1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
# configures sshd, mosh, authorized keys and known hosts
class site_sshd {
$ssh = hiera_hash('ssh')
$ssh_config = $ssh['config']
$hosts = hiera('hosts', '')
##
## SETUP AUTHORIZED KEYS
##
$authorized_keys = $ssh['authorized_keys']
class { 'site_sshd::deploy_authorized_keys':
keys => $authorized_keys
}
##
## SETUP KNOWN HOSTS and SSH_CONFIG
##
file {
'/etc/ssh/ssh_known_hosts':
owner => root,
group => root,
mode => '0644',
content => template('site_sshd/ssh_known_hosts.erb');
'/etc/ssh/ssh_config':
owner => root,
group => root,
mode => '0644',
content => template('site_sshd/ssh_config.erb');
}
##
## OPTIONAL MOSH SUPPORT
##
$mosh = $ssh['mosh']
if $mosh['enabled'] {
class { 'site_sshd::mosh':
ensure => present,
ports => $mosh['ports']
}
}
else {
class { 'site_sshd::mosh':
ensure => absent
}
}
# we cannot use the 'hardened' parameter because leap_cli uses an
# old net-ssh gem that is incompatible with the included
# "KexAlgorithms curve25519-sha256@libssh.org",
# see https://leap.se/code/issues/7591
# therefore we don't use it here, but include all other options
# that would be applied by the 'hardened' parameter
# not all options are available on wheezy
if ( $::lsbdistcodename == 'wheezy' ) {
$tail_additional_options = 'Ciphers aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
} else {
$tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
}
##
## SSHD SERVER CONFIGURATION
##
class { '::sshd':
manage_nagios => false,
ports => [ $ssh['port'] ],
use_pam => 'yes',
print_motd => 'no',
tcp_forwarding => $ssh_config['AllowTcpForwarding'],
manage_client => false,
use_storedconfigs => false,
tail_additional_options => $tail_additional_options
}
}
|