From 9ce186f5c31c4339d9a92aa73f6c895cc676a633 Mon Sep 17 00:00:00 2001
From: mh
Date: Mon, 29 Sep 2008 22:37:26 +0000
Subject: merged with riseup
git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2263 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
---
 manifests/init.pp | 130 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 123 insertions(+), 7 deletions(-)
(limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 95682fd..2a4c449 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,6 +1,7 @@
 #
 # ssh module
 #
+# Copyright 2008, micah@riseup.net
 # Copyright 2008, admin(at)immerda.ch
 # Copyright 2008, Puzzle ITC GmbH
 # Marcel Härry haerry+puppet(at)puzzle.ch
@@ -16,10 +17,23 @@
 #
 # sshd-config:
 #
-# The configuration of the sshd is rather strict and
-# might not fit all needs. However there are a bunch
-# of variables, which you might consider to configure.
-# Checkout the following:
+# The configuration of the sshd is rather strict and might not fit all
+# needs. However there are a bunch of variables, which you might
+# consider configuring.
+#
+# To set any of the following, simply set them as variables in your manifests
+# before the class is included, for example:
+#
+# $sshd_listen_address = ['10.0.0.1 192.168.0.1']
+# $sshd_use_pam = yes
+# include sshd::debian
+#
+# The following is a list of the currently available variables:
+#
+# sshd_listen_address: specify the addresses sshd should listen on
+# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
+# addresses, or leave it unset to listen on all
+# Default: empty -> results in listening on 0.0.0.0
 #
 # sshd_allowed_users: list of usernames separated by spaces.
 # set this for example to "foobar root"
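Review bot: The example `$sshd_listen_address = ['10.0.0.1 192.168.0.1']` in the new comment block is a one-element array holding a space-separated string, whereas the code default this same commit adds in the sshd::base hunk (`'' => [ '0.0.0.0', '::' ]`, at @@ -60,7 +117,11 @@) is a two-element array; a reader copying the example will presumably get a single `ListenAddress 10.0.0.1 192.168.0.1` line instead of two listeners, so it should read `$sshd_listen_address = ['10.0.0.1', '192.168.0.1']` in both places it appears. The line `Default: empty -> results in listening on 0.0.0.0` is also inconsistent with that code default, which binds `::` as well, so the unset case exposes sshd on IPv6 too; either the comment should say `Default: empty -> listens on 0.0.0.0 and ::` or the default should drop `::` if IPv6 exposure is not intended. Both hunks are comment/selector fragments inside a class whose boundaries lie outside the hunks.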
@@ -38,11 +52,54 @@ # sshd_password_authentication: If you want to enable password authentication or not # Valid values: yes or no # Default: no +# +# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not +# When disabled, s/key passowords are disabled +# Valid values: yes or no +# Default: no # +# sshd_tcp_forwarding: If you want to enable TcpForwarding +# Valid Values: yes or no +# Default: no +# # sshd_x11_forwarding: If you want to enable x11 forwarding # Valid Values: yes or no # Default: no # +# sshd_agent_forwarding: If you want to allow ssh-agent forwarding +# Valid Values: yes or no +# Default: no +# +# sshd_pubkey_authentication: If you want to enable public key authentication +# Valid Values: yes or no +# Default: yes +# +# sshd_rsa_authentication: If you want to enable RSA Authentication +# Valid Values: yes or no +# Default: no +# +# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication +# Valid Values: yes or no +# Default: no +# +# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication +# Valid Values: yes or no +# Default: no +# +# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login) +# Valid Values: yes or no +# Default: yes +# +# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords +# Valid Values: yes or no +# Default: no +# +# sshd_port: If you want to specify a different port than the default 22 +# Default: 22 +# +# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u) +# Default: AuthorizedKeysFile %h/.ssh/authorized_keys +# class sshd { include sshd::client 
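Review bot: `sshd_ignore_rhosts` is given a `$real_sshd_ignore_rhosts` default of `yes` in the sshd::base hunk (@@ -77,17 +138,68 @@) but is missing from this list of available variables, so users cannot discover it or learn that the secure default is already on; an entry such as `# sshd_ignore_rhosts: If you want to ignore .rhosts and .shosts files (IgnoreRhosts)` / `# Valid Values: yes or no` / `# Default: yes` would close the gap. Also `passowords` in the `sshd_challenge_response_authentication` entry is a typo, and `Default: AuthorizedKeysFile %h/.ssh/authorized_keys` would be clearer as the bare value `Default: %h/.ssh/authorized_keys`, matching the other entries and the code default. The list sits in the file header comment, which begins before this hunk.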
@@ -60,7 +117,11 @@ class sshd { class sshd::base { - # prepare variables to use in templates + # prepare variables to use in templates + $real_sshd_listen_address = $sshd_listen_address ? { + '' => [ '0.0.0.0', '::' ], + default => $sshd_listen_address + } $real_sshd_allowed_users = $sshd_allowed_users ? { '' => '', default => $sshd_allowed_users 
@@ -77,17 +138,68 @@ class sshd::base { '' => 'no', default => $sshd_password_authentication } + $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? { + '' => 'no', + default => $sshd_tcp_forwarding + } $real_sshd_x11_forwarding = $sshd_x11_forwarding ? { '' => 'no', default => $sshd_x11_forwarding } - + $real_sshd_agent_forwarding = $sshd_agent_forwarding ? { + '' => 'no', + default => $sshd_agent_forwarding + } + $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? { + '' => 'no', + default => $sshd_challenge_response_authentication + } + $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? { + '' => 'yes', + default => $sshd_pubkey_authentication + } + $real_sshd_rsa_authentication = $sshd_rsa_authentication ? { + '' => 'no', + default => $sshd_rsa_authentication + } + $real_sshd_strict_modes = $sshd_strict_modes ? { + '' => 'yes', + default => $sshd_strict_modes + } + $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? { + '' => 'yes', + default => $sshd_ignore_rhosts + } + $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? { + '' => 'no', + default => $sshd_rhosts_rsa_authentication + } + $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? { + '' => 'no', + default => $sshd_hostbased_authentication + } + $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? { + '' => 'no', + default => $sshd_permit_empty_passwords + } + $real_sshd_port = $sshd_port ? { + '' => 22, + default => $sshd_port + } + $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? { + '' => "%h/.ssh/authorized_keys", + default => $sshd_authorized_keys_file + } + file { 'sshd_config': path => '/etc/ssh/sshd_config', owner => root, group => 0, mode => 600, - content => template("sshd/sshd_config/${operatingsystem}_normal.erb"), + content => $lsbdistcodename ? 
{ + '' => template("sshd/sshd_config/${operatingsystem}.erb"), + default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), + }, notify => Service[sshd], } # Now add the key, if we've got one @@ -127,6 +239,10 @@ class sshd::gentoo inherits sshd::linux { } class sshd::debian inherits sshd::linux { + + # the templates for Debian need lsbdistcodename + include assert_lsbdistcodename + Package[openssh]{ name => 'openssh-server', } -- cgit v1.2.3 From 1afa887a2e99bc97ebae388d74185ec4e11a38ed Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 29 Sep 2008 22:45:39 +0000 Subject: factored out the package to some subclasses as openbsd doesn't need such a package git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2265 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- manifests/client.pp | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'manifests') diff --git a/manifests/client.pp b/manifests/client.pp index f0b05c5..0ad85cf 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -3,15 +3,16 @@ class sshd::client { case $operatingsystem { debian: { include sshd::client::debian } - default: { include sshd::client::base } + default: { + case $kernel { + linux: { include sshd::client::linux } + default: { include sshd::client::base } + } + } } } class sshd::client::base { - package {'openssh-clients': - ensure => installed, - } - # this is needed because the gid might have changed file { '/etc/ssh/ssh_known_hosts': mode => 0644, owner => root, group => 0; @@ -21,6 +22,12 @@ class sshd::client::base { Sshkey <<||>> } +class sshd::client::linux inherits sshd::client::base { + package {'openssh-clients': + ensure => installed, + } +} + class sshd::client::debian inherits sshd::client::base { Package['openssh-clients']{ name => 'openssh-client', -- cgit v1.2.3 From f7335624697bfedb6acada341b7e82a2e2966c2a Mon Sep 17 00:00:00 2001 
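Review bot: The new `content` selector picks the `${operatingsystem}_${lsbdistcodename}.erb` template whenever `$lsbdistcodename` is non-empty, regardless of `$operatingsystem`, so on a non-Debian host where facter happens to report a codename (as it presumably does when the LSB tools are installed) catalog compilation will fail on a template that does not exist; keying on the OS first is safer, e.g. `content => $operatingsystem ? { debian => template("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), default => template("sshd/sshd_config/${operatingsystem}.erb") }`, or at least the comment above `file { 'sshd_config':` should state which operating systems ship codename-specific templates. Every `$real_sshd_*` selector passes any non-empty value through verbatim, so a mistyped `Yes`, a `true`, or a non-numeric `$sshd_port` lands unchecked in sshd_config and only surfaces when `Service[sshd]` is restarted; a comment on the block such as `# values are not validated here; anything other than yes/no (or a port number) is written to sshd_config as-is` would warn maintainers. As a point of style, `template ("sshd/...` has a space before the paren while the line above uses `template("sshd/...`. The enclosing class sshd::base starts before this hunk and continues after it.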
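Review bot: `include assert_lsbdistcodename` in sshd::debian refers to a class that is not defined in the manifests shown, so the class can only compile when some other module provides it; the comment should say where it comes from, e.g. `# the templates for Debian need lsbdistcodename; assert_lsbdistcodename is provided by the <MODULE-PLACEHOLDER> module`. Because sshd::debian inherits sshd::linux and thereby sshd::base, the parent's `file { 'sshd_config': content => ... }` selector is presumably evaluated before this include runs, so an empty fact would show up as a missing `debian.erb` template rather than as the assertion's own message; if the assertion is meant to give the clearer error, it would need to be included earlier (for instance from sshd::base or the top-level sshd class). The class sshd::debian continues past the end of this hunk.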
From: mh Date: Mon, 29 Sep 2008 22:48:35 +0000 Subject: moved package depency to the linux class, openbsd doesn't have this package git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2266 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 2a4c449..4e10ac9 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -210,7 +210,6 @@ class sshd::base { type => ssh-rsa, key => $sshrsakey_key, ensure => present, - require => Package["openssh-clients"], } } } @@ -230,6 +229,9 @@ class sshd::linux inherits sshd::base { File[sshd_config]{ require +> Package[openssh], } + Sshkey["$hostname.$domain"]{ + require => Package["openssh-clients"], + } } class sshd::gentoo inherits sshd::linux { -- cgit v1.2.3 From 456fec72ed2d43794ed0633afba120d54c2075aa Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 29 Sep 2008 22:50:28 +0000 Subject: remove dependency completly git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2267 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- manifests/init.pp | 3 --- 1 file changed, 3 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 4e10ac9..a7106b4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -229,9 +229,6 @@ class sshd::linux inherits sshd::base { File[sshd_config]{ require +> Package[openssh], } - Sshkey["$hostname.$domain"]{ - require => Package["openssh-clients"], - } } class sshd::gentoo inherits sshd::linux { -- cgit v1.2.3 From fce684ca587dd891b7d912be9448888ee18f39c0 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 30 Sep 2008 20:13:47 +0000 Subject: fix correct inheritance git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2272 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- manifests/client.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/client.pp b/manifests/client.pp index 0ad85cf..34308b4 100644 
--- a/manifests/client.pp +++ b/manifests/client.pp @@ -28,7 +28,7 @@ class sshd::client::linux inherits sshd::client::base { } } -class sshd::client::debian inherits sshd::client::base { +class sshd::client::debian inherits sshd::client::linux { Package['openssh-clients']{ name => 'openssh-client', } -- cgit v1.2.3