Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
- , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-ssh', '6.20.0'
Learn more about managing modules with a PuppetfileDocumentation
SSH
Table of Contents
- Module Description
- Setup
- Usage
- Limitations
- Development
- Acceptance tests
Module Description
Manages the SSH Client and Server
Setup
What ssh affects
SSH installs the SSH package, runs the sshd service and manages files primarily
in /etc/ssh
Setup requirements
The only requirement is including the ssh module in your modulepath
Beginning with SSH
include 'ssh'
Usage
Including ssh
will manage both the server and the client with reasonable
settings:
include 'ssh'
The ssh
class automatically includes both the ssh::client
and ssh:server
classes. To exclude one or both of these classes, set the appropriate parameter
to false as shown:
class{ 'ssh':
enable_client => false,
enable_server => false,
}
SSH client
Managing client settings
Including ssh::client
with no other options will automatically manage client
settings to be used with all hosts (Host *
).
If you want to customize any of these settings, you must disable the creation
of the default entry with ssh::client::add_default_entry: false
and manage
Host *
manually with the defined type ssh::client::host_config_entry
:
class{ 'ssh::client': add_default_entry => false }
ssh::client::host_config_entry{ '*':
gssapiauthentication => true,
gssapikeyexchange => true,
gssapidelegatecredentials => true,
}
Managing client settings for specific hosts
Different settings for particular hosts can be managed by using the defined
type ssh::client::host_config_entry
:
# `ancient.switch.fqdn` only understands old ciphers:
ssh::client::host_config_entry { 'ancient.switch.fqdn':
ciphers => [ 'aes128-cbc', '3des-cbc' ],
}
Managing additional client settings using ssh_config
If you need to customize a setting in /etc/ssh/ssh_config
that
ssh::client::host_config_entry
doesn't manage, use the
ssh_config
type, provided by augeasproviders_ssh:
# RequestTTY isn't handled by ssh::client::host_config_entry
# Note: RequestTTY is not a valid ssh_config setting on OpenSSH where version < 5.9
ssh_config { 'Global RequestTTY':
ensure => present,
key => 'RequestTTY',
value => 'auto',
}
Including the client by itself
include `ssh::client`
You can prevent all inclusions of ssh
from inadvertently managing the SSH
server by specifying ssh::enable_server: false
:
class{ 'ssh':
enable_client => true,
enable_server => false,
}
SSH server
Managing server settings
Including ssh::server
with the default options will manage the server with
reasonable settings for each host's environment.
include 'ssh::server'
# Alternative:
# if `ssh::enable_server: true`, this will also work
include 'ssh'
If you want to customize any ssh::server
settings, you must edit the
parameters of ssh::server::conf
using Hiera or ENC (Automatic Parameter
Lookup). These customizations cannot be made directly using a
resource-style class declaration; they must be made via APL:
---
# Note: Hiera only!
ssh::server::conf::port: 2222
ssh::server::conf::ciphers:
- 'chacha20-poly1305@openssh.com'
- 'aes256-ctr'
- 'aes256-gcm@openssh.com'
ssh::server::conf::ssh_loglevel: "verbose"
ssh::server::conf::gssapiauthentication: true
include 'ssh::server'
# Alternative:
# if `ssh::enable_server: true`, this will also work
include 'ssh'
Managing additional server settings
Using Hiera
Users may specify any undefined global sshd
settings using the
ssh::server::conf::custom_entries
parameter as follows:
---
ssh::server::conf::custom_entries:
GSSAPIKeyExchange: "yes"
GSSAPICleanupCredentials: "yes"
NOTE: This is parameter is not validated. Be careful to only specify options that are allowed for your particular SSH daemon. Invalid options may cause the ssh service to fail on restart. Duplicate settings will result in duplicate Puppet resources (i.e., manifest compilation failures).
Using sshd_config
Prior to version 6.7.0 of the simp-ssh
module, undefined sshd
settings
were managed with sshd_config
_ type, provided by
augeasproviders_ssh. Although this functionality has been
incorporated into ssh::server::conf::custom_entries
, it is still available,
and in some cases such as Match
entries, necessary to call directly.
The following examples illustrate Match
entries using sshd_config
:
Puppet:
include 'ssh::server'
sshd_config {
"AllowAgentForwarding":
ensure => present,
condition => "Host *.example.net",
value => "yes",
}
# Specify unique names to avoid duplicate declarations and compilation failures
sshd_config {
"X11Forwarding foo":
ensure => present,
keys => "X11Forwarding",
condition => "Host foo User root",
value => "yes",
}
To delete a sshd_config
entry, simply set ensure
to absent as shown:
sshd_config {
"X11Forwarding foo":
ensure => absent,
}
Including the server by itself
You can focus ssh
on managing the SSH server by itself by specifying
ssh::enable_client: false
:
class{ 'ssh':
enable_client => false,
enable_server => true,
}
Note: including ssh::client
directly would still manage the SSH client
Managing SSH ciphers
Unless instructed otherwise, the ssh::
classes select ciphers based on the OS
environment (the OS version, the version of the SSH server, whether FIPS
mode is enabled, etc).
Server ciphers
At the time of 6.4.0, the default ciphers for ssh::server
on EL7 when FIPS
mode is disabled are:
aes256-gcm@openssh.com
aes128-gcm@openssh.com
aes256-ctr
aes192-ctr
aes128-ctr
There are also 'fallback' ciphers, which are required in order to communicate
with systems that are compliant with FIPS-140-2. These are
always included by default unless the parameter
ssh::server::conf::enable_fallback_ciphers
is set to false
:
aes256-ctr
aes192-ctr
aes128-ctr
At the time of 6.4.0, the 'fallback' ciphers are the default ciphers for
ssh::server
on EL7 when FIPS mode is enabled and EL6 in either mode.
Client ciphers
By default, the system client ciphers in /etc/ssh/ssh_config
are configured
to strong ciphers that are recommended for use.
If you need to connect to a system that does not support these ciphers but uses older or weaker ciphers, you should either:
- Manage an entry for that specific host using an additional
ssh::client::host_config_entry
, or: - Connect to the client with custom ciphers specified by the command line
option,
ssh -c
- You can see a list of ciphers that your ssh client supports with
ssh -Q cipher
. - See the ssh man pages for further information.
- You can see a list of ciphers that your ssh client supports with
Either of the choices above are preferable to weakening the system-wide client settings unecessarily.
Managing ssh_authorized_keys
You can manage users authorized_keys file using the ssh::authorized_keys
class and the ssh::authorized_keys::keys
hiera value.
---
ssh::authorized_keys::keys:
kelly: ssh-rsa skjfhslkdjfs...
nick:
- ssh-rsa sajhgfsaihd...
- ssh-rsa jrklsahsgfs...
mike:
key: dlfkjsahh...
type: ssh-rsa
user: mlast
target: /home/gitlab-runner/.ssh/authorized_keys
Limitations
SIMP Puppet modules are generally intended to be used on a Red Hat Enterprise Linux-compatible distribution.
Development
Please read our Contribution Guide.
If you find any issues, they can be submitted to our JIRA.
To see a list of development tasks available for this module, run
bundle exec rake -T
Acceptance tests
To run the system tests, you need Vagrant
installed.
You can then run the following to execute the acceptance tests:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_destroy=onpass
BEAKER_provision=no
BEAKER_fips=yes
BEAKER_debug
: show the commands being run on the SUT and their output.BEAKER_destroy=onpass
prevent the machine destruction if the tests fail.BEAKER_provision=no
: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.BEAKER_fips=yes
: Provision the SUTs in FIPS mode.
