Forge Home


openssh client and server management


6,272 latest version

4.6 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.31 (latest)
released Apr 25th 2017
This version is compatible with:
  • , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'eyp-openssh', '0.1.31'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add eyp-openssh
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install eyp-openssh --version 0.1.31

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



eyp/openssh — version 0.1.31 Apr 25th 2017


PRs Welcome

Table of Contents

  1. Overview
  2. Module Description
  3. Setup
  4. Usage
  5. Reference
  6. Limitations
  7. Development


openssh management

Module Description

openssh client and server management


What openssh affects


  • files:
    • /etc/ssh/sshd_config
    • /etc/ssh/ssh_config
  • packages:
    • client package (if not included in server package)
    • server package

Setup Requirements

This module requires pluginsync enabled

Beginning with openssh

class { 'openssh::client': }

class { 'openssh::server': }


Cyphers / MACs hardening

global variable eypopensshserver::hardening to enable/disable default hardening (default: false)

manage user's priv keys

class { 'openssh': }
class { 'openssh::server': }
class { 'openssh::client': }

openssh::privkey { 'postgres':
  homedir => '/var/lib/pgsql',


  groups => [ 'sftp' ],
  forcecommand => 'internal-sftp',
  chrootdirectory => '%h',

allow/deny users

openssh::denyuser { 'loluser': }
openssh::denyuser { 'loluser2': }

openssh::allowuser { 'allowuser5': }
openssh::allowuser { 'allowuser6': }

using openssh::server's array

class { 'openssh::server':
  denyusers => [ 'loluser3', 'loluser4' ],
  allowusers => [ 'root', 'ggg', 'kk', 'rrr' ],
  enableldapsshkeys => false,

Restric login per user to a given set of IPs

openssh::match{ 'users ips allowed':
  users => [ 'ada', 'ualoc' ],
  allowed_ips => [ '', '', '' ],

This will generate the following config in sshd_config:

Match  user ada,ualoc
  AllowTcpForwarding no
  AllowUsers ada@
  AllowUsers ada@
  AllowUsers ada@
  AllowUsers ualoc@
  AllowUsers ualoc@
  AllowUsers ualoc@


global variables:

  • eypopensshserver::hardening: to manage default hardening of Cyphers and MACs (default: false)



empty class - just a placeholder


Most variables are standard postfix variables, please refer to postfix documentation for further detaisl:

  • gssapi_authentication: (default: true)


Most variables are standard postfix variables, please refer to ssh documentation for further detaisl:

  • ensure: service's ensure (default: running)
  • manage_service (default: true)
  • manage_docker_service (default: true)
  • enable (default: true)
  • port: (default: 22)
  • permitrootlogin: (default: no)
  • usedns (default: false)
  • usepam (default: true)
  • x11forwarding (default: false)
  • passwordauth (default: true)
  • permitemptypasswords (default: false)
  • enableldapsshkeys (default: false)
  • syslogfacility
  • banner (default: undef)
  • clientaliveinterval (default: 900)
  • clientalivecountmax (default: 0)
  • log_level (default: INFO)
  • ignore_rhosts (default: true)
  • hostbased_authentication (default: false)
  • maxauthtries (default: 4)
  • permit_user_environment (default: false)
  • allowusers: (order: DenyUsers, AllowUsers, default: undef)
  • denyusers: (order: DenyUsers, AllowUsers, default: undef)


private class to manage openssh::server's service



  • username (default: resource's name)


  • username (default: resource's name)


  • matchers (at least one must be set):
    • groups (default: undef)
    • users (default: undef)
    • addresses (default: undef)
    • hosts (default: undef)
  • chrootdirectory: It might not be supported (default: undef)
  • forcecommand: (default: undef)
  • allow_tcp_forwarding (default: false)
  • allowed_ips: list of allowed IPs for this user (default: undef)


  • ensure (default: present)
  • user = $name,
  • group = $name,
  • homedir = "/home/${name}",
  • type (default: rsa)
  • passphrase (default: '')


Tested on:

  • CentOS 5
  • CentOS 6
  • CentOS 7
  • Ubuntu 14.04
  • SLES 11 SP3


We are pushing to have acceptance testing in place, so any new feature should have some tests to check both presence and absence of any feature


  • Move openssh::server configuration options to the openssh::server namespace, for example:
    • openssh::denyuser -> openssh::server::denyuser
  • Implement openssh::client::host using concat { $openssh::params::ssh_config: }


  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request