From 3bd90d741c35ae242befd955566e3f28cf76b81b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 16:57:59 -0400 Subject: Add the variable AllowAgentForwarding to be set, with the default of 'no', only the Debian template was adjusted for this, as my knowledge of the other operating systems is not good enough to determine the appropriate setting there --- manifests/init.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 95682fd..4e796f3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -43,6 +43,9 @@ # Valid Values: yes or no # Default: no # +# sshd_agent_forwarding: If you want to allow ssh-agent forwarding +# Valid Values: yes or no +# Default: no class sshd { include sshd::client @@ -81,6 +84,10 @@ class sshd::base { '' => 'no', default => $sshd_x11_forwarding } + $real_sshd_agent_forwarding = $sshd_agent_forwarding ? { + '' => 'no', + default => $sshd_agent_forwarding + } file { 'sshd_config': path => '/etc/ssh/sshd_config', -- cgit v1.2.3 From 51c18b6b8f71a925e3c94b459dbc257f2466c453 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:05:49 -0400 Subject: added sshd_challenge_response_authentication variable, with the default value set to no --- manifests/init.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 4e796f3..029ab95 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -38,6 +38,11 @@ # sshd_password_authentication: If you want to enable password authentication or not # Valid values: yes or no # Default: no +# +# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not +# When disabled, s/key passowords are disabled +# Valid values: yes or no +# Default: no # # sshd_x11_forwarding: If you want to enable x11 forwarding # Valid Values: yes or no 
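Review bot: The header entry for `sshd_agent_forwarding` added in the first commit (3bd90d7) does not say that only the Debian template consumes the variable, although the commit message does. On every other operating system, setting it would presumably change nothing in the rendered sshd_config (the templates are not shown here). I would extend the comment with a line such as `#                        Only honoured by the Debian template so far`, so that an admin does not assume agent forwarding is disabled elsewhere.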
@@ -88,6 +93,10 @@ class sshd::base { '' => 'no', default => $sshd_agent_forwarding } + $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? { + '' => 'no', + default => $sshd_challenge_response_authentication + } file { 'sshd_config': path => '/etc/ssh/sshd_config', -- cgit v1.2.3 From 6f5a865b583b1cc2c51484ce03f88be52e2c5b8d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:10:33 -0400 Subject: add sshd_pubkey_authentication variable, with the default set to yes --- manifests/init.pp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 029ab95..413c46a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -51,6 +51,10 @@ # sshd_agent_forwarding: If you want to allow ssh-agent forwarding # Valid Values: yes or no # Default: no +# +# sshd_pubkey_authentication: If you want to enable public key authentication +# Valid Values: yes or no +# Default: yes class sshd { include sshd::client @@ -97,6 +101,10 @@ class sshd::base { '' => 'no', default => $sshd_challenge_response_authentication } + $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? { + '' => 'no', + default => $sshd_pubkey_authentication + } file { 'sshd_config': path => '/etc/ssh/sshd_config', -- cgit v1.2.3 From 19b49e80ee3b468ce1754f7b5dd62995f37b5e86 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:21:01 -0400 Subject: add the sshd_rsa_authentication option, default set to no --- manifests/init.pp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 413c46a..a58ee58 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
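Review bot: In commit 6f5a865 the selector for `$real_sshd_pubkey_authentication` falls back to 'no' when the variable is unset, while the header comment added in the same commit documents `Default: yes`. `sshd_password_authentication` is also documented as defaulting to no, so an unconfigured node would presumably get a config with both methods disabled and lose remote logins (the template is not visible here). The empty-string arm should read `'' => 'yes',`. A later commit on this page makes that one-line change.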
@@ -55,6 +55,10 @@ # sshd_pubkey_authentication: If you want to enable public key authentication # Valid Values: yes or no # Default: yes +# +# sshd_rsa_authentication: If you wat to enable RSA Authentication +# Valid Values: yes or no +# Default: no class sshd { include sshd::client @@ -105,6 +109,10 @@ class sshd::base { '' => 'no', default => $sshd_pubkey_authentication } + $real_sshd_rsa_authentication = $sshd_rsa_authentication ? { + '' => 'no', + default => $sshd_rsa_authentication + } file { 'sshd_config': path => '/etc/ssh/sshd_config', -- cgit v1.2.3 From ba8d788f89e2e8676985b40553a9f6794a322217 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:28:05 -0400 Subject: add the sshd_strict_modes variable, with the default set to yes --- manifests/init.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index a58ee58..858e1b5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -56,9 +56,13 @@ # Valid Values: yes or no # Default: yes # -# sshd_rsa_authentication: If you wat to enable RSA Authentication +# sshd_rsa_authentication: If you want to enable RSA Authentication # Valid Values: yes or no # Default: no +# +# sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login) +# Valid Values: yes or no +# Default: yes class sshd { include sshd::client @@ -113,6 +117,10 @@ class sshd::base { '' => 'no', default => $sshd_rsa_authentication } + $real_sshd_strict_modes = $sshd_strict_modes ? { + '' => 'yes', + default => $sshd_strict_modes + } file { 'sshd_config': path => '/etc/ssh/sshd_config', -- cgit v1.2.3 From 9edd2705d4c59ac8cb75a67b587d06d32cb5e6c6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:30:28 -0400 Subject: add sshd_ignore_rhosts option, default set to yes --- manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'manifests') 
diff --git a/manifests/init.pp b/manifests/init.pp index 858e1b5..cf089bc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -121,6 +121,10 @@ class sshd::base { '' => 'yes', default => $sshd_strict_modes } + $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? { + '' => 'yes', + default => $sshd_ignore_rhosts + } file { 'sshd_config': path => '/etc/ssh/sshd_config', -- cgit v1.2.3 From 06163fbb920bf7f8dbb7ae2018e1f861003ed9ce Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:34:09 -0400 Subject: added sshd_rhosts_rsa_authentication variable, default set to no added sshd_hostbased_authentication variable, default set to no --- manifests/init.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index cf089bc..02f2e42 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -60,6 +60,14 @@ # Valid Values: yes or no # Default: no # +# sshd_rhosts_rsa_authentication: If you want to enable rhosts RSA Authentication +# Valid Values: yes or no +# Default: no +# +# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication +# Valid Values: yes or no +# Default: no +# # sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login) # Valid Values: yes or no # Default: yes @@ -125,6 +133,14 @@ class sshd::base { '' => 'yes', default => $sshd_ignore_rhosts } + $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? { + '' => 'no', + default => $sshd_rhosts_rsa_authentication + } + $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? { + '' => 'no', + default => $sshd_hostbased_authentication + } file { 'sshd_config': path => '/etc/ssh/sshd_config', -- cgit v1.2.3 From 58fef5f8092b937caa2a11648f3937e17f718d81 Mon Sep 17 00:00:00 2001 
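Review bot: Commit 9edd270 adds `$real_sshd_ignore_rhosts` but, unlike the neighbouring commits, adds no entry for `sshd_ignore_rhosts` to the variable list in the file header. Since the option decides whether per-user .rhosts and .shosts files are consulted, the default deserves to be documented next to the others, for example `# sshd_ignore_rhosts: If you want to ignore per-user .rhosts and .shosts files`, followed by `# Valid Values: yes or no` and `# Default: yes`.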
From: Micah Anderson Date: Fri, 26 Sep 2008 17:51:12 -0400 Subject: add variable sshd_permit_empty_passwords, with the default set to no --- manifests/init.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 02f2e42..5ba3e22 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -71,6 +71,11 @@ # sshd_strict_modes: If you want to set StrictModes (check file modes/ownership before accepting login) # Valid Values: yes or no # Default: yes +# +# sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords +# Valid Values: yes or no +# Default: no + class sshd { include sshd::client @@ -141,6 +146,10 @@ class sshd::base { '' => 'no', default => $sshd_hostbased_authentication } + $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? { + '' => 'no', + default => $sshd_permit_empty_passwords + } file { 'sshd_config': path => '/etc/ssh/sshd_config', -- cgit v1.2.3 From 0b180227270cf5d1a5e2176142c2a129940f523a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 17:55:02 -0400 Subject: add sshd_allow_tcp_forwarding variable, with the default changed to no (note this is opposite of what the existing template had enabled for Debian, but this is a better setting) --- manifests/init.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 5ba3e22..af716cd 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,6 +1,7 @@ # # ssh module # +# Copyright 2008, micah@riseup.net # Copyright 2008, admin(at)immerda.ch # Copyright 2008, Puzzle ITC GmbH # Marcel Härry haerry+puppet(at)puzzle.ch @@ -44,6 +45,10 @@ # Valid values: yes or no # Default: no # +# sshd_tcp_forwarding: If you want to enable TcpForwarding +# Valid Values: yes or no +# Default: no +# # sshd_x11_forwarding: If you want to enable x11 forwarding # Valid Values: yes or no # Default: no 
@@ -110,6 +115,10 @@ class sshd::base { '' => 'no', default => $sshd_password_authentication } + $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? { + '' => 'no', + default => $sshd_tcp_forwarding + } $real_sshd_x11_forwarding = $sshd_x11_forwarding ? { '' => 'no', default => $sshd_x11_forwarding -- cgit v1.2.3 From e525f18d129ac3b9adc8e6df89c9e5e48367439c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 18:16:58 -0400 Subject: minor fix to indentation --- manifests/init.pp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index af716cd..e48524d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -159,7 +159,7 @@ class sshd::base { '' => 'no', default => $sshd_permit_empty_passwords } - + file { 'sshd_config': path => '/etc/ssh/sshd_config', owner => root, @@ -181,11 +181,11 @@ class sshd::base { } } service{'sshd': - name => 'sshd', - enable => true, - ensure => running, - hasstatus => true, - require => File[sshd_config], + name => 'sshd', + enable => true, + ensure => running, + hasstatus => true, + require => File[sshd_config], } } -- cgit v1.2.3 From 26e4ac53a93c61fad4c07c44009cd180e4196d36 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 18:23:25 -0400 Subject: add sshd_port variable enabling you to set a different port for sshd, default is 22 --- manifests/init.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index e48524d..c2f318c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -80,7 +80,9 @@ # sshd_permit_empty_passwords: If you want enable PermitEmptyPasswords to allow empty passwords # Valid Values: yes or no # Default: no - +# +# sshd_port: If you want to specify a different port than the default 22 +# Default: 22 class sshd { include sshd::client 
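Review bot: The 'no' fallback for `$real_sshd_tcp_forwarding` in commit 0b18022 reverses what the commit message says the Debian template used to enable, but the header comment gives an upgrading admin no hint that existing tunnels will stop working. The entry added earlier in this commit would be clearer as `# sshd_tcp_forwarding: If you want to enable AllowTcpForwarding (default changed from yes to no)`, which also uses the actual directive name. It is worth adding there that, per sshd_config(5), disabling TCP forwarding only improves security when users are also denied shell access. Otherwise the setting can be mistaken for a containment boundary.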
@@ -159,6 +161,10 @@ class sshd::base { '' => 'no', default => $sshd_permit_empty_passwords } + $real_sshd_port = $sshd_port ? { + '' => 22, + default => $sshd_port + } file { 'sshd_config': path => '/etc/ssh/sshd_config', -- cgit v1.2.3 From ef6f137cff6cf749031423fd7384dbd0f29a7dfc Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 26 Sep 2008 20:03:10 -0400 Subject: add the variable sshd_authorized_keys_file with the default set to the normal: %h/.ssh/authorized_keys --- manifests/init.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index c2f318c..4841038 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -83,6 +83,10 @@ # # sshd_port: If you want to specify a different port than the default 22 # Default: 22 +# +# sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u) +# Default: AuthorizedKeysFile %h/.ssh/authorized_keys +# class sshd { include sshd::client @@ -165,7 +169,11 @@ class sshd::base { '' => 22, default => $sshd_port } - + $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? { + '' => "%h/.ssh/authorized_keys", + default => $sshd_authorized_keys_file + } + file { 'sshd_config': path => '/etc/ssh/sshd_config', owner => root, -- cgit v1.2.3 From 2391ef9bfe2e5960a024b68d8e19d3a0954dd48c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 13:30:52 -0400 Subject: add the ability to set the ListenAddress configuration option through sshd_listen_address --- manifests/init.pp | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 4841038..0fd2dfa 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
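Review bot: The header entry for `sshd_authorized_keys_file` in commit ef6f137 gives the default as `AuthorizedKeysFile %h/.ssh/authorized_keys`, but the selector's fallback is only the path `"%h/.ssh/authorized_keys"`. Anyone who copies the documented default into the variable would presumably get the directive name twice in the rendered line (the template is not shown). I would change the comment to `# Default: %h/.ssh/authorized_keys`. If the central-directory example is kept, it helps to say that those files should be owned by root and not writable by the user, since that is what stops users adding their own keys.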
@@ -22,6 +22,11 @@ # of variables, which you might consider to configure. # Checkout the following: # +# sshd_listen_address: specify the addresses sshd should listen on +# set this to "10.0.0.1 192.168.0.1" to have it listen on both +# addresses, or leave it unset to listen on all +# Default: empty -> results in listening on 0.0.0.0 +# # sshd_allowed_users: list of usernames separated by spaces. # set this for example to "foobar root" # to ensure that only user foobar and root @@ -104,7 +109,11 @@ class sshd { class sshd::base { - # prepare variables to use in templates + # prepare variables to use in templates + $real_sshd_listen_address = $sshd_sshd_listen_address ? { + '' => '', + default => $sshd_sshd_listen_address + } $real_sshd_allowed_users = $sshd_allowed_users ? { '' => '', default => $sshd_allowed_users -- cgit v1.2.3 From 11be1b1f8c498bca58296dd98e3c586f65c301f7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 13:39:28 -0400 Subject: fix duplicate sshd word in variable name --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 0fd2dfa..7abc2ef 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -110,9 +110,9 @@ class sshd { class sshd::base { # prepare variables to use in templates - $real_sshd_listen_address = $sshd_sshd_listen_address ? { + $real_sshd_listen_address = $sshd_listen_address ? { '' => '', - default => $sshd_sshd_listen_address + default => $sshd_listen_address } $real_sshd_allowed_users = $sshd_allowed_users ? { '' => '', -- cgit v1.2.3 From 57a0fd279ecd2b85f05797168b86b7ee1d709ed7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 15:19:43 -0400 Subject: fix the default of PubkeyAuthentication (supposed to be yes, but was set to no) --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') 
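Review bot: In commit 2391ef9 the selector reads `$sshd_sshd_listen_address`, which is not the variable documented in the header of the same commit. A node that sets `sshd_listen_address` to restrict sshd to an internal interface would therefore still get the empty fallback and, as the comment says, listen on all addresses, with no error to flag it. Both occurrences should read `$sshd_listen_address`, which the following commit on this page does.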
diff --git a/manifests/init.pp b/manifests/init.pp index 7abc2ef..af948f3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -147,7 +147,7 @@ class sshd::base { default => $sshd_challenge_response_authentication } $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? { - '' => 'no', + '' => 'yes', default => $sshd_pubkey_authentication } $real_sshd_rsa_authentication = $sshd_rsa_authentication ? { -- cgit v1.2.3 From 57eb2df0371c53988244094e07b1b30486529d0d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 16:42:08 -0400 Subject: Change the template naming: 1. remove the _normal suffix, as it is not used 2. add a selector to look for the variable $lsbdistcodename being set and use that in selecting a template this is useful to create a Debian_Etch.erb and a Debian_Lenny.erb which can have different values. For example the Debian Etch version of openssh does not have the AllowAgentForwarding option, and if it is included, ssh will fail to start --- manifests/init.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index af948f3..be33d7d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -188,7 +188,10 @@ class sshd::base { owner => root, group => 0, mode => 600, - content => template("sshd/sshd_config/${operatingsystem}_normal.erb"), + content => $lsbdistcodename ? { + '' => template("sshd/sshd_config/${operatingsystem}.erb"), + default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), + } notify => Service[sshd], } # Now add the key, if we've got one -- cgit v1.2.3 From d827a52614fc41ca98e2f2fc453da2e2ae4965ec Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 16:51:32 -0400 Subject: rename the templates to coincide with the downcased lsbdistcodename also add a missing comma in the content selector --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') 
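Review bot: The `content` selector in commit 57eb2df has no fallback for releases without a dedicated template. Whenever `$lsbdistcodename` is non-empty, the `default` arm requires a file named `${operatingsystem}_${lsbdistcodename}.erb`, so a node on such a release fails catalog compilation and its sshd_config stops being managed. I would list the codenames that really have their own template as explicit arms and make the last arm `default => template("sshd/sshd_config/${operatingsystem}.erb"),`. The closing `}` of the selector also lacks the trailing comma before `notify`, which the next commit on this page adds. The `file { 'sshd_config':` resource starts and ends outside this hunk.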
diff --git a/manifests/init.pp b/manifests/init.pp index be33d7d..519e242 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -191,7 +191,7 @@ class sshd::base { content => $lsbdistcodename ? { '' => template("sshd/sshd_config/${operatingsystem}.erb"), default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), - } + }, notify => Service[sshd], } # Now add the key, if we've got one -- cgit v1.2.3 From c751cf22ede55b3dde21dbc15813c33e24bc7b3d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 27 Sep 2008 17:45:57 -0400 Subject: clarify in the example about how you can set multiple ListenAddresses with the right syntax also set the default to be 0.0.0.0 and :: which is the normal default for all IPv4 and all IPv6 addresses --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 519e242..8e6ff8b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -23,7 +23,7 @@ # Checkout the following: # # sshd_listen_address: specify the addresses sshd should listen on -# set this to "10.0.0.1 192.168.0.1" to have it listen on both +# set this to ['10.0.0.1 192.168.0.1'] to have it listen on both # addresses, or leave it unset to listen on all # Default: empty -> results in listening on 0.0.0.0 # @@ -111,7 +111,7 @@ class sshd { class sshd::base { # prepare variables to use in templates $real_sshd_listen_address = $sshd_listen_address ? { - '' => '', + '' => [ '0.0.0.0', '::' ], default => $sshd_listen_address } $real_sshd_allowed_users = $sshd_allowed_users ? { -- cgit v1.2.3 From aa3badea817c1b44af7910a83777e39868b3dfb9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 28 Sep 2008 12:38:18 -0400 Subject: add some comments to clarify how to set variables, and provide examples --- manifests/init.pp | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'manifests') 
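Review bot: The example in the header comment of commit c751cf2, `['10.0.0.1 192.168.0.1']`, is a one-element array holding a single string with a space in it, whereas the new default `[ '0.0.0.0', '::' ]` uses one element per address. If the template emits one ListenAddress line per element (it is not shown here), the documented example would render a single line with two addresses, which sshd is likely to reject. The comment should read `# set this to ['10.0.0.1', '192.168.0.1'] to have it listen on both`. The `Default:` line below it still mentions only 0.0.0.0 and could say `0.0.0.0 and ::`. The next commit on this page repeats the same example in its usage snippet.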
diff --git a/manifests/init.pp b/manifests/init.pp index 8e6ff8b..56f34ae 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,10 +17,18 @@ # # sshd-config: # -# The configuration of the sshd is rather strict and -# might not fit all needs. However there are a bunch -# of variables, which you might consider to configure. -# Checkout the following: +# The configuration of the sshd is rather strict and might not fit all +# needs. However there are a bunch of variables, which you might +# consider configuring. +# +# To set any of the following, simply set them as variables in your manifests +# before the class is included, for example: +# +# $sshd_listen_address = ['10.0.0.1 192.168.0.1'] +# $sshd_use_pam = yes +# include sshd::debian +# +# The following is a list of the currently available variables: # # sshd_listen_address: specify the addresses sshd should listen on # set this to ['10.0.0.1 192.168.0.1'] to have it listen on both -- cgit v1.2.3 From 16dd74a7de341c0e8bf385b7bd8d0e082f7342bb Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 28 Sep 2008 13:40:35 -0400 Subject: include assert_lsbdistcodename for debian --- manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 56f34ae..96e6d08 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -239,6 +239,10 @@ class sshd::gentoo inherits sshd::linux { } class sshd::debian inherits sshd::linux { + + # the templates for Debian need lsbdistcodename + include assert_lsbdistcodename + Package[openssh]{ name => 'openssh-server', } -- cgit v1.2.3 From 96760cc558a2e6f72b138f2fc3e16820f3bf2036 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 23 Oct 2008 14:59:42 -0400 Subject: debian has both status and restart options, in fact restart is preferable because a stop/start operation can leave sshd broken because the stop wont stop before the start is run. On the next puppet run ssh will be brought back up, but its a hair-raising few minutes while you wonder what happened --- manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 55a2714..aaf068e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -247,7 +247,8 @@ class sshd::debian inherits sshd::linux { } Service[sshd]{ name => 'ssh', - hasstatus => false, + hasstatus => true, + hasrestart => true, } } class sshd::ubuntu inherits sshd::debian {} -- cgit v1.2.3 From 1b2dcaf51031582fbd30185a7384f7816ad35eb1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 23 Oct 2008 15:04:47 -0400 Subject: update formatting to be consistent with upstream puppet emacs mode, if this is different from the vim mode, then there is a difference between these two editor's formatting that needs to be resolved --- manifests/init.pp | 307 +++++++++++++++++++++++++++--------------------------- 1 file changed, 154 insertions(+), 153 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 459088f..02f5e45 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -119,186 +119,187 @@ # Default: empty -> not added. class sshd { - include sshd::client - - case $operatingsystem { - gentoo: { include sshd::gentoo } - redhat: { include sshd::redhat } - centos: { include sshd::centos } - openbsd: { include sshd::openbsd } - debian: { include sshd::debian } - ubuntu: { include sshd::ubuntu } - default: { include sshd::default } - } + include sshd::client + + case $operatingsystem { + gentoo: { include sshd::gentoo } + redhat: { include sshd::redhat } + centos: { include sshd::centos } + openbsd: { include sshd::openbsd } + debian: { include sshd::debian } + ubuntu: { include sshd::ubuntu } + default: { include sshd::default } + } } class sshd::base { - # prepare variables to use in templates - case $sshd_listen_address { - '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } - } - case $sshd_allowed_users { - '': { $sshd_allowed_users = '' } - } - case $sshd_allowed_groups { - '': { $sshd_allowed_groups = '' } - } - case $sshd_use_pam { - '': { $sshd_use_pam = 'no' } - } - case $sshd_permit_root_login { - '': { $sshd_permit_root_login = 'without-password' } - } - case $sshd_password_authentication { - '': { $sshd_password_authentication = 'no' } - } - case $sshd_tcp_forwarding { - '': { $sshd_tcp_forwarding = 'no' } - } - case $sshd_x11_forwarding { - '': { $sshd_x11_forwarding = 'no' } - } - case $sshd_agent_forwarding { - '': { $sshd_agent_forwarding = 'no' } - } - case $sshd_challenge_response_authentication { - '': { $sshd_challenge_response_authentication = 'no' } - } - case $sshd_pubkey_authentication { - '': { $sshd_pubkey_authentication = 'yes' } - } - case $sshd_rsa_authentication { - '': { $sshd_rsa_authentication = 'no' } - } - case $sshd_strict_modes { - '': { $sshd_strict_modes = 'yes' } - } - case $sshd_ignore_rhosts { - '': { $sshd_ignore_rhosts = 'yes' } - } - case $sshd_rhosts_rsa_authentication { - '': { $sshd_rhosts_rsa_authentication = 'no' } - } - case $sshd_hostbased_authentication { - '': { 
$sshd_hostbased_authentication = 'no' } - } - case $sshd_permit_empty_passwords { - '': { $sshd_permit_empty_passwords = 'no' } - } - case $sshd_port { - '': { $sshd_port = 22 } - } - case $sshd_authorized_keys_file { - '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } - } - case $sshd_sftp_subsystem { - '': { $sshd_sftp_subsystem = '' } - } - case $sshd_additional_options { - '': { $sshd_additional_options = '' } - } - - file { 'sshd_config': - path => '/etc/ssh/sshd_config', - owner => root, - group => 0, - mode => 600, - content => $lsbdistcodename ? { - '' => template("sshd/sshd_config/${operatingsystem}.erb"), - default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), - }, - notify => Service[sshd], - } - # Now add the key, if we've got one - case $sshrsakey_key { - '': { info("no sshrsakey on $fqdn") } - default: { - @@sshkey{"$hostname.$domain": - type => ssh-rsa, - key => $sshrsakey_key, - ensure => present, - } - } - } - service{'sshd': - name => 'sshd', - enable => true, - ensure => running, - hasstatus => true, - require => File[sshd_config], - } + # prepare variables to use in templates + case $sshd_listen_address { + '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } + } + case $sshd_allowed_users { + '': { $sshd_allowed_users = '' } + } + case $sshd_allowed_groups { + '': { $sshd_allowed_groups = '' } + } + case $sshd_use_pam { + '': { $sshd_use_pam = 'no' } + } + case $sshd_permit_root_login { + '': { $sshd_permit_root_login = 'without-password' } + } + case $sshd_password_authentication { + '': { $sshd_password_authentication = 'no' } + } + case $sshd_tcp_forwarding { + '': { $sshd_tcp_forwarding = 'no' } + } + case $sshd_x11_forwarding { + '': { $sshd_x11_forwarding = 'no' } + } + case $sshd_agent_forwarding { + '': { $sshd_agent_forwarding = 'no' } + } + case $sshd_challenge_response_authentication { + '': { $sshd_challenge_response_authentication = 'no' } + } + case $sshd_pubkey_authentication { + '': { 
$sshd_pubkey_authentication = 'yes' } + } + case $sshd_rsa_authentication { + '': { $sshd_rsa_authentication = 'no' } + } + case $sshd_strict_modes { + '': { $sshd_strict_modes = 'yes' } + } + case $sshd_ignore_rhosts { + '': { $sshd_ignore_rhosts = 'yes' } + } + case $sshd_rhosts_rsa_authentication { + '': { $sshd_rhosts_rsa_authentication = 'no' } + } + case $sshd_hostbased_authentication { + '': { $sshd_hostbased_authentication = 'no' } + } + case $sshd_permit_empty_passwords { + '': { $sshd_permit_empty_passwords = 'no' } + } + case $sshd_port { + '': { $sshd_port = 22 } + } + case $sshd_authorized_keys_file { + '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } + } + case $sshd_sftp_subsystem { + '': { $sshd_sftp_subsystem = '' } + } + case $sshd_additional_options { + '': { $sshd_additional_options = '' } + } + + file { 'sshd_config': + path => '/etc/ssh/sshd_config', + owner => root, + group => 0, + mode => 600, + content => $lsbdistcodename ? { + '' => template("sshd/sshd_config/${operatingsystem}.erb"), + default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), + }, + notify => Service[sshd], + } + # Now add the key, if we've got one + case $sshrsakey_key { + '': { info("no sshrsakey on $fqdn") } + default: { + @@sshkey{"$hostname.$domain": + type => ssh-rsa, + key => $sshrsakey_key, + ensure => present, + } + } + } + service{'sshd': + name => 'sshd', + enable => true, + ensure => running, + hasstatus => true, + require => File[sshd_config], + } } class sshd::linux inherits sshd::base { - package{openssh: - ensure => present, - } - File[sshd_config]{ - require +> Package[openssh], - } + package{openssh: + ensure => present, + } + File[sshd_config]{ + require +> Package[openssh], + } } class sshd::gentoo inherits sshd::linux { - Package[openssh]{ - category => 'net-misc', - } + Package[openssh]{ + category => 'net-misc', + } } class sshd::debian inherits sshd::linux { - + # the templates for Debian need lsbdistcodename 
include assert_lsbdistcodename - Package[openssh]{ - name => 'openssh-server', - } - Service[sshd]{ - name => 'ssh', - hasstatus => true, - hasrestart => true, - } + Package[openssh]{ + name => 'openssh-server', + } + Service[sshd]{ + name => 'ssh', + hasstatus => true, + hasrestart => true, + } } class sshd::ubuntu inherits sshd::debian {} class sshd::redhat inherits sshd::linux { - Package[openssh]{ - name => 'openssh-server', - } + Package[openssh]{ + name => 'openssh-server', + } } class sshd::centos inherits sshd::redhat {} class sshd::openbsd inherits sshd::base { - Service[sshd]{ - restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', - stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', - start => '/usr/sbin/sshd', - hasstatus => false, - } + Service[sshd]{ + restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', + stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', + start => '/usr/sbin/sshd', + hasstatus => false, + } } ### defines # wrapper to have some defaults. define sshd::ssh_authorized_key( - $type = 'ssh-dss', - $key, - $user = 'root', - $target = undef, - $options = 'absent' -){ - ssh_authorized_key{$name: - type => $type, - key => $key, - user => $user, - target => $target, - } - - case $options { - 'absent': { info("not setting any option for ssh_authorized_key: $name") } - default: { - Ssh_authorized_key[$name]{ - options => $options, - } - } - } + $type = 'ssh-dss', + $key, + $user = 'root', + $target = undef, + $options = 'absent' + ) +{ + ssh_authorized_key{$name: + type => $type, + key => $key, + user => $user, + target => $target, + } + + case $options { + 'absent': { info("not setting any option for ssh_authorized_key: $name") } + default: { + Ssh_authorized_key[$name]{ + options => $options, + } + } + } } -- cgit v1.2.3 From 98ddbe8ef56d5a3552e4dd812d1a01cbae211eaf Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Sun, 26 Oct 2008 12:39:45 -0400 Subject: change the debian 'hasrestart' option to a selector based on which $debian_version is detected, etch does not have a ssh restart option in the initscript, but lenny does --- manifests/init.pp | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 02f5e45..d4d775f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -253,10 +253,17 @@ class sshd::debian inherits sshd::linux { Package[openssh]{ name => 'openssh-server', } + + $ssh_hasrestart = $debian_version ? { + etch => false, + lenny => true, + default => false + } + Service[sshd]{ name => 'ssh', hasstatus => true, - hasrestart => true, + hasrestart => $ssh_hasrestart, } } class sshd::ubuntu inherits sshd::debian {} -- cgit v1.2.3 From 49d840dab4c7cfeff8ca21d1ef0728832046f205 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 27 Oct 2008 16:20:26 -0400 Subject: lsbdistcodename is the proper variable to check for if the system is debian or lenny --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index d4d775f..32b7109 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -254,7 +254,7 @@ class sshd::debian inherits sshd::linux { name => 'openssh-server', } - $ssh_hasrestart = $debian_version ? { + $ssh_hasrestart = $lsbdistcodename ? { etch => false, lenny => true, default => false -- cgit v1.2.3 From 6fb10939afd72a8e1243681f1ae9062abf0975fa Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Mon, 27 Oct 2008 17:00:39 -0400 Subject: In debian, the daemon is run as 'sshd', but the initscript is /etc/init.d/ssh, which means that name needs to be set to 'ssh', and pattern needs to be set to 'sshd', and then we set the hassstatus and hasrestart depending on the lsbdistcodename --- manifests/init.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 32b7109..1ac65f5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -254,7 +254,7 @@ class sshd::debian inherits sshd::linux { name => 'openssh-server', } - $ssh_hasrestart = $lsbdistcodename ? { + $sshd_restartandstatus = $lsbdistcodename ? { etch => false, lenny => true, default => false @@ -262,8 +262,9 @@ class sshd::debian inherits sshd::linux { Service[sshd]{ name => 'ssh', - hasstatus => true, - hasrestart => $ssh_hasrestart, + pattern => 'sshd', + hasstatus => $sshd_restartandstatus, + hasrestart => $sshd_restartandstatus, } } class sshd::ubuntu inherits sshd::debian {} -- cgit v1.2.3 From fa072188dc8f1b475d4000fe61ea4fcf5e82cf98 Mon Sep 17 00:00:00 2001 From: Antoine Beaupre Date: Tue, 2 Dec 2008 16:56:19 -0500 Subject: make saner defaults for authorized_keys note that this removes the user => root default --- manifests/init.pp | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 1ac65f5..20dd1fb 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
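Review bot: In commit 6fb1093, `hasstatus` is now false on etch and on every codename that hits the `default` arm, so Puppet falls back to matching `pattern => 'sshd'` against the process table. On a typical Debian host the per-session children also contain that string, so a dead listener can still be reported as running while someone is logged in, and Puppet would not restart it. A narrower pattern such as `pattern => '/usr/sbin/sshd',` should match only the listening daemon, though that is worth checking against the ps output on etch. Tying `hasstatus` and `hasrestart` to one variable also drops the `hasstatus => true` that the previous revision set for all Debian releases. A comment saying whether etch's init script really lacks `status` would help.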
@@ -290,16 +290,29 @@ class sshd::openbsd inherits sshd::base { define sshd::ssh_authorized_key( $type = 'ssh-dss', $key, - $user = 'root', + $user = '', $target = undef, $options = 'absent' ) { + $real_user = $user ? { + false => $name, + "" => $name, + default => $user, + } + case $target { + undef: { + $real_target = "/home/$real_user/.ssh/authorized_keys" + } + default: { + $real_target = $target + } + } ssh_authorized_key{$name: type => $type, key => $key, - user => $user, - target => $target, + user => $real_user, + target => $real_target, } case $options { -- cgit v1.2.3 From 992e6e0f07ea70c2e39df30035f414f33babf6c0 Mon Sep 17 00:00:00 2001 From: Antoine Beaupre Date: Sat, 6 Dec 2008 18:39:53 -0500 Subject: use the proper fact to export ssh keys. See http://projects.reductivelabs.com/issues/show/1799#note-1 --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 20dd1fb..6eb15b3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -211,12 +211,12 @@ class sshd::base { notify => Service[sshd], } # Now add the key, if we've got one - case $sshrsakey_key { + case $sshrsakey { '': { info("no sshrsakey on $fqdn") } default: { @@sshkey{"$hostname.$domain": type => ssh-rsa, - key => $sshrsakey_key, + key => $sshrsakey, ensure => present, } } -- cgit v1.2.3 From 461bc0c2f0c7cb11b08c3fa22175bfea2fd4b8f8 Mon Sep 17 00:00:00 2001 From: Antoine Beaupre Date: Sat, 6 Dec 2008 19:12:17 -0500 Subject: emit a warning instead of info when the ssh server doesn't have an sshrsa key also export the key based on ip address, removing all warnings --- manifests/init.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 6eb15b3..9d34f50 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
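Review bot: In the `@@ -290,16 +290,29 @@` hunk, the new default `$real_target = "/home/$real_user/.ssh/authorized_keys"` assumes every account lives under /home, so a key for root or for an account with a different home directory is written to a file that sshd, with its default AuthorizedKeysFile setting, never consults; the intended access fails silently and a stray key file is left behind. As far as I know the `ssh_authorized_key` type already derives the path from the user's home directory when `target` is unset, so passing `target => $target` through unchanged and defaulting only the user would avoid the guess. The fallback to `$name` also turns the resource title into an account name; a comment on the define stating that the title must be a login name whenever `$user` is empty would prevent surprises. The define continues past the end of this hunk (`case $options {`).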
@@ -212,13 +212,18 @@ class sshd::base { } # Now add the key, if we've got one case $sshrsakey { - '': { info("no sshrsakey on $fqdn") } + '': { warning("no sshrsakey on $fqdn") } default: { @@sshkey{"$hostname.$domain": type => ssh-rsa, key => $sshrsakey, ensure => present, } + @@sshkey{"$ipaddress": + type => ssh-rsa, + key => $sshrsakey, + ensure => present, + } } } service{'sshd': -- cgit v1.2.3 From f44776cbbf1f825e0961c6aedecf67f6652859a6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 7 Jul 2009 20:52:40 -0400 Subject: replace the sshd_additional_options variable with two, one called sshd_head_additional_options and one called sshd_tail_additional_options. the first puts the value at the beginning of the file, and the second at the end. This is necessary due to some option ordering requiring things to be before others --- manifests/init.pp | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 0480fee..b7ae200 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
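Review bot: The second export added in this hunk, `@@sshkey{"$ipaddress":`, uses the address from the `$ipaddress` fact as a resource title that has to be unique across all nodes, which it is not guaranteed to be: two hosts on separate private networks that report the same address would export the same title and, presumably, break collection on every client with a duplicate definition. Address-keyed known_hosts entries also go stale when an address is reassigned, so exports of retired or renumbered nodes need to be purged from the stored configuration. Consider keeping the single resource titled by the FQDN and attaching the address to it as a host alias, with a comment next to the export naming the fact the address comes from. `class sshd::base` starts and ends outside this hunk.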
@@ -113,10 +113,17 @@ # Might be interesting for sftponly usage # Default: empty -> no change of the default # -# sshd_additional_options: Set this to any additional sshd_options which aren't listed above. -# As well this option might be usefull to define complexer Match Blocks -# This string is going to be included, like it is defined. So take care! -# Default: empty -> not added. +# sshd_head_additional_options: Set this to any additional sshd_options which aren't listed above. +# Anything set here will be added to the beginning of the sshd_config file. +# This option might be useful to define complicated Match Blocks +# This string is going to be included, like it is defined. So take care! +# Default: empty -> not added. +# +# sshd_tail_additional_options: Set this to any additional sshd_options which aren't listed above. +# Anything set here will be added to the end of the sshd_config file. +# This option might be useful to define complicated Match Blocks +# This string is going to be included, like it is defined. So take care! +# Default: empty -> not added. class sshd { include sshd::client @@ -195,8 +202,12 @@ class sshd::base { case $sshd_sftp_subsystem { '': { $sshd_sftp_subsystem = '' } } - case $sshd_additional_options { - '': { $sshd_additional_options = '' } + case $sshd_head_additional_options { + '': { $sshd_head_additional_options = '' } + } + case $sshd_tail_additional_options { + '': { $sshd_tail_additional_options = '' } + } } file { 'sshd_config': -- cgit v1.2.3 From dfebe2a9b537a63c7ff0cf4aeb6cda7a132f77a0 Mon Sep 17 00:00:00 2001 
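Review bot: The description of `sshd_head_additional_options` in the `@@ -113,10 +113,17 @@` hunk repeats the sentence about Match blocks, but a `Match` line at the top of sshd_config turns every keyword the template writes after it into part of that block, so the global settings either apply only to matching connections or, for keywords not permitted inside Match, stop sshd from starting. The head text also needs a stronger caveat than "take care": sshd keeps the first value it reads for a keyword, so anything placed there silently overrides the corresponding `sshd_*` variable. I would drop the Match sentence from the head description and add `# Options set here take precedence over the variables above, because sshd keeps the first value it reads.`; Match blocks belong in the tail variable only.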
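Review bot: In the `@@ -195,8 +202,12 @@` hunk the added `case $sshd_tail_additional_options` block is closed by its own `+ }`, yet the closing brace of the removed `case $sshd_additional_options` is still there as a context line directly after it, leaving one `}` too many before `file { 'sshd_config':`. The hunk's line counts (8 old, 12 new) indicate the brace is real rather than an artifact of the listing; it would either fail to parse or close `class sshd::base` before the sshd_config resource is declared. The last added `+ }` should be dropped so that the existing context brace closes the tail case. `class sshd::base` begins and ends outside this hunk.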
From: Micah Anderson Date: Tue, 7 Jul 2009 20:55:01 -0400 Subject: make it possible to override what version of openssh-server and client are installed by providing the variable $sshd_ensure_version, which defaults to the previous value of present when not specified --- manifests/client.pp | 23 ++++++++++++++++------- manifests/init.pp | 6 ++++++ 2 files changed, 22 insertions(+), 7 deletions(-) (limited to 'manifests') diff --git a/manifests/client.pp b/manifests/client.pp index 34308b4..7dfe913 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -13,13 +13,22 @@ class sshd::client { } class sshd::client::base { - # this is needed because the gid might have changed - file { '/etc/ssh/ssh_known_hosts': - mode => 0644, owner => root, group => 0; - } - - # Now collect all server keys - Sshkey <<||>> + + case $sshd_ensure_version { + '': { $sshd_ensure_version = "present" } + } + + package{openssh-clients: + ensure => $sshd_ensure_version, + } + + # this is needed because the gid might have changed + file { '/etc/ssh/ssh_known_hosts': + mode => 0644, owner => root, group => 0; + } + + # Now collect all server keys + Sshkey <<||>> } class sshd::client::linux inherits sshd::client::base { diff --git a/manifests/init.pp b/manifests/init.pp index b7ae200..5179e08 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -208,6 +208,12 @@ class sshd::base { case $sshd_tail_additional_options { '': { $sshd_tail_additional_options = '' } } + case $sshd_ensure_version { + '': { $sshd_ensure_version = "present" } + } + + package{openssh: + ensure => $sshd_ensure_version, } file { 'sshd_config': -- cgit v1.2.3 From 55e0a6178ba2831231400a23aab97b4d41ecfffc Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 7 Jul 2009 21:02:31 -0400 Subject: the sshd::linux class cannot also define the openssh package if we are to have the possibility of potentially overriding the version number it must be done in the base class --- manifests/init.pp | 3 --- 1 file changed, 3 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 5179e08..ee233db 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -260,9 +260,6 @@ class sshd::base { } class sshd::linux inherits sshd::base { - package{openssh: - ensure => present, - } File[sshd_config]{ require +> Package[openssh], } -- cgit v1.2.3 From d86ec97ab0d15c00d53a61fbac4edde70724486f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 7 Jul 2009 21:04:23 -0400 Subject: same problem with the openssh-clients in the sshd::client::linux class --- manifests/client.pp | 3 --- 1 file changed, 3 deletions(-) (limited to 'manifests') diff --git a/manifests/client.pp b/manifests/client.pp index 7dfe913..47340b8 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -32,9 +32,6 @@ class sshd::client::base { } class sshd::client::linux inherits sshd::client::base { - package {'openssh-clients': - ensure => installed, - } } class sshd::client::debian inherits sshd::client::linux { -- cgit v1.2.3 From 2c3f632e902d10780dcf9b24914e963ef6520af2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 9 Jul 2009 12:15:10 -0400 Subject: fix previous change which took the client/server packages out of the linux class and instead allow for a version change through an if variable. thanks ng! --- manifests/client.pp | 14 +++++--------- manifests/init.pp | 15 +++++++++++---- 2 files changed, 16 insertions(+), 13 deletions(-) (limited to 'manifests') diff --git a/manifests/client.pp b/manifests/client.pp index 47340b8..d473e3c 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
@@ -14,14 +14,6 @@ class sshd::client { class sshd::client::base { - case $sshd_ensure_version { - '': { $sshd_ensure_version = "present" } - } - - package{openssh-clients: - ensure => $sshd_ensure_version, - } - # this is needed because the gid might have changed file { '/etc/ssh/ssh_known_hosts': mode => 0644, owner => root, group => 0; @@ -32,9 +24,13 @@ class sshd::client::base { } class sshd::client::linux inherits sshd::client::base { + if $ssh_ensure_version == '' { $ssh_ensure_version = 'installed' } + package {'openssh-clients': + ensure => $ssh_ensure_version, + } } -class sshd::client::debian inherits sshd::client::linux { +class sshd::client::debian inherits sshd::client::linux { Package['openssh-clients']{ name => 'openssh-client', } diff --git a/manifests/init.pp b/manifests/init.pp index ee233db..386bd77 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -28,6 +28,13 @@ # $sshd_use_pam = yes # include sshd::debian # +# If you need to install a version of the ssh daemon or client package other than +# the default one that would be installed by 'ensure => installed', then you can +# set the following variables: +# +# $sshd_ensure_version = "1:5.2p2-6" +# $ssh_ensure_version = "1:5.2p2-6" +# # The following is a list of the currently available variables: # # sshd_listen_address: specify the addresses sshd should listen on @@ -212,10 +219,6 @@ class sshd::base { '': { $sshd_ensure_version = "present" } } - package{openssh: - ensure => $sshd_ensure_version, - } - file { 'sshd_config': path => '/etc/ssh/sshd_config', owner => root, @@ -260,6 +263,10 @@ class sshd::base { } class sshd::linux inherits sshd::base { + if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' } + package {'openssh': + ensure => $sshd_ensure_version, + } File[sshd_config]{ require +> Package[openssh], } -- cgit v1.2.3 From d4fba70a51eeb253b0155f378ce7735df9479cd4 Mon Sep 17 00:00:00 2001 
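Review bot: The usage comment added in the `@@ -28,6 +28,13 @@` hunk of manifests/init.pp shows pinning with `$sshd_ensure_version = "1:5.2p2-6"` but does not say what that costs: an exact version in `ensure` is enforced on every run, so nodes stay on that build when the distribution publishes an OpenSSH security update, until someone edits the manifest. I would add a line such as `# A pinned version is enforced on every run; raise it when the distribution releases OpenSSH security fixes.` below the example. The comment could also state that `$sshd_ensure_version` and `$ssh_ensure_version` are independent, since setting only one leaves the other package at `installed`.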
From: Micah Anderson Date: Tue, 29 Sep 2009 15:32:36 -0400 Subject: fix missing curly brace --- manifests/init.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 386bd77..092697c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -263,9 +263,10 @@ class sshd::base { } class sshd::linux inherits sshd::base { - if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' } - package {'openssh': - ensure => $sshd_ensure_version, + if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' } { + package {'openssh': + ensure => $sshd_ensure_version, + } } File[sshd_config]{ require +> Package[openssh], -- cgit v1.2.3 From 6601c382962824e7467fb00ea5a84894a901b937 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 1 Oct 2009 18:30:02 -0400 Subject: Revert "fix missing curly brace" -- this was actually correct This reverts commit d4fba70a51eeb253b0155f378ce7735df9479cd4. --- manifests/init.pp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 092697c..386bd77 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -263,10 +263,9 @@ class sshd::base { } class sshd::linux inherits sshd::base { - if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' } { - package {'openssh': - ensure => $sshd_ensure_version, - } + if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' } + package {'openssh': + ensure => $sshd_ensure_version, } File[sshd_config]{ require +> Package[openssh], -- cgit v1.2.3