diff options
| -rw-r--r-- | files/.git_placeholder | 1 | ||||
| -rw-r--r-- | manifests/init.pp | 150 | ||||
| -rw-r--r-- | templates/sshd_config/CentOS_normal.erb | 18 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_normal.erb | 21 | ||||
| -rw-r--r-- | templates/sshd_config/Gentoo_normal.erb | 21 | ||||
| -rw-r--r-- | templates/sshd_config/OpenBSD_normal.erb | 21 |
6 files changed, 164 insertions, 68 deletions
diff --git a/files/.git_placeholder b/files/.git_placeholder new file mode 100644 index 0000000..89cb1fe --- /dev/null +++ b/files/.git_placeholder @@ -0,0 +1 @@ +# file needed for git - don't remove it diff --git a/manifests/init.pp b/manifests/init.pp index b040e75..4539dd6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,8 +1,48 @@ -# modules/ssh/manifests/init.pp - manage ssh stuff -# Copyright (C) 2007 admin@immerda.ch # - -#modules_dir { "sshd": } +# ssh module +# +# Copyright 2008, admin(at)immerda.ch +# Copyright 2008, Puzzle ITC GmbH +# Marcel Härry haerry+puppet(at)puzzle.ch +# Simon Josi josi+puppet(at)puzzle.ch +# +# This program is free software; you can redistribute +# it and/or modify it under the terms of the GNU +# General Public License version 3 as published by +# the Free Software Foundation. +# +# Deploy authorized_keys file with the define +# sshd::deploy_auth_key +# +# shdd-config: +# +# The configuration of the sshd is rather strict and +# might not fit all needs. However there are a bunch +# of variables, which you might consider to configure. +# Checkout the following: +# +# sshd_allowed_users: list of usernames separated by spaces. +# set this for example to "foobar root" +# to ensure that only user foobar and root +# might login. +# Default: empty -> no restriction is set +# +# sshd_use_pam: if you want to use pam or not for authenticaton +# Values: no or yes. +# Default: no +# +# sshd_permit_root_login: If you want to allow root logins or not. +# Valid values: yes, no, without-password, forced-commands-only +# Default: without-password +# +# sshd_password_authentication: If you want to enable password authentication or not +# Valid values: yes or no +# Default: no +# +# sshd_x11_forwarding: If you want to enable x11 forwarding +# Valid Values: yes or no +# Default: no +# class sshd { case $operatingsystem { @@ -18,14 +58,26 @@ class sshd { class sshd::base { - $real_sshd_config_source = $sshd_config_source ? { - '' => "sshd/sshd_config/${operatingsystem}_normal.erb", - default => $source, - } - + # prepare variables to use in templates $real_sshd_allowed_users = $sshd_allowed_users ? { - '' => 'root', - default => $sshd_allowed_users, + '' => '', + default => $sshd_allowed_users + } + $real_sshd_use_pam = $sshd_use_pam ? { + '' => 'no', + default => $sshd_use_pam + } + $real_sshd_permit_root_login = $sshd_permit_root_login ? { + '' => 'without-password', + default => $sshd_permit_root_login + } + $real_sshd_password_authentication = $sshd_password_authentication ? { + '' => 'no', + default => $sshd_password_authentication + } + $real_sshd_x11_forwarding = $sshd_x11_forwarding ? { + '' => 'no', + default => $sshd_x11_forwarding } file { 'sshd_config': @@ -33,17 +85,24 @@ class sshd::base { owner => root, group => 0, mode => 600, - content => template("${real_sshd_config_source}"), + content => template("sshd/sshd_config/${operatingsystem}_normal.erb"), + notify => Service[sshd], } + service{'sshd': + name => 'sshd', + enable => true, + ensure => running, + hasstatus => true, + require => File[sshd_config], + } } class sshd::linux inherits sshd::base { package{openssh: ensure => present, } - include sshd::service File[sshd_config]{ - notify => Service[sshd], + require +> Package[openssh], } } @@ -57,6 +116,10 @@ class sshd::debian inherits sshd::linux { Package[openssh]{ name => 'openssh-server', } + Service[sshd]{ + name => 'ssh', + hasstatus => false, + } } class sshd::ubuntu inherits sshd::debian {} @@ -68,77 +131,42 @@ class sshd::redhat inherits sshd::linux { class sshd::centos inherits sshd::redhat {} class sshd::openbsd inherits sshd::base { - exec{sshd_refresh: - command => "/bin/kill -HUP `/bin/cat /var/run/sshd.pid`", - refreshonly => true, - } - File[sshd_config]{ - notify => Exec[sshd_refresh], - } -} - -### service stuff -class sshd::service { - case $operatingsystem { - debian: { include sshd::service::debian } - ubuntu: { include sshd::service::ubuntu } - default: { include sshd::service::base } - } -} - -class sshd::service::base { - service{'sshd': - name => 'sshd', - enable => true, - ensure => running, - hasstatus => true, - require => Package[openssh], - } -} - -class sshd::service::debian inherits sshd::service::base { Service[sshd]{ - name => 'ssh', + restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', + stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', + start => '/usr/sbin/sshd', hasstatus => false, } } -class sshd::service::ubuntu inherits sshd::service::debian {} ### defines define sshd::deploy_auth_key( - $source = '', $user = 'root', $target_dir = '/root/.ssh/', - $group = '' ) { + $group = 0 ) { $real_target = $target_dir ? { '' => "/home/$user/.ssh/", default => $target_dir, } - $real_group = $group ? { - '' => 0, - default => $group, - } - - $real_source = $source ? { - '' => [ "puppet://$server/files/sshd/authorized_keys/${name}", - "puppet://$server/sshd/authorized_keys/${name}" ], - default => "puppet://$server/$source", - } - file {$real_target: ensure => directory, owner => $user, - group => $real_group, + group => $group, mode => 700, } file {"authorized_keys_${user}": path => "$real_target/authorized_keys", owner => $user, - group => $real_group, + group => $group, mode => 600, - source => $real_source, + source => [ "puppet://$server/files/sshd/authorized_keys/${name}", + "puppet://$server/files/sshd/authorized_keys/${fqdn}", + "puppet://$server/files/sshd/authorized_keys/default", + "puppet://$server/sshd/authorized_keys/${name}", + "puppet://$server/sshd/authorized_keys/${fqdn}", + "puppet://$server/sshd/authorized_keys/default" ], } } diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb index 739d43b..a14120f 100644 --- a/templates/sshd_config/CentOS_normal.erb +++ b/templates/sshd_config/CentOS_normal.erb @@ -36,7 +36,11 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m +<%- unless real_sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= real_sshd_permit_root_login %> +<%- else %> PermitRootLogin without-password +<%- end %> #StrictModes yes #MaxAuthTries 6 @@ -55,7 +59,11 @@ PermitRootLogin without-password #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then %> +PasswordAuthentication yes +<%- else %> PasswordAuthentication no +<%- end %> #PermitEmptyPasswords no # Change to no to disable s/key passwords @@ -83,7 +91,11 @@ GSSAPICleanupCredentials yes # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no +<%- if real_sshd_use_pam.to_s == 'yes' then %> +UsePAM yes +<%- else %> UsePAM no +<%- end %> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES @@ -92,7 +104,11 @@ AcceptEnv LC_IDENTIFICATION LC_ALL #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no +<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +X11Forwarding yes +<%- else %> X11Forwarding no +<%- end %> #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes @@ -115,4 +131,6 @@ X11Forwarding no # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server +<%- unless real_sshd_allowed_users.to_s.empty? then %> AllowUsers <%= real_sshd_allowed_users %> +<%- end %> diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb index 746cc0b..c969836 100644 --- a/templates/sshd_config/Debian_normal.erb +++ b/templates/sshd_config/Debian_normal.erb @@ -2,7 +2,7 @@ # See the sshd(8) manpage for defails # What ports, IPs and protocols we listen for -Port 22 +# Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 @@ -27,7 +27,11 @@ LogLevel INFO # Authentication: LoginGraceTime 600 +<%- unless