') 
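Review bot: `use_storedconfigs => false` is flipped without a comment, so the reason given in the commit message (#7615) is not visible in the manifest where the next reader will look. A one-line comment above it, `# storedconfigs disabled, see issue #7615`, keeps the rationale with the setting. The enclosing `class site_sshd` starts outside the hunk.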
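Review bot: `<%=hash['key']%>` and `<%=user%>` are interpolated into authorized_keys verbatim, so a key value containing a newline, or a user name containing whitespace, would produce extra or malformed entries in a file that the header comment declares the only source of valid keys; this sits in the unchanged context rather than in the `@keys` fix, but the fix is the right moment to add a check. Validating in the template, e.g. `<% raise "malformed key for #{user}" unless hash['key'] =~ /\A[A-Za-z0-9+\/=]+\z/ -%>` before the line is emitted, or in the `site_sshd::authorized_keys` define with a `validate_re` per key if puppetlabs-stdlib is available, keeps a malformed provider entry from silently widening access. The `no-user-rc, ` before `<%=hash['type']-%>` also leaves a trailing comma and space in the option list; as far as I know sshd tolerates that, but it reads as a typo and should end at `no-user-rc` followed by a single space.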
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index be0d3368..a9202da4 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -76,6 +76,7 @@ MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' tcp_forwarding => $ssh_config['AllowTcpForwarding'], manage_client => false, use_storedconfigs => false, - tail_additional_options => $tail_additional_options + tail_additional_options => $tail_additional_options, + hostkey_type => [ 'rsa', 'dsa', 'ecdsa' ] } } -- cgit v1.2.3 From f2f2c7391056c252523730cd76ab759db9117c9c Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 25 Apr 2016 13:21:48 -0300 Subject: [style] lint further more - ignore puppet lint error about inheriting from different namespace --- .../modules/site_sshd/manifests/authorized_keys.pp | 32 ++++++++++++---------- 1 file changed, 17 insertions(+), 15 deletions(-) (limited to 'puppet/modules/site_sshd') diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index 90a33d8d..a1fde3f6 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp 
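Review bot: `hostkey_type => [ 'rsa', 'dsa', 'ecdsa' ]` adds `dsa` alongside the `ecdsa` the subject line describes; ssh-dss host keys are fixed at 1024 bits and OpenSSH 7.0 stopped offering them by default, so current clients will never select that key and it only leaves a weak host key on disk. Unless a known client depends on it, drop it, `hostkey_type => [ 'rsa', 'ecdsa' ]`, and record the transition intent from the commit message next to the entry: `# TODO: drop ecdsa once providers have moved to stronger host keys, see #7642`. The enclosing `class site_sshd` starts outside the hunk.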
@@ -1,20 +1,22 @@ +# We want to purge unmanaged keys from the authorized_keys file so that only +# keys added in the provider are valid. Any manually added keys will be +# overridden. +# +# In order to do this, we have to use a custom define to deploy the +# authorized_keys file because puppet's internal resource doesn't allow +# purging before populating this file. +# +# See the following for more information: +# https://tickets.puppetlabs.com/browse/PUP-1174 +# https://leap.se/code/issues/2990 +# https://leap.se/code/issues/3010 +# define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { - # We want to purge unmanaged keys from the authorized_keys file so that only - # keys added in the provider are valid. Any manually added keys will be - # overridden. - # - # In order to do this, we have to use a custom define to deploy the - # authorized_keys file because puppet's internal resource doesn't allow - # purging before populating this file. - # - # See the following for more information: - # https://tickets.puppetlabs.com/browse/PUP-1174 - # https://leap.se/code/issues/2990 - # https://leap.se/code/issues/3010 - # # This line allows default homedir based on $title variable. # If $home is empty, the default is used. $homedir = $home ? {'' => "/home/${title}", default => $home} + $owner = $ensure ? {'present' => $title, default => undef } + $group = $ensure ? {'present' => $title, default => undef } file { "${homedir}/.ssh": ensure => 'directory', @@ -23,8 +25,8 @@ define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { mode => '0700'; "${homedir}/.ssh/authorized_keys": ensure => $ensure, - owner => $ensure ? {'present' => $title, default => undef }, - group => $ensure ? {'present' => $title, default => undef }, + owner => $owner, + group => $group, mode => '0600', require => File["${homedir}/.ssh"], content => template('site_sshd/authorized_keys.erb'); -- cgit v1.2.3
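Review bot: The hoisted `$owner` and `$group` selectors are the same expression, so the second can simply be `$group = $owner`, which also states that group follows owner rather than coincidentally matching it. The comment block moved above the define now serves as its documentation, but the parameters are still undescribed; a short list such as `# $keys   hash of user => { 'type' => ..., 'key' => ... } as consumed by authorized_keys.erb`, `# $ensure 'present' or 'absent'` and `# $home   home directory, defaults to /home/${title}` would complete it. Note also that `"${homedir}/.ssh"` keeps `ensure => 'directory'` regardless of `$ensure`, so `ensure => 'absent'` removes the key file but still creates the directory; if that is intended the documentation should say so. The `file` resource continues past the first hunk.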