ssh

#SSH

Table of Contents

1. Module Description - What the module does and why it is useful
2. Setup - The basics of getting started with ssh
   • What ssh affects
   • Setup requirements
   • Beginning with ssh
3. Usage - Configuration options and additional functionality
4. Reference
5. Limitations - OS compatibility, etc.
6. Development - Guide for contributing to the module
7. Acceptance Tests

Module Description

Sets up SSH Client and Server

Ciphers

By default, the sshd::server class will accept a wide range of ciphers.

At the time of 5.1.0, the default ciphers for ssh::server are:

• aes128-gcm@openssh.com
• aes256-gcm@openssh.com

There are also 'fallback' ciphers, which are required in order to communicate with FIPS-140-2 conformant systems. These are also included by default unless the parameter ssh::server::conf::enable_fallback_ciphers is set to false:

• aes128-cbc
• aes192-cbc
• aes256-cbc

Setup

What ssh affects

SSH installs the SSH package, runs the sshd service and manages files primarily in /etc/ssh

Setup requirements

The only requirement is including the ssh module in your modulepath

Beginning with SSH

including ::ssh will install both the server and the client

Usage

I want to manage only the server or the client

Server

include 'sshd::server'

This will result in a server that accepts the following ciphers:

• aes128-gcm@openssh.com
• aes256-gcm@openssh.com
• aes128-cbc
• aes192-cbc
• aes256-cbc

Client

include 'sshd::client'

The ciphers configured for the ssh client are set to only the strongest ciphers. In order to connect to a system that does not have these ciphers but uses the older ciphers you should use the command line option, ssh -c. See the man pages for further information.

I want to disable fallback ciphers

class{'ssh::config':
  enable_fallback_ciphers => false
}
include 'sshd::server'

This will result in a server that accepts the following ciphers:

• aes128-gcm@openssh.com
• aes256-gcm@openssh.com

Reference

Public Classes

• ssh
• ssh::client
• ssh::server
• ssh::server::conf

Defined Types

• ssh::client::host_config_entry

Limitations

SIMP Puppet modules are generally intended to be used on a Red Hat Enterprise Linux-compatible distribution.

Development

Please read our Contribution Guide and visit our Developer Wiki

If you find any issues, they can be submitted to our JIRA.

Acceptance tests

To run the system tests, you need Vagrant installed.

You can then run the following to execute the acceptance tests:

   bundle exec rake beaker:suites

Some environment variables may be useful:

   BEAKER_debug=true
   BEAKER_provision=no
   BEAKER_destroy=no
   BEAKER_use_fixtures_dir_for_modules=yes

• BEAKER_debug: show the commands being run on the STU and their output.
• BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
• BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
• BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests to run on isolated networks.

• Tue Jun 20 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0

• Convert internally-used Puppet 3 functions to Puppet 4
  • ssh_config_bool_translate is now ssh::config_bool_translate
  • ssh_format_host_entry_for_sorting now ssh::format_host_entry_for_sorting
• Create Puppet 4 versions of externally-used Puppet 3 functions and mark the Puppet 3 functions as deprecated. They will be removed in a later release.
  • ssh_autokey should be replaced with ssh::autokey
  • ssh_global_known_hosts should be replaced with ssh::global_known_hosts

• Tue Mar 28 2017 Nicholas Hughes - 6.1.0-0

• Set permissions back to what the RPM sets and security scans expect
  • /etc/ssh/moduli
  • /var/empty/sshd
  • /var/empty/sshd/etc
  • /var/empty/sshd/etc/localtime

• Thu Mar 23 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.0-0

• Reverted 'ssh::server::conf::trusted_nets' to 'ALL' by default to prevent lockouts from cloud systems

• Mon Mar 20 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.1-0

• move passgen to Puppet[:vardir]

• Thu Mar 9 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 6.0.1-0

• Remove some utf-8 smart quotes that were accidentally added to host_config_entry.pp

• Thu Feb 23 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.1-0

• Changed the default UsePrivilegeSeparation setting in sshd_config to use the vendor default of 'sandbox'
• Changed the default value of simp_options::trusted_nets to ['ALL'] to prevent permanent lockouts when a console isn't available.

