summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2011-07-17Provide a default value for $sshd_shared_ip in sshd::clientGabriel Filion
Since it's possible to "include sshd::client" without using "include sshd" (e.g. installing/managing ssh client but not the server) provide a default value for $sshd_shared_ip also in the sshd::client class. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-07-16Clean out $ssh_use_strong_ciphersGabriel Filion
A tentative option from rhatto using the variable named $ssh_use_strong_ciphers still has two lines in init.pp Since the same functionality is provided by the variable $ssh_hardened_ssl that was merged in the shared repository, rhatto removed his feature. But there are still two lines left, so simply remove them. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-07-16Enable $ssh_hardened_ssl for FreeBSDGabriel Filion
It is the only sshd_config template that didn't have this option, so copy it from the other templates. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-07-14Updating FreeBSD template for new sshd_ports variableSilvio Rhatto
2011-07-13Removing sshd_use_strong_ciphers parameter as sshd_hardened_ssl does the jobSilvio Rhatto
2011-07-13Merge branch 'master' of git://labs.riseup.net/shared-sshdSilvio Rhatto
2011-06-21Merge remote-tracking branch 'lelutin/freebsd'Micah Anderson
2011-06-21Merge branch 'feature/debian_wheezy'intrigeri
2011-06-21Add sshd_config template for Debian Wheezy.intrigeri
Currently, this is a symlink to the Debian sid's one, which I've recently resync'd. Once Wheezy is frozen, we'll want to fork its own template.
2011-06-21New opt-in support to only use strong SSL ciphers and MACs.intrigeri
The new configuration variable is $sshd_hardened_ssl. Settings were stolen from https://github.com/ioerror/duraconf.git.
2011-02-23Changing strong cipher to aes128-crtSilvio Rhatto
2011-02-23Adding sshd_use_strong_ciphers to all sshd_config templatesSilvio Rhatto
2011-02-23Changing parameter name sshd_perfect_forward_secrecy to ↵Silvio Rhatto
sshd_use_strong_ciphers as sshd already does PFS
2011-02-22Merge remote-tracking branch 'lelutin/ubuntu'Micah Anderson
2011-02-21FreeBSD: Use variables for the Kerberos optionsGabriel Filion
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-02-21remove HostbasedUsesNameFromPacketOnly yes from Debian sshd_config ↵Micah Anderson
templates. This is not set in the Debian templates by default, and the default is actually no, not yes. If someone wishes to make a configuration variable they can, otherwise head/tail_additional options can be used
2011-02-21Resync Debian sid template with the Squeeze's one.intrigeri
Currently, the only difference is LoginGraceTime, that defaults to 600 in sid.
2011-02-21Merge remote branch 'lelutin/debian_template'intrigeri
2011-02-19Updating lucid template with new ssh port schemeSilvio Rhatto
2011-02-19Merge branch 'master' of git://labs.riseup.net/shared-sshdSilvio Rhatto
Conflicts: templates/sshd_config/Debian_squeeze.erb
2011-02-19Update README to include the ssh_keygen functionMicah Anderson
2011-02-19Pull together a more comprehensive README, moving the configurable variables ↵Micah Anderson
from init.pp into the README, and detailing the other features, and requirements, of the module
2011-02-14Merge remote branch 'shared/master'intrigeri
Conflicts: templates/sshd_config/Debian_squeeze.erb I always picked the shared repository version when conflicts arose. The only exception to this rule was: I kept my branch's "HostbasedUsesNameFromPacketOnly yes" in order to be consistent with existing Etch and Lenny templates. This is not the default Debian setting, but I would find it weird if a host had this setting changed by Puppet after upgrading to Squeeze. The right way to proceed would probably be to make this configurable.
2011-02-14Merge remote branch 'immerda/master'intrigeri
2011-02-13Perfect forward secrecy config at squeeze templateSilvio Rhatto
2011-02-13Merge branch 'master' of git://labs.riseup.net/shared-sshdSilvio Rhatto
2011-01-30Enable support for UbuntuGabriel Filion
The sshd class currently has a mechanism to make resources for Ubuntu similar to the ones for Debian, but the sshd::client class doesn't. Also, There are no templates for sshd_config on Ubuntu so provide for them. Since Ubuntu releases almost all use ssh versions that are as recent as the Debian squeeze one, and the default sshd_config file is usually the same as on Debian, add a default (Ubuntu.erb) template so that it fits all Ubuntu releases. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30Add sshd_config template for Debian sidGabriel Filion
Debian's unstable branch currently has no template for sshd_config, and thus cannot use the sshd class. Add a template for Debian sid. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30Finish fixing ChallengeResponseAuthenticationGabriel Filion
This value was hardcoded in both the Debian lenny and etch templates. The lenny template was fixed with commit 167cf532711ac88 but the etch template was left out. Fix the etch template so that the ChallengeResponseAuthentication instruction is not overridden. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30ssh_authorized_key: use $name for user by defaultGabriel Filion
Currently ssh_authorized_key has some logic about $user being false or '', but it sets its value to default to 'root'. So, in order to use the name as the user's name, one has to clear the user parameter, which is totally redundant. Since it is sometimes useful to publish multiple keys for a user, the $user parameter is useful. To make using ssh_authorized_key for one-key normal users simpler, make $user default to being empty (which will use $name as the user name). 'root' can always be specified either via the name or by the $user paramter. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30Fix ssh_authorized_keyGabriel Filion
When one uses the $name to define the user that should receive an SSH key, setting $user to a negative value, ssh_authorized_key currently creates the authorized_keys file under /home/.ssh/authorized_keys Fix this by changing ${user} to ${real_user} in the key's path. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30Add an sshd_config template for FreeBSDGabriel Filion
Since there is no "catch-all" default configuration file for sshd, we need to add for each OS. Add a template for FreeBSD so that sshd can be configured on this OS. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2011-01-30Fix inclusion for default osGabriel Filion
When the os of a client is not one of those that use a specialized class, (e.g. FreeBSD) the inclusion is currently broken: it tries to include sshd::default which does not exist. Change this to include sshd::base instead. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
2010-12-20fix debian squeeze sshd_config template to add a missing newlineMicah Anderson
2010-12-16Introducing perfect forward secrecy for SSHSilvio Rhatto
2010-12-16do some trickery as arguments from puppet are passed as an arraymh
2010-12-16made error mesage a bit more verbosemh
2010-12-16remove stupid swapmh
2010-12-16Add a function to create ssh keys on the flymh
This allows you to use content of ssh keys within your manifests and generate them automatically if they don't exist yet.
2010-12-15remote KerberosGetAFSToken, its actually not a functional configuration ↵Micah Anderson
option, even though it is listed in the man page, and commented out in the default config file. I filed a bug with debian (#607238)
2010-12-14"ChallengeResponseAuthentication no" was being hardcoded later in the Debian ↵Micah Anderson
Lenny sshd_config template, even though we offer it as a variable. With this commit, the variable will actually work, rather than be overriden
2010-12-14add Debian Squeeze sshd template. Enabled kerberos and gssapi options, using ↵Micah Anderson
the defaults when not specified
2010-12-11Mention dependency on lsb module.intrigeri
2010-10-21lenny already has AcceptEnv by defaultmh
2010-10-21use realportmh
2010-10-20use parametrized class to pass ssh_ports to open up thingsmh
2010-10-20introduce that port also can't be the name, fix ensure problemmh
2010-10-20extend sshd::nagios with ensure parammh
2010-10-20add nagios_check_ssh_hostname to tweak the hostname which whould be ↵mh
monitored, as this one might actually differ
2010-10-20move define to own classmh