From 9ce186f5c31c4339d9a92aa73f6c895cc676a633 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 29 Sep 2008 22:37:26 +0000 Subject: merged with riseup git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2263 d66ca3ae-40d7-4aa7-90d4-87d79ca94279 --- manifests/init.pp | 130 +++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 123 insertions(+), 7 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 95682fd..2a4c449 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,6 +1,7 @@ # # ssh module # +# Copyright 2008, micah@riseup.net # Copyright 2008, admin(at)immerda.ch # Copyright 2008, Puzzle ITC GmbH # Marcel Härry haerry+puppet(at)puzzle.ch @@ -16,10 +17,23 @@ # # sshd-config: # -# The configuration of the sshd is rather strict and -# might not fit all needs. However there are a bunch -# of variables, which you might consider to configure. -# Checkout the following: +# The configuration of the sshd is rather strict and might not fit all +# needs. However there are a bunch of variables, which you might +# consider configuring. +# +# To set any of the following, simply set them as variables in your manifests +# before the class is included, for example: +# +# $sshd_listen_address = ['10.0.0.1 192.168.0.1'] +# $sshd_use_pam = yes +# include sshd::debian +# +# The following is a list of the currently available variables: +# +# sshd_listen_address: specify the addresses sshd should listen on +# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both +# addresses, or leave it unset to listen on all +# Default: empty -> results in listening on 0.0.0.0 # # sshd_allowed_users: list of usernames separated by spaces. # set this for example to "foobar root" @@ -38,11 +52,54 @@ # sshd_password_authentication: If you want to enable password authentication or not # Valid values: yes or no # Default: no +# +# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not +# When disabled, s/key passowords are disabled +# Valid values: yes or no +# Default: no # +# sshd_tcp_forwarding: If you want to enable TcpForwarding +# Valid Values: yes or no +# Default: no +# # sshd_x11_forwarding: If you want to enable x11 forwarding # Valid Values: yes or no # Default: no # +# sshd_agent_forwarding: If you want to allow ssh-agent forwarding +# Valid Values: yes or no +# Default: no +# +# sshd_pubkey_authentication: If you want to enable public key authentication +# Valid Values: yes or no +# Default: yes +# +# sshd_rsa_authentication: If you want to enable RSA Authentication +# Valid Values: yes or no +# Default: no +# +# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication +# Valid Values: yes or no +# Default: no +# +# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication +# Valid Values: yes or no +# Default: no +# +# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login) +# Valid Values: yes or no +# Default: yes +# +# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords +# Valid Values: yes or no +# Default: no +# +# sshd_port: If you want to specify a different port than the default 22 +# Default: 22 +# +# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u) +# Default: AuthorizedKeysFile %h/.ssh/authorized_keys +# class sshd { include sshd::client @@ -60,7 +117,11 @@ class sshd { class sshd::base { - # prepare variables to use in templates + # prepare variables to use in templates + $real_sshd_listen_address = $sshd_listen_address ? { + '' => [ '0.0.0.0', '::' ], + default => $sshd_listen_address + } $real_sshd_allowed_users = $sshd_allowed_users ? { '' => '', default => $sshd_allowed_users @@ -77,17 +138,68 @@ class sshd::base { '' => 'no', default => $sshd_password_authentication } + $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? { + '' => 'no', + default => $sshd_tcp_forwarding + } $real_sshd_x11_forwarding = $sshd_x11_forwarding ? { '' => 'no', default => $sshd_x11_forwarding } - + $real_sshd_agent_forwarding = $sshd_agent_forwarding ? { + '' => 'no', + default => $sshd_agent_forwarding + } + $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? { + '' => 'no', + default => $sshd_challenge_response_authentication + } + $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? { + '' => 'yes', + default => $sshd_pubkey_authentication + } + $real_sshd_rsa_authentication = $sshd_rsa_authentication ? { + '' => 'no', + default => $sshd_rsa_authentication + } + $real_sshd_strict_modes = $sshd_strict_modes ? { + '' => 'yes', + default => $sshd_strict_modes + } + $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? { + '' => 'yes', + default => $sshd_ignore_rhosts + } + $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? { + '' => 'no', + default => $sshd_rhosts_rsa_authentication + } + $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? { + '' => 'no', + default => $sshd_hostbased_authentication + } + $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? { + '' => 'no', + default => $sshd_permit_empty_passwords + } + $real_sshd_port = $sshd_port ? { + '' => 22, + default => $sshd_port + } + $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? { + '' => "%h/.ssh/authorized_keys", + default => $sshd_authorized_keys_file + } + file { 'sshd_config': path => '/etc/ssh/sshd_config', owner => root, group => 0, mode => 600, - content => template("sshd/sshd_config/${operatingsystem}_normal.erb"), + content => $lsbdistcodename ? { + '' => template("sshd/sshd_config/${operatingsystem}.erb"), + default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), + }, notify => Service[sshd], } # Now add the key, if we've got one @@ -127,6 +239,10 @@ class sshd::gentoo inherits sshd::linux { } class sshd::debian inherits sshd::linux { + + # the templates for Debian need lsbdistcodename + include assert_lsbdistcodename + Package[openssh]{ name => 'openssh-server', } -- cgit v1.2.3