openssh_server

Installs and configures openssh-server. Provides tasks.

Kai Burghardt (kb)

6,949 downloads (4,885 of the latest version); quality score 2.4

Version information

  • 0.0.3 (latest), released Jan 21st 2018
  • 0.0.2
  • 0.0.1

Version 0.0.3 is compatible with:
  • Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 5.0.0
  • Debian, Ubuntu

Tasks:
  • test


Tags: openssh, sshd, ssh

Documentation

kb/openssh_server — version 0.0.3 Jan 21st 2018

openssh_server

table of contents

  1. overview
  2. module description – what the module does and why it is useful
  3. setup – the basics of getting started with openssh_server
  4. usage – configuration options and additional functionality
  5. reference – an under-the-hood peek at what the module is doing and how
  6. limitations – OS compatibility, et cetera
  7. development – guide for contributing to the module

overview

This module handles an openssh-server.

module description

This module installs, configures, and starts the openssh-server.

setup

what openssh_server affects

  • Package['openssh_server'] (optional)
  • File['openssh_server_preseed'] (optional)
  • File['sshd_config'] (optional)
  • File['sshd_no_start'] (optional)
  • Service['sshd'] (optional)

setup requirements

You need at least Puppet (PP) 4.2.

beginning with openssh_server

Ensure the openssh-server package is present and the sshd(8) service is running. Since manage_sshd_config defaults to false, this leaves the distribution's sshd_config in place:

class ssh_server {
    class { 'openssh_server':
    }
}

usage

See examples/.
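The examples/ directory is not reproduced on this page. What follows is an added example, written for this edit and not taken from the module, of a key-only, hardened sshd_config rendered through this module using only parameters from the reference section below. The group name sshusers, the ed25519 host key path, and the premise that the listed kex, cipher and MAC names are on the module's accepted lists (the module checks them against the ssh -Q output of the author's OpenSSH) are assumptions for illustration.

```puppet
# Added example (not from the module's examples/ directory): a hardened
# sshd_config managed by kb/openssh_server 0.0.3. Parameter names and value
# shapes follow the reference section; 'sshusers' and the ed25519 key path
# are assumptions.
class profile::ssh_server {
  class { 'openssh_server':
    # take over /etc/ssh/sshd_config; the default leaves the distro file alone
    manage_sshd_config       => true,
    # every change is syntax-checked with `sshd -t -f <tmpfile>` before it lands
    sshd_config_validate_cmd => '/usr/sbin/sshd -t -f %',
    sshd_ensure              => 'running',
    sshd_enable              => true,

    # listen on IPv4 only, port 22, protocol 2 only
    address_family           => 'inet',
    port                     => [22],
    protocol                 => [2],
    host_key                 => ['/etc/ssh/ssh_host_ed25519_key',
                                 '/etc/ssh/ssh_host_rsa_key'],

    # authentication: keys only, no root, no passwords, few attempts
    permit_root_login        => false,
    pubkey_authentication    => true,
    password_authentication  => false,
    challenge_response_auth  => false,
    permit_empty_passwords   => false,
    use_pam                  => true,
    max_auth_tries           => 3,
    login_grace_time         => 30,
    allow_groups             => ['sshusers'],
    # throttle unauthenticated connections: 10 at once, 30% drop rate above that, all refused at 60
    max_startups             => { start => 10, rate => 30, full => 60 },

    # no forwarding or tunnelling unless a Match block re-enables it
    allow_tcp_forwarding     => false,
    allow_agent_forwarding   => false,
    x11_forwarding           => false,
    permit_tunnel            => false,
    permit_user_environment  => false,

    # modern algorithms only; each name must appear in `ssh -Q kex|cipher|mac`
    kex_algorithms           => ['curve25519-sha256@libssh.org'],
    ciphers                  => ['chacha20-poly1305@openssh.com',
                                 'aes256-gcm@openssh.com',
                                 'aes256-ctr'],
    macs                     => ['hmac-sha2-512-etm@openssh.com',
                                 'hmac-sha2-256-etm@openssh.com'],

    # idle sessions are dropped after 3 x 300 s without a client response
    client_alive_interval    => 300,
    client_alive_count_max   => 3,
    log_level                => 'VERBOSE',
    subsystem                => [{ name => 'sftp', command => '/usr/lib/openssh/sftp-server' }],
  }
}
```

Because manage_sshd_config defaults to false, none of the sshd_config(5) parameters take effect until it is set to true; the distribution's file stays untouched otherwise. With sshd_config_validate_cmd left at its default, each run validates the candidate file with sshd -t before replacing the real one, so a typo in a value fails the Puppet run instead of leaving an sshd that cannot restart.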

reference

classes

public classes

  • openssh_server: the base class
  • openssh_server::params: holds defaults for the base class

private classes

  • openssh_server::install: performs the installation
  • openssh_server::config: distributes the configuration files
  • openssh_server::service: manages the Service['sshd']

parameters

Structured overview:


openssh_server_package_name
  • abstract: the name of the package to install

  • behavior:

    • any string: the package gets installed (or updated, see latest_instead_of_present)

    • undef: Package['openssh_server'] isn't managed by this module

  • allowed values: a string or undef

  • default: undef on FreeBSD, 'openssh-server' everywhere else


latest_instead_of_present
  • abstract: whether to ensure Package['openssh_server'] to be latest instead of just present

  • behavior

    • true: Package['openssh_server'] becomes latest

    • false: Package['openssh_server'] becomes present

  • accepted values: true and false

  • default value: false


manage_openssh_server_preseed
  • abstract: whether File['openssh_server_preseed'] is managed

  • behavior:

    • false: File['openssh_server_preseed'] isn't managed

    • true: a proper preseed (responsefile) gets created at preseed_path. The only known preseedable value is permit_root_login; the value of the class parameter of the same name is written into the preseed file.

  • allowed values: true and false

  • default: true on Debian systems, false everywhere else


preseed_path
  • abstract: File['openssh_server_preseed']['path']

  • allowed values: a non-empty string

  • default: '/var/cache/debconf/openssh_server.preseed'


preseed_validate_cmd
  • abstract: how to validate the preseed file

  • note: as far as I've seen debconf-set-selections(1) checks for syntax errors only. Specifying a string for a boolean setting doesn't seem to be caught.

  • allowed values: any string or undef

  • default: '/usr/bin/debconf-set-selections --verbose --checkonly %'


preseed_validate_replace
  • abstract: the character to replace with the path to the temporary new contents file

  • allowed values: any string or undef

  • default: '%'


manage_sshd_config
  • abstract: whether this module manages File['sshd_config']

  • allowed values: true and false

  • default: false


sshd_config_path
  • abstract: File['sshd_config']['path']

  • allowed values: a non-empty string

  • default: '/etc/ssh/sshd_config'


sshd_config_mode
  • abstract: the file permissions of File['sshd_config']

  • behavior

    • any string: the specified mode is ensured

    • undef: the file mode is left unmanaged

  • allowed values: any string or undef

  • default: '0644'


sshd_config_owner
  • abstract: the file owner of File['sshd_config']

  • allowed values: any string, a non-negative integer, or undef

  • default: 'root' on Debian and FreeBSD systems, 0 (the integer) everywhere else


sshd_config_group
  • abstract: the group of File['sshd_config']

  • allowed values: any string, a non-negative integer, or undef

  • default value: 'root' on Debian platforms, 'wheel' on FreeBSD platforms, 0 anywhere else


sshd_config_template
  • abstract: sshd_config is rendered by template()

  • acceptable values: a non-empty string

  • see also: the default template uses sshd_config_preamble

  • default: 'openssh_server/sshd_config.erb'


sshd_config_validate_cmd
  • abstract: a syntax validation command for sshd_config(5)

  • behavior:

    • any string: the specified command validates the new sshd_config

    • undef: no validation is performed. sshd(8) refuses to start with a faulty configuration file. However, I have experienced Service['sshd'] reporting a successful start anyway. Ergo, you definitely want to validate.

  • allowed values: any string, and undef

  • default value: '/usr/sbin/sshd -t -f %'


sshd_config_validate_replace
  • abstract: the character replaced in sshd_config_validate_cmd with the temporary new content file

  • allowed values: any string, and undef

  • default: '%'


sshd_ensure
  • abstract: Service['sshd']['ensure']

  • behavior:

    • undef: this module doesn't manage Service['sshd']

    • 'running': Service['sshd']['ensure'] = 'running'

    • 'stopped': Service['sshd']['ensure'] = 'stopped'

  • allowed values: 'running', 'stopped' and undef

  • default: 'running'


sshd_enable
  • abstract: Service['sshd']['enable']

  • note: requires Service['sshd'] to be managed by this module, compare sshd_ensure

  • allowed values: 'manual', 'mask', true, false, and undef

  • default: true


no_start_file_ensure
  • abstract: how to deal with /etc/ssh/sshd_not_to_be_run

  • behavior

    • 'present': the file is created, using the same mode, owner, and group as sshd_config. The file is created before Service['sshd'] is managed. Both the Debian init script and the ssh.service unit treat this file as "do not start" and return success without launching sshd, so sshd_ensure => 'running' does not emit an error even though no daemon is listening. See /etc/init.d/ssh or /lib/systemd/system/ssh.service for details.

    • 'absent': ensure the no-start-file isn't there

    • undef: neither delete or touch(1) the no-start-file

  • allowed values: 'present', 'absent' and undef

  • default value: 'absent' (unconditionally!)


sshd_config_commentary_track
  • abstract: whether comments and empty lines are filtered from the default sshd_config template

  • behavior:

    • false: all lines of the content body starting with a hash are filtered, as well as empty lines

    • true: comments and structuring empty lines remain in place (the default template currently gives an odd look, if not all [or at least most] parameters are used)

  • allowed values: true and false

  • default: true


sshd_config_preamble
  • abstract: specifies a preamble template() for sshd_config

  • behavior

    • any non-empty string: the default template sshd_config_template includes the specified template.

    • undef: the default template does not include a preamble

  • allowed values: any non-empty string, and undef

  • default: openssh_server/sshd_config_preamble.erb


address_family
  • abstract: see AddressFamily in sshd_config(5)

  • allowed values: 'any', 'inet', 'inet6', and undef

  • default: undef


port
  • abstract: see Port in sshd_config(5) and -p in sshd(8)

  • allowed values: a non-empty array of integers ∊ [0, 65535], or undef

  • default: undef


listen_address
  • abstract: compare ListenAddress in sshd_config(5)

  • allowed values: a non-empty array of the following structure: {host => …, port => Optional[…]} or undef. host can be an array of four integers ∊ [0, 255], or an array of eight integers ∊ [0x0000, 0xFFFF], or a non-empty string of non-blank characters. port can be an integer ∊ [0, 65535].

  • example: [{host => [10, 11, 12, 13], port => 65432}] (illustrative; adapt to your site)

  • default: undef


gateway_ports
  • abstract: see GatewayPorts in sshd_config(5)

  • allowed values: true, false, 'clientspecified' or undef

  • default: undef


max_startups
  • abstract: see MaxStartups in sshd_config(5)

  • allowed values:

    • a non-negative integer

    • a hash of the structure {start => Integer[0], rate => Integer[0], full => Integer[0]}

    • undef

  • default: undef


protocol
  • abstract: see Protocol in sshd_config(5)

  • note: server-side support for SSH protocol 1 was removed in OpenSSH 7.4, so on any current server only [2] is meaningful

  • allowed values: a non-empty array of integers ∊ [1, 2], and undef

  • example: [2]

  • default: undef


max_sessions
  • abstract: see MaxSessions in sshd_config(5)

  • accepted values: any non-negative integer, and undef

  • default value: undef


host_key
  • abstract: see HostKey in sshd_config(5) and -h in sshd(8)

  • allowed values: a non-empty array of strings, containing no blanks, and not ending on a slash /, or, alternatively, undef

  • example: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']

  • default: undef


host_certificate
  • abstract: see HostCertificate in sshd_config(5)

  • allowed values: as for host_key

  • default: undef


banner
  • abstract: see Banner in sshd_config(5)

  • allowed values: a string containing no blanks and not ending on a slash /, or undef

  • default: undef


debian_banner
  • abstract: see DebianBanner in sshd_config(5)

  • allowed values: true, false, and undef

  • default value: undef


version_addendum
  • abstract: see VersionAddendum in sshd_config(5)

  • allowed values: a word in the ASCII character set, or undef

  • default: undef


host_key_agent
  • abstract: see HostKeyAgent in sshd_config(5)

  • allowed values: a non-empty string containing no blanks, or undef

  • default: undef


password_authentication
  • abstract: see PasswordAuthentication in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


pubkey_authentication
  • abstract: see PubkeyAuthentication in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


kerberos_authentication
  • abstract: see KerberosAuthentication in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


gssapi_authentication
  • abstract: see GSSAPIAuthentication in sshd_config(5)

  • accepted values: true, false, undef

  • default: undef


challenge_response_auth
  • abstract: see ChallengeResponseAuthentication in sshd_config(5)

  • honored values: true, false, and undef

  • default value: undef


use_pam
  • abstract: see UsePAM in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


hostbased_authentication
  • abstract: see HostbasedAuthentication in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


kbd_interactive_auth
  • abstract: see KbdInteractiveAuthentication in sshd_config(5)

  • allowed values: true, false, and undef

  • default value: undef


rhosts_rsa_authentication
  • abstract: see RhostsRSAAuthentication in sshd_config(5)

  • note: applies to SSH protocol 1 only

  • allowed values: true, false, and undef

  • default: undef


rsa_authentication
  • abstract: see RSAAuthentication in sshd_config(5)

  • note: applies to SSH protocol 1 only; protocol 2 public-key authentication is controlled by pubkey_authentication

  • allowed values: true, false, and undef

  • default: undef


authentication_methods
  • abstract: see AuthenticationMethods in sshd_config(5)

  • allowed values: a non-empty array of non-empty arrays of the following structure: {method => …, device => Optional[…]} where method is a word in the ASCII character set, and optionally device is a word in the ASCII character set. Alternatively undef.

  • semantics: each inner array becomes one comma-separated list in the rendered directive; a login succeeds once every method of at least one inner list has completed, so the example below requires a public key plus either a password or keyboard-interactive

  • example: [[{method => 'publickey'}, {method => 'password'}], [{method => 'publickey'}, {method => 'keyboard-interactive'}]] (illustrative; adapt to your site)

  • default: undef


permit_root_login
  • abstract: see PermitRootLogin in sshd_config(5)

  • allowed values: true, false, 'without-password', 'forced-commands-only', and undef

  • default: undef


deny_users
  • abstract: see DenyUsers in sshd_config(5)

  • acceptable values: a non-empty array of non-empty strings, without any blanks, or undef

  • example: ['*']

  • default: undef


allow_users
  • abstract: compare AllowUsers in sshd_config(5)

  • allowed values: see deny_users

  • example: ['ernie', 'bert']

  • default: undef


deny_groups
  • abstract: see DenyGroups in sshd_config(5)

  • acceptable values: a non-empty array of non-empty strings, containing no blanks, or just undef

  • example: ['*']

  • default: undef


allow_groups
  • abstract: see AllowGroups in sshd_config(5)

  • allowed values: see deny_groups

  • example: ['support', 'staff']

  • default: undef


use_privilege_separation
  • abstract: see UsePrivilegeSeparation in sshd_config(5) and compare § “files” in sshd(8)

  • allowed values: true, false, 'sandbox' and undef

  • default: undef


use_dns
  • abstract: see UseDNS in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


max_auth_tries
  • abstract: see MaxAuthTries in sshd_config(5)

  • allowed values: a non-negative integer or undef

  • default: undef


strict_modes
  • abstract: see StrictModes in sshd_config(5)

  • allowed values: true, false and undef

  • default: undef


login_grace_time
  • abstract: see LoginGraceTime in sshd_config(5) and -g in sshd(8)

  • accepted values: a non-negative integer, and undef

  • default: undef


use_login
  • abstract: see UseLogin in sshd_config(5) for more information

  • allowed values: true, false or undef

  • default: undef


permit_empty_passwords
  • abstract: compare PermitEmptyPasswords in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


pubkey_accepted_key_types
  • abstract: see PubkeyAcceptedKeyTypes in sshd_config(5)

  • allowed values: a non-empty array of non-empty strings, containing no blanks or commas, or just undef

  • example: ['ssh-ed25519*', 'ecdsa*']

  • default value: undef

trusted_user_ca_keys
  • abstract: see TrustedUserCAKeys in sshd_config(5) for more details

  • allowed values: a non-empty string of non-blank characters, and not ending on a slash, or undef

  • default: undef


authorized_principals_file
  • abstract: see AuthorizedPrincipalsFile in sshd_config(5)

  • allowed values: undef, or an absolute path to a file, or a path starting with either '%h' or '~'. Neither variant may contain blanks or end on a slash.

  • defaults to: undef


authorized_principals_cmd
  • abstract: see AuthorizedPrincipalsCommand in sshd_config(5)

  • allowed values: undef or a string starting with a slash (not containing any blanks) and optionally followed by a space and then containing anything but newlines.

  • example: '/usr/local/sbin/sshdapc %u'

  • default: undef


authorized_principals_cmd_uid
  • abstract: see AuthorizedPrincipalsCommandUser in sshd_config(5)

  • allowed values: a non-empty string containing no blanks, or undef

  • example: 'lu' (local user [the default user I create at my site])

  • default: undef


kerberos_get_afs_token
  • abstract: see KerberosGetAFSToken in sshd_config(5) for details

  • allowed values: true, false, and undef

  • default value: undef


kerberos_or_local_passwd
  • abstract: see KerberosOrLocalPasswd in sshd_config(5)

  • allowed values: true, false, and undef

  • default value: undef


kerberos_ticket_cleanup
  • abstract: see KerberosTicketCleanup in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


gssapi_key_exchange
  • abstract: see GSSAPIKeyExchange in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


gssapi_strict_acceptor_check
  • abstract: see GSSAPIStrictAcceptorCheck in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


gssapi_store_creds_on_rekey
  • abstract: see GSSAPIStoreCredentialsOnRekey in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


gssapi_cleanup_credentials
  • abstract: compare GSSAPICleanupCredentials in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


hostbased_accepted_key_types
  • abstract: see HostbasedAcceptedKeyTypes in sshd_config(5)

  • allowed values: undef or a non-empty array of non-empty strings containing no blanks or commas

  • default: undef


hostbased_uses_name_fr_packet
  • abstract: see HostbasedUsesNameFromPacketOnly in sshd_config(5)

  • allowed values: true, false, and undef

  • default value: undef


ignore_rhosts
  • abstract: see IgnoreRhosts in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


ignore_user_known_hosts
  • abstract: see IgnoreUserKnownHosts in sshd_config(5)

  • allowed values: undef, false, and true

  • default: undef


print_motd
  • abstract: see PrintMotd in sshd_config(5) and §§ “login process” and “files” in sshd(8)

  • allowed values: true, false, and undef

  • default: undef


print_last_log
  • abstract: compare PrintLastLog in sshd_config(5) and § “login process” in sshd(8)

  • allowed values: true, false, and undef

  • default: undef


chroot_directory
  • abstract: see ChrootDirectory in sshd_config(5)

  • accepted values: undef, or a non-empty string containing no blanks and ending on a slash /

  • example: '/opt/mailbox_read_env/'

  • default: undef


ciphers
  • abstract: see Ciphers in sshd_config(5)

  • allowed values: undef or a non-empty array of strings taken from what ssh -Q cipher lists on my version of OpenSSH

  • example: ['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'arcfour256', 'arcfour128', 'arcfour']

  • note: the arcfour* entries in that example are RC4, a broken stream cipher; on a server you control, list only AEAD and CTR modes (chacha20-poly1305@openssh.com, aes*-gcm@openssh.com, aes*-ctr) and leave arcfour out

  • default: undef


kex_algorithms
  • abstract: see KexAlgorithms in sshd_config(5)

  • allowed values: undef or a non-empty array of strings taken from what ssh -Q kex lists on my version of OpenSSH

  • example: ['ecdh-sha2-nistp521', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256', 'curve25519-sha256@libssh.org']

  • default: undef


rekey_limit
  • abstract: see RekeyLimit in sshd_config(5)

  • accepted values: undef or a hash of the following structure: {maximum_transmitted_bytes => …, maximum_seconds_elapsed => Optional[…]} where maximum_transmitted_bytes is either a non-negative integer, or the string 'default'. The optional maximum_seconds_elapsed can be a non-negative integer, or the string 'none'.

  • example: {maximum_transmitted_bytes => 'default', maximum_seconds_elapsed => 3593} (illustrative; adapt to your site)

  • default: undef


ipqos
  • abstract: confer IPQoS in sshd_config(5)

  • allowed values: undef or a hash of the following structure: {interactive_sessions => …, non_interactive_sessions => …} Both interactive_sessions and non_interactive_sessions have to be either an integer ∊ [0, 255], or one of the QoS names from the man page, as a string.

  • example: {interactive_sessions => 'lowdelay', non_interactive_sessions => 'throughput'}

  • default: undef


compression
  • abstract: look up Compression in sshd_config(5)

  • allowed values: true, false, 'delayed', and undef

  • default: undef


macs
  • abstract: read MACs in sshd_config(5)

  • allowed values: undef or a non-empty array of strings taken from what ssh -Q mac lists on my version of OpenSSH

  • default: undef


force_command
  • abstract: see ForceCommand in sshd_config(5)

  • allowed values: undef or a non-empty string containing no newlines

  • default: undef


accept_env
  • abstract: compare AcceptEnv in sshd_config(5)

  • allowed values: undef or a non-empty array of non-empty strings containing no blanks

  • example: ['LANG', 'LC_*']

  • default: undef


permit_user_environment
  • abstract: see PermitUserEnvironment in sshd_config(5)

  • accepted values: true, false, and undef

  • default: undef


permit_tty
  • abstract: see PermitTTY in sshd_config(5)

  • allowed values: true, false and undef

  • default: undef


subsystem
  • abstract: see Subsystem in sshd_config(5)

  • allowed values: undef or a non-empty array of hashes having the following structure: {name => …, command => …, arguments => Optional[…]} where name has to be a word out of the ASCII character set. command has to be string starting with a slash /, containing no blanks, and must not end on a slash. arguments is an optional non-empty array of non-empty strings containing no blanks

  • example: [{name => 'sftp', command => '/usr/lib/openssh/sftp-server'}] (illustrative; adapt to your site)

  • default: undef


permit_tunnel
  • abstract: see PermitTunnel in sshd_config(5)

  • allowed values: true, false, 'point-to-point', 'ethernet', and undef

  • default: undef


allow_agent_forwarding
  • abstract: see AllowAgentForwarding in sshd_config(5)

  • allowed values: true, false, and undef

  • default value: undef


allow_tcp_forwarding
  • abstract: see AllowTcpForwarding in sshd_config(5)

  • allowed values: true, false, 'all', 'local', 'remote', and undef

  • default: undef


permit_open
  • abstract: see PermitOpen in sshd_config(5)

  • allowed values:

    • undef

    • 'any',

    • 'none'

    • a non-empty array of hashes with the following structure: {host => …, port => …} where host is either an array of four integers ∊ [0, 255], or an array of eight integers ∊ [0x0000, 0xFFFF], or a non-empty string containing neither blanks nor colons :. port has to be an integer ∊ [0, 65535].

  • default: undef


allow_stream_local_forwarding
  • abstract: see AllowStreamLocalForwarding in sshd_config(5)

  • allowed values: true, false, 'all', 'local', 'remote', or undef

  • default: undef


stream_local_bind_mask
  • abstract: see StreamLocalBindMask in sshd_config(5)

  • allowed values: undef or a string of four octal digits

  • default: undef


stream_local_bind_unlink
  • abstract: see StreamLocalBindUnlink in sshd_config(5)

  • allowed values: true, false, undef

  • default: undef


x11_forwarding
  • abstract: see X11Forwarding in sshd_config(5)

  • acceptable value: true, false, and undef

  • default: undef


x_auth_location
  • abstract: see XAuthLocation in sshd_config(5)

  • allowed values: undef, or 'none', or a string starting with a slash /, but not ending on a slash, and containing no blanks

  • default: undef


x11_use_localhost
  • abstract: see X11UseLocalhost in sshd_config(5)

  • honored values: true, false, and undef

  • default: undef


x11_display_offset
  • abstract: see X11DisplayOffset in sshd_config(5)

  • allowed values: undef or a non-negative integer

  • default: undef


tcp_keep_alive
  • abstract: see TCPKeepAlive in sshd_config(5)

  • allowed values: true, false, and undef

  • default: undef


client_alive_interval
  • abstract: see ClientAliveInterval in sshd_config(5)

  • allowed values: undef or a non-negative integer

  • default: undef


client_alive_count_max
  • abstract: see ClientAliveCountMax in sshd_config(5) for details

  • allowed values: undef or a non-negative integer

  • default: undef


key_regeneration_interval
  • abstract: compare KeyRegenerationInterval in sshd_config(5) and -k in sshd(8)

  • note: applies to the SSH protocol 1 ephemeral server key only

  • allowed values: undef or a non-negative integer

  • default: undef


server_key_bits
  • abstract: compare ServerKeyBits in sshd_config(5) and -b in sshd(8)

  • note: applies to SSH protocol 1 only, as above

  • allowed values: undef or an integer ∊ [512, ∞)

  • default: undef


pid_file
  • abstract: see PidFile in sshd_config(5)

  • note: the init scripts have the path to the PID file hard-coded. Changing this value might break Service['sshd'] as defined in openssh_server::service. You'll probably want to set sshd_ensure => undef, too, and perform service management on your own (e.g. via your own systemd unit file)

  • allowed values: an absolute path string to a file (not ending with a slash, and not containing any blanks), or 'none' or undef

  • default: undef


syslog_facility
  • abstract: see SyslogFacility in sshd_config(5)

  • allowed values: 'DAEMON', 'USER', 'AUTH', 'LOCAL0', 'LOCAL1', 'LOCAL2', 'LOCAL3', 'LOCAL4', 'LOCAL5', 'LOCAL6', 'LOCAL7', and undef

  • default value: undef


log_level
  • abstract: see LogLevel in sshd_config(5)

  • behavior: According to sshd_config(5) the default logging level is 'INFO'. According to sshd(8) (see -q) beginning, authentication and termination of each connection is logged.

  • acceptable values: 'QUIET', 'FATAL', 'ERROR', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3', 'INFO' and undef

  • default: undef


fingerprint_hash
  • abstract: see FingerprintHash in sshd_config(5)

  • acceptable values: 'md5', 'sha256' and undef

  • default: undef


match
  • abstract: apply settings to specific sort of connections only

  • acceptable values: undef, or a non-empty array of openssh_server::match resources

  • default: undef

types

openssh_server::match

This resource type does nothing. It just exists to create a scope for variables.

All attributes but policy describe the conditions an associated openssh_server::policy applies to; a connection must satisfy every condition given on one match (they are combined with AND, as on a Match line in sshd_config(5)).

If you do not specify any condition attributes, Match All is implied.

user
  • abstract: restrict matches to user names

  • allowed values: undef, or a non-empty array of non-empty strings containing no blanks or commas

  • example: ['service_user', 'puppet']

  • default: undef

group
  • abstract: restrict matches to users' groups

  • allowed values: undef, or a non-empty array of non-empty strings containing no blanks nor commas

  • example: ['wheel']

  • default: undef

host
  • abstract: restrict matches to host names

  • allowed values: undef, or a non-empty array of non-empty strings containing no blanks nor commas

  • example: ['*.int.acme.tld']

  • default: undef

local_address
  • abstract: restrict matches to the local address the connection arrived on

  • This condition especially makes sense, if your sshd listens on multiple ListenAddresses

  • allowed values: undef, or a non-empty array of arrays. The inner arrays can be either arrays of four integers ranging from zero to 255, or arrays of eight integers ranging from zero to 0xFFFF

  • example: [[10,4,8,3]]

  • default: undef

local_port
  • abstract: restrict matches to incoming ports

  • this condition especially makes sense, if your sshd(8) listens on multiple Ports

  • allowed values: undef, or a non-empty array of non-negative integers up to and include 65535

  • example: [31415, 62832]

  • default: undef

address
  • abstract: restrict matches to connections originating from specific addresses or networks

  • allowed values: undef, or a non-empty array of structures. Structures may either have the keys ipv4_address_octets and cidr_mask, or ipv6_address_words and cidr_mask. In case they have ipv4_address_octets, cidr_mask may be a non-negative integer up to and including 32. In case they have ipv6_address_words, cidr_mask may be a non-negative integer up to and including 128. ipv4_address_octets has to be an array of four integers ranging from zero to 255. ipv6_address_words has to be an array of eight integers ranging from zero to 0xFFFF.

  • example: [{ipv4_address_octets => [10,0,0,0], cidr_mask => 8}]

  • default: undef

policy
  • abstract: the policy associated with matched connections

  • required value: a reference to an openssh_server::policy resource

  • example: Openssh_server::Policy['weak_security']

  • default: undef

openssh_server::policy

This resource type does nothing. It just exists to create a scope for variables.

It accepts a limited subset of the openssh_server class parameters, which have the same types as in the class.
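
As an added example (not the module's own code) of the match/policy pair: password logins for one group from the internal network only, while the global configuration stays key-only. This README says openssh_server::policy accepts a subset of the class parameters but does not list them, so using password_authentication on the policy, and passing resource references in the class's match array, are assumptions to verify against the module's manifests/policy.pp and manifests/init.pp. The group name helpdesk and the 10.0.0.0/8 network are made up.

```puppet
# Added example (not from the module). ASSUMPTIONS: openssh_server::policy
# takes password_authentication (the README only says "a subset of the class
# parameters"), and the class's match parameter takes resource references.
openssh_server::policy { 'helpdesk_passwords':
  password_authentication => true,
}

# Both conditions must hold: member of group 'helpdesk' AND connecting from
# 10.0.0.0/8. Renders roughly as
#   Match Group helpdesk Address 10.0.0.0/8
#       PasswordAuthentication yes
openssh_server::match { 'helpdesk_from_lan':
  group   => ['helpdesk'],
  address => [{ ipv4_address_octets => [10, 0, 0, 0], cidr_mask => 8 }],
  policy  => Openssh_server::Policy['helpdesk_passwords'],
}

class { 'openssh_server':
  manage_sshd_config      => true,
  # global section: keys only; the Match block above is the single exception
  pubkey_authentication   => true,
  password_authentication => false,
  match                   => [Openssh_server::Match['helpdesk_from_lan']],
}
```

In the rendered sshd_config the Match line comes after all global keywords. sshd(8) applies the block only when every criterion on the line holds, and when several Match blocks apply to one connection, the first one that sets a given keyword wins, so order your matches from most to least specific.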

limitations

  • Only one openssh-server instance can be managed. Since there are several ways to run multiple sshds on a single host, this module won't be enhanced in this direction; you'd probably want to realize that differently anyway.

  • This module does not provide a way to uninstall openssh-server.

  • As a limitation of what can be modeled in the PP language, a change to sshd_config always triggers a restart. Though you can explicitly specify a restart command, e.g. /etc/init.d/ssh reload, that's definitely not best practice (compare PUP-1054).

  • During development I experienced that Service['sshd'] (the PP resource) does not fail if it has a faulty sshd_config. sshd_config_validate_cmd should catch this case now.

  • This module does not manage the rc.conf(5) variables sshd_enable, sshd_program, or sshd_flags on FreeBSD platforms.

  • This module does not manage an sshd-specific PAM (pluggable authentication module) stack.

  • On systemd hosts, specifying a listen_address can result in sshd(8) not starting at boot: systemd starts the ssh service before all network interfaces are configured, and the OpenSSH server refuses to start if no interface has the specified listen_address yet. The systemd side's position is that they are doing everything right and that such situations are caused by buggy implementations, i.e. that OpenSSH's handling of networking is what is buggy.

development

  • drop me a line, if you'd like to improve this module: Kai Burghardt <wiz:KaiBurghardt.de>

to do:

  • tweak the template so in commentary mode it prints only comments/separating newlines where necessary
  • YARD
  • appoint people who care about support of their favorite OS