openssh_server

table of contents

1. overview
2. module description – what the module does and why it is useful
3. setup – the bascics of getting started with openssh_server
   • what openssh_server affects
   • setup requirements
   • beginning with openssh_server
4. usage – configuration options and additional functionality
5. reference – an under-the-hood peek at what the module is doing and how
   • classes
6. limitations – OS compatiblity, and cetera
7. development – guide for contributing to the module

overview

This module handles an openssh-server.

module description

This module installs, configures, and starts the openssh-server.

setup

what openssh_server affects

• Package['openssh_server'] (optional)
• File['openssh_server_preseed'] (optional)
• File['sshd_config'] (optional)
• File['sshd_no_start'] (optional)
• Service['sshd'] (optional)

setup requirements

You need at least PP 4.2.

beginning with openssh_server

Ensure the openssh-server package is present, and the sshd(8) service is running (leaves the distributed configuration in place):

class ssh_server {
    class { 'openssh_server':
    }
}

usage

See examples/.

reference

• class reference
• type reference
• there are no functions

classes

public classes

• openssh_server: the basis class
• openssh_server::params: holds defaults for the basis class

private classes

• openssh_server::install: performs the installation
• openssh_server::config: distributes the configuration files
• openssh_server::service: manages the Service['sshd']

parameters

Structured overview:

• package
  • openssh_server_package_name
  • latest_instead_of_present
• preseed
  • manage_openssh_server_preseed
  • preseed_path
  • preseed_validate_cmd
  • preseed_validate_replace
• sshd_config file
  • manage_sshd_config
  • sshd_config_path
  • sshd_config_mode
  • sshd_config_owner
  • sshd_config_group
  • sshd_config_template
  • sshd_config_validate_cmd
  • sshd_config_validate_replace
• sshd service
  • sshd_ensure
  • sshd_enable
  • no_start_file_ensure
• sshd_config content
  • sshd_config_commentary_track
  • sshd_config_preamble
  • incoming
    • what to listen on
      • address_family
      • port
      • listen_address
    • what to accept
      • gateway_ports
      • max_startups
      • protocol
      • max_sessions
    • who are we
      • host_key
      • host_certificate
    • response
      • banner
      • debian_banner
      • version_addendum
    • don't know where to sort in
      • host_key_agent
  • authentication methods
    • global policy which authentication methods are accepted
      • password_authentication
      • pubkey_authentication
      • kerberos_authentication
      • gssapi_authentication
      • challenge_response_auth
      • use_pam
      • hostbased_authentication
      • kbd_interactive_auth
      • rhosts_rsa_authentication
      • rsa_authentication
    • authentication chains
      • authentication_methods
  • authentication tuning
    • general: who (from where)
      • permit_root_login
      • deny_users
      • allow_users
      • deny_groups
      • allow_groups
    • general: security
      • use_privilege_separation
      • use_dns
      • max_auth_tries
      • strict_modes
    • general: interaction
      • login_grace_time
      • use_login
    • password authentication
      • permit_empty_passwords
    • public key authentication
      • pubkey_accepted_key_types
      • pubkey_accepted_key_types
      • trusted_user_ca_keys
      • authorized_principals_file
      • authorized_principals_cmd
      • authorized_principals_cmd_uid
    • Kerberos options
      • kerberos_get_afs_token
      • kerberos_or_local_passwd
      • kerberos_ticket_cleanup
    • GSSAPI options
      • gssapi_key_exchange
      • gssapi_strict_acceptor_check
      • gssapi_store_creds_on_rekey
      • gssapi_cleanup_credentials
    • host-based authentication
      • hostbased_accepted_key_types
      • hostbased_uses_name_fr_packet
    • host-based and r-host-RSA authentication
      • ignore_rhosts
      • ignore_user_known_hosts
  • granted access
    • greeting in interactive sessions
      • print_motd
      • print_last_log
    • security
      • chroot_directory
  • session
    • ciphers
      • ciphers
    • session key
      • kex_algorithms
    • re-keying
      • rekey_limit
    • general: content
      • ipqos
      • compression
    • message authentication code; used in SSHv2 for data integrity protection
      • macs
    • general: environment
      • force_command
      • accept_env
      • permit_user_environment
      • permit_tty
    • subsystems
      • subsystem
    • forwarding
      • permit_tunnel
      • allow_agent_forwarding
      • allow_tcp_forwarding
      • permit_open
      • allow_stream_local_forwarding
      • stream_local_bind_mask
      • stream_local_bind_unlink
    • built-in X11 traffic forwarder
      • x11_forwarding
      • x_auth_location
      • x11_use_localhost
      • x11_display_offset
    • session abort conditions
      • tcp_keep_alive
      • client_alive_interval
      • client_alive_count_max
    • lifetime and size of ephemeral version 1 server key
      • key_regeneration_interval
      • server_key_bits
  • output
    • maintenance
      • pid_file
    • logging
      • syslog_facility
      • log_level
      • fingerprint_hash
  • match
    • match