Environment variables specific to pupmod-simp-ssh
SIMP_SSH_report_dir=/PATH/TO/DIRECTORY
SIMP_SSH_report_dir
: If set to a valid directory, will record the Ciphers / MACs / kexalgorithms for each SSH server during the test. This can be used to validate and update the information in the Server ciphers section.
Reference
Table of Contents
Classes
ssh
: Sets up files for ssh.ssh::authorized_keys
: Addssh_authorized_keys
via hiera in a loopssh::client
: Sets up a ssh client and creates /etc/ssh/ssh_config.ssh::client::params
: Default parameters for the SSH clientssh::server
: Sets up a ssh server and starts sshd.ssh::server::conf
: Sets up sshd_config and adds an iptables rule if iptables is being used.ssh::server::params
: Default parameters for the SSH Server
Defined types
ssh::client::host_config_entry
: Creates a host entry to ssh_config
Resource types
sshkey_prune
: The file that you wish to prune
Functions
ssh::add_sshd_config
: Add a sshd_config entry if it is not in the remove listssh::autokey
: Generates a random RSA SSH private and public key pair for a passedssh::config_bool_translate
: Translates true|false or 'true'|'false' to 'yes'|'no', respectivelyssh::format_host_entry_for_sorting
: A method to sensibly format sort SSH 'host' entries which containssh::global_known_hosts
: Update the ssh_known_hosts files for all hosts, purging old files,ssh::parse_ssh_pubkey
: Take an ssh pubkey that looks like: ssh-rsa jdlkfgjsdfo;i... user@domain.com and turn it into a hash, usable in the ssh_authorized_key type
Data types
Ssh::Authentications
: Valid SSH Authentication SettingsSsh::Loglevel
: Valid SSH LoglevelsSsh::PermitRootLogin
: Valid Settings for PermitRootLoginSsh::Syslogfacility
: Valid SSH Syslog Facility Settings
Classes
ssh
Sets up files for ssh.
Parameters
The following parameters are available in the ssh
class:
enable_client
Data type: Boolean
If true, set up the SSH client configuration files.
Default value: true
enable_server
Data type: Boolean
If true, set up an SSH server on the system.
Default value: true
ssh::authorized_keys
This class was designed so you can just paste the output of the ssh pubkey into hiera and it will work. See the example below for details.
WARNING
This creates a user for every key and every user in the Hash. If this is large, please consider moving to a central source for these keys, such as LDAP, so that you do not over-burden your Puppet server.
WARNING
Examples
Adding user keys via Hiera
---
ssh::authorized_keys::keys:
kelly: ssh-rsa skjfhslkdjfs...
nick:
- ssh-rsa sajhgfsaihd...
- ssh-rsa jrklsahsgfs...
mike:
key: dlfkjsahh...
type: ssh-rsa
user: mlast
target: /home/gitlab-runner/.ssh/authorized_keys
Parameters
The following parameters are available in the ssh::authorized_keys
class:
keys
Data type: Hash
The hash to generate key resouces from
Default value: {}
ssh::client
Sets up a ssh client and creates /etc/ssh/ssh_config.
Parameters
The following parameters are available in the ssh::client
class:
add_default_entry
Data type: Boolean
Set this if you wish to automatically have the '*' Host entry set up with some sane defaults.
Default value: true
fips
Data type: Boolean
If set or FIPS is already enabled, adjust for FIPS mode.
Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })
haveged
Data type: Boolean
If true, include the haveged module to assist with entropy generation.
Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })
package_ensure
Data type: String
The ensure status the openssh-clients package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
ssh::client::params
Default parameters for the SSH client
ssh::server
Sets up a ssh server and starts sshd.
Parameters
The following parameters are available in the ssh::server
class:
server_ensure
Data type: String
The ensure status of the openssh-server package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
ldap_ensure
Data type: String
The ensure status of the openssh-ldap package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
ssh::server::conf
sshd
configuration variables can be set using Augeas outside of this
class with no adverse effects.
SSH Parameters ####
Custom Parameters ####
SIMP Parameters ####
Parameters
The following parameters are available in the ssh::server::conf
class:
acceptenv
allowgroups
allowusers
manage_authorizedkeysfile
authorizedkeysfile
authorizedkeyscommand
authorizedkeyscommanduser
banner
challengeresponseauthentication
ciphers
clientalivecountmax
clientaliveinterval
compression
denygroups
denyusers
gssapiauthentication
hostbasedauthentication
ignorerhosts
ignoreuserknownhosts
kerberosauthentication
kex_algorithms
listenaddress
logingracetime
ssh_loglevel
macs
maxauthtries
passwordauthentication
permitemptypasswords
permitrootlogin
permituserenvironment
port
printlastlog
protocol
rhostsrsaauthentication
strictmodes
subsystem
syslogfacility
tcpwrappers
usepam
manage_pam_sshd
oath
oath_window
useprivilegeseparation
x11forwarding
custom_entries
remove_entries
remove_subsystems
app_pki_external_source
app_pki_key
enable_fallback_ciphers
fallback_ciphers
fips
firewall
haveged
ldap
pki
sssd
ensure_sssd_packages
trusted_nets
acceptenv
Data type: Array[String]
Specifies what environment variables sent by the client will be copied into the sessions environment.
Default value: $ssh::server::params::acceptenv
allowgroups
Data type: Optional[Array[String]]
A list of group name patterns. If specified, login is allowed only for users whose primary or supplementary group list matches one of the patterns.
Default value: undef
allowusers
Data type: Optional[Array[String]]
A list of user name patterns. If specified, login is allowed only for users whose name matches one of the patterns.
Default value: undef
manage_authorizedkeysfile
Data type: Boolean
This will allow users to opt out of puppet managing their ssh authorized keys file. If set to false, authorizedkeysfile will be ignored.
Default value: true
authorizedkeysfile
Data type: String
This is set to a non-standard location to provide for increased control over who can log in as a given user.
Default value: '/etc/ssh/local_keys/%u'
authorizedkeyscommand
Data type: Optional[Stdlib::Absolutepath]
Specifies a program to be used for lookup of the user's public keys.
Default value: undef
authorizedkeyscommanduser
Data type: String
Specifies the user under whose account the AuthorizedKeysCommand is run.
Default value: 'nobody'
banner
Data type: Stdlib::Absolutepath
The contents of the specified file are sent to the remote user before authentication is allowed.
Default value: '/etc/issue.net'
challengeresponseauthentication
Data type: Boolean
Specifies whether challenge-response authentication is allowed.
Default value: false
ciphers
Data type: Optional[Array[String]]
Specifies the ciphers allowed for protocol version 2. When unset, a strong set of ciphers is automatically selected by this class, taking into account whether the server is in FIPS mode.
Default value: undef
clientalivecountmax
Data type: Integer
@see man page for sshd_config
Default value: 0
clientaliveinterval
Data type: Integer
@see man page for sshd_config
Default value: 600
compression
Data type: Variant[Boolean,Enum['delayed']]
Specifies whether compression is allowed, or delayed until the user has authenticated successfully.
Default value: 'delayed'
denygroups
Data type: Optional[Array[String]]
A list of group name patterns. If specified, login is disallowed for users whose primary or supplementary group list matches one of the patterns.
Default value: undef
denyusers
Data type: Optional[Array[String]]
A list of user name patterns. If specified, login is disallowed for users whose name matches one of the patterns.
