-rw-r--r-- | lib/facter/sshkeys.rb | 45 | ||||
-rw-r--r-- | manifests/base.pp | 35 | ||||
-rw-r--r-- | manifests/client.pp | 25 | ||||
-rw-r--r-- | manifests/client/base.pp | 9 | ||||
-rw-r--r-- | manifests/client/debian.pp | 5 | ||||
-rw-r--r-- | manifests/client/linux.pp | 6 | ||||
-rw-r--r-- | manifests/debian.pp | 25 | ||||
-rw-r--r-- | manifests/gentoo.pp | 5 | ||||
-rw-r--r-- | manifests/init.pp | 157 | ||||
-rw-r--r-- | manifests/linux.pp | 8 | ||||
-rw-r--r-- | manifests/openbsd.pp | 8 | ||||
-rw-r--r-- | manifests/redhat.pp | 5 | ||||
-rw-r--r-- | manifests/ssh_authorized_key.pp | 42 | ||||
-rw-r--r-- | templates/sshd_config/CentOS.erb | 97 |
14 files changed, 252 insertions, 220 deletions
diff --git a/lib/facter/sshkeys.rb b/lib/facter/sshkeys.rb
new file mode 100644
index 0000000..0e94a03
--- /dev/null
+++ b/lib/facter/sshkeys.rb
@@ -0,0 +1,45 @@
+["/etc/ssh","/usr/local/etc/ssh","/etc","/usr/local/etc"].each { |dir|
+ {"SSHDSAKey_key" => "ssh_host_dsa_key.pub",
+ "SSHRSAKey_key" => "ssh_host_rsa_key.pub"}.each { |name,file|
+ Facter.add(name ) do
+ setcode do
+ value = nil
+ filepath = File.join(dir,file)
+ if FileTest.file?(filepath)
+ regex1 = %r{^(\S+) (\S+) (\S+)$}
+ regex2 = %r{^(\S+) (\S+)(\s+)$}
+ begin
+ line = File.open(filepath).read.chomp
+ if (match = regex1.match(line)) or (match = regex2.match(line))
+ value = match[2]
+ end
+ rescue
+ value = nil
+ end
+ end
+ value
+ end # end of proc
+ end # end of add
+ } # end of hash each
+ {"SSHDSAKey_comment" => "ssh_host_dsa_key.pub",
+ "SSHRSAKey_comment" => "ssh_host_rsa_key.pub"}.each { |name,file|
+ Facter.add(name ) do
+ setcode do
+ value = nil
+ filepath = File.join(dir,file)
+ if FileTest.file?(filepath)
+ regex = %r{^(\S+) (\S+) (\S+)$}
+ begin
+ line = File.open(filepath).read.chomp
+ if match = regex.match(line)
+ value = match[3]
+ end
+ rescue
+ value = nil
+ end
+ end
+ value
+ end # end of proc
+ end # end of add
+ } # end of hash each
+} # end of dir each
diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..2ac2385
--- /dev/null
+++ b/manifests/base.pp
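Review bot: The two-field form of a host key never matches, because after `chomp` the line has no trailing whitespace while `regex2 = %r{^(\S+) (\S+)(\s+)$}` requires at least one character of it, so a `ssh_host_*_key.pub` that carries no comment yields nil for both `_key` facts; `regex2 = %r{^(\S+) (\S+)\s*$}` (or a single `%r{^(\S+) (\S+)}` with `match[2]`, since only the second field is used) fixes that. In both resolutions `line = File.open(filepath).read.chomp` leaves the descriptor open until garbage collection; `line = File.read(filepath).chomp` reads and closes in one step. The bare `rescue` then turns any read error into a nil fact, which is acceptable for a best-effort fact but deserves a comment such as `# unreadable key file: the fact is simply absent`. The `_key` and `_comment` blocks differ only in the regex and capture index, so a small helper taking the index would remove the duplication.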
@@ -0,0 +1,35 @@
+class sshd::base {
+ file { 'sshd_config':
+ path => '/etc/ssh/sshd_config',
+ content => $lsbdistcodename ? {
+ '' => template("sshd/sshd_config/${operatingsystem}.erb"),
+ default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+ },
+ notify => Service[sshd],
+ owner => root, group => 0, mode => 600;
+ }
+
+ # Now add the key, if we've got one
+ case $sshrsakey_key {
+ '': { info("no sshrsakey on $fqdn") }
+ default: {
+ @@sshkey{"$hostname.$domain":
+ type => ssh-rsa,
+ key => $sshrsakey_key,
+ ensure => present,
+ }
+ @@sshkey{"$ipaddress":
+ type => ssh-rsa,
+ key => $sshrsakey,
+ ensure => present,
+ }
+ }
+ }
+ service{'sshd':
+ name => 'sshd',
+ enable => true,
+ ensure => running,
+ hasstatus => true,
+ require => File[sshd_config],
+ }
+}
diff --git a/manifests/client.pp b/manifests/client.pp
index d473e3c..2fc3a84 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -10,28 +10,7 @@ class sshd::client {
 }
 }
 }
-}
-
-class sshd::client::base {
-
- # this is needed because the gid might have changed
- file { '/etc/ssh/ssh_known_hosts':
- mode => 0644, owner => root, group => 0;
- }
-
- # Now collect all server keys
- Sshkey <<||>>
-}
-
-class sshd::client::linux inherits sshd::client::base {
- if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
- package {'openssh-clients':
- ensure => $ssh_ensure_version,
- }
-}
-
-class sshd::client::debian inherits sshd::client::linux {
- Package['openssh-clients']{
- name => 'openssh-client',
+ if $use_shorewall{
+ include shorewall::rules::out::ssh
 }
 }
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
new file mode 100644
index 0000000..33d9f9e
--- /dev/null
+++ b/manifests/client/base.pp
@@ -0,0 +1,9 @@
+class sshd::client::base {
+ # this is needed because the gid might have changed
+ file { '/etc/ssh/ssh_known_hosts':
+ owner => root, group => 0, mode => 0644;
+ }
+
+ # Now collect all server keys
+ Sshkey <<||>>
+}
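Review bot: In base.pp the exported `@@sshkey{"$ipaddress": ...}` resource uses `key => $sshrsakey` while the `"$hostname.$domain"` resource a few lines above and the enclosing `case $sshrsakey_key` use the new custom fact; on a node where only the custom `sshrsakey_key` fact resolves, the IP-keyed entry is exported with an empty key, and every client that collects `Sshkey <<||>>` ends up with an unusable known_hosts line for that address. The removed init.pp used one variable for both resources, so this looks like a slip: change it to `key => $sshrsakey_key,`. The same block also downgrades the no-key case from the old `warning("no sshrsakey on $fqdn")` to `info(...)`; since a missing host key means clients cannot pin this server, keeping `warning` seems the safer level.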
diff --git a/manifests/client/debian.pp b/manifests/client/debian.pp
new file mode 100644
index 0000000..2aaf3fb
--- /dev/null
+++ b/manifests/client/debian.pp
@@ -0,0 +1,5 @@
+class sshd::client::debian inherits sshd::client::linux {
+ Package['openssh-clients']{
+ name => 'openssh-client',
+ }
+}
diff --git a/manifests/client/linux.pp b/manifests/client/linux.pp
new file mode 100644
index 0000000..8c58ca8
--- /dev/null
+++ b/manifests/client/linux.pp
@@ -0,0 +1,6 @@
+class sshd::client::linux inherits sshd::client::base {
+ if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' }
+ package {'openssh-clients':
+ ensure => $ssh_ensure_version,
+ }
+}
diff --git a/manifests/debian.pp b/manifests/debian.pp
new file mode 100644
index 0000000..849d9f4
--- /dev/null
+++ b/manifests/debian.pp
@@ -0,0 +1,25 @@
+class sshd::debian inherits sshd::linux {
+
+ # the templates for Debian need lsbdistcodename
+ include lsb
+ File['sshd_config']{
+ require +> Package['lsb']
+ }
+
+ Package[openssh]{
+ name => 'openssh-server',
+ }
+
+ $sshd_restartandstatus = $lsbdistcodename ? {
+ etch => false,
+ lenny => true,
+ default => false
+ }
+
+ Service[sshd]{
+ name => 'ssh',
+ pattern => 'sshd',
+ hasstatus => $sshd_restartandstatus,
+ hasrestart => $sshd_restartandstatus,
+ }
+}
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
new file mode 100644
index 0000000..631f3d1
--- /dev/null
+++ b/manifests/gentoo.pp
@@ -0,0 +1,5 @@
+class sshd::gentoo inherits sshd::linux {
+ Package[openssh]{
+ category => 'net-misc',
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 386bd77..83b26c1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -133,22 +133,7 @@ # Default: empty -> not added. class sshd { - include sshd::client - - case $operatingsystem { - gentoo: { include sshd::gentoo } - redhat: { include sshd::redhat } - centos: { include sshd::centos } - openbsd: { include sshd::openbsd } - debian: { include sshd::debian } - ubuntu: { include sshd::ubuntu } - default: { include sshd::default } - } -} - - -class sshd::base { - # prepare variables to use in templates + # prepare variables to use in templates case $sshd_listen_address { '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } } @@ -219,41 +204,17 @@ class sshd::base { '': { $sshd_ensure_version = "present" } } - file { 'sshd_config': - path => '/etc/ssh/sshd_config', - owner => root, - group => 0, - mode => 600, - content => $lsbdistcodename ? { - '' => template("sshd/sshd_config/${operatingsystem}.erb"), - default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), - }, - notify => Service[sshd], - } - # Now add the key, if we've got one - case $sshrsakey { - '': { warning("no sshrsakey on $fqdn") } - default: { - @@sshkey{"$hostname.$domain": - type => ssh-rsa, - key => $sshrsakey, - ensure => present, - } - @@sshkey{"$ipaddress": - type => ssh-rsa, - key => $sshrsakey, - ensure => present, - } - } - } - service{'sshd': - name => 'sshd', - enable => true, - ensure => running, - hasstatus => true, - require => File[sshd_config], + include sshd::client + + case $operatingsystem { + gentoo: { include sshd::gentoo } + redhat,centos: { include sshd::redhat } + centos: { include sshd::centos } + openbsd: { include sshd::openbsd } + debian,ubuntu: { include sshd::debian } + default: { include sshd::default } } - + if $use_nagios { case $nagios_check_ssh { 'false': { info("We don't do nagioschecks for ssh on ${fqdn}" ) } 
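Review bot: In the new `case $operatingsystem` block of the second hunk, `centos` is listed twice — in `redhat,centos: { include sshd::redhat }` and again in `centos: { include sshd::centos }`; the first matching option wins, so the second branch is dead, and `sshd::centos` (like `sshd::ubuntu`) is deleted in this commit's next hunk, so the branch would fail if it were ever reached. Drop the `centos: { include sshd::centos }` line. `default: { include sshd::default }` refers to a class that appears in none of the files in this diff; if it does not exist elsewhere, an unlisted operating system will fail to compile instead of falling back, which deserves either the class or a `fail("unsupported operatingsystem ${operatingsystem}")` with a comment. The enclosing `class sshd` starts before and ends after these hunks.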
@@ -261,99 +222,3 @@ class sshd::base {
 }
 }
 }
-
-class sshd::linux inherits sshd::base {
- if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' }
- package {'openssh':
- ensure => $sshd_ensure_version,
- }
- File[sshd_config]{
- require +> Package[openssh],
- }
-}
-
-class sshd::gentoo inherits sshd::linux {
- Package[openssh]{
- category => 'net-misc',
- }
-}
-
-class sshd::debian inherits sshd::linux {
-
- # the templates for Debian need lsbdistcodename
- include assert_lsbdistcodename
-
- Package[openssh]{
- name => 'openssh-server',
- }
-
- $sshd_restartandstatus = $lsbdistcodename ? {
- etch => false,
- lenny => true,
- default => false
- }
-
- Service[sshd]{
- name => 'ssh',
- pattern => 'sshd',
- hasstatus => $sshd_restartandstatus,
- hasrestart => $sshd_restartandstatus,
- }
-}
-class sshd::ubuntu inherits sshd::debian {}
-
-class sshd::redhat inherits sshd::linux {
- Package[openssh]{
- name => 'openssh-server',
- }
-}
-class sshd::centos inherits sshd::redhat {}
-
-class sshd::openbsd inherits sshd::base {
- Service[sshd]{
- restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
- stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
- start => '/usr/sbin/sshd',
- hasstatus => false,
- }
-}
-
-### defines
-# wrapper to have some defaults.
-define sshd::ssh_authorized_key(
- $type = 'ssh-dss',
- $key,
- $user = '',
- $target = undef,
- $options = 'absent'
- )
-{
- $real_user = $user ? {
- false => $name,
- "" => $name,
- default => $user,
- }
- case $target {
- undef: {
- $real_target = "/home/$real_user/.ssh/authorized_keys"
- }
- default: {
- $real_target = $target
- }
- }
- ssh_authorized_key{$name:
- type => $type,
- key => $key,
- user => $real_user,
- target => $real_target,
- }
-
- case $options {
- 'absent': { info("not setting any option for ssh_authorized_key: $name") }
- default: {
- Ssh_authorized_key[$name]{
- options => $options,
- }
- }
- }
-}
diff --git a/manifests/linux.pp b/manifests/linux.pp
new file mode 100644
index 0000000..a1f4e2a
--- /dev/null
+++ b/manifests/linux.pp
@@ -0,0 +1,8 @@
+class sshd::linux inherits sshd::base {
+ package{openssh:
+ ensure => $sshd_ensure_version,
+ }
+ File[sshd_config]{
+ require +> Package[openssh],
+ }
+}
diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp
new file mode 100644
index 0000000..f1379d7
--- /dev/null
+++ b/manifests/openbsd.pp
@@ -0,0 +1,8 @@
+class sshd::openbsd inherits sshd::base {
+ Service[sshd]{
+ restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
+ stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
+ start => '/usr/sbin/sshd',
+ hasstatus => false,
+ }
+}
diff --git a/manifests/redhat.pp b/manifests/redhat.pp
new file mode 100644
index 0000000..e9bf1d1
--- /dev/null
+++ b/manifests/redhat.pp
@@ -0,0 +1,5 @@
+class sshd::redhat inherits sshd::linux {
+ Package[openssh]{
+ name => 'openssh-server',
+ }
+}
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
new file mode 100644
index 0000000..9374e15
--- /dev/null
+++ b/manifests/ssh_authorized_key.pp
@@ -0,0 +1,42 @@
+# wrapper to have some defaults.
+define sshd::ssh_authorized_key(
+ $type = 'ssh-dss',
+ $key,
+ $user = 'root',
+ $target = undef,
+ $options = 'absent'
+){
+
+ $real_user = $user ? {
+ false => $name,
+ "" => $name,
+ default => $user,
+ }
+
+ case $target {
+ undef: {
+ case $user {
+ 'root': { $real_target = '/root/.ssh/authorized_keys' }
+ default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
+ }
+ }
+ default: {
+ $real_target = $target
+ }
+ }
+ ssh_authorized_key{$name:
+ type => $type,
+ key => $key,
+ user => $real_user,
+ target => $real_target,
+ }
+
+ case $options {
+ 'absent': { info("not setting any option for ssh_authorized_key: $name") }
+ default: {
+ Ssh_authorized_key[$name]{
+ options => $options,
+ }
+ }
+ }
+}
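Review bot: In ssh_authorized_key.pp the default target is derived from `$user` instead of `$real_user`: with `user => ''` (still mapped to `$name` by the selector above it) the path becomes `/home//.ssh/authorized_keys`, so the key is written for `$real_user` into a location that is not that user's; the version removed from init.pp used `$real_user` here. Change the inner case to `case $real_user {` and its default to `$real_target = "/home/${real_user}/.ssh/authorized_keys"`. The `'root'` branch also hard-codes `/root/.ssh/authorized_keys`, which is only right where root's home is `/root` — a comment stating that assumption, and that `$target` overrides it, would help callers. Separately, `$type = 'ssh-dss'` keeps DSA as the default key type; the header comment should say so, since callers installing RSA keys must pass `type => 'ssh-rsa'` or the key is silently written with the wrong type.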
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index bc5256a..a253029 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -28,9 +28,7 @@ Port 22
 <% for address in sshd_listen_address -%>
 ListenAddress <%= address %>
 <% end -%>
-#AddressFamily any
-#Protocol 2,1
-Protocol 2
+
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
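Review bot: Removing `Protocol 2` from the CentOS template leaves the protocol version to whatever the installed sshd compiled in as its default; on older OpenSSH builds that default is `2,1`, and the surrounding context (`# HostKey for protocol version 1`) shows this template still carries the version-1 scaffolding, so this hunk can silently re-enable SSH protocol 1 on every CentOS host managed by the module. Unless the commit intends that, keep the explicit line, `Protocol 2`, in place of the added blank line. If it is meant to be configurable, it should follow the pattern the rest of the template uses for options driven by a template variable, with a comment noting that the default stays `2`.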
@@ -50,49 +48,49 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -<%- unless sshd_permit_root_login.to_s.empty? then %> +<%- unless sshd_permit_root_login.to_s.empty? then -%> PermitRootLogin <%= sshd_permit_root_login %> -<%- else %> +<%- else -%> PermitRootLogin without-password -<%- end %> +<%- end -%> -<%- if sshd_strict_modes.to_s == 'yes' then %> +<%- if sshd_strict_modes.to_s == 'yes' then -%> StrictModes yes -<%- else %> +<%- else -%> StrictModes no -<%- end %> +<%- end -%> #MaxAuthTries 6 -<%- if sshd_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> RSAAuthentication yes -<%- else %> +<%- else -%> RSAAuthentication no -<%- end %> +<%- end -%> -<%- if sshd_pubkey_authentication.to_s == 'yes' then %> +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> PubkeyAuthentication yes -<%- else %> +<%- else -%> PubkeyAuthentication no -<%- end %> +<%- end -%> -<%- unless sshd_authorized_keys_file.to_s.empty? then %> +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> AuthorizedKeysFile <%= sshd_authorized_keys_file %> -<%- else %> +<%- else -%> AuthorizedKeysFile %h/.ssh/authorized_keys -<%- end %> +<%- end -%> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then %> +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> RhostsRSAAuthentication yes -<%- else %> +<%- else -%> RhostsRSAAuthentication no <% end -%> # similar for protocol version 2 -<%- if sshd_hostbased_authentication.to_s == 'yes' then %> +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> HostbasedAuthentication yes -<%- else %> +<%- else -%> HostbasedAuthentication no <% end -%> 
@@ -101,32 +99,32 @@ HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -<%- if sshd_ignore_rhosts.to_s == 'yes' then %> +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> IgnoreRhosts yes -<%- else %> +<%- else -%> IgnoreRhosts no <% end -%> # To disable tunneled clear text passwords, change to no here! -<%- if sshd_password_authentication.to_s == 'yes' then %> +<%- if sshd_password_authentication.to_s == 'yes' then -%> PasswordAuthentication yes -<%- else %> +<%- else -%> PasswordAuthentication no -<%- end %> +<%- end -%> # To enable empty passwords, change to yes (NOT RECOMMENDED) -<%- if sshd_permit_empty_passwords.to_s == 'yes' then %> +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> PermitEmptyPasswords yes <% else -%> PermitEmptyPasswords no <% end -%> # Change to no to disable s/key passwords -<%- if sshd_challenge_response_authentication.to_s == 'yes' then %> +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> ChallengeResponseAuthentication yes -<%- else %> +<%- else -%> ChallengeResponseAuthentication no -<%- end %> +<%- end -%> # Kerberos options #KerberosAuthentication no @@ -136,9 +134,7 @@ ChallengeResponseAuthentication no # GSSAPI options #GSSAPIAuthentication no -GSSAPIAuthentication yes #GSSAPICleanupCredentials yes -GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will 
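Review bot: In the second hunk, dropping `GSSAPIAuthentication yes` and `GSSAPICleanupCredentials yes` flips both settings to sshd's built-in default of `no` on every CentOS host, with no template variable to restore them, whereas every other authentication switch in this template (`sshd_use_pam`, `sshd_password_authentication`, `sshd_pubkey_authentication`, …) is driven by one. If this is deliberate hardening, a comment next to the commented-out defaults, such as `# GSSAPI intentionally left at sshd's default (no)`, would record that; if any site relies on Kerberos logins through this module, this hunk locks those users out without a visible signal. Either way the behaviour change should be mentioned in the commit message, which currently only describes the file split.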
@@ -149,30 +145,30 @@ GSSAPICleanupCredentials yes # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no -<%- if sshd_use_pam.to_s == 'yes' then %> +<%- if sshd_use_pam.to_s == 'yes' then -%> UsePAM yes -<%- else %> +<%- else -%> UsePAM no -<%- end %> +<%- end -%> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL -<%- if sshd_tcp_forwarding.to_s == 'yes' then %> +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes -<%- else %> +<%- else -%> AllowTcpForwarding no -<%- end %> +<%- end -%> #GatewayPorts no #X11Forwarding no -<%- if sshd_x11_forwarding.to_s == 'yes' then %> +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> X11Forwarding yes -<%- else %> +<%- else -%> X11Forwarding no -<%- end %> +<%- end -%> #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes @@ -189,26 +185,25 @@ X11Forwarding no #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no +#ChrootDirectory none # no default banner path #Banner /some/path # override default of no subsystems -<%- if sshd_sftp_subsystem.to_s.empty? then %> +<%- if sshd_sftp_subsystem.to_s.empty? then -%> Subsystem sftp /usr/libexec/openssh/sftp-server -<%- else %> +<%- else -%> Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +<%- end -%> -<%- unless sshd_allowed_users.to_s.empty? then %> +<%- unless sshd_allowed_users.to_s.empty? then -%> AllowUsers <%= sshd_allowed_users %> -<%- end %> -<%- unless sshd_allowed_groups.to_s.empty? then %> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then -%> AllowGroups <%= sshd_allowed_groups %> -<%- end %> - +<%- end -%> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - |