summaryrefslogtreecommitdiff
path: root/puppet/modules/site_sshd/manifests/init.pp
blob: 7d5c728a6bfd53fa86cb05f742585f7bbbbce8a4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# configures sshd, mosh, authorized keys and known hosts
class site_sshd {
  $ssh        = hiera_hash('ssh')
  $ssh_config = $ssh['config']
  $hosts      = hiera('hosts', '')

  ##
  ## SETUP AUTHORIZED KEYS
  ##

  $authorized_keys = $ssh['authorized_keys']

  class { 'site_sshd::deploy_authorized_keys':
    keys => $authorized_keys
  }

  ##
  ## SETUP KNOWN HOSTS and SSH_CONFIG
  ##

  file {
    '/etc/ssh/ssh_known_hosts':
      owner   => root,
      group   => root,
      mode    => '0644',
      content => template('site_sshd/ssh_known_hosts.erb');

    '/etc/ssh/ssh_config':
      owner   => root,
      group   => root,
      mode    => '0644',
      content => template('site_sshd/ssh_config.erb');
  }

  ##
  ## OPTIONAL MOSH SUPPORT
  ##

  $mosh = $ssh['mosh']

  if $mosh['enabled'] {
    class { 'site_sshd::mosh':
      ensure => present,
      ports  => $mosh['ports']
    }
  }
  else {
    class { 'site_sshd::mosh':
      ensure => absent
    }
  }

  # we cannot use the 'hardened' parameter because leap_cli uses an
  # old net-ssh gem that is incompatible with the included
  # "KexAlgorithms curve25519-sha256@libssh.org",
  # see https://leap.se/code/issues/7591
  # therefore we don't use it here, but include all other options
  # that would be applied by the 'hardened' parameter
  # not all options are available on wheezy
  $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'

  ##
  ## SSHD SERVER CONFIGURATION
  ##
  class { '::sshd':
    manage_nagios           => false,
    ports                   => [ $ssh['port'] ],
    use_pam                 => 'yes',
    print_motd              => 'no',
    tcp_forwarding          => $ssh_config['AllowTcpForwarding'],
    manage_client           => false,
    use_storedconfigs       => false,
    tail_additional_options => $tail_additional_options,
    hostkey_type            => [ 'rsa', 'dsa', 'ecdsa' ]
  }
}