Default value: undef
gssapiauthentication
Data type: Boolean
Specifies whether user authentication based on GSSAPI is allowed. If the
system is connected to an IPA domain, this will be default to true, based
on the existance of the ipa
fact.
Default value: $ssh::server::params::gssapiauthentication
hostbasedauthentication
Data type: Boolean
@see man page for sshd_config
Default value: false
ignorerhosts
Data type: Boolean
@see man page for sshd_config
Default value: true
ignoreuserknownhosts
Data type: Boolean
@see man page for sshd_config
Default value: true
kerberosauthentication
Data type: Boolean
@see man page for sshd_config
Default value: false
kex_algorithms
Data type: Optional[Array[String]]
Specifies the key exchange algorithms accepted. When unset, an appropriate set of algorithms is automatically selected by this class, taking into account whether the server is in FIPS mode and whether the version of openssh installed supports this feature.
Default value: undef
listenaddress
Data type: Optional[Variant[Simplib::Host, Array[Simplib::Host]]]
Specifies the local addresses sshd should listen on.
Default value: undef
logingracetime
Data type: Integer[0]
The max number of seconds the server will wait for a successful login before disconnecting. If the value is 0, there is no limit.
Default value: 120
ssh_loglevel
Data type: Optional[Ssh::Loglevel]
Specifies the verbosity level that is used when logging messages from sshd.
Default value: undef
macs
Data type: Optional[Array[String]]
Specifies the available MAC algorithms. When unset, a strong set of ciphers is automatically selected by this class, taking into account whether the server is in FIPS mode.
Default value: undef
maxauthtries
Data type: Integer[1]
Specifies the maximum number of authentication attempts permitted per connection.
Default value: 6
passwordauthentication
Data type: Boolean
Specifies whether password authentication is allowed on the sshd server.
- This setting must be managed by default so that switching to and from OATH does not lock you out of your system.
Default value: true
permitemptypasswords
Data type: Boolean
When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.
Default value: false
permitrootlogin
Data type: Ssh::PermitRootLogin
Specifies whether root can log in using SSH.
Default value: false
permituserenvironment
Data type: Boolean
@see man page for sshd_config
Default value: false
port
Data type: Variant[Array[Simplib::Port],Simplib::Port]
Specifies the port number SSHD listens on.
Default value: 22
printlastlog
Data type: Boolean
Specifies whether SSHD should print the date and time of the last user login when a user logs in interactively.
Default value: false
protocol
Data type: Array[Integer[1,2]]
@see man page for sshd_config
Default value: [2]
rhostsrsaauthentication
Data type: Optional[Boolean]
This sshd option has been completely removed in openssh 7.4 and
will cause an error message to be logged, when present. On systems
using openssh 7.4 or later, only set this value if you need
RhostsRSAAuthentication
to be in the sshd configuration file to
satisfy an outdated, STIG check.
Default value: $ssh::server::params::rhostsrsaauthentication
strictmodes
Data type: Boolean
@see man page for sshd_config
Default value: true
subsystem
Data type: String
Configures an external subsystem for file transfers.
Default value: 'sftp /usr/libexec/openssh/sftp-server'
syslogfacility
Data type: Ssh::Syslogfacility
Gives the facility code that is used when logging messages.
Default value: 'AUTHPRIV'
tcpwrappers
Data type: Boolean
If true, enable sshd tcpwrappers.
Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })
usepam
Data type: Boolean
Enables the Pluggable Authentication Module interface.
Default value: simplib::lookup('simp_options::pam', { 'default_value' => true })
manage_pam_sshd
Data type: Boolean
Flag indicating whether or not to manage the pam stack for sshd. This is required for the oath option to work properly.
Default value: $oath
oath
Data type: Boolean
EXPERIMENTAL FEATURE Configures ssh to use pam_oath TOTP in the sshd pam stack. Also configures sshd_config to use required settings. Inherits from simp_options::oath, defaults to false if not found.
Default value: simplib::lookup('simp_options::oath', { 'default_value' => false })
oath_window
Data type: Integer[0]
Sets the TOTP window (Defined in RFC 6238 section 5.2)
Default value: 1
useprivilegeseparation
Data type: Variant[Boolean,Enum['sandbox']]
Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic.
This option has no effect on OpenSSH >= 7.5.0 due to being deprecated.
Default value: 'sandbox'
x11forwarding
Data type: Boolean
Specifies whether X11 forwarding is permitted.
Default value: false
custom_entries
Data type: Optional[Hash[String[1],NotUndef]]
A Hash of key/value pairs that will be added as sshd_config
resources
without any validation.
- NOTE: Due to complexity,
Match
entries are not supported and will need to be added usingsshd_config_match
resources as described inaugeasproviders_ssh
@example Set AuthorizedPrincipalsCommand
ssh::server::conf::custom_entries: AuthorizedPrincipalsCommand: '/usr/local/bin/my_auth_command'
Default value: undef
remove_entries
Data type: Optional[Array[String[1]]]
List of configuration parameters that will be removed.
- NOTE: Due to complexity,
Match
entries are not supported and will need to be removed usingsshd_config_match
resources as described inaugeasproviders_ssh
Default value: undef
remove_subsystems
Data type: Optional[Array[String[1]]]
List of subsystems that will be removed.
Default value: undef
app_pki_external_source
Data type: String
-
If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
-
If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file. This key file is used to generate the system SSH certificates for consistency.
Default value: "/etc/pki/simp_apps/sshd/x509/private/${facts['networking']['fqdn']}.pem"
enable_fallback_ciphers
Data type: Boolean
If true, add the fallback ciphers from ssh::server::params to the cipher list. This is intended to provide compatibility with non-SIMP systems in a way that properly supports FIPS 140-2.
Default value: true
fallback_ciphers
Data type: Array[String]
The set of ciphers that should be used should no other cipher be declared. This is used when $ssh::server::conf::enable_fallback_ciphers is enabled.
Default value: $ssh::server::params::fallback_ciphers
fips
Data type: Boolean
If set or FIPS is already enabled, adjust for FIPS mode.
Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })
firewall
Data type: Boolean
If true, use the SIMP iptables class.
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
haveged
Data type: Boolean
If true, include the haveged module to assist with entropy generation.
Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })
ldap
Data type: Boolean
If true, enable LDAP support on the system. If authorizedkeyscommand is empty, this will set the authorizedkeyscommand to ssh-ldap-wrapper so that SSH public keys can be stored directly in LDAP.
Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })
pki
Data type: Variant[Enum['simp'],Boolean]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/sshd/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/sshd/x509
- If false, do not include SIMP's pki module and do not use pki::copy
to manage certs. You will need to appropriately assign a subset of:
- app_pki_dir
- app_pki_key
- app_pki_cert
- app_pki_ca
- app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
sssd
Data type: Boolean
If true, use sssd
Default value: simplib::lookup('simp_options::sssd', { 'default_value' => false })
ensure_sssd_packages
Data type: Variant[Boolean,Array[String[1]]]
A list of SSSD-related packages to ensure are installed on the system.
- Set to
false
to prevent package management.
Default value: ['sssd-common']
trusted_nets
Data type: Simplib::Netlist
The networks to allow to connect to SSH.
Default value: ['ALL']
ssh::server::params
Curve
exchange was not fully supported until openssh 6.5- RhostsRSAAuthentication was removed in openssh 7.4
Defined types
ssh::client::host_config_entry
GSSAPI may be used.
the client's GSSAPI credentials will force the rekeying of the ssh connection.
trusted to securely canonicalize the name of the host being connected to.
