Forge Home

3,381,450 downloads

6,288 latest version

3.4 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 12.1.0 (latest)
  • 12.0.1
  • 12.0.0
  • 11.2.0
  • 11.1.0
  • 11.0.0
  • 10.2.0
  • 10.1.0
  • 10.0.0
  • 9.0.0
  • 8.0.0
  • 7.0.2
  • 7.0.1
  • 7.0.0
  • 6.2.0
  • 6.1.0
  • 6.0.0
  • 5.0.0
  • 4.0.0
  • 3.0.1
  • 3.0.0
  • 2.9.1
  • 2.9.0
  • 2.8.1
  • 2.8.0
  • 2.7.0
  • 2.6.0
  • 2.5.0
  • 2.4.0
  • 2.3.6
  • 2.3.5
  • 2.3.4
  • 2.3.3
  • 2.3.2
  • 2.3.1
  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0
  • 1.4.0
  • 1.2.0
  • 1.1.1
  • 1.1.0
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0
released Feb 25th 2014

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'saz-ssh', '2.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add saz-ssh
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install saz-ssh --version 2.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

saz/ssh — version 2.0.0 Feb 25th 2014

SSH Client and Server Puppet Module

Manage SSH client and server via Puppet

Gittip

Support via Gittip

Requirements

  • Exported resources for host keys management
  • puppetlabs/stdlib

Usage

Since version 2.0.0 only non-default values are written to both, client and server, configuration files.

Multiple occurances of one config key (e.g. sshd should be listening on port 22 and 2222) should be passed as an array.

    options => {
      Port => [22, 2222],
    }

This is working for both, client and server

Both client and server

Host keys will be collected and distributed

    include ssh

or

    class { 'ssh':
      server_options => {
        'Match User www-data' => {
          'ChrootDirectory' => '%h',
          'ForceCommand' => 'internal-sftp',
          'PasswordAuthentication' => 'yes',
          'AllowTcpForwarding' => 'no',
          'X11Forwarding' => 'no',
        },
        Port => [22, 2222, 2288],
      },
      client_options => {
        'Host *.amazonaws.com' => {
          'User' => 'ec2-user',
        },
      },
    }

Client only

Collected host keys from servers will be written to known_hosts

    include ssh::client

or

    class { 'ssh::client':
      options => {
        'Host short' => {
          'User' => 'my-user',
          'HostName' => 'extreme.long.and.complicated.hostname.domain.tld',
        },
        'Host *' => {
          'User' => 'andromeda',
          'UserKnownHostsFile' => '/dev/null',
        },
      },
    }

Server only

Host keys will be collected for client distribution

    include ssh::server

or

    class { 'ssh::server':
      options => {
        'Match User www-data' => {
          'ChrootDirectory' => '%h',
          'ForceCommand' => 'internal-sftp',
          'PasswordAuthentication' => 'yes',
          'AllowTcpForwarding' => 'no',
          'X11Forwarding' => 'no',
        },
        'PasswordAuthentication' => 'no',
        'PermitRootLogin'        => 'no',
        'Port'                   => [22, 2222],
      },
    }

Default options

Client

    'Host *'                 => {
      'SendEnv'              => 'LANG LC_*',
      'HashKnownHosts'       => 'yes',
      'GSSAPIAuthentication' => 'yes',
    }

Server

    'ChallengeResponseAuthentication' => 'no',
    'X11Forwarding'                   => 'yes',
    'PrintMotd'                       => 'no',
    'AcceptEnv'                       => 'LANG LC_*',
    'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
    'UsePAM'                          => 'yes',

Overwriting default options

Default options will be merged with options passed in. If an option is set both as default and via options parameter, the latter will will win.

The following example will disable X11Forwarding, which is enabled by default:

    class { 'ssh::server':
      options           => {
        'X11Forwarding' => 'no',
      },
    }

Which will lead to the following sshd_config file:

# File is managed by Puppet

ChallengeResponseAuthentication no
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PasswordAuthentication no