ssh

Manage ssh

Version information

Version 6.7.1, released Jun 11th 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
  • Puppet >= 5.0.0 < 7.0.0

Start using this module

Add this module to your Puppetfile:

mod 'simp-ssh', '6.7.1'

Add this module to your Bolt project:

bolt module add simp-ssh

Manually install this module globally with the Puppet module tool:

puppet module install simp-ssh --version 6.7.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Documentation

simp/ssh — version 6.7.1 Jun 11th 2019

Reference

Classes

ssh

Sets up files for ssh.

Parameters

The following parameters are available in the ssh class.

enable_client

Data type: Boolean

If true, set up the SSH client configuration files.

Default value: true

enable_server

Data type: Boolean

If true, set up an SSH server on the system.

Default value: true

ssh::authorized_keys

This class was designed so that you can paste the output of the SSH pubkey into Hiera and it will work. See the example below for details.

WARNING: This creates a user for every key and every user in the Hash. If this is large, please consider moving to a central source for these keys, such as LDAP, so that you do not over-burden your Puppet server.

Examples

Adding user keys via Hiera
---
ssh::authorized_keys::keys:
  kelly: ssh-rsa skjfhslkdjfs...
  nick:
  - ssh-rsa sajhgfsaihd...
  - ssh-rsa jrklsahsgfs...
  mike:
    key: ssh-rsa dlfkjsahh...
    user: mlast
    target: /home/gitlab-runner/.ssh/authorized_keys

Parameters

The following parameters are available in the ssh::authorized_keys class.

keys

Data type: Hash

The hash to generate key resources from

Default value: {}

ssh::client

Sets up an SSH client and creates /etc/ssh/ssh_config.

Parameters

The following parameters are available in the ssh::client class.

add_default_entry

Data type: Boolean

Set this if you wish to automatically have the '*' Host entry set up with some sane defaults.

Default value: true

fips

Data type: Boolean

If set or FIPS is already enabled, adjust for FIPS mode.

Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })

haveged

Data type: Boolean

If true, include the haveged module to assist with entropy generation.

Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })

package_ensure

Data type: String

The ensure status of the openssh-clients package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

ssh::client::params

Default parameters for the SSH client

ssh::server

Sets up an SSH server and starts sshd.

Parameters

The following parameters are available in the ssh::server class.

server_ensure

Data type: String

The ensure status of the openssh-server package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

ldap_ensure

Data type: String

The ensure status of the openssh-ldap package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

ssh::server::conf

sshd configuration variables can be set using Augeas outside of this class with no adverse effects.

Parameters

The following parameters are available in the ssh::server::conf class.

acceptenv

Data type: Array[String]

Specifies which environment variables sent by the client will be copied into the session's environment.

Default value: $ssh::server::params::acceptenv

allowgroups

Data type: Optional[Array[String]]

A list of group name patterns. If specified, login is allowed only for users whose primary or supplementary group list matches one of the patterns.

Default value: undef

allowusers

Data type: Optional[Array[String]]

A list of user name patterns. If specified, login is allowed only for users whose name matches one of the patterns.

Default value: undef

authorizedkeysfile

Data type: String

This is set to a non-standard location to provide for increased control over who can log in as a given user.

Default value: '/etc/ssh/local_keys/%u'

authorizedkeyscommand

Data type: Optional[Stdlib::Absolutepath]

Specifies a program to be used for lookup of the user's public keys.

Default value: undef

authorizedkeyscommanduser

Data type: String

Specifies the user under whose account the AuthorizedKeysCommand is run.

Default value: 'nobody'

banner

Data type: Stdlib::Absolutepath

The contents of the specified file are sent to the remote user before authentication is allowed.

Default value: '/etc/issue.net'

challengeresponseauthentication

Data type: Boolean

Specifies whether challenge-response authentication is allowed.

Default value: false

ciphers

Data type: Optional[Array[String]]

Specifies the ciphers allowed for protocol version 2. When unset, a strong set of ciphers is automatically selected by this class, taking into account whether the server is in FIPS mode.

Default value: undef

clientalivecountmax

Data type: Integer

See the sshd_config man page.

Default value: 0

clientaliveinterval

Data type: Integer

See the sshd_config man page.

Default value: 600

compression

Data type: Variant[Boolean,Enum['delayed']]

Specifies whether compression is allowed, or delayed until the user has authenticated successfully.

Default value: 'delayed'

denygroups

Data type: Optional[Array[String]]

A list of group name patterns. If specified, login is disallowed for users whose primary or supplementary group list matches one of the patterns.

Default value: undef

denyusers

Data type: Optional[Array[String]]

A list of user name patterns. If specified, login is disallowed for users whose name matches one of the patterns.

Default value: undef

gssapiauthentication

Data type: Boolean

Specifies whether user authentication based on GSSAPI is allowed. If the system is connected to an IPA domain, this will default to true, based on the existence of the ipa fact.

Default value: $ssh::server::params::gssapiauthentication

hostbasedauthentication

Data type: Boolean

See the sshd_config man page.

Default value: false

ignorerhosts

Data type: Boolean

See the sshd_config man page.

Default value: true

ignoreuserknownhosts

Data type: Boolean

See the sshd_config man page.

Default value: true

kerberosauthentication

Data type: Boolean

See the sshd_config man page.

Default value: false

kex_algorithms

Data type: Optional[Array[String]]

Specifies the key exchange algorithms accepted. When unset, an appropriate set of algorithms is automatically selected by this class, taking into account whether the server is in FIPS mode and whether the version of openssh installed supports this feature.

Default value: undef

listenaddress

Data type: Optional[Variant[Simplib::Host, Array[Simplib::Host]]]

Specifies the local addresses sshd should listen on.

  • WARNING: On EL6 systems, if sshd was listening on both IPv4 and IPv6 and you set this to an IPv4-only address (even 0.0.0.0), the service restart will erase the file /var/run/sshd.pid and the service will no longer be manageable from the service command until either the system is restarted or the pidfile is recreated correctly.

Default value: undef

logingracetime

Data type: Integer[0]

The max number of seconds the server will wait for a successful login before disconnecting. If the value is 0, there is no limit.

Default value: 120

ssh_loglevel

Data type: Optional[Ssh::Loglevel]

Specifies the verbosity level that is used when logging messages from sshd.

Default value: undef

macs

Data type: Optional[Array[String]]

Specifies the available MAC algorithms. When unset, a strong set of MAC algorithms is automatically selected by this class, taking into account whether the server is in FIPS mode.

Default value: undef

maxauthtries

Data type: Integer[1]

Specifies the maximum number of authentication attempts permitted per connection.

Default value: 6

passwordauthentication

Data type: Boolean

Enable password authentication on the sshd server. If set to undef, this setting will not be managed.

  • Note: This setting must be managed by default so that switching to and from OATH does not lock you out of your system.

Default value: true

permitemptypasswords

Data type: Boolean

When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.

Default value: false

permitrootlogin

Data type: Ssh::PermitRootLogin

Specifies whether root can log in using SSH.

Default value: false

permituserenvironment

Data type: Boolean

See the sshd_config man page.

Default value: false

port

Data type: Simplib::Port

Specifies the port number SSHD listens on.

Default value: 22

printlastlog

Data type: Boolean

Specifies whether SSHD should print the date and time of the last user login when a user logs in interactively.

Default value: false

protocol

Data type: Array[Integer[1,2]]

See the sshd_config man page.

Default value: [2]

rhostsrsaauthentication

Data type: Optional[Boolean]

This sshd option has been completely removed in openssh 7.4 and will cause an error message to be logged when present. On systems using openssh 7.4 or later, only set this value if you need RhostsRSAAuthentication to be in the sshd configuration file to satisfy an outdated STIG check.

Default value: $ssh::server::params::rhostsrsaauthentication

strictmodes

Data type: Boolean

See the sshd_config man page.

Default value: true

subsystem

Data type: String

Configures an external subsystem for file transfers.

Default value: 'sftp /usr/libexec/openssh/sftp-server'

syslogfacility

Data type: Ssh::Syslogfacility

Gives the facility code that is used when logging messages.

Default value: 'AUTHPRIV'

tcpwrappers

Data type: Boolean

If true, enable sshd tcpwrappers.

Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })

usepam

Data type: Boolean

Enables the Pluggable Authentication Module interface.

Default value: simplib::lookup('simp_options::pam', { 'default_value' => true })

manage_pam_sshd

Data type: Boolean

Flag indicating whether or not to manage the PAM stack for sshd. This is required for the oath option to work properly.

Default value: $oath

oath

Data type: Boolean

EXPERIMENTAL FEATURE: Configures ssh to use pam_oath TOTP in the sshd PAM stack. Also configures sshd_config to use the required settings. Inherits from simp_options::oath; defaults to false if not found.

  • WARNING: If this setting is enabled then disabled and passwordauthentication is unmanaged, this will be set to no in sshd_config!

Default value: simplib::lookup('simp_options::oath', { 'default_value' => false })

oath_window

Data type: Integer[0]

Sets the TOTP window (Defined in RFC 6238 section 5.2)

Default value: 1

useprivilegeseparation

Data type: Variant[Boolean,Enum['sandbox']]

Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic.

Default value: $ssh::server::params::useprivilegeseparation

x11forwarding

Data type: Boolean

Specifies whether X11 forwarding is permitted.

Default value: false

custom_entries

Data type: Optional[Hash[String[1],NotUndef]]

A Hash of key/value pairs that will be added as sshd_config resources without any validation.

  • NOTE: Due to complexity, Match entries are not supported and will need to be added using sshd_config_match resources as described in augeasproviders_ssh

Example: Set AuthorizedPrincipalsCommand

ssh::server::conf::custom_entries:
  AuthorizedPrincipalsCommand: '/usr/local/bin/my_auth_command'

Default value: undef

app_pki_external_source

Data type: String

  • If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

  • If pki = false, this variable has no effect.

Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })

app_pki_key

Data type: Stdlib::Absolutepath

Path and name of the private SSL key file. This key file is used to generate the system SSH certificates for consistency.

Default value: "/etc/pki/simp_apps/sshd/x509/private/${facts['fqdn']}.pem"

enable_fallback_ciphers

Data type: Boolean

If true, add the fallback ciphers from ssh::server::params to the cipher list. This is intended to provide compatibility with non-SIMP systems in a way that properly supports FIPS 140-2.

Default value: true

fallback_ciphers

Data type: Array[String]

The set of ciphers that should be used should no other cipher be declared. This is used when $ssh::server::conf::enable_fallback_ciphers is enabled.

Default value: $ssh::server::params::fallback_ciphers

fips

Data type: Boolean

If set or FIPS is already enabled, adjust for FIPS mode.

Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })

firewall

Data type: Boolean

If true, use the SIMP iptables class.

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })

haveged

Data type: Boolean

If true, include the haveged module to assist with entropy generation.

Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })

ldap

Data type: Boolean

If true, enable LDAP support on the system. If authorizedkeyscommand is empty, this will set the authorizedkeyscommand to ssh-ldap-wrapper so that SSH public keys can be stored directly in LDAP.

Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })

pki

Data type: Variant[Enum['simp'],Boolean]

  • If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/sshd/x509
  • If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/sshd/x509
  • If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
    • app_pki_dir
    • app_pki_key
    • app_pki_cert
    • app_pki_ca
    • app_pki_ca_dir

Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })

sssd

Data type: Boolean

If true, use sssd

Default value: simplib::lookup('simp_options::sssd', { 'default_value' => false })

trusted_nets

Data type: Simplib::Netlist

The networks to allow to connect to SSH.

Default value: ['ALL']

ssh::server::params

  • KexAlgorithm configuration was not added until openssh 5.7
  • Curve exchange was not fully supported until openssh 6.5

Defined types

ssh::client::host_config_entry

Examples

Adding default entry

ssh::client::host_config_entry { '*':
  gssapiauthentication => true,
  forwardx11trusted    => true,
}

Parameters

The following parameters are available in the ssh::client::host_config_entry defined type.

target

Data type: Stdlib::Absolutepath

Absolute path to the ssh_config file to manage.

Default value: '/etc/ssh/ssh_config'

address_family

Data type: Enum['any', 'inet', 'inet6']

The IP Address family to use when connecting. Valid options: 'any', 'inet', 'inet6'.

Default value: 'any'

batchmode

Data type: Boolean

If set to true, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password.

Default value: false

bindaddress

Data type: Optional[Simplib::Host]

Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address. Note that this option does not work if UsePrivilegedPort is set to false.

Default value: undef

challengeresponseauthentication

Data type: Boolean

Specifies whether to use challenge-response authentication.

Default value: true

checkhostip

Data type: Boolean

If this flag is set to true, ssh will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing and will add addresses of destination hosts to ~/.ssh/known_hosts in the process, regardless of the setting of StrictHostKeyChecking.

Default value: true

cipher

Data type: Enum['blowfish', '3des', 'des']

Specifies the cipher to use for encrypting the session in protocol version 1. Valid Options: 'blowfish', '3des', 'des'.

Default value: '3des'

ciphers

Data type: Optional[Array[String]]

Specifies the ciphers allowed for protocol version 2 in order of preference. When unset, a strong set of ciphers is automatically selected by this class, taking into account whether the server is in FIPS mode.

Default value: undef

clearallforwardings

Data type: Boolean

Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared.

Default value: false

compression

Data type: Boolean

Specifies whether to use compression.

Default value: true

compressionlevel

Data type: Integer[1,9]

Specifies the compression level to use if compression is enabled.

Default value: 6

connectionattempts

Data type: Integer[1]

Specifies the number of tries (one per second) to make before exiting.

Default value: 1

connecttimeout

Data type: Integer[0]

Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout.

Default value: 0

controlmaster

Data type: Enum['yes','no','ask']

Enables the sharing of multiple sessions over a single network connection.

Default value: 'no'

controlpath

Data type: Optional[Variant[Stdlib::Absolutepath, Enum['none']]]

Specify the path to the control socket used for connection sharing as set by controlmaster.

Default value: undef

dynamicforward

Data type: Optional[Variant[Simplib::Port, Simplib::Host::Port]]

Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.

Default value: undef

enablesshkeysign

Data type: Boolean

Setting this option to true enables the use of the helper program ssh-keysign during HostbasedAuthentication.

Default value: false

escapechar

Data type: Pattern[/^[[:graph:]]$/, /^\^[[:alpha:]]$/, /^none$/]

Sets the default escape character. Must be a single character.

Default value: '~'

exitonforwardfailure

Data type: Boolean

Specifies whether ssh should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote port forwardings.

Default value: false

forwardagent

Data type: Boolean

Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine.

Default value: false

forwardx11

Data type: Boolean

Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set.

Default value: false

forwardx11trusted

Data type: Boolean

If set to true, remote X11 clients will have full access to the original X11 display.

Default value: false

gatewayports

Data type: Boolean

Specifies whether remote hosts are allowed to connect to local forwarded ports.

Default value: false

globalknownhostsfile

Data type: Optional[Array[Stdlib::Absolutepath]]

Specifies one or more files to use for the global host key database.

Default value: undef

gssapiauthentication

Data type: Boolean

Specifies whether user authentication based on GSSAPI is allowed. If the system is connected to an IPA domain, this will be set to true, regardless of this parameter. It uses the ipa fact to determine domain membership.

Default value: false

gssapidelegatecredentials

Data type: Boolean

Forward credentials to the server.

Default value: false

gssapikeyexchange

Data type: Boolean

Specifies whether key exchange based on GSSAPI may be used.

Default value: false

gssapirenewalforcesrekey

Data type: Boolean

If set to true, then renewal of the client's GSSAPI credentials will force the rekeying of the ssh connection.

Default value: false

gssapitrustdns

Data type: Boolean

Set to true to indicate that the DNS is trusted to securely canonicalize the name of the host being connected to.

Default value: false

hashknownhosts

Data type: Boolean

Indicates that SSH should hash host names and addresses when they are added to known hosts.

Default value: true

hostbasedauthentication

Data type: Boolean

Specifies whether to try rhosts based authentication with public key authentication.

Default value: false

hostkeyalgorithms

Data type: Array[String]

Specifies the host key algorithms that the client wants to use in order of preference.

Default value: ['ssh-rsa','ssh-dss']

hostkeyalias

Data type: Optional[String]

Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files.

Default value: undef

hostname

Data type: Optional[Simplib::Host]

Specifies the real hostname to log into.

Default value: undef

identitiesonly

Data type: Boolean

Specifies that ssh should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh command-line, even if ssh-agent or a PKCS11Provider offers more identities.

Default value: false

identityfile

Data type: Optional[String]

Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication identity is read.

Default value: undef

kbdinteractiveauthentication

Data type: Boolean

Specifies whether to use keyboard-interactive authentication.

Default value: true

kbdinteractivedevices

Data type: Optional[Array[String]]

Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated.

Default value: undef

localcommand

Data type: Optional[String]

Specifies a command to execute on the local machine after successfully connecting to the server.

Default value: undef

localforward

Data type: Optional[String]

Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport.

Default value: undef

ssh_loglevel

Data type: Ssh::Loglevel

Gives the verbosity level that is used when logging messages. Valid options: 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', and 'DEBUG3'.

Default value: 'INFO'

macs

Data type: Optional[Array[String]]

Specifies the MAC (message authentication code) algorithms in order of preference. When unset, a strong set of algorithms is automatically selected by this class, taking into account whether the server is in FIPS mode.

Default value: undef

nohostauthenticationforlocalhost

Data type: Boolean

This option can be used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of the machines and the user will get many warnings about changed host keys. However, this option disables host authentication for localhost.

Default value: false

numberofpasswordprompts

Data type: Integer[1]

Specifies the number of password prompts before giving up.

Default value: 3

passwordauthentication

Data type: Boolean

Specifies whether to use password authentication.

Default value: true

permitlocalcommand

Data type: Boolean

Allow local command execution via the LocalCommand option or using the !command escape sequence.

Default value: false

port

Data type: Simplib::Port

Specifies the port number to connect on the remote host.

Default value: 22

preferredauthentications

Data type: Array[Ssh::Authentications]

Specifies the order in which the client should try authentication methods. The order will be determined from the start of the array to the end of the array. Default: ['publickey','hostbased','keyboard-interactive','password']

Default value: [ 'publickey', 'hostbased', 'keyboard-interactive', 'password' ]

protocol

Data type: Variant[Integer[1,2], Enum['2,1']]

Specifies the protocol versions SSH should support.

Default value: 2

proxycommand

Data type: Optional[String]

Specifies the command to use to connect to the server.

Default value: undef

pubkeyauthentication

Data type: Boolean

Specifies whether to try public key authentication.

Default value: true

rekeylimit

Data type: Optional[String]

Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed by a maximum amount of time that may pass before the session key is renegotiated.

Default value: undef

remoteforward

Data type: Optional[String]

Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine.

Default value: undef

rhostsrsaauthentication

Data type: Boolean

Specifies whether to try rhosts based authentication with RSA host authentication.

Default value: false

rsaauthentication

Data type: Boolean

Specifies whether to try RSA Authentication.

Default value: true

sendenv

Data type: Array[String]

Specifies which variables from the local environment should be sent to the server.

Default value: [ 'LANG', 'LC_CTYPE', 'LC_NUMERIC', 'LC_TIME', 'LC_COLLATE', 'LC_MONETARY', 'LC_MESSAGES', 'LC_PAPER', 'LC_NAME', 'LC_ADDRESS', 'LC_TELEPHONE', 'LC_MEASUREMENT', 'LC_IDENTIFICATION', 'LC_ALL' ]

serveralivecountmax

Data type: Integer[1]

Sets the number of server alive messages (see below) which may be sent without ssh receiving any messages back from the server.

Default value: 3

serveraliveinterval

Data type: Integer[0]

Sets a timeout interval in seconds after which if no data has been received from the server. The default is 0, indicating that these messages will not be sent to the server.

Default value: 0

smartcarddevice

Data type: Optional[String]

Specifies which smartcard device to use.

Default value: undef

stricthostkeychecking

Data type: Enum['yes','no','ask']

If set to yes, ssh will never automatically add host keys to the known_hosts file, and refuses to connect to hosts whose keys have changed. If this flag is set to "ask", new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. Valid Options: 'yes', 'no', 'ask'

Default value: 'ask'

tcpkeepalive

Data type: Boolean

Specifies whether the system should send TCP keepalive messages to the other side.

Default value: true

tunnel

Data type: Enum['yes','no','point-to-point','ethernet']

If 'yes', request device forwarding between the client and server.

Default value: 'yes'

tunneldevice

Data type: Optional[String]

Specifies the devices to open on the client and the server.

Default value: undef

useprivilegedport

Data type: Boolean

Specifies whether to use a privileged port for outgoing connections.

Default value: false

user

Data type: Optional[String]

Specifies the user to log in as.

Default value: undef

userknownhostsfile

Data type: Optional[Array[Stdlib::Absolutepath]]

Specifies one or more files to use for the user host key database, separated by whitespace.

Default value: undef

verifyhostkeydns

Data type: Enum['yes','no','ask']

Specifies whether to verify the remote key using DNS and SSHFP resource records.

Default value: 'no'

visualhostkey

Data type: Boolean

If this flag is set to true, an ASCII art representation of the remote host key fingerprint is printed in addition to the fingerprint string at login and for unknown host keys.

Default value: false

xauthlocation

Data type: Stdlib::Absolutepath

Specifies the full pathname of the xauth program.

Default value: '/usr/bin/xauth'

Resource types

sshkey_prune

The file that you wish to prune

Properties

The following properties are available in the sshkey_prune type.

prune

Valid values: true, false

Whether or not to prune the file in $name

Default value: true

Parameters

The following parameters are available in the sshkey_prune type.

name

namevar

The file that you wish to prune

Functions

ssh::autokey

Type: Ruby 4.x API

Keys are stored in "Puppet[:vardir]/simp/environments//simp_autofiles/ssh_autokeys"

Note: This function is marked as an InternalFunction because it changes the state of the system by writing key files.

ssh::autokey(String $username, Optional[Hash] $options)

The following options are supported:

  • 'key_strength': key length, Integer, defaults to 2048
  • 'return_private': whether to return the private key, Boolean, defaults to false

NOTE: A minimum key strength of 1024 is enforced!

Returns: String The public key of the user

username

Data type: String

username for which SSH key pairs will be generated

options

Data type: Optional[Hash]

Options hash

ssh::autokey(String $username, Optional[Integer] $key_strength, Optional[Boolean] $return_private)

NOTE: A minimum key strength of 1024 is enforced!

Returns: String The public key of the user or the private key if return_private is specified.

username

Data type: String

username for which SSH key pairs will be generated

key_strength

Data type: Optional[Integer]

key length, defaults to 2048

return_private

Data type: Optional[Boolean]

whether to return the private key, defaults to false

ssh::config_bool_translate

Type: Ruby 4.x API

All other values are passed through unchanged.

ssh::config_bool_translate(String $config_item)

The ssh::config_bool_translate function.

Returns: Any transformed config_item

config_item

Data type: String

Configuration item to be translated

ssh::config_bool_translate(Boolean $config_item)

The ssh::config_bool_translate function.

Returns: Any transformed config_item

config_item

Data type: Boolean

Configuration item to be translated

ssh::format_host_entry_for_sorting

Type: Ruby 4.x API

The output is intended for use with the simpcat_fragment type and is not meant for use as a host entry itself.

The general idea is that it places all items at the bottom of the list using zzzz, then sorts by question marks first per section then wildcards per section.

Example: Input: '*' Output: 'zzzz98_st__'

Input: '*.foo.bar' Output: 'zzzz96_st__.foo.bar'

Input: 'foo.?.bar' Output: 'foo.zzzz95_qu__.bar'

Input: 'foo?.*.bar' Output: 'foozzzz96_qu.zzzz95_st.bar'

ssh::format_host_entry_for_sorting(String $host_entry)

Returns: Any transformed host_entry

host_entry

Data type: String

SSH host entry, which may contain wildcards

ssh::global_known_hosts

Type: Ruby 4.x API

removing duplicates, and creating catalog resources that are found

Note: This function is marked as an InternalFunction because it changes the state of the system by adding/removing files and adding catalog resources.

ssh::global_known_hosts(Optional[Integer] $expire_days)

Returns: None

expire_days

Data type: Optional[Integer]

expire time in days; defaults to 7; value of 0 means never purge

ssh::parse_ssh_pubkey

Type: Puppet Language

Take an SSH pubkey that looks like: ssh-rsa jdlkfgjsdfo;i... user@domain.com and turn it into a hash usable in the ssh_authorized_key type.

ssh::parse_ssh_pubkey(String $key)

Returns: Hash

key

Data type: String

The ssh key, can be pasted from ~/.ssh/id_rsa.pub or similar
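An added stand-alone Ruby model of two pieces described on this page: the ssh::authorized_keys::keys Hiera hash (string, array and hash forms) and the ssh::parse_ssh_pubkey function. This is example code, not the module's own implementation; the function names, the resource layout, the base64 check and the derivation of the default target from the documented authorizedkeysfile default are assumptions, and the sample keys are constructed.

```ruby
# Added example (not code from the simp/ssh module): a stand-alone Ruby model of
# how ssh::authorized_keys::keys and ssh::parse_ssh_pubkey fit together.
# Function names, the resource layout and the constructed sample keys are
# assumptions based on the documentation, not the module's implementation.

# Model of the documented ssh::parse_ssh_pubkey: take a line such as
# "ssh-rsa AAAA... user@domain.com" and return a hash usable with the
# ssh_authorized_key type ('type', 'key' and, when present, 'comment').
def parse_ssh_pubkey(key)
  fields = key.strip.split(/\s+/, 3)
  raise ArgumentError, "malformed public key: #{key.inspect}" if fields.length < 2

  type, blob, comment = fields
  # Key material is a single base64 token; rejecting anything else keeps a
  # truncated or mangled paste from ever landing in an authorized_keys file.
  unless blob.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})
    raise ArgumentError, "key material is not base64 for #{type} key"
  end

  result = { 'type' => type, 'key' => blob }
  result['comment'] = comment if comment && !comment.empty?
  result
end

# Default per-user target, derived here from the documented
# ssh::server::conf::authorizedkeysfile default '/etc/ssh/local_keys/%u'.
# Assumption: the page does not state that the module derives it this way.
def default_target_for(user)
  "/etc/ssh/local_keys/#{user}"
end

# Build one ssh_authorized_key-style resource hash. The title is the key's
# comment when one exists, otherwise the user plus the tail of the key blob.
def build_resource(user, key, target)
  parsed = parse_ssh_pubkey(key)
  blob = parsed['key']
  tail = blob.length > 8 ? blob[-8, 8] : blob
  {
    'title'  => parsed.fetch('comment', "#{user}-#{tail}"),
    'user'   => user,
    'type'   => parsed['type'],
    'key'    => blob,
    'target' => target || default_target_for(user),
  }
end

# Expand the three documented shapes of ssh::authorized_keys::keys:
#   kelly: <key string>
#   nick:  [<key string>, ...]
#   mike:  { key: <key string>, user: <login>, target: <path> }
# into one resource per key. The hash key is the login name unless the
# Hash form overrides it with 'user'.
def expand_authorized_keys(keys)
  keys.flat_map do |name, spec|
    case spec
    when String then [build_resource(name, spec, nil)]
    when Array  then spec.map { |k| build_resource(name, k, nil) }
    when Hash
      [build_resource(spec.fetch('user', name), spec.fetch('key'), spec['target'])]
    else
      raise ArgumentError, "unsupported entry for #{name}: #{spec.class}"
    end
  end
end

# Constructed sample data shaped like the Hiera example in the
# ssh::authorized_keys section; the key blobs are made-up base64 and do not
# correspond to any real key.
SAMPLE_KEYS = {
  'kelly' => 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBe2ibK9ZtC3wH8sQx1y7yzPq7xK2v0iTzW6f9QkM9nA kelly@laptop',
  'nick'  => [
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7w3ZzK0t2Fj5xVn9oQy8yaL1',
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzT5yzB1t4Kx0q2VwXxP1zXgQeF7p9n4xd6k2Hq9cYl nick@desk',
  ],
  'mike'  => {
    'key'    => 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5K9qX1wZ0tB3cP7yLm2nQ8sR4vU6aD9eF1gH2jK3lM mlast@ci',
    'user'   => 'mlast',
    'target' => '/home/gitlab-runner/.ssh/authorized_keys',
  },
}.freeze

if $PROGRAM_NAME == __FILE__
  # Three hash entries expand to four resources: this is the fan-out the
  # class documentation warns about for large key hashes.
  expand_authorized_keys(SAMPLE_KEYS).each do |r|
    puts "#{r['user']} -> #{r['target']} (#{r['type']}, #{r['title']})"
  end
end
```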

ssh_autokey

Type: Ruby 3.x API

Keys are stored in "Puppet[:vardir]/simp/environments//simp_autofiles/ssh_autokeys"

Arguments: username, [option_hash|integer], [return_private]

  • If an integer is the second argument, it will be used as the key strength

  • If a third option is passed AND the second option is not a Hash, the function will return the private key

  • option_hash

    • If option_hash is passed (as a Hash) then the following options are supported:
      • 'key_strength' => Integer
      • 'return_private' => Boolean (Anything but false|nil will be treated as 'true')

    NOTE: A minimum key strength of 1024 will be enforced.

ssh_autokey()

Returns: String The public cert of the passed user or the private key if requested.

ssh_global_known_hosts

Type: Ruby 3.x API

This function updates the ssh_known_hosts file for all hosts and updates any new ones that are found.

This function takes one argument, the expire time, which is specified in days.

Default expire time is 7 days. Set to '0' to never purge.

ssh_global_known_hosts()

Returns: None