Examples
Adding default entry
ssh::client::host_config_entry { '*':
gssapiauthentication => true,
forwardx11trusted => true'
}
Parameters
The following parameters are available in the ssh::client::host_config_entry
defined type:
target
address_family
batchmode
bindaddress
challengeresponseauthentication
checkhostip
cipher
ciphers
clearallforwardings
compression
compressionlevel
connectionattempts
connecttimeout
controlmaster
controlpath
dynamicforward
enablesshkeysign
escapechar
exitonforwardfailure
forwardagent
forwardx11
forwardx11trusted
gatewayports
globalknownhostsfile
gssapiauthentication
gssapidelegatecredentials
gssapikeyexchange
gssapirenewalforcesrekey
gssapitrustdns
hashknownhosts
hostbasedauthentication
hostkeyalgorithms
hostkeyalias
hostname
identitiesonly
identityfile
kbdinteractiveauthentication
kbdinteractivedevices
localcommand
localforward
ssh_loglevel
macs
nohostauthenticationforlocalhost
numberofpasswordprompts
passwordauthentication
permitlocalcommand
port
preferredauthentications
protocol
proxycommand
pubkeyauthentication
rekeylimit
remoteforward
rhostsrsaauthentication
rsaauthentication
sendenv
serveralivecountmax
serveraliveinterval
smartcarddevice
stricthostkeychecking
tcpkeepalive
tunnel
tunneldevice
useprivilegedport
user
userknownhostsfile
verifyhostkeydns
visualhostkey
xauthlocation
target
Data type: Stdlib::Absolutepath
Absolute path to the ssh_config file to manage.
Default value: '/etc/ssh/ssh_config'
address_family
Data type: Enum['any', 'inet', 'inet6']
The IP Address family to use when connecting. Valid options: 'any', 'inet', 'inet6'.
Default value: 'any'
batchmode
Data type: Boolean
If set to true, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password.
Default value: false
bindaddress
Data type: Optional[Simplib::Host]
Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address. Note that this option does not work if UsePrivilegedPort is set to false.
Default value: undef
challengeresponseauthentication
Data type: Boolean
Specifies whether to use challenge-response authentication.
Default value: true
checkhostip
Data type: Boolean
If this flag is set to true, ssh will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing and will add addresses of destination hosts to ~/.ssh/known_hosts in the process, regardless of the setting of StrictHostKeyChecking.
Default value: true
cipher
Data type: Enum['blowfish', '3des', 'des']
Specifies the cipher to use for encrypting the session in protocol version 1. Valid Options: 'blowfish', '3des', 'des'.
Default value: '3des'
ciphers
Data type: Optional[Array[String]]
Specifies the ciphers allowed for protocol version 2 in order of preference. When unset, a strong set of ciphers is automatically selected by this class, taking into account whether the server is in FIPS mode.
Default value: undef
clearallforwardings
Data type: Boolean
Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared.
Default value: false
compression
Data type: Boolean
Specifies whether to use compression.
Default value: true
compressionlevel
Data type: Integer[1,9]
Specifies the compression level to use if compression is enabled.
Default value: 6
connectionattempts
Data type: Integer[1]
Specifies the number of tries (one per second) to make before exiting.
Default value: 1
connecttimeout
Data type: Integer[0]
Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout.
Default value: 0
controlmaster
Data type: Enum['yes','no','ask']
Enables the sharing of multiple sessions over a single network connection.
Default value: 'no'
controlpath
Data type: Optional[Variant[Stdlib::Absolutepath, Enum['none']]]
Specify the path to the control socket used for connection sharing as set by controlmaster.
Default value: undef
dynamicforward
Data type: Optional[Variant[Simplib::Port, Simplib::Host::Port]]
Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.
Default value: undef
enablesshkeysign
Data type: Boolean
Setting this option to true enables the use of the helper program ssh-keysign during HostbasedAuthentication.
Default value: false
escapechar
Data type: Pattern[/^[[:graph:]]$/, /^\^[[:alpha:]]$/, /^none$/]
Sets the default escape character. Must be a single character.
Default value: '~'
exitonforwardfailure
Data type: Boolean
Specifies whether ssh should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote port forwardings.
Default value: false
forwardagent
Data type: Boolean
Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine.
Default value: false
forwardx11
Data type: Boolean
Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set.
Default value: false
forwardx11trusted
Data type: Boolean
If set to true, remote X11 clients will have full access to the original X11 display.
Default value: false
gatewayports
Data type: Boolean
Specifies whether remote hosts are allowed to connect to local forwarded ports.
Default value: false
globalknownhostsfile
Data type: Optional[Array[Stdlib::Absolutepath]]
Specifies one or more files to use for the global host key database.
Default value: undef
gssapiauthentication
Data type: Boolean
Specifies whether user authentication
based on GSSAPI is allowed. If the system is connected to an IPA domain,
this will be set to true, regardless of this parameter. It uses the
ipa
fact to determine domain membership.
Default value: false
gssapidelegatecredentials
Data type: Boolean
Forward credentials to the server.
Default value: false
gssapikeyexchange
Data type: Boolean
Specifies whether key exchange based on
Default value: false
gssapirenewalforcesrekey
Data type: Boolean
If set to true then renewal of
Default value: false
gssapitrustdns
Data type: Boolean
Set to true to indicate that the DNS is
Default value: false
hashknownhosts
Data type: Boolean
Indicates that SSH should hash host names and addresses when they are added to known hosts.
Default value: true
hostbasedauthentication
Data type: Boolean
Specifies whether to try rhosts based authentication with public key authentication.
Default value: false
hostkeyalgorithms
Data type: Optional[Array[String]]
Specifies the host key algorithms that the client wants to use in order of preference.
Default value: undef
hostkeyalias
Data type: Optional[String]
Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files.
Default value: undef
hostname
Data type: Optional[Simplib::Host]
Specifies the real hostname to log into.
Default value: undef
identitiesonly
Data type: Boolean
Specifies that ssh should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh command-line, even if ssh-agent or a PKCS11Provider offers more identities.
Default value: false
identityfile
Data type: Optional[String]
Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication identity is read.
Default value: undef
kbdinteractiveauthentication
Data type: Boolean
Specifies whether to use keyboard-interactive authentication.
Default value: true
kbdinteractivedevices
Data type: Optional[Array[String]]
Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated.
Default value: undef
localcommand
Data type: Optional[String]
Specifies a command to execute on the local machine after successfully connecting to the server.
Default value: undef
localforward
Data type: Optional[String]
Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport.
Default value: undef
ssh_loglevel
Data type: Ssh::Loglevel
Gives the verbosity level that is used when logging messages. Valid options: 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', and 'DEBUG3'.
Default value: 'INFO'
macs
Data type: Optional[Array[String]]
Specifies the MAC (message authentication code) algorithms in order of preference. When unset, a strong set of algorithms is automatically selected by this class, taking into account whether the server is in FIPS mode.
Default value: undef
nohostauthenticationforlocalhost
Data type: Boolean
This option can be used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of the machines and the user will get many warnings about changed host keys. However, this option disables host authentication for localhost.
Default value: false
numberofpasswordprompts
Data type: Integer[1]
Specifies the number of password prompts before giving up.
Default value: 3
passwordauthentication
Data type: Boolean
Specifies whether to use password authentication.