---

openssh_server_package_name

• abstract: the name of the package to install

• behavior:

  • any string: the package gets installed (or updated, see latest_instead_of_present)

  • undef: Package['openssh_server'] ain't managed by this module

• allowed values: a string or undef

• default: undef on FreeBSD, 'openssh-server' everywhere else

---

latest_instead_of_present

• abstract: whether to ensure Package['openssh_server'] to be latest instead of just present

• behavior

  • true: Package['openssh_server'] becomes latest

  • false: Package['openssh_server'] becomes present

• accepted values: true and false

• default value: false

---

manage_openssh_server_preseed

• abstract: whether File['openssh_server_preseed'] is managed

• behavior:

  • false: File['openssh_server_preseed'] isn't managed

  • true: a proper preseed (responsefile) gets created at preseed_path. The only known preseedable value is permit_root_login. The class parameter and it appears in the preseed file.

• allowed values: true and false

• default: true on Debian systems, false everywhere else

---

preseed_path

• abstract: File['openssh_server_preseed']['path']

• allowed values: a non-empty string

• default: '/var/cache/debconf/openssh_server.preseed'

---

preseed_validate_cmd

• abstract: how to validate the preseed file

• note: as far as I've seen debconf-set-selections(1) checks for syntax errors only. Specifying a string for a boolean setting doesn't seem to be caught.

• allowed values: any string or undef

• default: '/usr/bin/debconf-set-selections --verbose --checkonly %'

---

preseed_validate_replace

• abstract: the character to replace with the path to the temporary new contents file

• allowed values: any string or undef

• default: '%'

---

manage_sshd_config

• abstract: whether this module manages File['sshd_config']

• allowed values: true and false

• default: false

---

sshd_config_path

• abstract: File['sshd_config']['path']

• allowed values: a non-empty string

• default: '/etc/ssh/sshd_config'

---

sshd_config_mode

• abstract: the file permissions of File['sshd_config']

• behavior

  • any string: the specified mode is ensured

  • undef: the file mode is undefined

• allowed values: any string or undef

• default: '0644'

---

sshd_config_owner

• abstract: the file owner of File['sshd_config']

• allowed values: any string, a non-negative integer, or undef

• default: 'root' on Debian and FreeBSD systems, 0 (the integer) everywhere else

---

sshd_config_group

• abstract: the group of File['sshd_config']

• allowed values: any string, a non-negative integer, or undef

• default value: 'root' on Debian platforms, 'wheel' on FreeBSD platforms, 0 anywhere else

---

sshd_config_template

• abstract: sshd_config is rendered by template()

• acceptable values: a non-empty string

• see also: the default template uses sshd_config_preamble

• default: 'openssh_server/sshd_config.erb'

---

sshd_config_validate_cmd

• abstract: a syntax validation command for sshd_config(5)

• behavior:

  • any string: the specified command validates the new sshd_config

  • undef: no validation performed. sshd(8) refuses to start with faulty configuration files. However, I experienced Service['sshd'] reports a successful start anyway. Ergo, you definitely wanna validate.

• allowed values: any string, and undef

• default value: '/usr/sbin/sshd -t -f %'

---

sshd_config_validate_replace

• abstract: the character replaced in sshd_config_validate_cmd with the temporary new content file

• allowed values: any string, and undef

• default: '%'

---

sshd_ensure

• abstract: Service['sshd']['ensure']

• behavior:

  • undef: this module doesn't manage Service['sshd']

  • 'running': Service['sshd']['ensure'] = 'running'

  • 'stopped': Service['sshd']['ensure'] = 'stopped'

• allowed values: 'running', 'stopped' and undef

• default: 'running'

---

sshd_enable

• abstract: Service['sshd']['enable']

• note: requires Service['sshd'] to be managed by this module, compare sshd_ensure

