From 0615dc635c19ea4080d071a9297cd8eb32b47122 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sun, 3 Oct 2010 19:56:04 +0200 Subject: Actually allow enabling ChallengeResponseAuthentication on Debian Lenny. --- templates/sshd_config/Debian_lenny.erb | 2 -- 1 file changed, 2 deletions(-) diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 18f3e4d..3c3d562 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -173,8 +173,6 @@ AllowAgentForwarding yes AllowAgentForwarding no <%- end -%> -ChallengeResponseAuthentication no - <%- unless sshd_allowed_users.to_s.empty? then -%> AllowUsers <%= sshd_allowed_users -%> <%- end -%> -- cgit v1.2.3 From b9a8b7b3dfa10f71e10b05643e44cbdf20036f4d Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sun, 3 Oct 2010 19:56:48 +0200 Subject: Add template for Debian Squeeze. --- templates/sshd_config/Debian_squeeze.erb | 189 +++++++++++++++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100644 templates/sshd_config/Debian_squeeze.erb diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb new file mode 100644 index 0000000..77eacf0 --- /dev/null +++ b/templates/sshd_config/Debian_squeeze.erb @@ -0,0 +1,189 @@ +# Package generated configuration file +# See the sshd_config(5) manpage for details + +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + +# What ports, IPs and protocols we listen for +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# similar for protocol version 2 +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# Change to no to disable tunnelled clear text passwords +<%- if sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# Kerberos options +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +<%- if sshd_sftp_subsystem.to_s.empty? then %> +Subsystem sftp /usr/lib/openssh/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> -- cgit v1.2.3 From 456e42b035e53e72e1aebd4689fa1a230fb49226 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 4 Oct 2010 22:03:49 +0200 Subject: Simplify by using the config_file definition. --- README | 5 +++++ manifests/client/base.pp | 3 +-- 2 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 README diff --git a/README b/README new file mode 100644 index 0000000..7bb56a8 --- /dev/null +++ b/README @@ -0,0 +1,5 @@ +# sshd module for Puppet + +## Dependencies + +- shared-common: git://labs.riseup.net/shared-common diff --git a/manifests/client/base.pp b/manifests/client/base.pp index 33d9f9e..64d4f6f 100644 --- a/manifests/client/base.pp +++ b/manifests/client/base.pp @@ -1,7 +1,6 @@ class sshd::client::base { # this is needed because the gid might have changed - file { '/etc/ssh/ssh_known_hosts': - owner => root, group => 0, mode => 0644; + config_file { '/etc/ssh/ssh_known_hosts': } # Now collect all server keys -- cgit v1.2.3 From 35bc5ea4dba21c4ddd1583e47c17464f644fc675 Mon Sep 17 00:00:00 2001 From: nadir Date: Tue, 5 Oct 2010 19:07:24 +0200 Subject: nagios-cmd is now check_ssh_port - according to shared-nagios --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 07f34e5..3352820 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -218,7 +218,7 @@ class sshd { if $use_nagios { case $nagios_check_ssh { false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) } - default: { nagios::service{ "ssh_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } } + default: { nagios::service{ "ssh_port_${sshd_port}": check_command => "check_ssh_port!$sshd_port" } } } } -- cgit v1.2.3 From 060703f6a2c40e3fc6d16c1df16be6c307c60340 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 13 Oct 2010 23:48:39 +0200 Subject: sshd service has status and restart commands in post-etch Debian releases. --- manifests/debian.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/manifests/debian.pp b/manifests/debian.pp index 0cc4ede..43dc26c 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -9,8 +9,7 @@ class sshd::debian inherits sshd::linux { $sshd_restartandstatus = $lsbdistcodename ? { etch => false, - lenny => true, - default => false + default => true } Service[sshd]{ -- cgit v1.2.3 From 23efb583bf565f12361e929f1a2d1fca61f4d3bb Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 16 Oct 2010 16:01:24 +0200 Subject: Cleanup templates: sshd_port is guaranteed by init.pp not to be empty. --- templates/sshd_config/CentOS.erb | 4 ---- templates/sshd_config/Debian_etch.erb | 4 ---- templates/sshd_config/Debian_lenny.erb | 4 ---- templates/sshd_config/Debian_squeeze.erb | 4 ---- templates/sshd_config/Gentoo.erb | 4 ---- templates/sshd_config/OpenBSD.erb | 4 ---- 6 files changed, 24 deletions(-) diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index e1c8419..9d02a3f 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -16,15 +16,11 @@ # only protocol 2 Protocol 2 -<%- unless sshd_port.to_s.empty? then -%> <%- if sshd_port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> Port <%= sshd_port -%> <% end -%> -<%- else -%> -Port 22 -<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 746a447..9fef401 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -6,15 +6,11 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> <%- if sshd_port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> Port <%= sshd_port -%> <% end -%> -<%- else -%> -Port 22 -<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 3c3d562..4bb9c87 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -6,15 +6,11 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> <%- if sshd_port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> Port <%= sshd_port -%> <% end -%> -<%- else -%> -Port 22 -<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 77eacf0..0b91514 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -6,15 +6,11 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> <%- if sshd_port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> Port <%= sshd_port -%> <% end -%> -<%- else -%> -Port 22 -<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 2112f0d..291b2ea 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -14,15 +14,11 @@ <%= sshd_head_additional_options %> <%- end %> -<%- unless sshd_port.to_s.empty? then -%> <%- if sshd_port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> Port <%= sshd_port -%> <% end -%> -<%- else -%> -Port 22 -<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 69e8afa..c0517f4 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -12,15 +12,11 @@ <%= sshd_head_additional_options %> <%- end %> -<%- unless sshd_port.to_s.empty? then -%> <%- if sshd_port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> Port <%= sshd_port -%> <% end -%> -<%- else -%> -Port 22 -<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> -- cgit v1.2.3 From a643172a794c9a1ff7602e9b4d3b220867684f54 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 16 Oct 2010 16:05:00 +0200 Subject: New option sshd_ports that obsoletes sshd_port. Backward compatibility is preserved. --- manifests/init.pp | 22 +++++++++++++++++----- templates/sshd_config/CentOS.erb | 6 ++++-- templates/sshd_config/Debian_etch.erb | 6 ++++-- templates/sshd_config/Debian_lenny.erb | 6 ++++-- templates/sshd_config/Debian_squeeze.erb | 6 ++++-- templates/sshd_config/Gentoo.erb | 6 ++++-- templates/sshd_config/OpenBSD.erb | 6 ++++-- 7 files changed, 41 insertions(+), 17 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 4f82542..abb1490 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -118,8 +118,11 @@ # Valid Values: yes or no # Default: no # -# sshd_port: If you want to specify a different port than the default 22 -# Default: 22 +# sshd_port: Deprecated, use sshd_ports instead. +# +# sshd_ports: If you want to specify a list of ports other than the default 22 +# Default: [22] +# # # sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u) # Default: AuthorizedKeysFile %h/.ssh/authorized_keys @@ -193,8 +196,14 @@ class sshd { case $sshd_permit_empty_passwords { '': { $sshd_permit_empty_passwords = 'no' } } - case $sshd_port { - '': { $sshd_port = 22 } + if ( $sshd_port != '' ) && ( $sshd_ports != []) { + err("Cannot use sshd_port and sshd_ports at the same time.") + } + if $sshd_port != '' { + $sshd_ports = [ $sshd_port ] + } + elsif $sshd_port == [] { + $sshd_ports = [ 22 ] } case $sshd_authorized_keys_file { '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } @@ -224,9 +233,12 @@ class sshd { } if $use_nagios { + define sshd::nagios { + nagios::service{ "ssh_port_${name}": check_command => "check_ssh_port!$name" } + } case $nagios_check_ssh { false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) } - default: { nagios::service{ "ssh_port_${sshd_port}": check_command => "check_ssh_port!$sshd_port" } } + default: { sshd::nagios($sshd_ports:) } } } diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index 9d02a3f..da8bb9a 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -16,11 +16,13 @@ # only protocol 2 Protocol 2 -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port -%> <% end -%> +<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 9fef401..391328b 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -6,11 +6,13 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port -%> <% end -%> +<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 4bb9c87..13264cc 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -6,11 +6,13 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port -%> <% end -%> +<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 0b91514..439919f 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -6,11 +6,13 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port -%> <% end -%> +<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 291b2ea..9058aea 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -14,11 +14,13 @@ <%= sshd_head_additional_options %> <%- end %> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port -%> <% end -%> +<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index c0517f4..3d57097 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -12,11 +12,13 @@ <%= sshd_head_additional_options %> <%- end %> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port -%> <% end -%> +<%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> -- cgit v1.2.3 From ef093cafffb764fbedb26f7b8ce84c75329b1b7b Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 16 Oct 2010 21:54:24 +0200 Subject: bugfix --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index abb1490..33c40e9 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -196,7 +196,7 @@ class sshd { case $sshd_permit_empty_passwords { '': { $sshd_permit_empty_passwords = 'no' } } - if ( $sshd_port != '' ) && ( $sshd_ports != []) { + if ( $sshd_port != '' ) and ( $sshd_ports != []) { err("Cannot use sshd_port and sshd_ports at the same time.") } if $sshd_port != '' { -- cgit v1.2.3 From 5fb8eb969bc4edb2524ff868a2b7a9bf5259c247 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 16 Oct 2010 21:55:44 +0200 Subject: bugfix --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 33c40e9..64d1be4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -238,7 +238,7 @@ class sshd { } case $nagios_check_ssh { false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) } - default: { sshd::nagios($sshd_ports:) } + default: { sshd::nagios{$sshd_ports:} } } } -- cgit v1.2.3 From 8cb562f87cf5a74ffb62e1fad8e5f6d200f723ab Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 16 Oct 2010 22:32:25 +0200 Subject: Syntax fix. --- templates/sshd_config/CentOS.erb | 2 +- templates/sshd_config/Debian_etch.erb | 2 +- templates/sshd_config/Debian_lenny.erb | 2 +- templates/sshd_config/Debian_squeeze.erb | 2 +- templates/sshd_config/Gentoo.erb | 2 +- templates/sshd_config/OpenBSD.erb | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index