Default value: true
permitlocalcommand
Data type: Boolean
Allow local command execution via the LocalCommand option or using the !command escape sequence.
Default value: false
port
Data type: Simplib::Port
Specifies the port number to connect on the remote host.
Default value: 22
preferredauthentications
Data type: Array[Ssh::Authentications]
Specifies the order in which the client should try authentication methods. The order will be determined from the start of the array to the end of the array. Default: ['publickey','hostbased','keyboard-interactive','password']
Default value:
[ 'publickey',
'hostbased',
'keyboard-interactive',
'password' ]
protocol
Data type: Variant[Integer[1,2], Enum['2,1']]
Specifies the protocol versions SSH should support.
Default value: 2
proxycommand
Data type: Optional[String]
Specifies the command to use to connect to the server.
Default value: undef
pubkeyauthentication
Data type: Boolean
Specifies whether to try public key authentication.
Default value: true
rekeylimit
Data type: Optional[String]
Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed a maximum amount of time that may pass before the session key is renegotiated.
Default value: undef
remoteforward
Data type: Optional[String]
Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine.
Default value: undef
rhostsrsaauthentication
Data type: Boolean
Specifies whether to try rhosts based authentication with RSA host authentication.
Default value: false
rsaauthentication
Data type: Boolean
Specifies whether to try RSA Authentication.
Default value: true
sendenv
Data type: Array[String]
Specifies what variables from the local environ should be sent to the server.
Default value:
[ 'LANG',
'LC_CTYPE',
'LC_NUMERIC',
'LC_TIME',
'LC_COLLATE',
'LC_MONETARY',
'LC_MESSAGES',
'LC_PAPER',
'LC_NAME',
'LC_ADDRESS',
'LC_TELEPHONE',
'LC_MEASUREMENT',
'LC_IDENTIFICATION',
'LC_ALL' ]
serveralivecountmax
Data type: Integer[1]
Sets the number of server alive messages (see below) which may be sent without ssh receiving any messages back from the server.
Default value: 3
serveraliveinterval
Data type: Integer[0]
Sets a timeout interval in seconds after which if no data has been received from the server. The default is 0, indicating that these messages will not be sent to the server.
Default value: 0
smartcarddevice
Data type: Optional[String]
Specifies which smartcard device to use.
Default value: undef
stricthostkeychecking
Data type: Enum['yes','no','ask']
If set to yes, ssh will never automatically add host keys to the known_hosts file, and refuses to connect to hosts whose keys have changed. If this flag is set to "ask", new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. Valid Options: 'yes', 'no', 'ask'
Default value: 'ask'
tcpkeepalive
Data type: Boolean
Specifies whether the system should send TCP keepalive messages to the other side.
Default value: true
tunnel
Data type: Enum['yes','no','point-to-point','ethernet']
If 'yes', request device forwarding between the client and server.
Default value: 'no'
tunneldevice
Data type: Optional[String]
Specifies the devices to open on the client and the server.
Default value: undef
useprivilegedport
Data type: Boolean
Specifies whether to use a privileged port for outgoing connections.
Default value: false
user
Data type: Optional[String]
Specifies the user to log in as.
Default value: undef
userknownhostsfile
Data type: Optional[Array[Stdlib::Absolutepath]]
Specifies one or more files to use for the user host key database, separated by whitespace.
Default value: undef
verifyhostkeydns
Data type: Enum['yes','no','ask']
Specifies whether to verify the remote key using DNS and SSHFP resource records.
Default value: 'no'
visualhostkey
Data type: Boolean
If this flag is set to true, an ASCII art representation of the remote host key fingerprint is printed in addition to the fingerprint string at login and for unknown host keys.
Default value: false
xauthlocation
Data type: Stdlib::Absolutepath
Specifies the full pathname of the xauth program.
Default value: '/usr/bin/xauth'
Resource types
sshkey_prune
The file that you wish to prune
Properties
The following properties are available in the sshkey_prune
type.
prune
Valid values: true
, false
Whether or not to prune the file in $name
Default value: true
Parameters
The following parameters are available in the sshkey_prune
type.
name
namevar
The file that you wish to prune
provider
The specific backend to use for this sshkey_prune
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Functions
ssh::add_sshd_config
Type: Puppet Language
Add a sshd_config entry if it is not in the remove list
ssh::add_sshd_config(String[1] $key, Any $value, Variant[Array[String[1]],Undef] $remove_keys, Array[Type[Catalogentry]] $resources_to_notify = [ Service['sshd'] ])
Add a sshd_config entry if it is not in the remove list
Returns: Nil
key
Data type: String[1]
The name of the sshd configuration parameter
value
Data type: Any
The value of the sshd configuration parameter
remove_keys
Data type: Variant[Array[String[1]],Undef]
List of sshd configuration parameters to be removed
resources_to_notify
Data type: Array[Type[Catalogentry]]
Catalog resources to notify when the sshd configuration has changed
ssh::autokey
Type: Ruby 4.x API
user.
Keys are stored in "Puppet[:vardir]/simp/environments//simp_autofiles/ssh_autokeys"
Note: This function if marked as an InternalFunction because it changes the state of the system by writing key files.
ssh::autokey(String $username, Optional[Hash] $options)
The following options are supported:
- 'key_strength': key length, Integer, defaults to 2048
- 'return_private': whether to return the private key, Boolean, defaults to false NOTE: A minimum key strength of 1024 is enforced!
Returns: String
The public key of the user
username
Data type: String
username for which SSH key pairs will be generated
options
Data type: Optional[Hash]
Options hash
ssh::autokey(String $username, Optional[Integer] $key_strength, Optional[Boolean] $return_private)
NOTE: A minimum key strength of 1024 is enforced!
Returns: String
The public key of the user or the private key if
return_private is specified.
username
Data type: String
username for which SSH key pairs will be generated
key_strength
Data type: Optional[Integer]
key length, defaults to 2048
return_private
Data type: Optional[Boolean]
whether to return the private key, defaults to false
ssh::config_bool_translate
Type: Ruby 4.x API
All other values are passed-through unchanged
ssh::config_bool_translate(String $config_item)
The ssh::config_bool_translate function.
Returns: Any
transformed config_item
config_item
Data type: String
Configuration item to be translated
ssh::config_bool_translate(Boolean $config_item)
The ssh::config_bool_translate function.
Returns: Any
transformed config_item
config_item
Data type: Boolean
Configuration item to be translated
ssh::format_host_entry_for_sorting
Type: Ruby 4.x API
wildcards and question marks.
The output is intended for use with the simpcat_fragment type and is not meant for use as a host entry itself.
The general idea is that it places all items at the bottom of the list using zzzz, then sorts by question marks first per section then wildcards per section.
Example: Input: '*' Output: 'zzzz98_st__'
Input: '*.foo.bar' Output: 'zzzz96_st__.foo.bar'
Input: 'foo.?.bar' Output: 'foo.zzzz95_qu__.bar'
Input: 'foo?.*.bar' Output: 'foozzzz96_qu.zzzz95_st.bar'
ssh::format_host_entry_for_sorting(String $host_entry)
wildcards and question marks.
The output is intended for use with the simpcat_fragment type and is not meant for use as a host entry itself.
The general idea is that it places all items at the bottom of the list using zzzz, then sorts by question marks first per section then wildcards per section.
