diff options
| author | Antoine Beaupré <anarcat+gitlab@anarc.at> | 2015-04-17 18:43:16 +0000 |
|---|---|---|
| committer | Antoine Beaupré <anarcat+gitlab@anarc.at> | 2015-04-17 18:43:16 +0000 |
| commit | d4923b2c3ad74d813a9a2e5b39b6fa171ee95bc0 (patch) | |
| tree | d5827edd094604c5b73630fc0be7a5dd3bd7a833 | |
| parent | 953ad0f7773da4ba90df9e049eaa6e61cdcaaffe (diff) | |
| parent | 5c9ce49321f4ea5d502eca98d9e9a23bae57b1da (diff) | |
Merge branch 'hostkey_type' into 'master'
Hostkey type
This is the pull request associated with: https://labs.riseup.net/code/issues/8285
See merge request !6
| -rw-r--r-- | lib/facter/ssh_version.rb | 5 | ||||
| -rw-r--r-- | lib/puppet/parser/functions/ssh_keygen.rb | 1 | ||||
| -rw-r--r-- | manifests/init.pp | 4 | ||||
| -rw-r--r-- | templates/sshd_config/CentOS_7.erb | 6 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_etch.erb | 4 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_jessie.erb | 7 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_sid.erb | 7 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_squeeze.erb | 6 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_wheezy.erb | 5 | ||||
| -rw-r--r-- | templates/sshd_config/FreeBSD.erb | 5 | ||||
| -rw-r--r-- | templates/sshd_config/Ubuntu.erb | 6 | ||||
| -rw-r--r-- | templates/sshd_config/Ubuntu_lucid.erb | 6 |
12 files changed, 41 insertions, 21 deletions
diff --git a/lib/facter/ssh_version.rb b/lib/facter/ssh_version.rb new file mode 100644 index 0000000..51d8a00 --- /dev/null +++ b/lib/facter/ssh_version.rb @@ -0,0 +1,5 @@ +Facter.add("ssh_version") do + setcode do + ssh_version = Facter::Util::Resolution.exec('ssh -V 2>&1 1>/dev/null').chomp.split(' ')[0].split('_')[1] + end +end diff --git a/lib/puppet/parser/functions/ssh_keygen.rb b/lib/puppet/parser/functions/ssh_keygen.rb index 87a3452..e304f24 100644 --- a/lib/puppet/parser/functions/ssh_keygen.rb +++ b/lib/puppet/parser/functions/ssh_keygen.rb @@ -27,3 +27,4 @@ Puppet::Parser::Functions::newfunction(:ssh_keygen, :type => :rvalue, :doc => end [File.read(private_key_path),File.read(public_key_path)] end + diff --git a/manifests/init.pp b/manifests/init.pp index 666b5ac..0f8c472 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -49,6 +49,10 @@ class sshd( $shorewall_source = 'net', $sshkey_ipaddress = $::ipaddress, $manage_client = true, + $hostkey_type = versioncmp($::ssh_version, '6.5') ? { + /(^1|0)/ => [ 'rsa', 'ed25519' ], + /-1/ => [ 'rsa', 'dsa' ] + } ) { validate_bool($manage_shorewall) diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index 1a2e339..7db2277 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -35,9 +35,9 @@ ListenAddress <%= address %> # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index ef4a5d1..104e641 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -20,6 +20,10 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key #Privilege Separation is turned on for security diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index d717856..033f409 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -22,10 +22,9 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_ed25519_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> #Privilege Separation is turned on for security UsePrivilegeSeparation yes diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index d717856..033f409 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -22,10 +22,9 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_ed25519_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> #Privilege Separation is turned on for security UsePrivilegeSeparation yes diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index befd25f..0ba323f 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -22,8 +22,10 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + #Privilege Separation is turned on for security UsePrivilegeSeparation yes diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index 70bb4bf..cd4bf48 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -22,8 +22,9 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> #Privilege Separation is turned on for security UsePrivilegeSeparation yes diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index 090149b..d4cd9b5 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -40,8 +40,9 @@ Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index befd25f..0ba323f 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -22,8 +22,10 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + #Privilege Separation is turned on for security UsePrivilegeSeparation yes diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index cc6e921..cff95a7 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -20,8 +20,10 @@ ListenAddress <%= address %> <% end -%> Protocol 2 # HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%> +HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key +<% end -%> + #Privilege Separation is turned on for security UsePrivilegeSeparation yes |