da8bb9a..544effe 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -20,7 +20,7 @@ Protocol 2 <%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= port -%> +Port <%= port %> <% end -%> <%- end -%> diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 391328b..c148d08 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -10,7 +10,7 @@ <%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= port -%> +Port <%= port %> <% end -%> <%- end -%> diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 13264cc..e0b1917 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -10,7 +10,7 @@ <%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= port -%> +Port <%= port %> <% end -%> <%- end -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 439919f..950a53c 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -10,7 +10,7 @@ <%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= port -%> +Port <%= port %> <% end -%> <%- end -%> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 9058aea..768d3f5 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -18,7 +18,7 @@ <%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= port -%> +Port <%= port %> <% end -%> <%- end -%> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 3d57097..51662d3 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -16,7 +16,7 @@ <%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= port -%> +Port <%= port %> <% end -%> <%- end -%> -- cgit v1.2.3 From ceb1280177cf28edbe5a60cd4169a43870cd192f Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 18 Oct 2010 19:13:59 +0200 Subject: Bugfix --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 64d1be4..13cb359 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -202,7 +202,7 @@ class sshd { if $sshd_port != '' { $sshd_ports = [ $sshd_port ] } - elsif $sshd_port == [] { + elsif ! $sshd_ports { $sshd_ports = [ 22 ] } case $sshd_authorized_keys_file { -- cgit v1.2.3 From 988a88f4e62065b45c8e32f6f915e052ff394003 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 20 Oct 2010 20:56:15 +0200 Subject: move define to own class --- manifests/init.pp | 3 --- manifests/nagios.pp | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 manifests/nagios.pp diff --git a/manifests/init.pp b/manifests/init.pp index 13cb359..449f09f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -233,9 +233,6 @@ class sshd { } if $use_nagios { - define sshd::nagios { - nagios::service{ "ssh_port_${name}": check_command => "check_ssh_port!$name" } - } case $nagios_check_ssh { false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) } default: { sshd::nagios{$sshd_ports:} } diff --git a/manifests/nagios.pp b/manifests/nagios.pp new file mode 100644 index 0000000..5a5a5ed --- /dev/null +++ b/manifests/nagios.pp @@ -0,0 +1,3 @@ +define sshd::nagios { + nagios::service{ "ssh_port_${name}": check_command => "check_ssh_port!$name" } +} -- cgit v1.2.3 From d0d3d20e1411511cccdf6fa3ae63164f2868221d Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 20 Oct 2010 21:17:16 +0200 Subject: add nagios_check_ssh_hostname to tweak the hostname which whould be monitored, as this one might actually differ --- manifests/init.pp | 13 ++++++++++--- manifests/nagios.pp | 9 +++++++-- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 449f09f..54f822a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -201,8 +201,7 @@ class sshd { } if $sshd_port != '' { $sshd_ports = [ $sshd_port ] - } - elsif ! $sshd_ports { + } elsif ! $sshd_ports { $sshd_ports = [ 22 ] } case $sshd_authorized_keys_file { @@ -235,7 +234,15 @@ class sshd { if $use_nagios { case $nagios_check_ssh { false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) } - default: { sshd::nagios{$sshd_ports:} } + default: { + sshd::nagios{$sshd_ports: + check_hostname => $nagios_check_ssh_hostname ? { + '' => 'absent', + undef => 'absent', + default => $nagios_check_ssh_hostname + } + } + } } } diff --git a/manifests/nagios.pp b/manifests/nagios.pp index 5a5a5ed..890810e 100644 --- a/manifests/nagios.pp +++ b/manifests/nagios.pp @@ -1,3 +1,8 @@ -define sshd::nagios { - nagios::service{ "ssh_port_${name}": check_command => "check_ssh_port!$name" } +define sshd::nagios( + $check_hostname = 'absent' +) { + case $check_hostname { + 'absent': { nagios::service{ "ssh_port_${name}": check_command => "check_ssh_port!$name" } } + default: { nagios::service{"ssh_port_host_${name}_${check_hostname}": check_command => "check_ssh_port_host!${name}!${check_hostname}" } } + } } -- cgit v1.2.3 From eec9e7242525cd9909c0c54cdb7515047bac4407 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 20 Oct 2010 22:57:15 +0200 Subject: extend sshd::nagios with ensure param --- manifests/nagios.pp | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/manifests/nagios.pp b/manifests/nagios.pp index 890810e..1500a09 100644 --- a/manifests/nagios.pp +++ b/manifests/nagios.pp @@ -1,8 +1,19 @@ define sshd::nagios( + $ensure = 'present', $check_hostname = 'absent' ) { case $check_hostname { - 'absent': { nagios::service{ "ssh_port_${name}": check_command => "check_ssh_port!$name" } } - default: { nagios::service{"ssh_port_host_${name}_${check_hostname}": check_command => "check_ssh_port_host!${name}!${check_hostname}" } } + 'absent': { + nagios::service{"ssh_port_${name}": + ensure => $esnure, + check_command => "check_ssh_port!$name" + } + } + default: { + nagios::service{"ssh_port_host_${name}_${check_hostname}": + ensure => $esnure, + check_command => "check_ssh_port_host!${name}!