• allowed values: 'manual', 'mask', true, false, and undef

• default: true

---

no_start_file_ensure

• abstract: how to deal with /etc/ssh/sshd_not_to_be_run

• behavior

  • 'present': the file is created. It uses the same mode, owner, group as for sshd_config File creation happens before Service['sshd']. Setting sshd_ensure to 'running' does not emit an error. See /etc/init.d/ssh or /lib/systemd/system/ssh.service for details

  • 'absent': ensure the no-start-file isn't there

  • undef: neither delete or touch(1) the no-start-file

• allowed values: 'present', 'absent' and undef

• default value: 'absent' (unconditionally!)

---

sshd_config_commentary_track

• abstract: whether comments and empty lines are filtered from the default sshd_config template

• behavior:

  • false: all lines of the content body starting with a hash are filtered, as well as empty lines

  • true: comments and structuring empty lines remain in place (the default template currently gives an odd look, if not all [or at least most] parameters are used)

• allowed values: true and false

• default: true

---

sshd_config_preamble

• abstract: specifies a preamble template() for sshd_config

• behavior

  • any non-empty string: the default template sshd_config_template includes the specified template.

  • undef: the default template does not include a preamble

• allowed values: any non-empty string, and undef

• default: openssh_server/sshd_config_preamble.erb

---

address_family

• abstract: see AddressFamily in sshd_config(5)

• allowed values: 'any', 'inet', 'inet6', and undef

• default: undef

---

port

• abstract: see Port in sshd_config(5) and -p in sshd(8)

• allowed values: a non-empty array of integers ∊ [0, 65535], or undef

• default: undef

---

listen_address

• abstract: compare ListenAddress in sshd_config(5)

• allowed values: a non-empty array of the following structure: {host => …, port => Optional[…]} or undef. host can be an array of four integers ∊ [0, 255], or an array of eight integers ∊ [0x0000, 0xFFFF], or a non-empty string of non-blank characters. port can be an integer ∊ [0, 65535].

• example: [{host => [10, 11, 12, 13], port => 65432}] (do not copy)

• default: undef

---

gateway_ports

• abstract: see GatewayPorts in sshd_config(5)

• allowed values: true, false, 'clientspecified' or undef

• default: undef

---

max_startups

• abstract: see for MaxStartups in sshd_config(5)

• allowed values:

  • a non-negative integer

  • a hash of the structure {start => Integer[0], rate => Integer[0], full => Integer[0]}

  • undef

• default: undef

---

protocol

• abstract: see Protocol in sshd_config(5)

• allowed values: a non-empty array of integers ∊ [1, 2], and undef

• example: [2]

• default: undef

---

max_sessions

• abstract: see MaxSessions in sshd_config(5)

• accepted values: any non-negative integer, and undef

• default value: undef

---

host_key

• abstract: see HostKey in sshd_config(5) and -h in sshd(8)

• allowed values: a non-empty array of strings, containing no blanks, and not ending on a slash /, or, alternatively, undef

• example: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']

• default: undef

---

host_certificate

• abstract: see HostCertificate in sshd_config(5)

• allowed values: as for host_key

• default: undef

---

banner

• abstract: see Banner in sshd_config(5)

• allowed values: a string containing no blanks and not ending on a slash /, or undef

• default: undef

---

debian_banner

• abstract: see DebianBanner in sshd_config(5)

• allowed values: true, false, and undef

• default value: undef

---

version_addendum

• abstract: see VersionAddendum in sshd_config(5)

• allowed values: a word in the ASCII character set, or undef

• default: undef

---

host_key_agent

• abstract: see HostKeyAgent in sshd_config(5)

• allowed values: a non-empty string containing no blanks, or undef

• default: undef

---

password_authentication

• abstract: see PasswordAuthentication in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

pubkey_authentication

• abstract: see PubkeyAuthentication in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

kerberos_authentication

• abstract: see KerberosAuthentication in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

gssapi_authentication

• abstract: see GSSAPIAuthentication in sshd_config(5)

• accepted values: true, false, undef

• default: undef

---

challenge_response_auth

• abstract: see ChallengeResponseAuthentication in sshd_config(5)

• honored values: true, false, and undef

• default value: undef

---

use_pam

• abstract: see UsePAM in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

hostbased_authentication

• abstract: see HostbasedAuthentication in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

kbd_interactive_auth

• abstract: see KbdInteractiveAuthentication in sshd_config(5)

• allowed values: true, false, and undef

• default value: undef

---

rhosts_rsa_authentication

• abstract: see RhostsRSAAuthentication in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

rsa_authentication

• abstract: see RSAAuthentication in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

authentication_methods

• abstract: see AuthenticationMethods in sshd_config(5)

• allowed values: a non-empty array of non-empty arrays of the following structure: {method => …, device => Optional[…]} where method is a word in the ASCII character set, and optionally device is a word in the ASCII character set. Alternatively undef.

