Version information
This version is compatible with:
- Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 4.7.0 < 6.0.0
This module has been deprecated by its author since Aug 24th 2022.
#attachmentgenie/ssh
####Table of Contents
- Overview
- Setup - The basics of getting started with attachmentgenie/ssh
- Usage - Configuration options and additional functionality
- Development - Guide for contributing to the module
##Overview
The module makes it possible to install a ssh server and/or client and to add authorized ssh keys to existing users.
##Setup
###What attachmentgenie/ssh affects
- ssh server
- ssh client
- add authorized ssh keys to existing users.
###Beginning with attachmentgenie/ssh
The `ssh::client` class installs the ssh client:

```puppet
class { 'ssh::client': }
```

The `ssh::server` class installs and configures the sshd:

```puppet
class { 'ssh::server':
  password_authentication => 'yes',
}
```
##Usage
You can specify the port the sshd should listen on by declaring the class with parameters:

```puppet
class { 'ssh::server':
  port => 20009,
}
```

You can also restrict access to certain users only:

```puppet
class { 'ssh::server':
  allowed_users => ['attachmentgenie', 'manager'],
}
```

And you can permit root logins (not recommended):

```puppet
class { 'ssh::server':
  permit_root_login => 'yes',
}
```

Permitting root logins can be a serious security issue. In most cases you should use something like `sudo` instead.

You can use `ssh::user` to add an authorized ssh key to an existing user for effortless authentication with ssh:

```puppet
ssh::user { 'attachmentgenie':
  key     => 'a8a7dgf7ad8j13g',
  comment => 'laptop',
}

ssh::user { 'laptop':
  key  => 'a8a7dgf7ad8j13g',
  user => 'attachmentgenie',
}
```
##Development
Please see CONTRIBUTING for details.
3.0.0
- moving to puppet 4/5 syntax
16-03-2017 - Release 2.1.0
- Allowing users to have multiple authorized keys (#51)
17-01-2017 - Release 2.0.0
- Adding more parameters to/for ssh_config
  - ciphers
  - kex_algorithms
  - macs
  - password_authentication
- Adding more parameters to/for sshd_config
  - package
  - compression
  - deny_groups
  - gssapi_keyexchange
  - gssapi_cleanupcredentials
  - kerberos_authentication
  - max_sessions
  - max_startups
  - port
  - kex_algorithms
  - use_privilege_separation
- Moving to test kitchen for integration testing
- Now implementing dev-sec.io ssh hardening standard version 2.1.1 (https://github.com/dev-sec/ssh-baseline)
Backward incompatible changes
- Support for puppet 3 has been dropped.
- Support for non LTS releases is no longer guaranteed.
- Support is only guaranteed for the last 2 LTS versions (if applicable).
- In order to pass the dev-sec.io ssh hardening standard several parameters/ssh_config defaults have been changed.
  - PasswordAuthentication : system default => no
  - GSSAPIAuthentication : system default => no
  - Protocol : system default => 2
  - Ciphers : system default => see params.pp
  - KexAlgorithms : system default => see params.pp
  - MACs : system default => see params.pp
- In order to pass the dev-sec.io ssh hardening standard several parameters/sshd_config defaults have been changed.
  - AllowAgentForwarding : system default => no
  - AllowTcpForwarding : system default => no
  - AddressFamily : system default => any
  - ListenAddress : system default => 0.0.0.0
  - Banner : system default => none
  - UsePrivilegeSeparation : yes => see params.pp
  - KexAlgorithms : system default => see params.pp
  - LoginGraceTime : 120 => 30s
  - IgnoreUserKnownHosts : system default => yes
  - KerberosAuthentication : system default => no
  - KerberosOrLocalPasswd : system default => no
  - KerberosTicketCleanup : system default => yes
  - GSSAPIKeyExchange : system default => no
  - GSSAPICleanupCredentials : system default => yes
  - X11UseLocalhost : system default => yes
  - PrintLastLog : yes => no
  - TCPKeepAlive : yes => no
  - UseLogin : system default => no
  - Compression : system default => undef
  - MaxStartups : system default => 10:30:100
  - MaxAuthTries : 6 => 2
  - MaxSessions : system default => 10
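
One way to check a managed host against the sshd_config defaults listed above, as an added example that is not part of the module: the script compares `sshd -T` output (the effective configuration, printed with lowercase keywords) with a subset of those values. The sample input is constructed, and the `audit` helper is a name chosen for this example.

```python
import sys

# Subset of the sshd_config defaults from the Release 2.0.0 notes above that
# have a concrete value, keyed the way `sshd -T` prints them (lowercase).
EXPECTED = {
    "allowagentforwarding": "no",
    "allowtcpforwarding": "no",
    "logingracetime": "30",  # listed as 30s; sshd -T prints plain seconds
    "ignoreuserknownhosts": "yes",
    "x11uselocalhost": "yes",
    "tcpkeepalive": "no",
    "maxstartups": "10:30:100",
    "maxauthtries": "2",
    "maxsessions": "10",
}

# Constructed, truncated sample of `sshd -T` output (not from a real host).
SAMPLE = """\
port 20009
allowagentforwarding no
allowtcpforwarding yes
logingracetime 30
maxauthtries 6
maxsessions 10
maxstartups 10:30:100
tcpkeepalive no
"""


def audit(text, expected=EXPECTED):
    """Return (mismatches, unreported) for `sshd -T` output in text."""
    effective = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts:  # first token is the keyword, the rest is its value
            effective[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    mismatches = {key: (want, effective[key]) for key, want in expected.items()
                  if key in effective and effective[key] != want}
    unreported = sorted(key for key in expected if key not in effective)
    return mismatches, unreported


if __name__ == "__main__":
    mismatches, unreported = audit(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    for key, (want, got) in sorted(mismatches.items()):
        print(f"MISMATCH {key}: expected {want}, effective {got}")
    print("not reported by this sshd:", ", ".join(unreported) or "none")
    sys.exit(1 if mismatches else 0)
```

On a managed node, pipe the effective configuration into it, for example `sshd -T | python3 audit_sshd.py` (hypothetical file name); `sshd -T` usually has to run as root so it can read the host keys.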
27-05-2016 - Release 1.6.0
Summary
- Updating module layout
- Adding code to manage ssh_config
- Adding more parameters to manage in sshd_config
- Adding integration testing
Dependencies
- puppetlabs-stdlib (>= 4.13.0 < 5.0.0)
Copyright (C) 2017 by Bram Vogelaar <bram@attachmentgenie.com>

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.