3 files changed, 92 insertions, 15 deletions
diff --git a/manifests/autossh.pp b/manifests/autossh.pp
new file mode 100644
index 0000000..5650584
--- /dev/null
+++ b/manifests/autossh.pp
@@ -0,0 +1,40 @@
+class sshd::autossh($host,
+                    $port = undef, # this should be a remote->local hash
+                    $remote_user = undef,
+                    $user = 'root',
+                    $pidfile = '/var/run/autossh.pid',
+) {
+  if $port {
+    $port_ensure = $port
+  }
+  else {
+    # random port between 10000 and 20000
+    $port_ensure = fqdn_rand(10000) + 10000
+  }
+  if $remote_user {
+    $remote_user_ensure = $remote_user
+  }
+  else {
+    $remote_user_ensure = "host-$fqdn"
+  }
+  file {
+    '/etc/init.d/autossh':
+      mode   => '0555',
+      source => 'puppet:///modules/sshd/autossh.init.d';
+    '/etc/default/autossh':
+      mode    => '0444',
+      content => "USER=$user\nPIDFILE=$pidfile\nDAEMON_ARGS='-M0 -f -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -q -N -R $port_ensure:localhost:22 $remote_user_ensure@$host'\n";
+  }
+  package { 'autossh':
+    ensure => present,
+  }
+  service { 'autossh':
+    ensure    => running,
+    enable    => true,
+    subscribe => [
+                  File['/etc/init.d/autossh'],
+                  File['/etc/default/autossh'],
+                  Package['autossh'],
+                  ],
+  }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 0f8c472..2dfc71c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -40,7 +40,7 @@ class sshd(
     OpenBSD => '%h/.ssh/authorized_keys',
     default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
   },
-  $hardened_ssl = 'no',
+  $hardened = 'no',
   $sftp_subsystem = '',
   $head_additional_options = '',
   $tail_additional_options = '',
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
index 7201f8b..80cb3b7 100644
--- a/manifests/ssh_authorized_key.pp
+++ b/manifests/ssh_authorized_key.pp
@@ -5,7 +5,8 @@ define sshd::ssh_authorized_key(
     $key = 'absent',
     $user = '',
     $target = undef,
-    $options = 'absent'
+    $options = 'absent',
+    $override_builtin = undef
 ){
 
   if ($ensure=='present') and ($key=='absent') {
@@ -29,20 +30,56 @@ define sshd::ssh_authorized_key(
       $real_target = $target
     }
   }
-  ssh_authorized_key{$name:
-    ensure => $ensure,
-    type   => $type,
-    key    => $key,
-    user   => $real_user,
-    target => $real_target,
-  }
 
-  case $options {
-    'absent': { info("not setting any option for ssh_authorized_key: ${name}") }
-    default: {
-      Ssh_authorized_key[$name]{
-        options => $options,
-      }
+  # The ssh_authorized_key built-in function (in 2.7.23 at least)
+  # will not write an authorized_keys file for a mortal user to
+  # a directory they don't have write permission to, puppet attempts to
+  # create the file as the user specified with the user parameter and fails.
+  # Since ssh will refuse to use authorized_keys files not owned by the
+  # user, or in files/directories that allow other users to write, this
+  # behavior is deliberate in order to prevent typical non-working
+  # configurations. However, it also prevents the case of puppet, running
+  # as root, writing a file owned by a mortal user to a common
+  # authorized_keys directory such as one might specify in sshd_config with
+  # something like
+  #  'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
+  # So we provide a way to override the built-in and instead just install
+  # via a file resource. There is no additional security risk here, it's
+  # nothing a user can't already do by writing their own file resources,
+  # we still depend on the filesystem permissions to keep things safe.
+  if $override_builtin {
+    $header = "# HEADER: This file is managed by Puppet.\n"
+
+    if $options == 'absent' {
+      info("not setting any option for ssh_authorized_key: ${name}")
+      $content = "${header}${type} ${key}\n"
+    } else {
+      $content = "${header}${options} ${type} ${key}\n"
+    }
+
+    file { $real_target:
+      ensure  => $ensure,
+      content => $content,
+      owner   => $real_user,
+      mode    => '0600',
+    }
+
+  } else {
+
+    if $options == 'absent' {
+      info("not setting any option for ssh_authorized_key: ${name}")
+    } else {
+      $real_options = $options
+    }
+
+    ssh_authorized_key{$name:
+      ensure  => $ensure,
+      type    => $type,
+      key     => $key,
+      user    => $real_user,
+      target  => $real_target,
+      options => $real_options,
     }
   }
+
 }