real_sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= real_sshd_permit_root_login %> +<%- else %> PermitRootLogin without-password +<%- end %> StrictModes yes RSAAuthentication yes @@ -52,8 +56,11 @@ PermitEmptyPasswords no #ChallengeResponseAuthentication no # To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then %> +PasswordAuthentication yes +<%- else %> PasswordAuthentication no - +<%- end %> # To change Kerberos options #KerberosAuthentication no @@ -64,7 +71,11 @@ PasswordAuthentication no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes +<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +X11Forwarding yes +<%- else %> X11Forwarding no +<%- end %> X11DisplayOffset 10 PrintMotd no PrintLastLog no @@ -77,11 +88,17 @@ KeepAlive yes #Subsystem sftp /usr/lib/sftp-server +<%- if real_sshd_use_pam.to_s == 'yes' then %> +UsePAM yes +<%- else %> UsePAM no +<%- end %> HostbasedUsesNameFromPacketOnly yes AllowTcpForwarding yes ChallengeResponseAuthentication no +<%- unless real_sshd_allowed_users.to_s.empty? then %> AllowUsers <%= real_sshd_allowed_users %> +<%- end %> diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb index be78eb9..aa98ae8 100644 --- a/templates/sshd_config/Gentoo_normal.erb +++ b/templates/sshd_config/Gentoo_normal.erb @@ -40,6 +40,11 @@ Protocol 2 #LoginGraceTime 2m PermitRootLogin without-password #StrictModes yes +<%- unless real_sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= real_sshd_permit_root_login %> +<%- else %> +PermitRootLogin without-password +<%- end %> #MaxAuthTries 6 #RSAAuthentication yes @@ -57,7 +62,11 @@ PermitRootLogin without-password #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then %> +PasswordAuthentication yes +<%- else %> PasswordAuthentication no +<%- end %> #PermitEmptyPasswords no # Change to no to disable s/key passwords @@ -84,11 +93,19 @@ PasswordAuthentication no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. +<%- if real_sshd_use_pam.to_s == 'yes' then %> +UsePAM yes +<%- else %> UsePAM no +<%- end %> #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no +<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +X11Forwarding yes +<%- else %> +X11Forwarding no +<%- end %> #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes @@ -117,4 +134,6 @@ Subsystem sftp /usr/lib/misc/sftp-server # AllowTcpForwarding no # ForceCommand cvs server +<%- unless real_sshd_allowed_users.to_s.empty? then %> AllowUsers <%= real_sshd_allowed_users %> +<%- end %> diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb index dbf18c8..0b84d25 100644 --- a/templates/sshd_config/OpenBSD_normal.erb +++ b/templates/sshd_config/OpenBSD_normal.erb @@ -8,8 +8,7 @@ # possible, but leave them commented. Uncommented options change a # default value. -Port 22 -Port 2222 +#Port 22 #Protocol 2,1 #AddressFamily any #ListenAddress 0.0.0.0 @@ -33,7 +32,11 @@ Port 2222 # Authentication: #LoginGraceTime 2m -#PermitRootLogin yes +<%- unless real_sshd_permit_root_login.to_s.empty? then %> +PermitRootLogin <%= real_sshd_permit_root_login %> +<%- else %> +PermitRootLogin without-password +<%- end %> #StrictModes yes #MaxAuthTries 6 @@ -52,7 +55,11 @@ Port 2222 #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! +<%- if real_sshd_password_authentication.to_s == 'yes' then %> +PasswordAuthentication yes +<%- else %> PasswordAuthentication no +<%- end %> #PermitEmptyPasswords no # Change to no to disable s/key passwords @@ -70,7 +77,11 @@ PasswordAuthentication no #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no +<%- if real_sshd_x11_forwarding.to_s == 'yes' then %> +X11Forwarding yes +<%- else %> +X11Forwarding no +<%- end %> #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes @@ -93,7 +104,9 @@ PasswordAuthentication no # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server +<%- unless real_sshd_allowed_users.to_s.empty? then %> AllowUsers <%= real_sshd_allowed_users %> +<%- end %> # Example of overriding settings on a per-user basis #Match User anoncvs |