openssh

Puppet Module for managing OpenSSH

Version information

  • 1.0.3 (latest)
  • 1.0.2
  • 1.0.1
  • 1.0.0
released Jan 13th 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.4.x
  • Puppet >=4.9.0 <7.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'bodgit-openssh', '1.0.3'

Add this module to your Bolt project:

bolt module add bodgit-openssh

Manually install this module globally with Puppet module tool:

puppet module install bodgit-openssh --version 1.0.3

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: ssh, openssh

Documentation

bodgit/openssh — version 1.0.3 Jan 13th 2019

openssh

Table of Contents

  1. Description
  2. Setup - The basics of getting started with openssh
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Description

This module manages OpenSSH.

CentOS, RHEL, Scientific, Oracle Enterprise Linux and OpenBSD are supported using Puppet 4.9.0 or later.

Setup

Beginning with openssh

The module defaults match those of the target OS, so in the very simplest case you can just include the following:

include ::openssh::client
include ::openssh::server

Usage

If you want to tune the security settings of the server:

class { '::openssh::server':
  allow_groups                      => ['ssh-user'],
  challenge_response_authentication => false,
  ciphers                           => [
    'chacha20-poly1305@openssh.com',
    'aes256-gcm@openssh.com',
    'aes128-gcm@openssh.com',
    'aes256-ctr',
    'aes192-ctr',
    'aes128-ctr',
  ],
  host_key                          => [
    '/etc/ssh/ssh_host_ed25519_key',
    '/etc/ssh/ssh_host_rsa_key',
  ],
  kex_algorithms                    => [
    'curve25519-sha256@libssh.org',
    'diffie-hellman-group-exchange-sha256',
  ],
  macs                              => [
    'hmac-sha2-512-etm@openssh.com',
    'hmac-sha2-256-etm@openssh.com',
    'hmac-ripemd160-etm@openssh.com',
    'umac-128-etm@openssh.com',
    'hmac-sha2-512',
    'hmac-sha2-256',
    'hmac-ripemd160',
    'umac-128@openssh.com',
  ],
  password_authentication           => false,
  permit_root_login                 => false,
  pubkey_authentication             => true,
  protocol                          => [2],
}

Enabling SSH public key lookups from LDAP:

class { '::openssh::server':
  authorized_keys_command      => '/usr/libexec/openssh/ssh-ldap-helper',
  authorized_keys_command_user => 'nobody',
}

class { '::openssh::server::ldap':
  base_dn => 'ou=people,dc=example,dc=com',
  group   => 'nobody',
  uri     => [
    'ldap://ldap.example.com',
  ],
}

To add Match ... blocks to the server configuration:

include ::openssh::server

::openssh::server::match { 'sftponly':
  group                => [
    'sftponly',
  ],
  chroot_directory     => '%h',
  force_command        => 'internal-sftp',
  allow_tcp_forwarding => false,
  x11_forwarding       => false,
}
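One way to check that a rendered sshd_config really carries the hardened settings from the `::openssh::server` example above, without letting a Match block such as the `sftponly` one be mistaken for a global setting. This is an added Python example, not code from the bodgit-openssh module; the sample configuration is constructed, and the expected values are copied from the README's own example.

```python
import re
# Hardened global settings taken from the '::openssh::server' example above.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "allowgroups": "ssh-user",
    "ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
               "aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr",
    "kexalgorithms": "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256",
}

# Constructed sample sshd_config (not from a real host): PermitRootLogin is wrong,
# Ciphers is missing, PasswordAuthentication is set twice, and a Match block ends it.
SAMPLE_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-user
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Match Group sftponly
    ChrootDirectory %h
"""

def parse_global(text):
    """Lower-cased keyword -> value for the global section, following sshd's
    rules: keywords are case-insensitive, 'key value' and 'key=value' both parse,
    the FIRST occurrence wins, and lines after the first Match are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # Match-block settings need a separate per-block audit
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(text):
    """Sorted findings for each expected setting that is absent or differs;
    an unset keyword counts because sshd's built-in default may be weaker."""
    got = parse_global(text)
    return sorted(f"{k}: got {got.get(k, '<unset>')}, expected {v}"
                  for k, v in EXPECTED.items()
                  if got.get(k, "").lower() != v.lower())
```

Running `audit(SAMPLE_CONFIG)` reports only the missing Ciphers line and the wrong PermitRootLogin; the second PasswordAuthentication line is ignored because sshd keeps the first value it reads.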

To create a client configuration file and manage Host ... and Match ... blocks within it:

include ::openssh::client

::openssh::client::configuration { '/home/user/.ssh/config':
  owner => 'user',
  group => 'user',
  mode  => '0640',
}

::openssh::client::host { 'default':
  host          => '*',
  target        => '/home/user/.ssh/config',
  order         => 99,
  proxy_command => '/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p',
}

::openssh::client::match { 'catch-all':
  target        => '/home/user/.ssh/config',
  proxy_command => '/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p',
}

Reference

The reference documentation is generated with puppet-strings and the latest version of the documentation is hosted at https://bodgit.github.io/puppet-openssh/.

Limitations

This module has been built on and tested against Puppet 4.9.0 and higher.

The module has been tested on:

  • Red Hat/CentOS Enterprise Linux 6/7
  • OpenBSD 6.2/6.3

Development

The module has both rspec-puppet and beaker-rspec tests. Run them with:

$ bundle exec rake test
$ PUPPET_INSTALL_TYPE=agent PUPPET_INSTALL_VERSION=x.y.z bundle exec rake beaker:<nodeset>

Please log issues or pull requests on GitHub.