Start using this module
Add this module to your Puppetfile:
mod 'eyp-openssh', '0.1.31'
openssh
Overview
openssh management
Module Description
openssh client and server management
Setup
What openssh affects
Manages:
- files:
- /etc/ssh/sshd_config
- /etc/ssh/ssh_config
- packages:
- client package (if not included in server package)
- server package
Setup Requirements
This module requires pluginsync enabled
Beginning with openssh
class { 'openssh::client': }
class { 'openssh::server': }
Usage
Ciphers / MACs hardening
Set the global variable eypopensshserver::hardening to enable or disable the default hardening (default: false)
manage user's priv keys
class { 'openssh': }
class { 'openssh::server': }
class { 'openssh::client': }
openssh::privkey { 'postgres':
  homedir => '/var/lib/pgsql',
}
matchers
openssh::match { 'chroot':
  groups          => [ 'sftp' ],
  forcecommand    => 'internal-sftp',
  chrootdirectory => '%h',
}
allow/deny users
openssh::denyuser { 'loluser': }
openssh::denyuser { 'loluser2': }
openssh::allowuser { 'allowuser5': }
openssh::allowuser { 'allowuser6': }
using openssh::server's array
class { 'openssh::server':
  denyusers         => [ 'loluser3', 'loluser4' ],
  allowusers        => [ 'root', 'ggg', 'kk', 'rrr' ],
  enableldapsshkeys => false,
}
Restrict login per user to a given set of IPs
openssh::match { 'users ips allowed':
  users       => [ 'ada', 'ualoc' ],
  allowed_ips => [ '1.2.3.4', '5.6.7.8', '1.1.1.1' ],
}
This will generate the following config in sshd_config:
Match user ada,ualoc
AllowTcpForwarding no
AllowUsers ada@1.2.3.4
AllowUsers ada@5.6.7.8
AllowUsers ada@1.1.1.1
AllowUsers ualoc@1.2.3.4
AllowUsers ualoc@5.6.7.8
AllowUsers ualoc@1.1.1.1
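One way to check, for instance in an acceptance test, that the rendered Match block still pins every listed user to the intended IPs. This is an added example, not part of the module; the function names are hypothetical and the RENDERED sample is constructed from the output shown above.

```python
import ipaddress
# Constructed sample: the Match block this page shows for 'users ips allowed'.
RENDERED = """\
Match user ada,ualoc
AllowTcpForwarding no
AllowUsers ada@1.2.3.4
AllowUsers ada@5.6.7.8
AllowUsers ada@1.1.1.1
AllowUsers ualoc@1.2.3.4
AllowUsers ualoc@5.6.7.8
AllowUsers ualoc@1.1.1.1
"""

def parse_match_blocks(text):
    """Return one dict per Match block: its criteria and (keyword, value) pairs."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        keyword, value = (line.split(None, 1) + [''])[:2]
        if keyword.lower() == 'match':
            current = {'criteria': value, 'directives': []}
            blocks.append(current)
        elif current is not None:  # directives before the first Match are global
            current['directives'].append((keyword.lower(), value))
    return blocks

def audit_user_ips(text, users, allowed_ips):
    """List deviations between the rendered block and the intended user/IP matrix."""
    expected = {(u, ipaddress.ip_address(ip)) for u in users for ip in allowed_ips}
    found, problems = set(), []
    for block in parse_match_blocks(text):
        crit = block['criteria'].split()
        if (len(crit) != 2 or crit[0].lower() != 'user'
                or set(crit[1].split(',')) != set(users)):
            continue  # not the block generated for this set of users
        for key, value in block['directives']:
            if key == 'allowtcpforwarding' and value.lower() != 'no':
                problems.append('AllowTcpForwarding is %s' % value)
            elif key == 'allowusers':
                for pattern in value.split():
                    user, _, host = pattern.partition('@')
                    try:
                        found.add((user, ipaddress.ip_address(host)))
                    except ValueError:  # no @host part, or a wildcard/hostname
                        problems.append('unpinned or non-literal pattern: %s' % pattern)
    problems += ['missing: %s@%s' % p for p in sorted(expected - found, key=str)]
    problems += ['unexpected: %s@%s' % p for p in sorted(found - expected, key=str)]
    return problems
```

An empty list means the rendered block matches the declared users and allowed_ips exactly; any entry is a drift worth failing the test on.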
Reference
global variables:
- eypopensshserver::hardening: to manage default hardening of Ciphers and MACs (default: false)
classes
openssh
empty class - just a placeholder
openssh::client
Most variables are standard ssh variables; please refer to the ssh documentation for further details:
- gssapi_authentication: (default: true)
openssh::server
Most variables are standard ssh variables; please refer to the ssh documentation for further details:
- ensure: service's ensure (default: running)
- manage_service (default: true)
- manage_docker_service (default: true)
- enable (default: true)
- port: (default: 22)
- permitrootlogin: (default: no)
- usedns (default: false)
- usepam (default: true)
- x11forwarding (default: false)
- passwordauth (default: true)
- permitemptypasswords (default: false)
- enableldapsshkeys (default: false)
- syslogfacility
- banner (default: undef)
- clientaliveinterval (default: 900)
- clientalivecountmax (default: 0)
- log_level (default: INFO)
- ignore_rhosts (default: true)
- hostbased_authentication (default: false)
- maxauthtries (default: 4)
- permit_user_environment (default: false)
- allowusers: (order: DenyUsers, AllowUsers, default: undef)
- denyusers: (order: DenyUsers, AllowUsers, default: undef)
openssh::service
private class to manage openssh::server's service
defines
openssh::allowuser
- username (default: resource's name)
openssh::denyuser
- username (default: resource's name)
openssh::match
- matchers (at least one must be set):
- groups (default: undef)
- users (default: undef)
- addresses (default: undef)
- hosts (default: undef)
- chrootdirectory: It might not be supported (default: undef)
- forcecommand: (default: undef)
- allow_tcp_forwarding (default: false)
- allowed_ips: list of allowed IPs for this user (default: undef)
openssh::privkey
- ensure (default: present)
- user (default: $name)
- group (default: $name)
- homedir (default: "/home/${name}")
- type (default: rsa)
- passphrase (default: '')
Limitations
Tested on:
- CentOS 5
- CentOS 6
- CentOS 7
- Ubuntu 14.04
- SLES 11 SP3
Development
We are pushing to have acceptance testing in place, so any new feature should have some tests to check both presence and absence of any feature
TODO
- Move openssh::server configuration options to the openssh::server namespace, for example:
- openssh::denyuser -> openssh::server::denyuser
- Implement openssh::client::host using concat { $openssh::params::ssh_config: }
Contributing
- Fork it
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Added some feature')
- Push to the branch (git push origin my-new-feature)
- Create new Pull Request
CHANGELOG
0.1.31
- ubuntu 16 support
0.1.30
- global variable eypopensshserver::hardening to enable/disable default hardening (default: false)
0.1.29
- rollback secure ciphers & MACs
0.1.28
- secure ciphers & MACs
- changed default ClientAliveCountMax to 5
0.1.27
- bugfix validate openssh::server
0.1.26
- openssh::server:
- rollback enforced secure ciphers - set to undef
- rollback enforced secure MACs - set to undef
0.1.25
- openssh::server:
- rollback 0.1.24 & 0.1.23
- enforced secure ciphers
- enforced secure MACs
- logingracetime set by default to 60
0.1.24
- openssh::server:
- changed default ClientAliveCountMax to 15
0.1.23
- openssh::server:
- changed default ClientAliveInterval to 240
Dependencies
- puppetlabs/stdlib (>= 4.6.0)
- puppetlabs/concat (>= 1.2.3)
- eyp/eyplib (>= 0.1.0 < 0.2.0)