
openssh_server

Installs and configures openssh-server.

8,698 downloads (6,462 for the latest version); quality score 2.4



Version information

  • 0.0.3 (latest)
  • 0.0.2
  • 0.0.1
released Jan 21st 2018
This version is compatible with:
  • Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 5.0.0
Tasks:
  • test

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'kb-openssh_server', '0.0.3'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add kb-openssh_server
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install kb-openssh_server --version 0.0.3

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: ssh, openssh, sshd

Documentation

kb/openssh_server — version 0.0.3 Jan 21st 2018

openssh_server

table of contents

  1. overview
  2. module description – what the module does and why it is useful
  3. setup – the basics of getting started with openssh_server
  4. usage – configuration options and additional functionality
  5. reference – an under-the-hood peek at what the module is doing and how
  6. limitations – OS compatibility, etc.
  7. development – guide for contributing to the module

overview

This module manages an OpenSSH server (openssh-server).

module description

This module installs, configures, and starts the openssh-server.

setup

what openssh_server affects

  • Package['openssh_server'] (optional)
  • File['openssh_server_preseed'] (optional)
  • File['sshd_config'] (optional)
  • File['sshd_no_start'] (optional)
  • Service['sshd'] (optional)

setup requirements

You need at least Puppet 4.2 (the Forge metadata declares compatibility with Puppet >= 4.0.0 < 5.0.0).

beginning with openssh_server

Ensure the openssh-server package is present and the sshd(8) service is running, leaving the distribution's sshd_config in place (manage_sshd_config defaults to false):

class ssh_server {
  class { 'openssh_server': }
}

usage

See examples/.
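Since examples/ is not reproduced on this page, the following manifest is an added example of a hardened server built only from the parameters documented in the reference section below; it is not taken from the module's examples/ directory. The class name profile::ssh_server_hardened, the group ssh-users and the host key paths are illustrative. The cipher, KEX and MAC names are assumptions: the module only accepts names that ssh -Q cipher, ssh -Q kex and ssh -Q mac printed on the author's OpenSSH version, so compare them with your target's OpenSSH before applying.

```puppet
# Added example of a hardened sshd built from the parameters documented in
# this README; not code from the module's examples/ directory.
# Illustrative: class name, group 'ssh-users', host key paths.
# Assumptions: cipher/KEX/MAC names must appear in 'ssh -Q cipher|kex|mac'
# on the target, because the module validates them against a fixed list.
class profile::ssh_server_hardened {
  class { 'openssh_server':
    latest_instead_of_present    => true,   # track security updates of openssh-server
    manage_sshd_config           => true,   # render /etc/ssh/sshd_config from the template
    sshd_config_validate_cmd     => '/usr/sbin/sshd -t -f %',  # module default, stated explicitly:
                                                               # a broken file never reaches /etc/ssh
    sshd_config_commentary_track => false,  # no template comments in the rendered file

    # Listener
    address_family => 'inet',
    port           => [22],
    protocol       => [2],  # protocol 1 is obsolete; newer sshd ignores the keyword
    host_key       => ['/etc/ssh/ssh_host_ed25519_key', '/etc/ssh/ssh_host_rsa_key'],

    # Authentication: keys only, no root, small brute-force window
    permit_root_login         => false,
    pubkey_authentication     => true,
    pubkey_accepted_key_types => ['ssh-ed25519*', 'ecdsa*', 'rsa-sha2-*'],  # RSA keys only with SHA-2 signatures
    password_authentication   => false,
    challenge_response_auth   => false,
    permit_empty_passwords    => false,
    authentication_methods    => [[{method => 'publickey'}]],
    use_pam                   => true,      # keep PAM account/session checks (locked accounts, limits)
    allow_groups              => ['ssh-users'],  # illustrative group name
    max_auth_tries            => 3,
    login_grace_time          => 30,
    max_startups              => {start => 10, rate => 30, full => 60},
    strict_modes              => true,
    use_dns                   => false,     # reverse DNS adds delay, not security

    # No forwarding surfaces on a plain login host
    x11_forwarding          => false,
    allow_agent_forwarding  => false,
    allow_tcp_forwarding    => false,
    permit_tunnel           => false,
    permit_user_environment => false,
    client_alive_interval   => 300,
    client_alive_count_max  => 2,

    # Crypto (assumed to be present in 'ssh -Q ...' on the target)
    kex_algorithms => ['curve25519-sha256@libssh.org', 'ecdh-sha2-nistp521', 'ecdh-sha2-nistp384'],
    ciphers        => ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr'],
    macs           => ['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com'],

    # Audit: VERBOSE logs the fingerprint of the key used for each login
    log_level => 'VERBOSE',
    subsystem => [{name => 'sftp', command => '/usr/lib/openssh/sftp-server'}],
  }
}
```

Apply it first with puppet apply --noop to review the diff. On a real run the validate command parses the temporary file with sshd -t before Puppet replaces /etc/ssh/sshd_config, so an unknown cipher name or a mistyped value fails the catalog run instead of leaving a daemon that will not come back after the restart. When applying authentication changes remotely, keep your existing session open until a fresh login succeeds.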

reference

classes

public classes

  • openssh_server: the base class
  • openssh_server::params: holds defaults for the base class

private classes

  • openssh_server::install: performs the installation
  • openssh_server::config: distributes the configuration files
  • openssh_server::service: manages the Service['sshd']

parameters

Structured overview:


openssh_server_package_name
  • abstract: the name of the package to install

  • behavior:

    • any string: the package gets installed (or updated, see latest_instead_of_present)

    • undef: Package['openssh_server'] isn't managed by this module

  • allowed values: a string or undef

  • default: undef on FreeBSD, 'openssh-server' everywhere else


latest_instead_of_present
  • abstract: whether to ensure Package['openssh_server'] to be latest instead of just present

  • behavior

    • true: Package['openssh_server'] becomes latest

    • false: Package['openssh_server'] becomes present

  • accepted values: true and false

  • default value: false


manage_openssh_server_preseed
  • abstract: whether File['openssh_server_preseed'] is managed

  • behavior:

    • false: File['openssh_server_preseed'] isn't managed

    • true: a debconf preseed (response file) is created at preseed_path. The only known preseedable value is PermitRootLogin; it is taken from the class parameter permit_root_login and written to the preseed file.

  • allowed values: true and false

  • default: true on Debian systems, false everywhere else


preseed_path
  • abstract: File['openssh_server_preseed']['path']

  • allowed values: a non-empty string

  • default: '/var/cache/debconf/openssh_server.preseed'


preseed_validate_cmd
  • abstract: how to validate the preseed file

  • note: as far as the author has seen, debconf-set-selections(1) checks for syntax errors only; a string given for a boolean setting does not seem to be caught.

  • allowed values: any string or undef

  • default: '/usr/bin/debconf-set-selections --verbose --checkonly %'


preseed_validate_replace
  • abstract: the character to replace with the path to the temporary new contents file

  • allowed values: any string or undef

  • default: '%'


manage_sshd_config
  • abstract: whether this module manages File['sshd_config']

  • allowed values: true and false

  • default: false


sshd_config_path
  • abstract: File['sshd_config']['path']

  • allowed values: a non-empty string

  • default: '/etc/ssh/sshd_config'


sshd_config_mode
  • abstract: the file permissions of File['sshd_config']

  • behavior

    • any string: the specified mode is ensured

    • undef: the file mode is left unmanaged

  • allowed values: any string or undef

  • default: '0644'


sshd_config_owner
  • abstract: the file owner of File['sshd_config']

  • allowed values: any string, a non-negative integer, or undef

  • default: 'root' on Debian and FreeBSD systems, 0 (the integer) everywhere else


sshd_config_group
  • abstract: the group of File['sshd_config']

  • allowed values: any string, a non-negative integer, or undef

  • default value: 'root' on Debian platforms, 'wheel' on FreeBSD platforms, 0 anywhere else


sshd_config_template
  • abstract: sshd_config is rendered by template()

  • acceptable values: a non-empty string

  • see also: the default template uses sshd_config_preamble

  • default: 'openssh_server/sshd_config.erb'


sshd_config_validate_cmd
  • abstract: a syntax validation command for sshd_config(5)

  • behavior:

    • any string: the specified command validates the new sshd_config

    • undef: no validation is performed. sshd(8) refuses to start with a faulty configuration file, but the author observed Service['sshd'] reporting a successful start anyway (see limitations), so you definitely want to validate.

  • allowed values: any string, and undef

  • default value: '/usr/sbin/sshd -t -f %'


sshd_config_validate_replace
  • abstract: the character replaced in sshd_config_validate_cmd with the temporary new content file

  • allowed values: any string, and undef

  • default: '%'


sshd_ensure
  • abstract: Service['sshd']['ensure']

  • behavior:

    • undef: this module doesn't manage Service['sshd']

    • 'running': Service['sshd']['ensure'] = 'running'

    • 'stopped': Service['sshd']['ensure'] = 'stopped'

  • allowed values: 'running', 'stopped' and undef

  • default: 'running'


sshd_enable
  • abstract: Service['sshd']['enable']

  • note: requires Service['sshd'] to be managed by this module, compare sshd_ensure

  • allowed values: 'manual', 'mask', true, false, and undef

  • default: true


no_start_file_ensure
  • abstract: how to deal with /etc/ssh/sshd_not_to_be_run

  • behavior

    • 'present': the file is created with the same mode, owner and group as sshd_config. File creation happens before Service['sshd']. Setting sshd_ensure to 'running' does not then emit an error, although sshd will not be started; see /etc/init.d/ssh or /lib/systemd/system/ssh.service for details.

    • 'absent': ensure the no-start-file isn't there

    • undef: neither delete or touch(1) the no-start-file

  • allowed values: 'present', 'absent' and undef

  • default value: 'absent' (unconditionally!)


sshd_config_commentary_track
  • abstract: whether comments and empty lines are filtered from the default sshd_config template

  • behavior:

    • false: all lines of the content body starting with a hash are filtered, as well as empty lines

    • true: comments and structuring empty lines remain in place (the default template currently looks odd unless all, or at least most, parameters are set)

  • allowed values: true and false

  • default: true


sshd_config_preamble
  • abstract: specifies a preamble template() for sshd_config

  • behavior

    • any non-empty string: the default template sshd_config_template includes the specified template.

    • undef: the default template does not include a preamble

  • allowed values: any non-empty string, and undef

  • default: openssh_server/sshd_config_preamble.erb


address_family
  • abstract: see AddressFamily in sshd_config(5)

  • allowed values: 'any', 'inet', 'inet6', and undef

  • default: undef


port
  • abstract: see Port in sshd_config(5) and -p in sshd(8)

  • allowed values: a non-empty array of integers ∊ [0, 65535], or undef

  • default: undef


listen_address
  • abstract: compare ListenAddress in sshd_config(5)

  • allowed values: a non-empty array of the following structure: {host => …, port => Optional[…]} or undef. host can be an array of four integers ∊ [0, 255], or an array of eight integers ∊ [0x0000, 0xFFFF], or a non-empty string of non-blank characters. port can be an integer ∊ [0, 65535].

  • example: [{host => [10, 11, 12, 13], port => 65432}] (illustrative only)

  • default: undef


gateway_ports
  • abstract: see GatewayPorts in sshd_config(5)

  • allowed values: true, false, 'clientspecified' or undef

  • default: undef


max_startups
  • abstract: see MaxStartups in sshd_config(5)

  • allowed values:

    • a non-negative integer

    • a hash of the structure {start => Integer[0], rate => Integer[0], full => Integer[0]}

    • undef

  • default: undef


protocol
  • abstract: see Protocol in sshd_config(5)

  • allowed values: a non-empty array of integers ∊ [1, 2], and undef

  • note: protocol 1 is obsolete. OpenSSH removed server-side support for it in 7.4, and later versions ignore the Protocol keyword with a deprecation warning, so the only sensible value is [2] (or undef).

  • example: [2]

  • default: undef


max_sessions
  • abstract: see MaxSessions in sshd_config(5)

  • accepted values: any non-negative integer, and undef

  • default value: undef


host_key
  • abstract: see HostKey in sshd_config(5) and -h in sshd(8)

  • allowed values: a non-empty array of strings, containing no blanks, and not ending on a slash /, or, alternatively, undef

  • example: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']

  • default: undef


host_certificate
  • abstract: see HostCertificate in sshd_config(5)

  • allowed values: as for host_key

  • default: undef


banner
  • abstract: see Banner in sshd_config(5)

  • allowed values: a string containing no blanks and not ending on a slash /, or undef

  • default: undef


debian_banner
  • abstract: see DebianBanner in sshd_config(5)

  • allowed values: true, false, and undef

  • default value: undef


version_addendum
  • abstract: see VersionAddendum in sshd_config(5)

  • allowed values: a word in the ASCII character set, or undef

  • default: undef


host_key_agent
  • abstract: see HostKeyAgent in sshd_config(5)

  • allowed values: a non-empty string containing no blanks, or undef

  • default: undef


password_authentication
  • abstract: see PasswordAuthentication in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


pubkey_authentication
  • abstract: see PubkeyAuthentication in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


kerberos_authentication
  • abstract: see KerberosAuthentication in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


gssapi_authentication
  • abstract: see GSSAPIAuthentication in sshd_config(5)

  • accepted values: true, false, undef

  • default: undef


challenge_response_auth
  • abstract: see ChallengeResponseAuthentication in sshd_config(5)

  • honored values: true, false, and undef

  • default value: undef


use_pam
  • abstract: see UsePAM in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


hostbased_authentication
  • abstract: see HostbasedAuthentication in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


kbd_interactive_auth
  • abstract: see KbdInteractiveAuthentication in sshd_config(5)

  • allowed values: true, false, and undef

  • default value: undef


rhosts_rsa_authentication
  • abstract: see RhostsRSAAuthentication in sshd_config(5)

  • note: applies to protocol 1 only; the protocol 2 counterpart is HostbasedAuthentication (see hostbased_authentication). Protocol 1 server support was removed in OpenSSH 7.4.

  • allowed values: true, false, and undef

  • default: undef


rsa_authentication
  • abstract: see RSAAuthentication in sshd_config(5)

  • note: applies to protocol 1 only; public-key authentication for protocol 2 is controlled by PubkeyAuthentication (see pubkey_authentication)

  • allowed values: true, false, and undef

  • default: undef


authentication_methods
  • abstract: see AuthenticationMethods in sshd_config(5)

  • allowed values: a non-empty array of non-empty arrays of the following structure: {method => …, device => Optional[…]} where method is a word in the ASCII character set, and optionally device is a word in the ASCII character set. Alternatively undef.

  • example: [[{method => 'publickey'}, {method => 'password'}], [{method => 'publickey'}, {method => 'keyboard-interactive'}]] (illustrative; adapt to your needs. Each inner array is one list of methods that must all succeed, and authentication succeeds as soon as any one list is completed, so this example enforces a key plus either a password or keyboard-interactive)

  • default: undef


permit_root_login
  • abstract: see PermitRootLogin in sshd_config(5)

  • allowed values: true, false, 'without-password', 'forced-commands-only', and undef

  • note: OpenSSH 7.0 renamed 'without-password' to 'prohibit-password' and made it the built-in default; sshd still accepts the old spelling, which is the one this module validates

  • default: undef


deny_users
  • abstract: see DenyUsers in sshd_config(5)

  • acceptable values: a non-empty array of non-empty strings, without any blanks, or undef

  • example: ['*']

  • default: undef


allow_users
  • abstract: compare AllowUsers in sshd_config(5)

  • allowed values: see deny_users

  • example: ['ernie', 'bert']

  • default: undef


deny_groups
  • abstract: see DenyGroups in sshd_config(5)

  • acceptable values: a non-empty array of non-empty strings, containing no blanks, or just undef

  • example: ['*']

  • default: undef


allow_groups
  • abstract: see AllowGroups in sshd_config(5)

  • allowed values: see deny_groups

  • example: ['support', 'staff']

  • default: undef


use_privilege_separation
  • abstract: see UsePrivilegeSeparation in sshd_config(5) and compare § “files” in sshd(8)

  • allowed values: true, false, 'sandbox' and undef

  • note: since OpenSSH 7.5 privilege separation with sandboxing is always enabled and the UsePrivilegeSeparation keyword is deprecated, so this parameter only has an effect on older versions

  • default: undef


use_dns
  • abstract: see UseDNS in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


max_auth_tries
  • abstract: see MaxAuthTries in sshd_config(5)

  • allowed values: some non-negative integer or undef

  • default: undef


strict_modes
  • abstract: see StrictModes in sshd_config(5)

  • allowed values: true, false and undef

  • default: undef


login_grace_time
  • abstract: see LoginGraceTime in sshd_config(5) and -g in sshd(8)

  • accepted values: a non-negative integer, and undef

  • default: undef


use_login
  • abstract: see UseLogin in sshd_config(5) for more information

  • note: UseLogin was removed in OpenSSH 7.4; later versions ignore it

  • allowed values: true, false or undef

  • default: undef


permit_empty_passwords
  • abstract: compare PermitEmptyPasswords in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


pubkey_accepted_key_types
  • abstract: see PubkeyAcceptedKeyTypes in sshd_config(5)

  • allowed values: a non-empty array of non-empty strings, containing no blanks or commas, or just undef

  • example: ['ssh-ed25519*', 'ecdsa*']

  • default value: undef


trusted_user_ca_keys
  • abstract: see TrustedUserCAKeys in sshd_config(5) for more details

  • allowed values: a non-empty string of non-blank characters, and not ending on a slash, or undef

  • default: undef


authorized_principals_file
  • abstract: see AuthorizedPrincipalsFile in sshd_config(5)

  • allowed values: undef, or an absolute path to a file, or a path starting with '%h' or '~'. Neither variant may contain blanks or end on a slash.

  • defaults to: undef


authorized_principals_cmd
  • abstract: see AuthorizedPrincipalsCommand in sshd_config(5)

  • allowed values: undef or a string starting with a slash (not containing any blanks) and optionally followed by a space and then containing anything but newlines.

  • example: '/usr/local/sbin/sshdapc %u'

  • default: undef


authorized_principals_cmd_uid
  • abstract: see AuthorizedPrincipalsCommandUser in sshd_config(5)

  • allowed values: a non-empty string containing no blanks, or undef

  • example: 'lu' (the author's local service user; illustrative)

  • default: undef


kerberos_get_afs_token
  • abstract: see KerberosGetAFSToken in sshd_config(5) for details

  • allowed values: true, false, and undef

  • default value: undef


kerberos_or_local_passwd
  • abstract: search for KerberosOrLocalPasswd in sshd_config(5)

  • allowed values: true, false, and undef

  • default value: undef


kerberos_ticket_cleanup
  • abstract: see KerberosTicketCleanup in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


gssapi_key_exchange
  • abstract: see GSSAPIKeyExchange in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


gssapi_strict_acceptor_check
  • abstract: see GSSAPIStrictAcceptorCheck in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


gssapi_store_creds_on_rekey
  • abstract: see GSSAPIStoreCredentialsOnRekey in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


gssapi_cleanup_credentials
  • abstract: compare GSSAPICleanupCredentials in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


hostbased_accepted_key_types
  • abstract: see HostbasedAcceptedKeyTypes in sshd_config(5)

  • allowed values: undef or a non-empty array of non-empty strings containing no blanks or commas

  • default: undef


hostbased_uses_name_fr_packet
  • abstract: see HostbasedUsesNameFromPacketOnly in sshd_config(5)

  • allowed values: true, false, and undef

  • default value: undef


ignore_rhosts
  • abstract: see IgnoreRhosts in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


ignore_user_known_hosts
  • abstract: see IgnoreUserKnownHosts in sshd_config(5)

  • allowed values: undef, false, and true

  • default: undef


print_motd
  • abstract: see PrintMotd in sshd_config(5) and §§ “login process” and “files” in sshd(8)

  • allowed values: true, false, and undef

  • default: undef


print_last_log
  • abstract: compare PrintLastLog in sshd_config(5) and § “login process” in sshd(8)

  • allowed values: true, false, and undef

  • default: undef


chroot_directory
  • abstract: see ChrootDirectory in sshd_config(5)

  • accepted values: undef, or a non-empty string containing no blanks and ending on a slash /

  • example: '/opt/mailbox_read_env/'

  • default: undef


ciphers
  • abstract: see Ciphers in sshd_config(5)

  • allowed values: undef or a non-empty array of cipher names, restricted to those ssh -Q cipher listed for the author's OpenSSH version

  • example: ['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'arcfour256', 'arcfour128', 'arcfour'] (illustrative only: the arcfour (RC4) ciphers have been disabled by default since OpenSSH 6.7 and should not be re-enabled; keep the CTR ciphers and, where available, prefer the AEAD ciphers chacha20-poly1305@openssh.com and aes256-gcm@openssh.com)

  • default: undef


kex_algorithms
  • abstract: see KexAlgorithms in sshd_config(5)

  • allowed values: undef or a non-empty array of key exchange algorithm names, restricted to those ssh -Q kex listed for the author's OpenSSH version

  • example: ['ecdh-sha2-nistp521', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256', 'curve25519-sha256@libssh.org']

  • default: undef


rekey_limit
  • abstract: see RekeyLimit in sshd_config(5)

  • accepted values: undef or a hash of the following structure: {maximum_transmitted_bytes => …, maximum_seconds_elapsed => Optional[…]} where maximum_transmitted_bytes is either a non-negative integer, or the string 'default'. The optional maximum_seconds_elapsed can be a non-negative integer, or the string 'none'.

  • example: {maximum_transmitted_bytes => 'default', maximum_seconds_elapsed => 3593} (do not copy but write off)

  • default: undef


ipqos
  • abstract: confer IPQoS in sshd_config(5)

  • allowed values: undef or a hash of the following structure: {interactive_sessions => …, non_interactive_sessions => …} Both interactive_sessions and non_interactive_sessions have to be either an integer ∊ [0, 255], or of the named QoS in the man page as a string.

  • example: {interactive_sessions => 'lowdelay', non_interactive_sessions => 'throughput'}

  • default: undef


compression
  • abstract: look up Compression in sshd_config(5)

  • allowed values: true, false, 'delayed', and undef

  • default: undef


macs
  • abstract: read MACs in sshd_config(5)

  • allowed values: undef or a non-empty array of MAC names, restricted to those ssh -Q mac listed for the author's OpenSSH version

  • default: undef


force_command
  • abstract: see ForceCommand in sshd_config(5)

  • allowed values: undef or a non-empty string containing no newlines

  • default: undef


accept_env
  • abstract: compare AcceptEnv in sshd_config(5)

  • allowed values: undef or a non-empty array of non-empty strings containing no blanks

  • example: ['LANG', 'LC_*']

  • default: undef


permit_user_environment
  • abstract: see PermitUserEnvironment in sshd_config(5)

  • accepted values: true, false, and undef

  • default: undef


permit_tty
  • abstract: see PermitTTY in sshd_config(5)

  • allowed values: true, false and undef

  • default: undef


subsystem
  • abstract: see Subsystem in sshd_config(5)

  • allowed values: undef or a non-empty array of hashes with the following structure: {name => …, command => …, arguments => Optional[…]} where name has to be a word in the ASCII character set, command has to be a string starting with a slash /, containing no blanks and not ending on a slash, and arguments is an optional non-empty array of non-empty strings containing no blanks

  • example: [{name => 'sftp', command => '/usr/lib/openssh/sftp-server'}] (illustrative; adapt the path to your platform)

  • default: undef


permit_tunnel
  • abstract: see PermitTunnel in sshd_config(5)

  • allowed values: true, false, 'point-to-point', 'ethernet', and undef

  • default: undef


allow_agent_forwarding
  • abstract: see AllowAgentForwarding in sshd_config(5)

  • allowed values: true, false, and undef

  • default value: undef


allow_tcp_forwarding
  • abstract: see AllowTcpForwarding in sshd_config(5)

  • allowed values: true, false, 'all', 'local', 'remote', and undef

  • default: undef


permit_open
  • abstract: see PermitOpen in sshd_config(5)

  • allowed values:

    • undef

    • 'any',

    • 'none'

    • a non-empty array of hashes with the following structure: {host => …, port => …} where host is either an array of four integers ∊ [0, 255], or an array of eight integers ∊ [0x0000, 0xFFFF], or a non-empty string containing neither blanks nor colons :. port has to be an integer ∊ [0, 65535].

  • default: undef


allow_stream_local_forwarding
  • abstract: see AllowStreamLocalForwarding in sshd_config(5)

  • allowed values: true, false, 'all', 'local', 'remote', or undef

  • default: undef


stream_local_bind_mask
  • abstract: see StreamLocalBindMask in sshd_config(5)

  • allowed values: undef or a string of four octal digits

  • default: undef


stream_local_bind_unlink
  • abstract: see StreamLocalBindUnlink in sshd_config(5)

  • allowed values: true, false, undef

  • default: undef


x11_forwarding
  • abstract: see X11Forwarding in sshd_config(5)

  • acceptable value: true, false, and undef

  • default: undef


x_auth_location
  • abstract: see XAuthLocation in sshd_config(5)

  • allowed values: undef, or 'none', or a string starting with a slash /, but not ending on a slash, and containing no blanks

  • default: undef


x11_use_localhost
  • abstract: see X11UseLocalhost in sshd_config(5)

  • honored values: true, false, and undef

  • default: undef


x11_display_offset
  • abstract: see X11DisplayOffset in sshd_config(5)

  • allowed values: undef or a non-negative integer

  • default: undef


tcp_keep_alive
  • abstract: see TCPKeepAlive in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


client_alive_interval
  • abstract: see ClientAliveInterval in sshd_config(5)

  • allowed values: undef or a non-negative integer

  • default: undef


client_alive_count_max
  • abstract: see ClientAliveCountMax in sshd_config(5) for details

  • allowed values: undef or a non-negative integer

  • default: undef


key_regeneration_interval
  • abstract: compare KeyRegenerationInterval in sshd_config(5) and -k in sshd(8)

  • note: affects the ephemeral protocol 1 server key only; no longer honoured since OpenSSH 7.4 removed protocol 1 server support

  • allowed values: undef or a non-negative integer

  • default: undef


server_key_bits
  • abstract: compare ServerKeyBits in sshd_config(5) and -b in sshd(8)

  • note: sizes the ephemeral protocol 1 server key only; no longer honoured since OpenSSH 7.4 removed protocol 1 server support

  • allowed values: undef or an integer ∊ [512, ∞)

  • default: undef


pid_file
  • abstract: see PidFile in sshd_config(5)

  • note: the init.d scripts hold the PID file path as a plain-text default, so changing this value might break Service['sshd'] as defined in openssh_server::service. In that case set sshd_ensure => undef as well and manage the service yourself (e.g. via systemd unit files).

  • allowed values: an absolute path string to a file (not ending with a slash, and not containing any blanks), or 'none' or undef

  • default: undef


syslog_facility
  • abstract: see SyslogFacility in sshd_config(5)

  • allowed values: 'DAEMON', 'USER', 'AUTH', 'LOCAL0', 'LOCAL1', 'LOCAL2', 'LOCAL3', 'LOCAL4', 'LOCAL5', 'LOCAL6', 'LOCAL7', and undef

  • default value: undef


log_level
  • abstract: see LogLevel in sshd_config(5)

  • behavior: According to sshd_config(5) the default logging level is 'INFO'. According to sshd(8) (see -q) beginning, authentication and termination of each connection is logged.

  • acceptable values: 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3', and undef

  • default: undef


fingerprint_hash
  • abstract: see FingerprintHash in sshd_config(5)

  • acceptable values: 'md5', 'sha256' and undef

  • default: undef


match
  • abstract: apply settings to specific kinds of connections only

  • acceptable values: undef, or a non-empty array of references to openssh_server::match resources

  • default: undef

types

openssh_server::match

This resource type does nothing. It just exists to create a scope for variables.

All attributes but policy describe a condition; the associated openssh_server::policy applies to connections that satisfy all of the given conditions.

If you do not specify any condition attributes, Match All is implied.

user
  • abstract: restrict matches to user names

  • allowed values: undef, or a non-empty array of non-empty strings containing no blanks or commas

  • example: ['service_user', 'puppet']

  • default: undef

group
  • abstract: restrict matches to users' groups

  • allowed values: undef, or a non-empty array of non-empty strings containing no blanks nor commas

  • example: ['wheel']

  • default: undef

host
  • abstract: restrict matches to host names

  • allowed values: undef, or a non-empty array of non-empty strings containing no blanks nor commas

  • example: ['*.int.acme.tld']

  • default: undef

local_address
  • abstract: restrict matches to their local address

  • This condition especially makes sense, if your sshd listens on multiple ListenAddresses

  • allowed values: undef, or a non-empty array of arrays. The inner arrays are either arrays of four integers ranging from 0 to 255 (IPv4), or arrays of eight integers ranging from 0 to 0xFFFF (IPv6)

  • example: [[10,4,8,3]]

  • default: undef

local_port
  • abstract: restrict matches to incoming ports

  • this condition especially makes sense, if your sshd(8) listens on multiple Ports

  • allowed values: undef, or a non-empty array of non-negative integers up to and include 65535

  • example: [31415, 62832]

  • default: undef

address
  • abstract: restrict matches to connections originating from specific address

  • allowed values: undef, or a non-empty array of structures. A structure has either the keys ipv4_address_octets and cidr_mask, or ipv6_address_words and cidr_mask. With ipv4_address_octets, cidr_mask may be a non-negative integer up to and including 32; with ipv6_address_words, up to and including 128. ipv4_address_octets has to be an array of four integers ranging from 0 to 255; ipv6_address_words has to be an array of eight integers ranging from 0 to 0xFFFF.

  • example: [{ipv4_address_octets => [10,0,0,0], cidr_mask => 8}]

  • default: undef

policy
  • abstract: the policy associated with matched connections

  • required value: a reference to an openssh_server::policy resource

  • example: Openssh_server::Policy['weak_security']

  • default: undef

openssh_server::policy

This resource type does nothing. It just exists to create a scope for variables.

It accepts a limited subset of the base class's parameters, with the same types.
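The following is an added example (not from the module's examples/ directory) of the match/policy mechanism: public keys are required from everywhere, but members of an internal group may additionally use a password when they connect from the internal network. The resource titles, the group ops and the 10.0.0.0/8 network are illustrative. One assumption has to be stated: this README says openssh_server::policy takes a limited subset of the base class parameters with the same types but does not list them, so the example assumes password_authentication and authentication_methods are among them.

```puppet
# Added example (not from the module's examples/): keys only by default,
# password login additionally allowed for group 'ops' from 10.0.0.0/8.
# Illustrative: resource titles, the group 'ops', the network.
# ASSUMPTION: openssh_server::policy accepts password_authentication and
# authentication_methods; the README only says it takes a subset of the
# base class parameters with the same types, without listing them.
#
# The match and policy types exist only to create a scope for variables,
# so they are declared before the class that references them.
openssh_server::policy { 'internal_password_ok':
  password_authentication => true,
  # either a key alone or a password alone completes authentication
  authentication_methods  => [[{method => 'publickey'}], [{method => 'password'}]],
}

openssh_server::match { 'ops_from_internal_net':
  # sshd Match semantics: every listed criterion must hold (group AND source address)
  group   => ['ops'],
  address => [{ipv4_address_octets => [10, 0, 0, 0], cidr_mask => 8}],
  policy  => Openssh_server::Policy['internal_password_ok'],
}

class { 'openssh_server':
  manage_sshd_config      => true,
  permit_root_login       => false,
  password_authentication => false,                  # global default: keys only
  authentication_methods  => [[{method => 'publickey'}]],
  match                   => [Openssh_server::Match['ops_from_internal_net']],
}
```

A Match block overrides only the keywords set inside it, and only for connections that satisfy all of its criteria; every other keyword keeps the global value, so in this example root stays locked out even from 10.0.0.0/8. To confirm what a given client would get without connecting, run sshd -T -C user=alice,addr=10.1.2.3,host=alice.example,laddr=10.0.0.5,lport=22 on the server and check the PasswordAuthentication and AuthenticationMethods lines it prints.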

limitations

  • Only one openssh-server instance can be managed. Since there are several ways to run multiple sshds on a single host, this module will not be extended in that direction; you would probably want to realize that differently anyway.

  • This module does not provide a way to uninstall openssh-server.

  • As a limitation of what can be modelled in the Puppet language, a change to sshd_config always triggers a restart. You can explicitly specify a restart command such as /etc/init.d/ssh reload, but that is not best practice (compare PUP-1054).

  • During development the author observed that Service['sshd'] (the Puppet resource) does not fail when sshd has a faulty sshd_config. sshd_config_validate_cmd should catch this case now.

  • This module does not manage sshd_enable, sshd_program, or sshd_flags on FreeBSD platforms.

  • This module does not manage an sshd-specific PAM (pluggable authentication module) stack.

  • On systemd systems, specifying a listen_address may result in sshd(8) not starting at boot: systemd starts the ssh service before all network interfaces are configured, and OpenSSH refuses to start if no interface carries the specified listen address. The systemd maintainers consider this correct behaviour on their side and regard OpenSSH's handling of not-yet-present addresses as the buggy part.

development

  • drop me a line, if you'd like to improve this module: Kai Burghardt <wiz:KaiBurghardt.de>

to do:

  • tweak the template so in commentary mode it prints only comments/separating newlines where necessary
  • YARD
  • appoint people who care about support of their favorite OS