Forge Home


Puppet OpenSSH Module


9,952 latest version

3.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.30 (latest)
  • 1.0.29
  • 1.0.28
  • 1.0.27
  • 1.0.25
  • 1.0.24
  • 1.0.23
  • 1.0.22
  • 1.0.21
  • 1.0.20
  • 1.0.19
  • 1.0.18
  • 1.0.17
  • 1.0.16
  • 1.0.15
  • 1.0.14
  • 1.0.13
  • 1.0.12
  • 1.0.11
  • 1.0.10
  • 1.0.9
  • 1.0.8
  • 1.0.7
  • 1.0.6
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0
released Mar 3rd 2014

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'pennycoders-openssh', '1.0.30'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add pennycoders-openssh
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install pennycoders-openssh --version 1.0.30

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



pennycoders/openssh — version 1.0.30 Mar 3rd 2014


Build Status

####Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with openssh
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module


This manages the OpenSSH server.

##Module Description

This manages the configuration of the OpenSSH server. It's defaults fall in line with the CIS Benchmarks and USGCB benchmarks for ssh servers (as an aside the USGCB link has puppet module downloads. They are... sub-optimal and shouldn't actually be used). As such the defaults are pretty strict and may need adjustment.


###What openssh affects

  • Install openssh-server and dependencies, which will include openssh-client
  • Manage the sshd_config file

###Setup Requirements

Currently has no requirements nor dependencies on other modules.

###Beginning with openssh

A simple include 'openssh' will suffice.


All configuration is done in the main openssh class. See Reference for a list of options.


Hopefully a complete list of parameters that can be set. These can be set with hiera using openssh::VAR_NAME or set when invoking a class.

  • port - Port it runs on, default 22
  • permit_root_login - Allow root user to login, default 'no'
  • log_level - Logging level, default 'INFO'
  • x11_forwarding - Permit X11 forwarding, default 'no'
  • max_auth_tries - Number of tries before dropping connection, default 4
  • password_authentication - Allow the use of passwords to login. Disable this if you only use ssh keys. Default 'yes'
  • ciphers - List of ssh ciphers to support, defaults to counter based ciphers
  • client_alive_interval - after this many seconds of no activity increment a count that's used for client_alive_count_max. Default is 300 (ie 5 minutes). Setting to 0 disables this. This will probably be a commonly changed option when on dev or staging environments.
  • client_alive_count_max - when client_alive_interval is reached this many times, drop the connection. Default is 0 meaning after the first time client_alive_interval is reached, drop the connection.
  • allow_users - Comma separated list of users to allow. Default is 'UNSET' which excludes this option from config.
  • deny_users - Comma separated list of users to deny. Default is 'UNSET' which excludes this option from config.
  • banner - File to display on login. Default is /etc/ Accepts 'UNSET' to not have a login banner
  • sftp_chroot - Enable sftp chroot settings. Default is false. To take advantage of this create a regular user and place them into the 'sftponly' group. They will then only be able to see their home folder.
  • config_template - The template file to use for sshd_config. This is determined by the module and doesn't need to be set.
  • service_name - Name of service. Determined by module.
  • service_ensure - What state should this be in. Default is running
  • service_enable - Should the service be enabled. Default is true
  • package_name - Name of package to install. Determined by module.
  • package_ensure - State of the openssh package. Default is present


Currently testing has been limited to Ubuntu 12.04 and CentOS 5 and 6. Should work with any debian or redhat flavored OS.


  • Fork
  • create feature branch
  • make changes
  • submit pull requests