From 3290e4b6c0655616c1a4374595af3a2eb95c85d8 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 27 May 2014 14:06:39 -0400
Subject: clarify comments in site_sshd::authorized_keys

Change-Id: I679dfe8dff90b7c86ab0ffff43e13958f1ec2c99
---
puppet/modules/site_sshd/manifests/authorized_keys.pp | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)

(limited to 'puppet/modules/site_sshd')

diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index f36fe20f..90a33d8d 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
@@ -1,7 +1,17 @@
 define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
- # We use a custom define here to deploy the authorized_keys file
- # cause puppet doesn't allow purgin before populating this file
- # (see https://tickets.puppetlabs.com/browse/PUP-1174)
+ # We want to purge unmanaged keys from the authorized_keys file so that only
+ # keys added in the provider are valid. Any manually added keys will be
+ # overridden.
+ #
+ # In order to do this, we have to use a custom define to deploy the
+ # authorized_keys file because puppet's internal resource doesn't allow
+ # purging before populating this file.
+ #
+ # See the following for more information:
+ # https://tickets.puppetlabs.com/browse/PUP-1174
+ # https://leap.se/code/issues/2990
+ # https://leap.se/code/issues/3010
+ #
 # This line allows default homedir based on $title variable.
 # If $home is empty, the default is used.
 $homedir = $home ? {'' => "/home/${title}", default => $home}
--
cgit v1.2.3

From 120cbfd46b79cfec36c17ae6deb7fc51f9094594 Mon Sep 17 00:00:00 2001
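Review bot: The new comment says manually added keys "will be overridden", but the behaviour it describes two lines earlier is purging, so keys not supplied through the managed list are removed from the file rather than replaced; `# overridden.` would read more accurately as `# removed.`, or the pair of lines as `# Any manually added keys will be removed when the file is regenerated.`. The distinction matters because an operator reading "overridden" may expect their hand-added key to survive alongside the managed ones. The body of the define continues past the hunk, so whether the file resource rewrites the whole file is not visible here; worth confirming against the template before changing the wording.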
From: Micah Anderson
Date: Tue, 27 May 2014 15:11:45 -0400
Subject: Switch away from site_config::sshd and instead just include site_sshd

The existing site_config::sshd had a non-functioning 'include sshd' line in it that was not doing what was expected (this was supposed to include the sshd module, but due to scoping was including itself). It seemed better to eliminate some of the unused pieces and consolidate into one config location.

Change-Id: I79dd904e696ca646180a09abbb03b5361dfc8ab9
---
puppet/modules/site_sshd/manifests/init.pp | 1 +
1 file changed, 1 insertion(+)

(limited to 'puppet/modules/site_sshd')

diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index d9bc1d51..e81780ef 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -22,6 +22,7 @@ class site_sshd {
 group => root,
 mode => '0644',
 content => template('site_sshd/ssh_known_hosts.erb');
+ '/etc/ssh/ssh_config':
 owner => root,
 group => root,
--
cgit v1.2.3

From 382d1cb4aea6e4a2e6fb101346e46bb8a01dbc10 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 27 May 2014 19:45:00 -0400
Subject: Add missing scope to top-level sshd class, passing necessary parameters for configuration (#3108)

Change-Id: I4f94a47d47a40bfc6835359e7781707f96e91db0
---
puppet/modules/site_sshd/manifests/init.pp | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)

(limited to 'puppet/modules/site_sshd')

diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index e81780ef..400c21ea 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,5 +1,5 @@
 class site_sshd {
- $ssh = hiera_hash('ssh')
+ $ssh = hiera_hash('ssh')
 $hosts = hiera('hosts', '')
 ##
@@ -24,9 +24,9 @@ class site_sshd {
 content => template('site_sshd/ssh_known_hosts.erb');
 '/etc/ssh/ssh_config':
- owner => root,
- group => root,
- mode => '0644',
+ owner => root,
+ group => root,
+ mode => '0644',
 content => template('site_sshd/ssh_config.erb');
 }
@@ -47,4 +47,16 @@ class site_sshd {
 ensure => absent
 }
 }
+
+ ##
+ ## SSHD SERVER CONFIGURATION
+ ##
+ class { '::sshd':
+ manage_nagios => 'no',
+ ports => $ssh['port'],
+ use_pam => 'yes',
+ hardened_ssl => 'yes',
+ print_motd => 'no',
+ manage_client => false
+ }
 }
--
cgit v1.2.3
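Review bot: `ports => $ssh['port']` in the `@@ -47,4 +47,16 @@` hunk passes the hiera value through unchecked, and the `@@ -1,5 +1,5 @@` hunk shows `$ssh` coming from `hiera_hash('ssh')` with no default, so a hiera entry without a `port` key hands the sshd class an undef port instead of a deliberate fallback; a guard such as `if ! $ssh['port'] { fail('site_sshd: hiera ssh hash has no port') }` before the class declaration makes that failure explicit at catalog compile time. The declaration also leaves the module's authentication policy (root login, password authentication) at whatever the sshd module defaults to, which is not visible here; given the authorized_keys define in this same module is meant to make the managed keys the only valid ones, those parameters are worth pinning explicitly rather than relying on defaults that a module upgrade may change. Minor: `manage_nagios => 'no'` and `manage_client => false` mix string and boolean flags for the same class, so check which form each parameter actually expects. The enclosing class site_sshd starts before this hunk.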