Forge Home

openssh

openssh client and server management

6,271 downloads

6,271 latest version

4.6 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.31 (latest)
released Apr 25th 2017
This version is compatible with:
  • , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'eyp-openssh', '0.1.31'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add eyp-openssh
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install eyp-openssh --version 0.1.31

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

eyp/openssh — version 0.1.31 Apr 25th 2017

openssh

PRs Welcome

Table of Contents

  1. Overview
  2. Module Description
  3. Setup
  4. Usage
  5. Reference
  6. Limitations
  7. Development

Overview

openssh management

Module Description

openssh client and server management

Setup

What openssh affects

Manages:

  • files:
    • /etc/ssh/sshd_config
    • /etc/ssh/ssh_config
  • packages:
    • client package (if not included in server package)
    • server package

Setup Requirements

This module requires pluginsync enabled

Beginning with openssh

class { 'openssh::client': }

class { 'openssh::server': }

Usage

Cyphers / MACs hardening

global variable eypopensshserver::hardening to enable/disable default hardening (default: false)

manage user's priv keys

class { 'openssh': }
class { 'openssh::server': }
class { 'openssh::client': }

openssh::privkey { 'postgres':
  homedir => '/var/lib/pgsql',
}

matchers

openssh::match{'chroot':
  groups => [ 'sftp' ],
  forcecommand => 'internal-sftp',
  chrootdirectory => '%h',
}

allow/deny users

openssh::denyuser { 'loluser': }
openssh::denyuser { 'loluser2': }

openssh::allowuser { 'allowuser5': }
openssh::allowuser { 'allowuser6': }

using openssh::server's array

class { 'openssh::server':
  denyusers => [ 'loluser3', 'loluser4' ],
  allowusers => [ 'root', 'ggg', 'kk', 'rrr' ],
  enableldapsshkeys => false,
}

Restric login per user to a given set of IPs

openssh::match{ 'users ips allowed':
  users => [ 'ada', 'ualoc' ],
  allowed_ips => [ '1.2.3.4', '5.6.7.8', '1.1.1.1' ],
}

This will generate the following config in sshd_config:

Match  user ada,ualoc
  AllowTcpForwarding no
  AllowUsers ada@1.2.3.4
  AllowUsers ada@5.6.7.8
  AllowUsers ada@1.1.1.1
  AllowUsers ualoc@1.2.3.4
  AllowUsers ualoc@5.6.7.8
  AllowUsers ualoc@1.1.1.1

Reference

global variables:

  • eypopensshserver::hardening: to manage default hardening of Cyphers and MACs (default: false)

classes

openssh

empty class - just a placeholder

openssh::client

Most variables are standard postfix variables, please refer to postfix documentation for further detaisl:

  • gssapi_authentication: (default: true)

openssh::server

Most variables are standard postfix variables, please refer to ssh documentation for further detaisl:

  • ensure: service's ensure (default: running)
  • manage_service (default: true)
  • manage_docker_service (default: true)
  • enable (default: true)
  • port: (default: 22)
  • permitrootlogin: (default: no)
  • usedns (default: false)
  • usepam (default: true)
  • x11forwarding (default: false)
  • passwordauth (default: true)
  • permitemptypasswords (default: false)
  • enableldapsshkeys (default: false)
  • syslogfacility
  • banner (default: undef)
  • clientaliveinterval (default: 900)
  • clientalivecountmax (default: 0)
  • log_level (default: INFO)
  • ignore_rhosts (default: true)
  • hostbased_authentication (default: false)
  • maxauthtries (default: 4)
  • permit_user_environment (default: false)
  • allowusers: (order: DenyUsers, AllowUsers, default: undef)
  • denyusers: (order: DenyUsers, AllowUsers, default: undef)

openssh::service

private class to manage openssh::server's service

defines

openssh::allowuser

  • username (default: resource's name)

openssh::denyuser

  • username (default: resource's name)

openssh::match

  • matchers (at least one must be set):
    • groups (default: undef)
    • users (default: undef)
    • addresses (default: undef)
    • hosts (default: undef)
  • chrootdirectory: It might not be supported (default: undef)
  • forcecommand: (default: undef)
  • allow_tcp_forwarding (default: false)
  • allowed_ips: list of allowed IPs for this user (default: undef)

openssh::privkey

  • ensure (default: present)
  • user = $name,
  • group = $name,
  • homedir = "/home/${name}",
  • type (default: rsa)
  • passphrase (default: '')

Limitations

Tested on:

  • CentOS 5
  • CentOS 6
  • CentOS 7
  • Ubuntu 14.04
  • SLES 11 SP3

Development

We are pushing to have acceptance testing in place, so any new feature should have some tests to check both presence and absence of any feature

TODO

  • Move openssh::server configuration options to the openssh::server namespace, for example:
    • openssh::denyuser -> openssh::server::denyuser
  • Implement openssh::client::host using concat { $openssh::params::ssh_config: }

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request