Example: Input: '*' Output: 'zzzz98_st__'
Input: '*.foo.bar' Output: 'zzzz96_st__.foo.bar'
Input: 'foo.?.bar' Output: 'foo.zzzz95_qu__.bar'
Input: 'foo?.*.bar' Output: 'foozzzz96_qu.zzzz95_st.bar'
Returns: Any
transformed host_entry
host_entry
Data type: String
SSH host entry, which may contain wildcards
ssh::global_known_hosts
Type: Ruby 4.x API
removing duplicates, and creating catalog resources that are found
Note: This function if marked as an InternalFunction because it changes the state of the system by adding/removing files and adding catalog resources.
ssh::global_known_hosts(Optional[Integer] $expire_days)
removing duplicates, and creating catalog resources that are found
Note: This function if marked as an InternalFunction because it changes the state of the system by adding/removing files and adding catalog resources.
Returns: None
expire_days
Data type: Optional[Integer]
expire time in days; defaults to 7; value of 0 means never purge
ssh::parse_ssh_pubkey
Type: Puppet Language
Take an ssh pubkey that looks like: ssh-rsa jdlkfgjsdfo;i... user@domain.com and turn it into a hash, usable in the ssh_authorized_key type
ssh::parse_ssh_pubkey(String $key)
Take an ssh pubkey that looks like: ssh-rsa jdlkfgjsdfo;i... user@domain.com and turn it into a hash, usable in the ssh_authorized_key type
Returns: Hash
key
Data type: String
The ssh key, can be pasted from ~/.ssh/id_rsa.pub or similar
Data types
Ssh::Authentications
Valid SSH Authentication Settings
Alias of Enum['publickey', 'hostbased', 'keyboard-interactive', 'password', 'gssapi-with-mic']
Ssh::Loglevel
Valid SSH Loglevels
Alias of Enum['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3']
Ssh::PermitRootLogin
Valid Settings for PermitRootLogin
Alias of Variant[Boolean, Enum['prohibit-password', 'without-password', 'forced-commands-only']]
Ssh::Syslogfacility
Valid SSH Syslog Facility Settings
Alias of Enum['DAEMON', 'USER', 'AUTH', 'AUTHPRIV', 'LOCAL0', 'LOCAL1', 'LOCAL2', 'LOCAL3', 'LOCAL4', 'LOCAL5', 'LOCAL6', 'LOCAL7']
- Tue Oct 01 2024 Steven Pritchard steve@sicura.us - 6.20.0
- Update metadata upper bounds for puppet-augeasproviders_ssh and puppet-selinux
- Fri Sep 13 2024 Steven Pritchard steve@sicura.us - 6.19.0
- [puppetsync] Update module dependencies to support simp-iptables 7.x
- Wed Jul 10 2024 Steven Pritchard steve@sicura.us - 6.18.2
- Fix calls to
FileUtils.mkdir_p
to work on Ruby 3
- Tue Jun 18 2024 Rick Gardner Rick@sicura.us - 6.18.1
- Fixed custom fact on windows bug
- Wed Feb 07 2024 Mike Riddle mike@sicura.us - 6.18.0
- [puppetsync] Update metadata upper bounds for puppet-nsswitch, puppet-gitlab, puppet-snmp, simp-pam, and simp-useradd
- Wed Dec 06 2023 Mike Riddle mike@sicura.us - 6.17.1
- The module will now correctly handle a situation where /etc/localtime doesn't exist
- Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 6.17.0
- [puppetsync] Add EL9 support
- Wed Oct 18 2023 Steven Pritchard steve@sicura.us - 6.16.1
- Replace calls to
File.exists?
withFile.exist?
for compatibility with Ruby 3
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 6.16.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- These updates may include the following:
- Thu Sep 07 2023 Steven Pritchard steve@sicura.us - 6.15.0
- Add AlmaLinux 8 support
- Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 6.14.0
- Add RockyLinux 8 support
- Sat Oct 15 2022 Trevor Vaughan trevor@sicura.us - 6.13.1
- Remove unnecessary augeasproviders_core module dependency
- Mon Nov 29 2021 Mike Riddle mike@sicura.us - 6.13.0
- Added an option to turn off managing the AuthorizedKeysFile parameter in /etc/ssh/sshd_config
- Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.12.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Tue Apr 20 2021 Liz Nemsick lnemsick.simp@gmail.com - 6.12.0
- Update to augeasproviders_ssh < 5.0.0
- Tue Apr 20 2021 Liz Nemsick lnemsick.simp@gmail.com - 6.11.2
- Fixed a bug where some changes to sshd configuration did not cause the
sshd service to restart.
sshd_config
resources created byssh::add_sshd_config()
did not notifyService[sshd]
.
- Fixed a bug that caused a compilation error when
ssh::conf::ensure_sshd_packages
was set totrue
. - Removed sshd configuration logic pertaining to OpenSSH versions used in EL6.
- Tue Mar 02 2021 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.11.2
- Updated server::conf to include the voxpupuli selinux module when calling selinux_port. This will ensure the packages that selinux_port needs are installed.
- Added memory to the testing nodesets for EL8 because running selinux_port was giving an out of memory error.
- Fri Feb 19 2021 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.11.2
- Openssh dropped support for SSH protocol 1 in version 8.0. EL8 installs openssh v8 by default. This fix checks the version of openssh when creating ssh_config host entries and removes those values that are no longer used.
- Wed Jan 13 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.11.2
- Removed EL6 from supported OSes
- Wed Nov 25 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.11.2
- No longer set HostKeyAlgorithms on the client configuration by default
- Thu Nov 19 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.11.1-0
- Migrate to the updated version of simp/selinux that allows for isolated package installation in support of the SELinux native types.
- Allow users to use the 'puppet/selinux' module instead of SIMP components.
- Tue Jul 07 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.11.0-0
- Fix EL8 support when setting server::conf::manage_pam_sshd to
true
- Remove dependency on the simp/sssd module
- Ensure that the sssd-common package is installed if required and allow the user to disable this if necessary
- Remove the Puppet 3 functions that were marked as deprecated in 2017
- Wed Feb 19 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.10.0-0
- Added EL8 support
- Ensure that UsePrivilegeSeparation is removed from sshd_config on platforms that do not support it
- Thu Oct 24 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.9.0-0
- Added two
ssh::server::conf
parameters to allow users to ensure specific sshd configuration is removed from sshd_config:ssh::server::conf::remove_entries
ssh::server::conf::remove_subsystems
- Allow use of simp-simplib 4.X.
- Fri Oct 18 2019 Kendall Moore kendall.moore@onyxpoint.com - 6.9.0-0
- Updated the default Tunnel setting to 'no' in ssh_config to match the man page
- Tue Aug 06 2019 Michael Morrone michael.morrone@@onyxpoint.com - 6.8.1-0
- Removed ensure from policycoreutils-python in server config for multiple port support to elimate duplicate declaration
- Tue Jul 30 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.8.0-0
- Add multiple port support
- The ssh::server::conf::port entry can now take an Array of ports
selinux_port
resources are created for each non-standard entry
- Update the required version of simp-beaker-helpers to work around Highline issues in the compliance acceptance tests.
- Mon Jun 03 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.8.0-0
- Add v2 compliance_markup data
- Add support for puppetlabs-stdlib 6
- Wed May 29 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.7.1-0
- Replace calls to 'system' with Puppet::Execution.execute in the ssh_autokey and ssh::autokeys functions.
- Mon Apr 29 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.7.0-0
- Switched to selinux_port type for alternate SSH ports
- Added the ability for users to set custom sshd config entries via a Hash in Hiera.