• example: [[{method => 'publickey'}, {method => 'password'}], [{method => 'publickey'}, {method => 'keyboard-interactive'}]] (do not copy but write off)

• default: undef

---

permit_root_login

• abstract: see PermitRootLogin in sshd_config(5)

• allowed values: true, false, 'without-password', 'forced-commands-only', and undef

• default: undef

---

deny_users

• abstract: see DenyUsers in sshd_config(5)

• acceptable values: a non-empty array of non-empty strings, without any blanks, or undef

• example: ['*']

• default: undef

---

allow_users

• abstract: compare AllowUsers in sshd_config(5)

• allowed values: see deny_users

• example: ['ernie', 'bert']

• default: undef

---

deny_groups

• abstract: see DenyGroups in sshd_config(5)

• acceptable values: a non-empty array of non-empty strings, containing no blanks, or just undef

• example: ['*']

• default: undef

---

allow_groups

• abstract: see AllowGroups in sshd_config(5)

• allowed values: see deny_groups

• example: ['support', 'staff']

• default: undef

---

use_privilege_separation

• abstract: see UsePrivilegeSeparation in sshd_config(5) and compare § “files” in sshd(8)

• allowed values: true, false, 'sandbox' and undef

• default: undef

---

use_dns

• abstract: see UseDNS in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

max_auth_tries

• abstract: see MaxAuthTries in sshd_config(5)

• allowed values: some non-negative integer or undef

• default: undef

---

strict_modes

• abstract: see StrictModes in sshd_config(5)

• allowed values: true, false and undef

• default: undef

---

login_grace_time

• abstract: see LoginGraceTime in sshd_config(5) and -g in sshd(8)

• accepted values: a non-negative integer, and undef

• default: undef

---

use_login

• abstract: see UseLogin in sshd_config(5) for more information

• allowed values: true, false or undef

• default: undef

---

permit_empty_passwords

• abstract: compare PermitEmptyPasswords in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

pubkey_accepted_key_types

• abstract: see PubkeyAcceptedKeyTypes in sshd_config(5)

• allowed values: true, false and undef

• default value: undef

---

pubkey_accepted_key_types

• abstract: see PubkeyAcceptedKeyTypes in sshd_config(8)

• allowed values: a non-empty array of non-empty strings, containing no blanks or commas, or just undef

• example: ['ssh-ed25519*', 'ecdsa*']

• default value: undef

---

trusted_user_ca_keys

• abstract: see TrustedUserCAKeys in sshd_config(5) for more details

• allowed values: a non-empty string of non-blank characters, and not ending on a slash, or undef

• default: undef

---

authorized_principals_file

• abstract: see AuthorizedPrincipalsFile in sshd_config(5)

• allowed values: undef, or an absolute path to a file, or a path starting with '%h' xor '~'. Both variants must not contain any blanks. Both variants must not end on a slash.

• defaults to: undef

---

authorized_principals_cmd

• abstract: see AuthorizedPrincipalsCommand in sshd_config(5)

• allowed values: undef or a string starting with a slash (not containing any blanks) and optionally followed by a space and then containing anything but newlines.

• example: '/usr/local/sbin/sshdapc %u'

• default: undef

---

authorized_principals_cmd_uid

• abstract: see AuthorizedPrincipalsCommandUser in sshd_config(5)

• allowed values: a non-empty string containing no blanks, or undef

• example: 'lu' (local user [the default user I create at my site])

• default: undef

---

kerberos_get_afs_token

• abstract: see KerberosGetAFSToken in sshd_config(5) for details

• allowed values: true, false, and undef

• default value: undef

---

kerberos_or_local_passwd

• abstract: search for KerberosOrLocalPasswd in sshd_config(5)