${check_hostname}" + } + } } } -- cgit v1.2.3 From 28342ba418ede266526aaaad5c89834883b4b16e Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 20 Oct 2010 23:12:43 +0200 Subject: introduce that port also can't be the name, fix ensure problem --- manifests/nagios.pp | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/manifests/nagios.pp b/manifests/nagios.pp index 1500a09..4971f65 100644 --- a/manifests/nagios.pp +++ b/manifests/nagios.pp @@ -1,18 +1,23 @@ define sshd::nagios( + $port = 'absent', $ensure = 'present', $check_hostname = 'absent' ) { + $real_port = $port ? { + 'absent' => $name, + default => $port, + } case $check_hostname { 'absent': { nagios::service{"ssh_port_${name}": - ensure => $esnure, - check_command => "check_ssh_port!$name" + ensure => $ensure, + check_command => "check_ssh_port!$port" } } default: { - nagios::service{"ssh_port_host_${name}_${check_hostname}": - ensure => $esnure, - check_command => "check_ssh_port_host!${name}!${check_hostname}" + nagios::service{"ssh_port_host_${name}": + ensure => $ensure, + check_command => "check_ssh_port_host!${port}!${check_hostname}" } } } -- cgit v1.2.3 From 8f918b0e7358013e4b2d16759a73b401ab386358 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 20 Oct 2010 23:46:14 +0200 Subject: use parametrized class to pass ssh_ports to open up things --- manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 54f822a..06290a8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -247,6 +247,8 @@ class sshd { } if $use_shorewall{ - include shorewall::rules::ssh + class{'shorewall::rules::ssh': + ports => $sshd_ports, + } } } -- cgit v1.2.3 From 3200c182e1e272d49b1b3347c544a94e655e1142 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 21 Oct 2010 02:49:11 +0200 Subject: use realport --- manifests/nagios.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/nagios.pp b/manifests/nagios.pp index 4971f65..7742cdb 100644 --- a/manifests/nagios.pp +++ b/manifests/nagios.pp @@ -11,13 +11,13 @@ define sshd::nagios( 'absent': { nagios::service{"ssh_port_${name}": ensure => $ensure, - check_command => "check_ssh_port!$port" + check_command => "check_ssh_port!$real_port" } } default: { nagios::service{"ssh_port_host_${name}": ensure => $ensure, - check_command => "check_ssh_port_host!${port}!${check_hostname}" + check_command => "check_ssh_port_host!${real_port}!${check_hostname}" } } } -- cgit v1.2.3 From 7e6d3af6f8b207133b3c71f9c714e19b68a4fc4e Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 21 Oct 2010 15:31:31 +0200 Subject: lenny already has AcceptEnv by default --- templates/sshd_config/Debian_lenny.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index e0b1917..4648a22 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -136,6 +136,9 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + <%- if sshd_sftp_subsystem.to_s.empty? then %> Subsystem sftp /usr/lib/openssh/sftp-server <%- else %> -- cgit v1.2.3 From 51156042b1d15e4f0e6cc072e94a6e31ff902dbd Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 11 Dec 2010 11:34:11 +0100 Subject: Mention dependency on lsb module. --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index 7bb56a8..dd7bca7 100644 --- a/README +++ b/README @@ -3,3 +3,4 @@ ## Dependencies - shared-common: git://labs.riseup.net/shared-common +- shared-lsb: git://labs.riseup.net/shared-lsb -- cgit v1.2.3 From 5c729410824c817325e3d495aac932feda7574b9 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 16 Dec 2010 16:22:24 +0100 Subject: Add a function to create ssh keys on the fly This allows you to use content of ssh keys within your manifests and generate them automatically if they don't exist yet. --- lib/puppet/parser/functions/.ssh_keygen.rb.swp | Bin 0 -> 12288 bytes lib/puppet/parser/functions/ssh_keygen.rb | 23 ++++++ spec/spec.opts | 6 ++ spec/spec_helper.rb | 16 ++++ spec/unit/parser/functions/ssh_keygen.rb | 104 +++++++++++++++++++++++++ 5 files changed, 149 insertions(+) create mode 100644 lib/puppet/parser/functions/.ssh_keygen.rb.swp create mode 100644 lib/puppet/parser/functions/ssh_keygen.rb create mode 100644 spec/spec.opts create mode 100644 spec/spec_helper.rb create mode 100644 spec/unit/parser/functions/ssh_keygen.rb diff --git a/lib/puppet/parser/functions/.ssh_keygen.rb.swp b/lib/puppet/parser/functions/.ssh_keygen.rb.swp new file mode 100644 index 0000000..b5036fa Binary files /dev/null and b/lib/puppet/parser/functions/.ssh_keygen.rb.swp differ diff --git a/lib/puppet/parser/functions/ssh_keygen.rb b/lib/puppet/parser/functions/ssh_keygen.rb new file mode 100644 index 0000000..18b006a --- /dev/null +++ b/lib/puppet/parser/functions/ssh_keygen.rb @@ -0,0 +1,23 @@ +Puppet::Parser::Functions::newfunction(:ssh_keygen, :type => :rvalue, :doc => + "Returns an array containing the ssh private and public (in this order) key + for a certain private key path. + It will generate the keypair if both do not exist. It will also generate + the directory hierarchy if required. + It accepts only fully qualified paths, everything else will fail.") do |args| + raise Puppet::ParseError, "Wrong number of arguments" unless args.to_a.length == 1 + private_key_path = args + raise Puppet::ParseError, "Only fully qualified paths are accepted" unless private_key_path =~ /^\/.+/ + public_key_path = "#{private_key_path}.pub" + raise Puppet::ParseError, "Either only the private or only the public key exists" if File.exists?(private_key_path) ^ File.exists?(public_key_path) + [private_key_path,public_key_path].each do |path| + raise Puppet::ParseError, "#{path} is a directory" if File.directory?(path) + end + + dir = File.dirname(private_key_path) + Puppet::Util.recmkdir(dir,0700) unless File.directory?(dir) + unless [private_key_path,public_key_path].all?{|path| File.exists?