- Made ListenAddress optional and documented EL6 bug
- Tue Apr 16 2019 Zach turtles.be.the.best@gmail.com - 6.7.0-0
- Add OATH support
- Thu Apr 11 2019 Bob Vincent pillarsdotnet@gmail.com - 6.7.0-0
- Added support for the following SSH server configuration parameters:
- AllowGroups
- AllowUsers
- DenyGroups
- DenyUsers
- LoginGraceTime
- LogLevel
- MaxAuthTries
- Tue Apr 09 2019 Joseph Sharkey shark.bruhaha@gmail.com - 6.7.0-0
- Remove Elasticsearch and Grafana
- Updated tests in support of puppet6, and removed puppet4 support
- Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.6.1-0
- Use Puppet String in lieu of simplib's deprecated Puppet 3 to_string
- Use simplib::nets2ddq in lieu of deprecated Puppet 3 nets2ddq
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.6.0-0
- Expanded the upper limit of the stdlib Puppet module version
- Updated URLs in the README.md
- Tue Dec 04 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.6.0-0
- Fix bug in which the sshd 'Subsystem' configuration specified by ssh::server::conf::subsystem was erroneously stripped of whitespace
- Thu Nov 15 2018 Nick Miller nick.miller@onyxpoint.com - 6.6.0-0
- Added a new class, ssh::authorized_keys, that consumes a hash of ssh pubkeys
- Users are meant to be able to paste the output of their pubkey into hiera
- Arrays and hashes work too, though the hash option is not as smart as the others
- Update README with a section on it
- Add REFERENCE.md
- Fri Oct 26 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.5.1-0
- Add ssh_host_keys fact to gather configured
hostkey
values from sshd - Loop through all hostkeys and manage permissions for security and compliance
- Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 6.5.0-0
- Added the following package ensure parameters
- $ssh::client::package_ensure
- $ssh::server::server_ensure
- $ssh::server::ldap_ensure
- Changed the defaults for all package ensures from 'latest' to the following:
simp_options::package_ensure
when that parameter is present- 'installed' otherwise
- Thu Oct 11 2018 Zach turtles.be.the.best@gmail.com - 6.5.0-0
- Altered 00_default_spec.rb to stop deleting all ssh keys in test
- Replaced puppet_environment with puppet_collection in nodesets
- Tue Sep 11 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 6.5.0-0
- Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.
- Wed Aug 29 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.4-0
- Added a Ssh::PermitRootLogin data type
- Updated tests
- Added a check to fail on EL6 if 'prohibit-password' is set since it is not allowed on that platform.
- Thu Aug 23 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.4.4-0
- Added support for Oracle Linux
- Added support for Puppet 5
- Mon Aug 20 2018 Bryan Howard bryan@alumni.caltech.edu - 6.4.4-0
- PermitRootLogin accepts more values than 'yes' and 'no'. Add support for 'without-password', 'prohibit-password', and 'forced-commands-only'.
- It was not possible to set PasswordAuthentication to 'no' because the conditional treated false the same as undef, which are intended to be different.
- Thu Aug 16 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.4.3-0
- By default, do not specify the obsolete RhostsRSAAuthentication configuration parameter in sshd_config on systems running openssh 7.4 or later. Beginning with openshh 7.4, sshd emits an error message when this parameter is present in sshd_config.
- Thu May 03 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.4.2-0
- Added some variables for sshd_config to meet STIG requirements. Most are just confirmation of defaults with the exception of ClientAliveInterval and ClientAliveMaxCount which have been set to activate Client Alive checks.
- Added compliance tests to install setting from compliance markup module and then run inspec tests to check for compliance.
- Update version range of auditd dependency in metadata.json
- Wed Mar 14 2018 Chris Tessmer chris.tessmer@onyxpoint.com - 6.4.1-0
- Removed unused Augeas lens
sshd.aug
- Mon Mar 05 2018 Chris Tessmer chris.tessmer@onyxpoint.com - 6.4.0-0
- Re-implemented
ssh::client::host_config_entry
usingssh_config
:- Users can now customize additional SSH client options
- Customizing ssh_config is consistent with sshd_config
- Tweaked Augeas lens
ssh.aug
to handleHostKeyAlgorithms
correctly - No change to the module's API
- Removed concat + .erb templates from old implementation
- Fixed idempotency bug with
/var/empty/sshd/etc/localtime
- Removed vestigial SIMP-1143 workaround from acceptance tests
- Fixed errors in README.md
- Ciphers and Usage sections rewritten and verified, with tests
- Added new environment variable
SIMP_SSH_report_dir
to acceptance tests to validate ciphers in README - Documented solution to SIMP-4440 and added acceptance test
- Removed cruft:
- Removed grub from metadata.json and .fixtures.yml because nothing uses it
- Removed NSCD-related cruft (/etc/pam_ldap.conf) from ancient ldap code
- Mon Feb 12 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.3.0-0
- Update upperbound on puppetlabs/concat version to < 5.0.0
- Fri Jan 19 2018 Nick Miller nick.miller@onyxpoint.com - 6.3.0-0
- If the host has joined an IPA domain, set GSSAPIAuthentication to 'yes' in the ssh server and client configuration files.
- Wed Aug 30 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.1-0
- Update to augeasproviders_grub 3
- Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.2.1-0
- Update concat version in metadata.json & build/rpm_metadata/requires
- Tue Jun 20 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0
- Convert internally-used Puppet 3 functions to Puppet 4
- ssh_config_bool_translate is now ssh::config_bool_translate
- ssh_format_host_entry_for_sorting now ssh::format_host_entry_for_sorting
- Create Puppet 4 versions of externally-used Puppet 3 functions and
mark the Puppet 3 functions as deprecated. They will be removed in
a later release.
- ssh_autokey should be replaced with ssh::autokey
- ssh_global_known_hosts should be replaced with ssh::global_known_hosts
- Tue Mar 28 2017 Nicholas Hughes - 6.1.0-0
- Set permissions back to what the RPM sets and security scans expect
- /etc/ssh/moduli
- /var/empty/sshd
- /var/empty/sshd/etc
- /var/empty/sshd/etc/localtime
- Thu Mar 23 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.0-0
- Reverted 'ssh::server::conf::trusted_nets' to 'ALL' by default to prevent lockouts from cloud systems
- Mon Mar 20 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.1-0
- move passgen to Puppet[:vardir]
- Thu Mar 9 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 6.0.1-0
- Remove some utf-8 smart quotes that were accidentally added to host_config_entry.pp
- Thu Feb 23 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.1-0
- Changed the default UsePrivilegeSeparation setting in sshd_config to use the vendor default of 'sandbox'
- Changed the default value of simp_options::trusted_nets to ['ALL'] to prevent permanent lockouts when a console isn't available.
- Thu Jan 19 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated pki scheme, application certs now managed in /etc/pki/simp_apps/sshd/x509
- Tue Jan 10 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Updated to use CTR ciphers instead of CBC as a fallback
- Tue Dec 20 2016 Liz Nemsick lnemsick.simp@gmail.com - 6.0.0-0
- Use simp_options module for global catalysts
- Use strongly typed parameters
- Rename defined type ssh::client::add_entry to ssh::client::host_config_entry
- Wed Nov 23 2016 Jeanne Greulich jgreulich@onyxpoint.com - 5.0.0-0
- Fix dependencies for simp 6 bump
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Updated to compliance_markup version 2
- Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Updated iptables dependency version
- Wed Oct 12 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.
- Fri Sep 30 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.12-0
- Fixed dependencies in
metadata.json
prior to a Forge push.