• allowed values: true, false, and undef

• default value: undef

---

kerberos_ticket_cleanup

• abstract: see KerberosTicketCleanup in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

gssapi_key_exchange

• abstract: see GSSAPIKeyExchange in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

gssapi_strict_acceptor_check

• abstract: see GSSAPIStrictAcceptorCheck in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

gssapi_store_creds_on_rekey

• abstract: see GSSAPIStoreCredentialsOnRekey in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

gssapi_cleanup_credentials

• abstract: compare GSSAPICleanupCredentials in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

hostbased_accepted_key_types

• abstract: see HostbasedAcceptedKeyTypes in sshd_config(5)

• allowed values: undef or a non-empty array of non-empty strings containing no blanks or commas

• default: undef

---

hostbased_uses_name_fr_packet

• abstract: see HostbasedUsesNameFromPacketOnly in sshd_config(5)

• allowed values: true, false, and undef

• default value: undef

---

ignore_rhosts

• abstract: see IgnoreRhosts in sshd_config(5) for on that

• allowed values: true, false, and undef

• default: undef

---

ignore_user_known_hosts

• abstract: see IgnoreUserKnownHosts in sshd_config(5)

• allowed values: undef, false, and true

• default: undef

---

print_motd

• abstract: see PrintMotd in sshd_config(5) and §§ “login process” and “files” in sshd(8)

• allowed values: true, false, and undef

• default: undef

---

print_last_log

• abstract: compare PrintLastLog in sshd_config(5) and § “login process” in sshd(8)

• allowed values: uhm, true, and, uhm, false … undef, too

• default: undef

---

chroot_directory

• abstract: see ChrootDirectory in sshd_config(5)

• accepted values: undef, or a non-empty string containing no blanks and ending on a slash /

• example: '/opt/mailbox_read_env/'

• default: undef

---

ciphers

• abstract: see Ciphers in sshd_config(5)

• allowed values: undef or a non-empty array of strings what ssh -Q cipher in my version of openssh listed

• example: ['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'arcfour256', 'arcfour128', 'arcfour']

• default: undef

---

kex_algorithms

• abstract: see KexAlgorithms in sshd_config(5)

• allowed values: undef or a non-empty array of string which ssh -Q kex of my openssh version listed

• example: ['ecdh-sha2-nistp521', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256', 'curve25519-sha256@libssh.org']

• default: undef

---

rekey_limit

• abstract: see RekeyLimit in sshd_config(5)

• accepted values: undef or a hash of the following structure: {maximum_transmitted_bytes => …, maximum_seconds_elapsed => Optional[…]} where maximum_transmitted_bytes is either a non-negative integer, or the string 'default'. The optional maximum_seconds_elapsed can be a non-negative integer, or the string 'none'.

• example: {maximum_transmitted_bytes => 'default', maximum_seconds_elapsed => 3593} (do not copy but write off)

• default: undef

---

ipqos

• abstract: confer IPQoS in sshd_config(5)

• allowed values: undef or a hash of the following structure: {interactive_sessions => …, non_interactive_sessions => …} Both interactive_sessions and non_interactive_sessions have to be either an integer ∊ [0, 255], or of the named QoS in the man page as a string.

• example: {interactive_sessions => 'lowdelay', non_interactive_sessions => 'throughput'}

• default: undef

---

compression

• abstract: look up Compression in sshd_config(5)

• allowed values: true, false, 'delayed', and undef

• default: undef

---

macs

• abstract: read MACs in sshd_config(5)

• allowed values: undef or a non-empty array of strings, what my openssh version returned on ssh -Q mac

• default: undef

---

force_command

• abstract: see ForceCommand in sshd_config(5)

• allowed values: undef or a non-empty string containing no newlines

• default: undef

---

accept_env

• abstract: compare AcceptEnv in sshd_config(5)

• allowed values: undef or a non-empty array of non-empty strings containing no blanks

• example: ['LANG', 'LC_*']

• default: undef

---

permit_user_environment

• abstract: see PermitUserEnvironment in sshd_config(5)

• accepted values: true, false, and undef

• default: undef

---

permit_tty

• abstract: see PermitTTY in sshd_config(5)

• allowed values: true, false and undef

• default: undef

---

subsystem

• abstract: see Subsystem in sshd_config(5)

• allowed values: undef or a non-empty array of hashes having the following structure: {name => …, command => …, arguments => Optional[…]} where name has to be a word out of the ASCII character set. command has to be string starting with a slash /, containing no blanks, and must not end on a slash. arguments is an optional non-empty array of non-empty strings containing no blanks