• Thu Jan 19 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• Updated pki scheme, application certs now managed in /etc/pki/simp_apps/sshd/x509

• Tue Jan 10 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0

• Updated to use CTR ciphers instead of CBC as a fallback

• Tue Dec 20 2016 Liz Nemsick lnemsick.simp@gmail.com - 6.0.0-0

• Use simp_options module for global catalysts
• Use strongly typed parameters
• Rename defined type ssh::client::add_entry to ssh::client::host_config_entry

• Wed Nov 23 2016 Jeanne Greulich jgreulich@onyxpoint.com - 5.0.0-0

• Fix dependencies for simp 6 bump

• Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0

• Updated to compliance_markup version 2

• Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0

• Updated iptables dependency version

• Wed Oct 12 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0

• Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.

• Fri Sep 30 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.12-0

• Fixed dependencies in metadata.json prior to a Forge push.

• Wed Sep 28 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.11-0

• Fix Forge haveged dependency name

• Tue Sep 06 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.10-0

• Modified AuthorizedKeysCommand to be /usr/bin/sss_ssh_authorizedkeys if sssd is enabled.

• Thu Aug 04 2016 Nick Miller nick.miller@onyxpoint.com - 4.1.9-0

• Updated rpm requires to properly expire old versions

• Mon Jul 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.8-0

• Migration to semantic versioning and fix of the build system

• Tue Jul 05 2016 Nick Miller nick.miller@onyxpoint.com - 4.1.7-0

• The defaults for use_iptables and use_ldap will now follow the global catalysts. Updated acceptance tests.

• Thu Jun 30 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.6-0

• Use_haveged is now a global catalyst.

• Wed Jun 22 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.5-0

• Pupmod-haveged now included by default to assist with entropy generation.

• Tue Jun 07 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.4-0

• The openssh_version fact is now compatible with ruby 1.8.7.

• Sat May 21 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.4-0

• Ensure that we set the proper SELinux port connection options for sshd if using a non-standard port.

• Wed Apr 20 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.3-0

• Created an openssh_version fact.
• Modified kex algorithm set:
  • No longer set kex prior to openssh v 5.7
  • Curve25519 kex only set in openssh v 6.5+

• Tue Mar 22 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.2-0

• Openssh-ldap is no longer installed when use_sssd is true.

• Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.comm - 4.1.1-0

• Migrated use_simp_pki to a global catalyst.

• Mon Mar 14 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-15

• Ensure that EL6.7+ uses SSSD over NSCD

• Thu Feb 25 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-14

• Added compliance function support

• Mon Jan 18 2016 Carl Caum carl@puppetlabs.com - 4.1.0-13

• Removed empty logic block that was causing compilation errors in Puppet 4.

• Wed Dec 09 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-12

• CCE-3660-8 compliance. Do not allow empty ssh passwords.

• Fri Dec 04 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-12

• Replaced all 'lsb' facts with their (package-independent) 'operatingsystem' counterparts.
• Moved parameter validation to the top of each class.

• Fri Nov 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11

• Updated the code to work around a bug in the OpenSSH client where FIPS mode fails if the 'Cipher' parameter is present in /etc/ssh/ssh_config

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-11

• migration to simplib and simpcat (lib/ only)

• Fri Sep 18 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-10

• Updated the ssh client ciphers to match the ssh server ciphers.

• Wed Jul 29 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

• Incorporated the updated SSH Augeas Lenses
• Created a sub-rpm for the lenses to account for the modified license terms
• Added support for default KexAlgorithms
• Added sensible defaults for the SSH server in both FIPS and non-FIPS mode
• Note: I have not yet tested these in FIPS enforcing mode so adjustments may need to be made

• Fri Feb 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

• Added support for the new augeasproviders_ssh module
• Migrated to the new 'simp' environment.

• Fri Feb 06 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7

• Made all of the custom functions environment aware
• Enhanced the ssh_keygen function to return private keys if so instructed since we can use that to eradicate some automatically generated cruft in the module spaces.
• Changed puppet-server requirement to puppet

• Fri Dec 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6

• Added a function, ssh_format_host_entry_for_sorting, that is explicitly for use by the concat_fragment part of ssh::client::add_entry. It handles proper sorting order when wildcards and question marks are used.

• Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5

• Removed all non FIPS compliant ciphers from ssh server and client configs.

• Thu Jun 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5

• Added support for the 'AuthorizedKeysCommandUser' in sshd_config since this is now required in RHEL >= 7.

• Thu Jun 05 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-4

• Set compression off in sshd_config by default.

• Thu May 22 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

• Fixed a resource chaining issue with /etc/ssh/ldap.conf. The source had not been declared properly so the dependency chain was not being enforced.

• Fri Apr 11 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2

• Refactored manifests and removed singleton defines for puppet 3 and hiera compatibility.
• Added spec tests.
• Added function sshd_config_bool_translate to translate booleans into yes/no variables.

• Sun Apr 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2

• Added hooks for various top-level variables for increased configuration flexibility.

• Tue Jan 28 2014 Kendall Moore kmoore@keywcorp.com 4.1.0-1

• Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.
• Removed the management of most variables by default from ssh::server::conf. The remainder are now managed by an sshd augeas provider.
• ALL supported variables are now settable via extdata as ssh::server::conf::
• This means that you can easily manipulate any variable as well as setting those that are not natively managed using the augeas provider.
• This work was done for supporting OpenShift

• Thu Jan 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0

• AVC errors were being generated due to the /etc/ssh/ldap.conf file being a symlink. This is now copied directly from /etc/pam_ldap.conf instead of linked.

• Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-2

• Updated all erb templates to properly scope variables.

• Wed Sep 25 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1

• Added the ability to modify the hosts that can connect to sshd via IPTables using a client_nets variable.

• Thu May 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0

• Changed all localtime symlinks to file copies since SELinux does not like symlinks in these cases.

• Tue Apr 16 2013 Nick Markowski nmarkowski@keywcorp.com - 2.0.0-9

• All ssh public key authentication now directly uses LDAP.
• Added ldap.conf to /etc/ssh.
• Added openssh-ldap rpm and authorizedkeyscommand wrapper to template.
• SSH fully manages /etc/ssh/local_keys.

• Mon Dec 10 2012 Maintenance 2.0.0-8

• Created a Cucumber test to ensure that the SSH daemon is running.
• Created a Cucumber test which creates a temporary user, and ensures that they can SSH into the puppet server.

• Thu Nov 08 2012 Maintenance 2.0.0-7

• The ssh_global_known_hosts function now automatically deletes any short name key files that conflict with a long name file prior to manipulating the catalog.

• Fri Jul 20 2012 Maintenance 2.0.0-6

• Added a custom type 'sshkey_prune' that, given a target file, prunes all ssh keys that Puppet doesn't know about.
• Updated the ssh_global_known_hosts function to expire old keys after 7 days by default. Users may specify their own number of expire days or set to 0 to never expire any keys.

• Wed Apr 11 2012 Maintenance 2.0.0-5

• Fixed bug with ssh_global_known_hosts such that it uses 'host_aliases' instead of 'alias' since the latter has be deprecated.
• Moved mit-tests to /usr/share/simp...
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Maintenance 2.0.0-4

• Added the CBC ciphers back to the SSH server default config since their absence was causing issues with various scripting languages.
• Reformatted against the Puppet Labs style guide.
• Improved test stubs.

• Mon Dec 26 2011 Maintenance 2.0.0-3

• Updated the spec file to not require a separate file list.

• Tue May 31 2011 Maintenance - 2.0.0-2

• Set PrintLastLog to 'no' by default since this is now handled by PAM.
• Removed CBC ciphers from the client and server.
• No longer enable X11 forwarding on SSH servers by default.
• Reduce the acceptable SSH cipher set to AES without CBC.

• Fri Feb 11 2011 Maintenance - 2.0.0-1

• Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
• Updated to use concat_build and concat_fragment types.

• Tue Jan 11 2011 Maintenance 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Tue Oct 26 2010 Maintenance - 1-2

• Converting all spec files to check for directories prior to copy.

• Wed Jun 30 2010 Maintenance 1.0-1

• /etc/ssh/ssh_known_hosts is now collected from all puppet managed hosts without using stored configs.

• Tue May 25 2010 Maintenance 1.0-0

• Code refactoring.