- Wed Sep 28 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.11-0
- Fix Forge
haveged
dependency name
- Tue Sep 06 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.10-0
- Modified AuthorizedKeysCommand to be /usr/bin/sss_ssh_authorizedkeys if sssd is enabled.
- Thu Aug 04 2016 Nick Miller nick.miller@onyxpoint.com - 4.1.9-0
- Updated rpm requires to properly expire old versions
- Mon Jul 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.8-0
- Migration to semantic versioning and fix of the build system
- Tue Jul 05 2016 Nick Miller nick.miller@onyxpoint.com - 4.1.7-0
- The defaults for use_iptables and use_ldap will now follow the global catalysts. Updated acceptance tests.
- Thu Jun 30 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.6-0
- Use_haveged is now a global catalyst.
- Wed Jun 22 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.5-0
- Pupmod-haveged now included by default to assist with entropy generation.
- Tue Jun 07 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.4-0
- The openssh_version fact is now compatible with ruby 1.8.7.
- Sat May 21 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.4-0
- Ensure that we set the proper SELinux port connection options for sshd if using a non-standard port.
- Wed Apr 20 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.3-0
- Created an openssh_version fact.
- Modified kex algorithm set:
- No longer set kex prior to openssh v 5.7
- Curve25519 kex only set in openssh v 6.5+
- Tue Mar 22 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.2-0
- Openssh-ldap is no longer installed when use_sssd is true.
- Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.comm - 4.1.1-0
- Migrated use_simp_pki to a global catalyst.
- Mon Mar 14 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-15
- Ensure that EL6.7+ uses SSSD over NSCD
- Thu Feb 25 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-14
- Added compliance function support
- Mon Jan 18 2016 Carl Caum carl@puppetlabs.com - 4.1.0-13
- Removed empty logic block that was causing compilation errors in Puppet 4.
- Wed Dec 09 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-12
- CCE-3660-8 compliance. Do not allow empty ssh passwords.
- Fri Dec 04 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-12
- Replaced all 'lsb' facts with their (package-independent) 'operatingsystem' counterparts.
- Moved parameter validation to the top of each class.
- Fri Nov 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11
- Updated the code to work around a bug in the OpenSSH client where FIPS mode fails if the 'Cipher' parameter is present in /etc/ssh/ssh_config
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-11
- migration to simplib and simpcat (lib/ only)
- Fri Sep 18 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-10
- Updated the ssh client ciphers to match the ssh server ciphers.
- Wed Jul 29 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9
- Incorporated the updated SSH Augeas Lenses
- Created a sub-rpm for the lenses to account for the modified license terms
- Added support for default KexAlgorithms
- Added sensible defaults for the SSH server in both FIPS and non-FIPS mode
- Note: I have not yet tested these in FIPS enforcing mode so adjustments may need to be made
- Fri Feb 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Added support for the new augeasproviders_ssh module
- Migrated to the new 'simp' environment.
- Fri Feb 06 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7
- Made all of the custom functions environment aware
- Enhanced the ssh_keygen function to return private keys if so instructed since we can use that to eradicate some automatically generated cruft in the module spaces.
- Changed puppet-server requirement to puppet
- Fri Dec 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6
- Added a function, ssh_format_host_entry_for_sorting, that is explicitly for use by the concat_fragment part of ssh::client::add_entry. It handles proper sorting order when wildcards and question marks are used.
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5
- Removed all non FIPS compliant ciphers from ssh server and client configs.
- Thu Jun 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5
- Added support for the 'AuthorizedKeysCommandUser' in sshd_config since this is now required in RHEL >= 7.
- Thu Jun 05 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-4
- Set compression off in sshd_config by default.
- Thu May 22 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Fixed a resource chaining issue with /etc/ssh/ldap.conf. The source had not been declared properly so the dependency chain was not being enforced.
- Fri Apr 11 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2
- Refactored manifests and removed singleton defines for puppet 3 and hiera compatibility.
- Added spec tests.
- Added function sshd_config_bool_translate to translate booleans into yes/no variables.
- Sun Apr 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- Added hooks for various top-level variables for increased configuration flexibility.
- Tue Jan 28 2014 Kendall Moore kmoore@keywcorp.com 4.1.0-1
- Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.
- Removed the management of most variables by default from ssh::server::conf. The remainder are now managed by an sshd augeas provider.
- ALL supported variables are now settable via extdata as ssh::server::conf::
- This means that you can easily manipulate any variable as well as setting those that are not natively managed using the augeas provider.
- This work was done for supporting OpenShift
- Thu Jan 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- AVC errors were being generated due to the /etc/ssh/ldap.conf file being a symlink. This is now copied directly from /etc/pam_ldap.conf instead of linked.
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-2
- Updated all erb templates to properly scope variables.
- Wed Sep 25 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1
- Added the ability to modify the hosts that can connect to sshd via IPTables using a client_nets variable.
- Thu May 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0
- Changed all localtime symlinks to file copies since SELinux does not like symlinks in these cases.
- Tue Apr 16 2013 Nick Markowski nmarkowski@keywcorp.com - 2.0.0-9
- All ssh public key authentication now directly uses LDAP.
- Added ldap.conf to /etc/ssh.
- Added openssh-ldap rpm and authorizedkeyscommand wrapper to template.
- SSH fully manages /etc/ssh/local_keys.
- Mon Dec 10 2012 Maintenance 2.0.0-8
- Created a Cucumber test to ensure that the SSH daemon is running.
- Created a Cucumber test which creates a temporary user, and ensures that they can SSH into the puppet server.
- Thu Nov 08 2012 Maintenance 2.0.0-7
- The ssh_global_known_hosts function now automatically deletes any short name key files that conflict with a long name file prior to manipulating the catalog.
- Fri Jul 20 2012 Maintenance 2.0.0-6
- Added a custom type 'sshkey_prune' that, given a target file, prunes all ssh keys that Puppet doesn't know about.
- Updated the ssh_global_known_hosts function to expire old keys after 7 days by default. Users may specify their own number of expire days or set to 0 to never expire any keys.
- Wed Apr 11 2012 Maintenance 2.0.0-5
- Fixed bug with ssh_global_known_hosts such that it uses 'host_aliases' instead of 'alias' since the latter has be deprecated.
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 2.0.0-4
- Added the CBC ciphers back to the SSH server default config since their absence was causing issues with various scripting languages.
- Reformatted against the Puppet Labs style guide.
- Improved test stubs.
- Mon Dec 26 2011 Maintenance 2.0.0-3
- Updated the spec file to not require a separate file list.
- Tue May 31 2011 Maintenance - 2.0.0-2
- Set PrintLastLog to 'no' by default since this is now handled by PAM.
- Removed CBC ciphers from the client and server.
- No longer enable X11 forwarding on SSH servers by default.
- Reduce the acceptable SSH cipher set to AES without CBC.
- Fri Feb 11 2011 Maintenance - 2.0.0-1
- Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
- Updated to use concat_build and concat_fragment types.
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Maintenance - 1-2
- Converting all spec files to check for directories prior to copy.
- Wed Jun 30 2010 Maintenance 1.0-1
- /etc/ssh/ssh_known_hosts is now collected from all puppet managed hosts without using stored configs.
- Tue May 25 2010 Maintenance 1.0-0
- Code refactoring.
Dependencies
- puppet/augeasproviders_ssh (>= 2.5.0 < 8.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
pupmod-simp-ssh - A Puppet Module for managing SSHD -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.