• example: {name => 'sftp', command => '/usr/lib/openssh/sftp-server'} (do not copy but write off)

• default: undef

---

permit_tunnel

• abstract: see PermitTunnel in sshd_config(5)

• allowed values: true, false, 'point-to-point', 'ethernet', and undef

• default: undef

---

allow_agent_forwarding

• abstract: see AllowAgentForwarding in sshd_config(5)

• allowed values: true, false, and undef

• default value: undef

---

allow_tcp_forwarding

• abstract: see AllowTcpForwarding in sshd_config(5)

• allowed values: true, false, 'all', 'local', 'remote', and undef

• default: undef

---

permit_open

• abstract: see PermitOpen in sshd_config(5)

• allowed values:

  • undef

  • 'any',

  • 'none'

  • a non-empty array of hashes with the following structure: {host => …, port => …} where host is either an array of four integers ∊ [0, 255], or an array of eight integers ∊ [0x0000, 0xFFFF], or non-empty string, containing neither strings or colons :. port has to be an integer ∊ [0, 65535].

• default: undef

---

allow_stream_local_forwarding

• abstract: see AllowStreamLocalForwarding in sshd_config(5)

• allowed values: true, false, 'all', 'local', 'remote', or undef

• default: undef

---

stream_local_bind_mask

• abstract: see StreamLocalBindMask in sshd_config(5)

• allowed values: undef or a string of four octal digits

• default: undef

---

stream_local_bind_unlink

• abstract: see StreamLocalBindUnlink in sshd_config(5)

• allowed values: true, false, undef

• default: undef

---

x11_forwarding

• abstract: see X11Forwarding in sshd_config(5)

• acceptable value: true, false, and undef

• default: undef

---

x_auth_location

• abstract: see XAuthLocation in sshd_config(5)

• allowed values: undef, or 'none', or a string starting with a slash /, but not ending on a slash, and containing no blanks

• default: undef

---

x11_use_localhost

• abstract: see X11UseLocalhost in sshd_config(5)

• honored values: true, false, and undef

• default: undef

---

x11_display_offset

• abstract: see X11DisplayOffset in sshd_config(5)

• allowed values: undef or a non-negative integer

• default: undef

---

tcp_keep_alive

• abstract: see TCPKeepAlive in sshd_config(5)

• allowed values: true, false, and undef

• default: undef

---

client_alive_interval

• abstract: see ClientAliveInterval in sshd_config(5)

• allowed values: undef or a non-negative integer

• default: undef

---

client_alive_count_max

• abstract: see ClientAliveCountMax in sshd_config(5) for details

• allowed values: undef or a non-negative integer

• default: undef

---

key_regeneration_interval

• abstract: compare KeyRegenerationInterval in sshd_config(5) and -k in sshd(8)

• allowed values: undef or a non-negative integer

• default: undef

---

server_key_bits

• abstract: compare ServerKeyBits in sshd_config(5) and -b in sshd(8)

• allowed values: undef or an integer ∊ [512, ∞),

• default: undef

---

pid_file

• abstract: see PidFile in sshd_config(5)

• note: the init.d scripts hold plain text defaults. Changing this value might break Service['sshd'] as defined in openssh_server::service. You'd like to set sshd_ensure => undef, too, and perform service management on your own (e.g. via systemdisease unit files)

• allowed values: an absolute path string to a file (not ending with a slash, and not containing any blanks), or 'none' or undef

• default: undef

---

syslog_facility

• abstract: see SyslogFacility in sshd_config(5)

• allowed values: 'DAEMON', 'USER', 'AUTH', 'LOCAL0', 'LOCAL1', 'LOCAL2', 'LOCAL3', 'LOCAL4', 'LOCAL5', 'LOCAL6', 'LOCAL7', and undef

• default value: undef

---

log_level

• abstract: see LogLevel in sshd_config(5)

• behavior: According to sshd_config(5) the default logging level is 'INFO'. According to sshd(8) (see -q) beginning, authentication and termination of each connection is logged.

• acceptable values: 'QUIET', 'FATAL', 'ERROR', 'VERBOSE' 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3', 'INFO' and undef

• default: undef

---

fingerprint_hash

• abstract: see FingerprintHash in sshd_config(5)

• acceptable values: 'md5', 'sha256' and undef

• default: undef

---

match

• abstract: apply settings to specific sort of connections only

• acceptable values: undef, or a non-empty array of `openssh_server::match

• default: undef

types

openssh_server::match

This resource type does nothing. It just exists to create a scope for variables.