(path) } + output = Puppet::Util.execute(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', private_key_path, '-P', '', '-q']) + raise Puppet::ParseError, "Something went wrong during key generation! Output: #{output}" unless output.empty? + end + [File.read(private_key_path),File.read(public_key_path)] +end diff --git a/spec/spec.opts b/spec/spec.opts new file mode 100644 index 0000000..91cd642 --- /dev/null +++ b/spec/spec.opts @@ -0,0 +1,6 @@ +--format +s +--colour +--loadby +mtime +--backtrace diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb new file mode 100644 index 0000000..6ba62e1 --- /dev/null +++ b/spec/spec_helper.rb @@ -0,0 +1,16 @@ +require 'pathname' +dir = Pathname.new(__FILE__).parent +$LOAD_PATH.unshift(dir, dir + 'lib', dir + '../lib') +require 'puppet' +gem 'rspec', '>= 1.2.9' +require 'spec/autorun' + +Dir[File.join(File.dirname(__FILE__), 'support', '*.rb')].each do |support_file| + require support_file +end + +# We need this because the RAL uses 'should' as a method. This +# allows us the same behaviour but with a different method name. +class Object + alias :must :should +end diff --git a/spec/unit/parser/functions/ssh_keygen.rb b/spec/unit/parser/functions/ssh_keygen.rb new file mode 100644 index 0000000..f830065 --- /dev/null +++ b/spec/unit/parser/functions/ssh_keygen.rb @@ -0,0 +1,104 @@ +#! /usr/bin/env ruby + + +require File.dirname(__FILE__) + '/../../../spec_helper' + +require 'mocha' +require 'fileutils' + +describe "the ssh_keygen function" do + + before :each do + @scope = Puppet::Parser::Scope.new + end + + it "should exist" do + Puppet::Parser::Functions.function("ssh_keygen").should == "function_ssh_keygen" + end + + it "should raise a ParseError if no argument is passed" do + lambda { @scope.function_ssh_keygen }.should( raise_error(Puppet::ParseError)) + end + + it "should raise a ParseError if there is more than 1 arguments" do + lambda { @scope.function_ssh_keygen("foo", "bar") }.should( raise_error(Puppet::ParseError)) + end + + it "should raise a ParseError if the argument is not fully qualified" do + lambda { @scope.function_ssh_keygen("foo") }.should( raise_error(Puppet::ParseError)) + end + + it "should raise a ParseError if the private key path is a directory" do + File.stubs(:directory?).with("/some_dir").returns(true) + lambda { @scope.function_ssh_keygen("/some_dir") }.should( raise_error(Puppet::ParseError)) + end + + it "should raise a ParseError if the public key path is a directory" do + File.stubs(:directory?).with("/some_dir.pub").returns(true) + lambda { @scope.function_ssh_keygen("/some_dir") }.should( raise_error(Puppet::ParseError)) + end + + describe "when executing properly" do + before do + File.stubs(:directory?).with('/tmp/a/b/c').returns(false) + File.stubs(:directory?).with('/tmp/a/b/c.pub').returns(false) + File.stubs(:read).with('/tmp/a/b/c').returns('privatekey') + File.stubs(:read).with('/tmp/a/b/c.pub').returns('publickey') + end + + it "should fail if the public but not the private key exists" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(true) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false) + lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError)) + end + + it "should fail if the private but not the public key exists" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(false) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(true) + lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError)) + end + + + it "should return an array of size 2 with the right conent if the keyfiles exists" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(true) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(true) + File.stubs(:directory?).with('/tmp/a/b').returns(true) + Puppet::Util.expects(:execute).never + result = @scope.function_ssh_keygen('/tmp/a/b/c') + result.length.should == 2 + result[0].should == 'privatekey' + result[1].should == 'publickey' + end + + it "should create the directory path if it does not exist" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(false) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false) + File.stubs(:directory?).with("/tmp/a/b").returns(false) + Puppet::Util.expects(:recmkdir).with("/tmp/a/b",0700) + Puppet::Util.expects(:execute).returns("") + result = @scope.function_ssh_keygen('/tmp/a/b/c') + result.length.should == 2 + result[0].should == 'privatekey' + result[1].should == 'publickey' + end + + it "should generate the key if the keyfiles do not exist" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(false) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false) + File.stubs(:directory?).with("/tmp/a/b").returns(true) + Puppet::Util.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("") + result = @scope.function_ssh_keygen('/tmp/a/b/c') + result.length.should == 2 + result[0].should == 'privatekey' + result[1].should == 'publickey' + end + + it "should fail if something goes wrong during generation" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(false) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false) + File.stubs(:directory?).with("/tmp/a/b").returns(true) + Puppet::Util.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("something is wrong") + lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError)) + end + end +end -- cgit v1.2.3 From 93fabb2021f97f570cc2c8d48c7e7a425f7a1605 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 16 Dec 2010 17:12:56 +0100 Subject: remove stupid swap --- lib/puppet/parser/functions/.ssh_keygen.rb.swp | Bin 12288 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 lib/puppet/parser/functions/.ssh_keygen.rb.swp diff --git a/lib/puppet/parser/functions/.ssh_keygen.rb.swp b/lib/puppet/parser/functions/.ssh_keygen.rb.swp deleted file mode 100644 index b5036fa..0000000 Binary files a/lib/puppet/parser/functions/.ssh_keygen.rb.swp and /dev/null differ -- cgit v1.2.3 From 584cee72362cf5b2d822164ef6569fe4671eabf6 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 16 Dec 2010 17:15:36 +0100 Subject: made error mesage a bit more verbose --- lib/puppet/parser/functions/ssh_keygen.