openssh

Puppet Module for managing OpenSSH
Matt Dainty

bodgit

5,130 downloads

3,165 latest version

5.0 quality score

Version information

  • 1.0.3 (latest)
  • 1.0.2
  • 1.0.1
  • 1.0.0
released Jul 3rd 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.4.x
  • Puppet >=4.9.0 <7.0.0
  • OpenBSD, RedHat, CentOS, OracleLinux, Scientific

Tags: openssh, ssh

Documentation

bodgit/openssh — version 1.0.3 Jul 3rd 2019

openssh

Tested with Travis CI

Table of Contents

  1. Description
  2. Setup - The basics of getting started with openssh
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Description

This module manages OpenSSH.

CentOS, RHEL, Scientific, Oracle Enterprise Linux and OpenBSD are supported using Puppet 4.9.0 or later.

Setup

Beginning with openssh

The module defaults match those of the target OS, so in the simplest case you can just include the following:

include ::openssh::client
include ::openssh::server

Usage

If you want to tune the security settings of the server:

class { '::openssh::server':
  allow_groups                      => ['ssh-user'],
  challenge_response_authentication => false,
  ciphers                           => [
    'chacha20-poly1305@openssh.com',
    'aes256-gcm@openssh.com',
    'aes128-gcm@openssh.com',
    'aes256-ctr',
    'aes192-ctr',
    'aes128-ctr',
  ],
  host_key                          => [
    '/etc/ssh/ssh_host_ed25519_key',
    '/etc/ssh/ssh_host_rsa_key',
  ],
  kex_algorithms                    => [
    'curve25519-sha256@libssh.org',
    'diffie-hellman-group-exchange-sha256',
  ],
  macs                              => [
    'hmac-sha2-512-etm@openssh.com',
    'hmac-sha2-256-etm@openssh.com',
    'hmac-ripemd160-etm@openssh.com',
    'umac-128-etm@openssh.com',
    'hmac-sha2-512',
    'hmac-sha2-256',
    'hmac-ripemd160',
    'umac-128@openssh.com',
  ],
  password_authentication           => false,
  permit_root_login                 => false,
  pubkey_authentication             => true,
  protocol                          => [2],
}

Enabling SSH public key lookups from LDAP:

class { '::openssh::server':
  authorized_keys_command      => '/usr/libexec/openssh/ssh-ldap-helper',
  authorized_keys_command_user => 'nobody',
}

class { '::openssh::server::ldap':
  base_dn => 'ou=people,dc=example,dc=com',
  group   => 'nobody',
  uri     => [
    'ldap://ldap.example.com',
  ],
}

To add Match ... blocks to the server configuration:

include ::openssh::server

::openssh::server::match { 'sftponly':
  group                => [
    'sftponly',
  ],
  chroot_directory     => '%h',
  force_command        => 'internal-sftp',
  allow_tcp_forwarding => false,
  x11_forwarding       => false,
}
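As an added check that is not part of the module or this README: a small Python parser for the rendered sshd_config that verifies the global hardening settings from the server class above and confirms that the settings in the 'sftponly' Match block stay scoped to that block rather than counting as global. The sample config is hand-written to resemble what the module renders, not output captured from it.

```python
# Constructed sample of the sshd_config the class above plus the 'sftponly' Match block would yield (not captured from the module).
SAMPLE_SSHD_CONFIG = """\
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
PasswordAuthentication no
PermitRootLogin no
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

# Global values the hardening example should produce; sshd_config keywords are case-insensitive, hence lower-cased.
EXPECTED_GLOBAL = {
    'passwordauthentication': 'no',
    'permitrootlogin': 'no',
    'ciphers': 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr',
    'kexalgorithms': 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256',
}

def parse_sshd_config(text):
    """Return [(criteria, {keyword: [values]})]: entry 0 is the global section,
    and each Match line opens a new entry that owns every line after it."""
    sections = [('', {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)  # keyword, then the rest of the line
        keyword, value = parts[0].lower(), parts[1] if len(parts) > 1 else ''
        if keyword == 'match':
            sections.append((value, {}))
            continue
        sections[-1][1].setdefault(keyword, []).append(value)  # HostKey repeats
    return sections

def check_hardening(text, expected=EXPECTED_GLOBAL):
    """Return findings (empty list means compliant). sshd honours the FIRST value
    of a keyword, so an earlier stray line shadows a later hardened one."""
    global_conf = parse_sshd_config(text)[0][1]
    findings = []
    for keyword, want in expected.items():
        values = global_conf.get(keyword, [])
        if not values:
            findings.append(f'{keyword}: not set in the global section')
        elif values[0].lower() != want.lower():
            findings.append(f'{keyword}: first value {values[0]!r}, expected {want!r}')
    return findings
```

Run `check_hardening(open('/etc/ssh/sshd_config').read())` on a managed host to get an empty list when the rendered file matches the example, or a list of which keyword is missing or shadowed.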

To create a client configuration file and manage Host ... and Match ... blocks within it:

include ::openssh::client

::openssh::client::configuration { '/home/user/.ssh/config':
  owner => 'user',
  group => 'user',
  mode  => '0640',
}

::openssh::client::host { 'default':
  host          => '*',
  target        => '/home/user/.ssh/config',
  order         => 99,
  proxy_command => '/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p',
}

::openssh::client::match { 'catch-all':
  target        => '/home/user/.ssh/config',
  proxy_command => '/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p',
}

Reference

The reference documentation is generated with puppet-strings and the latest version of the documentation is hosted at https://bodgit.github.io/puppet-openssh/.

Limitations

This module has been built on and tested against Puppet 4.9.0 and higher.

The module has been tested on:

  • Red Hat Enterprise Linux/CentOS 6/7
  • OpenBSD 6.2/6.3

Development

The module has both rspec-puppet and beaker-rspec tests. Run them with:

$ bundle exec rake test
$ PUPPET_INSTALL_TYPE=agent PUPPET_INSTALL_VERSION=x.y.z bundle exec rake beaker:<nodeset>

Please log issues or open pull requests on GitHub.