All attributes but policy describe a condition an associated openssh_server::policy apply to.

If you do not specify any condition attributes, Match All is implied.

user

• abstract: restrict matches to user names

• allowed values: undef, or a non-empty array of non-empty strings containing no blanks or commas

• example: ['service_user', 'puppet']

• default: undef

group

• abstract: restrict matches to users' groups

• allowed values: undef, or a non-empty array of non-empty strings containing no blanks nor commas

• example: ['wheel']

• default: undef

host

• abstract: restrict matches to host names

• allowed values: undef, or a non-empty array of non-empty strings containing no blanks nor commas

• example: ['*.int.acme.tld']

• default: undef

local_address

• abstract: restrict matches to their local address

• This condition especially makes sense, if your sshd listens on multiple ListenAddresses

• allowed values: undef, or non-empty array of arrays. The inner arrays can be either arrays of four integers ranging zero to 255, or arrays of eight integers rangin zero to 0xFFFF

• example: [[10,4,8,3]]

• default: undef

local_port

• abstract: restrict matches to incoming ports

• this condition especially makes sense, if your sshd(8) listens on multiple Ports

• allowed values: undef, or a non-empty array of non-negative integers up to and include 65535

• example: [31415, 62832]

• default: undef

address

• abstract: restrict matches to connections originating from specific address

• allowed values: undef, or a non-empty array of structures. Structures may either have the keys ipv4_address_octets and cidr_mask, or ipv6_address_words and cidr_mask. In case they have ipv4_address_octets, cidr_mask may be a non-negative integer up to and including 32. In case they have ipv6_address_words, cidr_mask may be a non-negative integer up to and including 128. ipv4_address_octets has to be an array of four integers ranging from zero to 255. ipv6_address_words has to be an array of eigh integers ranging from zero to 0xFFFF.

• example: [{ipv4_address_octets => [10,0,0,0], cidr_mask => 8}]

• default: undef

policy

• abstract: the policy associated with matched connections

• required value: a reference to a openssh_server::policy resource

• example: Openssh_server::Policy['weak_security']

• default: undef

openssh_server::policy

This resource type does nothing. It just exists to create a scope for variables.

It accepts a limited set of class parameters, which have the same type:

• gateway_ports
• max_sessions
• banner
• password_authentication
• pubkey_authentication
• kerberos_authentication
• gssapi_authentication
• hostbased_authentication
• kbd_interactive_auth
• rhosts_rsa_authentication
• rsa_authentication
• authentication_methods
• permit_root_login
• deny_users
• allow_users
• deny_groups
• allow_groups
• max_auth_tries
• permit_empty_passwords
• pubkey_accepted_key_types
• trusted_user_ca_keys
• authorized_principals_file
• revoked_keys
• authorized_keys_file

limitations

• Only one openssh-server instance can be managed. Since there are several ways to run multiple sshds on a single host, this module won't be enhanced into this direction. You'd probably want it realized somehow differently anyway.

• This module does not provide a way to uninstall openssh-server.

• As a limitation of what can be modeled with the PP language a sshd_config-change always triggers a restart. Though you can explicitely specify a restart command e.g. /etc/init.d/ssh reload, that's definitely not best practice. (compare PUP-1054)

• During development I experienced Service['sshd'] (the PP resource) does not fail if it's got a faulty sshd_config. sshd_config_validate_cmd should catch this case now.

• This module does not manage sshd_enable, sshd_program, or sshd_flags on FreeBSD platforms.

• This module does not manage an sshd-specific PAM (pluggable authentication module) stack.

• If you suffer from systemdisease, specifying a listen_address possibly results in a not-starting sshd(8) during boot-time: systemd tries to start the ssh service, though not all network interfaces are configured yet. The OpenSSH-server refuses to start, if there's no interface having the specified listen_address. The systemd guys virtually say, they're doing everything right, what's causing such situations are buggy implementation – OpenSSH allegedly has a buggy implementation (regarding networking).

development

• drop me a line, if you'd like to improve this module: Kai Burghardt <wiz:KaiBurghardt.de>

to do:

• tweak the template so in commentary mode it prints only comments/separating newlines where necessary
• YARD
• appoint ppl who care about support of their favorite OS