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/puppet/parser/functions/ssh_keygen.rb b/lib/puppet/parser/functions/ssh_keygen.rb index 18b006a..24efe62 100644 --- a/lib/puppet/parser/functions/ssh_keygen.rb +++ b/lib/puppet/parser/functions/ssh_keygen.rb @@ -6,7 +6,7 @@ Puppet::Parser::Functions::newfunction(:ssh_keygen, :type => :rvalue, :doc => It accepts only fully qualified paths, everything else will fail.") do |args| raise Puppet::ParseError, "Wrong number of arguments" unless args.to_a.length == 1 private_key_path = args - raise Puppet::ParseError, "Only fully qualified paths are accepted" unless private_key_path =~ /^\/.+/ + raise Puppet::ParseError, "Only fully qualified paths are accepted (#{private_key_path})" unless private_key_path =~ /^\/.+/ public_key_path = "#{private_key_path}.pub" raise Puppet::ParseError, "Either only the private or only the public key exists" if File.exists?(private_key_path) ^ File.exists?(public_key_path) [private_key_path,public_key_path].each do |path| -- cgit v1.2.3 From fa3d9e165404a5ed686d152002e5f7fd21b21e30 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 16 Dec 2010 17:33:04 +0100 Subject: do some trickery as arguments from puppet are passed as an array --- lib/puppet/parser/functions/ssh_keygen.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/puppet/parser/functions/ssh_keygen.rb b/lib/puppet/parser/functions/ssh_keygen.rb index 24efe62..09b3d3b 100644 --- a/lib/puppet/parser/functions/ssh_keygen.rb +++ b/lib/puppet/parser/functions/ssh_keygen.rb @@ -5,7 +5,7 @@ Puppet::Parser::Functions::newfunction(:ssh_keygen, :type => :rvalue, :doc => the directory hierarchy if required. It accepts only fully qualified paths, everything else will fail.") do |args| raise Puppet::ParseError, "Wrong number of arguments" unless args.to_a.length == 1 - private_key_path = args + private_key_path = args.to_a[0] raise Puppet::ParseError, "Only fully qualified paths are accepted (#{private_key_path})" unless private_key_path =~ /^\/.+/ public_key_path = "#{private_key_path}.pub" raise Puppet::ParseError, "Either only the private or only the public key exists" if File.exists?(private_key_path) ^ File.exists?(public_key_path) -- cgit v1.2.3 From 86f31fcff9dd7ea91707f1760ef3f2000e3dd802 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 19 Feb 2011 14:12:04 -0500 Subject: Pull together a more comprehensive README, moving the configurable variables from init.pp into the README, and detailing the other features, and requirements, of the module --- README | 214 +++++++++++++++++++++++++++++++++++++++++++++++++++++- manifests/init.pp | 169 ------------------------------------------ 2 files changed, 212 insertions(+), 171 deletions(-) diff --git a/README b/README index dd7bca7..4f679e4 100644 --- a/README +++ b/README @@ -1,6 +1,216 @@ -# sshd module for Puppet +Introduction +============ -## Dependencies +This puppet module manages OpenSSH configuration and services. + +Dependencies +------------ + +This module requires puppet => 2.6, and the following modules are required +pre-dependencies: - shared-common: git://labs.riseup.net/shared-common - shared-lsb: git://labs.riseup.net/shared-lsb + +OpenSSH Server +============== + +On a node where you wish to have an openssh server installed, you should +'include sshd' on that node. If you need to configure any aspects of +sshd_config, set the variables before the include. See 'Configurable Variables' +below for what you can set. + +Nagios +------ + +To have nagios checks setup automatically for sshd services, simply set +$use_nagios = true before the class is included. If you want to disable ssh +nagios checking for a particular node (such as when ssh is firewalled), then you +can set $nagios_check_ssh to false and that node will not be monitored. + +Nagios will automatically check the ports defined in $sshd_ports, and the +hostname specified by $nagios_check_ssh_hostname. + +NOTE: this requires that you are using the shared-nagios puppet module which +supports the nagios native types via nagios::service: +git://labs.riseup.net/shared-nagios + +Firewall +-------- + +If you wish to have firewall rules setup automatically for you, using shorewall, +you will need to set: $use_shorewall = true. The $sshd_ports that you have +specified will automatically be used. + +NOTE: This requires that you are using the shared-shorewall puppet module: +git://labs.riseup.net/shared-shorewall + + +Configurable variables +---------------------- + +Configuration of sshd is strict, and may not fit all needs, however there are a +number of variables that you can consider configuring. The defaults are set to +the distribution shipped sshd_config file defaults. + +To set any of these variables, simply set them as variables in your manifests, +before the class is included, for example: + + $sshd_listen_address = ['10.0.0.1 192.168.0.1'] + $sshd_use_pam = yes + include sshd + +If you need to install a version of the ssh daemon or client package other than +the default one that would be installed by 'ensure => installed', then you can +set the following variables: + + $sshd_ensure_version = "1:5.2p2-6" + $ssh_ensure_version = "1:5.2p2-6" + +The following is a list of the currently available variables: + + $sshd_listen_address + specify the addresses sshd should listen on set this to ['10.0.0.1 + 192.168.0.1'] to have it listen on both addresses, or leave it unset to + listen on all Default: empty -> results in listening on 0.0.0.0 + + $sshd_allowed_users + list of usernames separated by spaces. set this for example to "foobar + root" to ensure that only user foobar and root might login. Default: empty + -> no restriction is set + + $sshd_allowed_groups + list of groups separated by spaces. set this for example to "wheel sftponly" + to ensure that only users in the groups wheel and sftponly might login. + Default: empty -> no restriction is set Note: This is set after + sshd_allowed_users, take care of the behaviour if you use these 2 options + together. + + $sshd_use_pam + if you want to use pam or not for authenticaton. Values: no or yes; Default: + no + + $sshd_permit_root_login + If you want to allow root logins or not. Valid values: yes, no, + without-password, forced-commands-only; Default: without-password + + $sshd_password_authentication + If you want to enable password authentication or not. Valid values: yes or + no; Default: no + + $sshd_kerberos_authentication + If you want the password that is provided by the user to be validated + through the Kerberos KDC. To use this option the server needs a Kerberos + servtab which allows the verification of the KDC's identity. Valid values: + yes or no; Default: no + + $sshd_kerberos_orlocalpasswd + If password authentication through Kerberos fails, then the password will be + validated via any additional local mechanism. Valid values: yes or no; + Default: yes + + $sshd_kerberos_ticketcleanup + Destroy the user's ticket cache file on logout? Valid values: yes or no; + Default: yes + + $sshd_gssapi_authentication + Authenticate users based on GSSAPI? Valid values: yes or no; Default: no + + $sshd_gssapi_cleanupcredentials + Destroy user's credential cache on logout? Valid values: yes or no; Default: + yes + + $sshd_challenge_response_authentication + If you want to enable ChallengeResponseAuthentication or not When disabled, + s/key passowords are disabled Valid values: yes or no; Default: no + + $sshd_tcp_forwarding + If you want to enable TcpForwarding. Valid Values: yes or no; Default: no + + $sshd_x11_forwarding + If you want to enable x11 forwarding. Valid Values: yes or no; Default: no + + $sshd_agent_forwarding + If you want to allow ssh-agent forwarding. Valid Values: yes or no; Default: + no + + $sshd_pubkey_authentication + If you want to enable public key authentication. Valid Values: yes or no; + Default: yes + + $sshd_rsa_authentication + If you want to enable RSA Authentication. Valid Values: yes or no; Default: + no + + $sshd_rhosts_rsa_authentication + If you want to enable rhosts RSA Authentication. Valid Values: yes or no; + Default: no + + $sshd_hostbased_authentication + If you want to enable HostbasedAuthentication. Valid Values: yes or no; + Default: no + + $sshd_strict_modes + If you want to set StrictModes (check file modes/ownership before accepting + login). Valid Values: yes or no; Default: yes + + $sshd_permit_empty_passwords + If you want enable PermitEmptyPasswords to allow empty passwords. Valid + Values: yes or no; Default: no + + $sshd_port + Deprecated, use sshd_ports instead. + + $sshd_ports + If you want to specify a list of ports other than the default 22; Default: + [22] + + $sshd_authorized_keys_file + Set this to the location of the AuthorizedKeysFile + (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile + %h/.ssh/authorized_keys + + $sshd_sftp_subsystem + Set a different sftp-subystem than the default one. Might be interesting for + sftponly usage. Default: empty -> no change of the default + + $sshd_head_additional_options + Set this to any additional sshd_options which aren't listed above. Anything + set here will be added to the beginning of the sshd_config file. This option + might be useful to define complicated Match Blocks. This string is going to + be included, like it is defined. So take care! Default: empty -> not added. + + $sshd_tail_additional_options + + Set this to any additional sshd_options which aren't listed above. Anything + set here will be added to the end of the sshd_config file. This option might + be useful to define complicated Match Blocks. This string is going to be + included, like it is defined. So take care! Default: empty -> not added. + + +Defines +------- + +Deploy authorized_keys file with the define sshd::ssh_authorized_key + +Client +====== + +On a node where you wish to have the ssh client managed, you can do 'include +sshd::client' in the node definition. This will install the appropriate package. + + +License +======= + +# Copyright 2008-2011, Riseup Labs micah@riseup.net +# Copyright 2008, admin(at)immerda.ch +# Copyright 2008, Puzzle ITC GmbH +# Marcel Härry haerry+puppet(at)puzzle.ch +# Simon Josi josi+puppet(at)puzzle.ch +# +# This program is free software; you can redistribute +# it and/or modify it under the terms of the GNU +# General Public License version 3 as published by +# the Free Software Foundation. +# diff --git a/manifests/init.pp b/manifests/init.pp index 76ee107..991fbba 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,172 +1,3 @@ -# -# ssh module -# -# Copyright 2008-2009, micah@riseup.net -# Copyright 2008, admin(at)immerda.ch -# Copyright 2008, Puzzle ITC GmbH -# Marcel Härry haerry+puppet(at)puzzle.ch -# Simon Josi josi+puppet(at)puzzle.ch -# -# This program is free software; you can redistribute -# it and/or modify it under the terms of the GNU -# General Public License version 3 as published by -# the Free Software Foundation. -# -# Deploy authorized_keys file with the define -# sshd::ssh_authorized_key -# -# sshd-config: -# -# The configuration of the sshd is rather strict and might not fit all -# needs. However there are a bunch of variables, which you might -# consider configuring. -# -# To set any of the following, simply set them as variables in your manifests -# before the class is included, for example: -# -# $sshd_listen_address = ['10.0.0.1 192.168.0.1'] -# $sshd_use_pam = yes -# include sshd -# -# If you need to install a version of the ssh daemon or client package other than -# the default one that would be installed by 'ensure => installed', then you can -# set the following variables: -# -# $sshd_ensure_version = "1:5.2p2-6" -# $ssh_ensure_version = "1:5.2p2-6" -# -# To have nagios checks setup automatically for sshd services, simply -# set $use_nagios = true before the class is included. If you want to -# disable ssh nagios checking for a particular node (such as when ssh -# is firewalled), then you can set $nagios_check_ssh to false and that -# node will not be monitored. -# NOTE: this requires that you are using the nagios puppet module -# which supports the nagios native types via nagios::service -# -# The following is a list of the currently available variables: -# -# sshd_listen_address: specify the addresses sshd should listen on -# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both -# addresses, or leave it unset to listen on all -# Default: empty -> results in listening on 0.0.0.0 -# -# sshd_allowed_users: list of usernames separated by spaces. -# set this for example to "foobar root" -# to ensure that only user foobar and root -# might login. -# Default: empty -> no restriction is set -# -# sshd_allowed_groups list of groups separated by spaces. -# set this for example to "wheel sftponly" -# to ensure that only users in the groups -# wheel and sftponly might login. -# Default: empty -> no restriction is set -# Note: This is set after sshd_allowed_users, -# take care of the behaviour if you use -# these 2 options together. -# -# sshd_use_pam: if you want to use pam or not for authenticaton -# Values: no or yes. -# Default: no -# -# sshd_permit_root_login: If you want to allow root logins or not. -# Valid values: yes, no, without-password, forced-commands-only -# Default: without-password -# -# sshd_password_authentication: If you want to enable password authentication or not -# Valid values: yes or no -# Default: no -# -# sshd_kerberos_authentication: If you want the password that is provided by the user to be -# validated through the Kerberos KDC. To use this option the -# server needs a Kerberos servtab which allows the verification of -# the KDC's identity. -# Valid values: yes or no -# Default: no -# -# sshd_kerberos_orlocalpasswd: If password authentication through Kerberos fails, then the password -# will be validated via any additional local mechanism. -# Valid values: yes or no -# Default: yes -# -# sshd_kerberos_ticketcleanup: Destroy the user's ticket cache file on logout? -# Valid values: yes or no -# Default: yes -# -# sshd_gssapi_authentication: Authenticate users based on GSSAPI? -# Valid values: yes or no -# Default: no -# -# sshd_gssapi_cleanupcredentials: Destroy user's credential cache on logout? -# Valid values: yes or no -# Default: yes -# -# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not -# When disabled, s/key passowords are disabled -# Valid values: yes or no -# Default: no -# -# sshd_tcp_forwarding: If you want to enable TcpForwarding -# Valid Values: yes or no -# Default: no -# -# sshd_x11_forwarding: If you want to enable x11 forwarding -# Valid Values: yes or no -# Default: no -# -# sshd_agent_forwarding: If you want to allow ssh-agent forwarding -# Valid Values: yes or no -# Default: no -# -# sshd_pubkey_authentication: If you want to enable public key authentication -# Valid Values: yes or no -# Default: yes -# -# sshd_rsa_authentication: If you want to enable RSA Authentication -# Valid Values: yes or no -# Default: no -# -# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication -# Valid Values: yes or no -# Default: no -# -# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication -# Valid Values: yes or no -# Default: no -# -# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login) -# Valid Values: yes or no -# Default: yes -# -# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords -# Valid Values: yes or no -# Default: no -# -# sshd_port: Deprecated, use sshd_ports instead. -# -# sshd_ports: If you want to specify a list of ports other than the default 22 -# Default: [22] -# -# -# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u) -# Default: AuthorizedKeysFile %h/.ssh/authorized_keys -# -# sshd_sftp_subsystem: Set a different sftp-subystem than the default one. -# Might be interesting for sftponly usage -# Default: empty -> no change of the default -# -# sshd_head_additional_options: Set this to any additional sshd_options which aren't listed above. -# Anything set here will be added to the beginning of the sshd_config file. -# This option might be useful to define complicated Match Blocks -# This string is going to be included, like it is defined. So take care! -# Default: empty -> not added. -# -# sshd_tail_additional_options: Set this to any additional sshd_options which aren't listed above. -# Anything set here will be added to the end of the sshd_config file. -# This option might be useful to define complicated Match Blocks -# This string is going to be included, like it is defined. So take care! -# Default: empty -> not added. - class sshd { # prepare variables to use in templates case $sshd_listen_address { -- cgit v1.2.3 From e0d3cdbd36bf1d06984240da216b4492efc4e69d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 19 Feb 2011 14:18:02 -0500 Subject: Update README to include the ssh_keygen function --- README | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/README b/README index 4f679e4..fa4214d 100644 --- a/README +++ b/README @@ -188,10 +188,20 @@ The following is a list of the currently available variables: included, like it is defined. So take care! Default: empty -> not added. -Defines -------- +Defines and functions +--------------------- + +Deploy authorized_keys file with the define sshd::ssh_authorized_key. + +Generate a public/private keypair with the ssh_keygen function. For example, the +following will generate ssh keys and put the different parts of the key into +variables: + +$ssh_keys = ssh_keygen("${$ssh_key_basepath}/backup/keys/${fqdn}/${backup_host}") +$public_key = split($ssh_keys[1],' ') +$sshkey_type => $public_key[0] +$sshkey => $public_key[1] -Deploy authorized_keys file with the define sshd::ssh_authorized_key Client ====== -- cgit v1.2.3