ssh

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide and visit our developer wiki.

Work in Progress

Please excuse us as we transition this code into the public domain.

ssh::server

Ciphers

By default, the sshd::server class will accept a wide range of ciphers.

At the time of 5.1.0, the default ciphers for ssh::server are:

• aes128-gcm@openssh.com
• aes256-gcm@openssh.com

There are also 'fallback' ciphers, which are required in order to communicate with FIPS-140-2 conformant systems. These are also included by default unless the parameter ssh::server::conf::enable_fallback_ciphers is set to false:

• aes128-cbc
• aes192-cbc
• aes256-cbc

Examples

Default parameters

include 'sshd::server'

This will result in a server that accepts the following ciphers:

• aes128-gcm@openssh.com
• aes256-gcm@openssh.com
• aes128-cbc
• aes192-cbc
• aes256-cbc

Disabling fallback ciphers

class{'ssh::config':
  enable_fallback_ciphers => false
}
include 'sshd::server'

This will result in a server that accepts the following ciphers:

• aes128-gcm@openssh.com
• aes256-gcm@openssh.com

ssh::client

The ciphers configured for the ssh client are set to only the strongest ciphers. In order to connect to a system that does not have these ciphers but uses the older ciphers you should use the command line option, ssh -c. See the man pages for further information.

Examples

include 'sshd::client'

• Fri Sep 30 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.12-0

• Fixed dependencies in metadata.json prior to a Forge push.

• Wed Sep 28 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.11-0

• Fix Forge haveged dependency name

• Tue Sep 06 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.10-0

• Modified AuthorizedKeysCommand to be /usr/bin/sss_ssh_authorizedkeys if sssd is enabled.

• Thu Aug 04 2016 Nick Miller nick.miller@onyxpoint.com - 4.1.9-0

• Updated rpm requires to propery expire old versions

• Mon Jul 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.8-0

• Migration to semantic versioning and fix of the build system

• Tue Jul 05 2016 Nick Miller nick.miller@onyxpoint.com - 4.1.7-0

• The defaults for use_iptables and use_ldap will now follow the global catalysts. Updated acceptance tests.

• Thu Jun 30 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.6-0

• Use_haveged is now a global catalyst.

• Wed Jun 22 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.5-0

• Pupmod-haveged now included by default to assist with entropy generation.

• Tue Jun 07 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.4-0

• The openssh_version fact is now compatible with ruby 1.8.7.

• Sat May 21 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.4-0

• Ensure that we set the proper SELinux port connection options for sshd if using a non-standard port.

• Wed Apr 20 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.3-0

• Created an openssh_version fact.
• Modified kex algorithm set:
  • No longer set kex prior to openssh v 5.7
  • Curve25519 kex only set in openssh v 6.5+

• Tue Mar 22 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.2-0

• Openssh-ldap is no longer installed when use_sssd is true.

• Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.comm - 4.1.1-0

• Migrated use_simp_pki to a global catalyst.

• Mon Mar 14 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-15

• Ensure that EL6.7+ uses SSSD over NSCD

• Thu Feb 25 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-14

• Added compliance function support

• Mon Jan 18 2016 Carl Caum carl@puppetlabs.com - 4.1.0-13

• Removed empty logic block that was causing compilation errors in Puppet 4.

• Wed Dec 09 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-12

• CCE-3660-8 compliance. Do not allow empty ssh passwords.

• Fri Dec 04 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-12

• Replaced all 'lsb' facts with their (package-independent) 'operatingsystem' counterparts.
• Moved parameter validation to the top of each class.

• Fri Nov 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11

• Updated the code to work around a bug in the OpenSSH client where FIPS mode fails if the 'Cipher' parameter is present in /etc/ssh/ssh_config

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-11

• migration to simplib and simpcat (lib/ only)

• Fri Sep 18 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-10

• Updated the ssh client ciphers to match the ssh server ciphers.

• Wed Jul 29 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

• Incorporated the updated SSH Augeas Lenses
• Created a sub-rpm for the lenses to account for the modified license terms
• Added support for default KexAlgorithms
• Added sensible defaults for the SSH server in both FIPS and non-FIPS mode
• Note: I have not yet tested these in FIPS enforcing mode so adjustments may need to be made

• Fri Feb 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

• Added support for the new augeasproviders_ssh module
• Migrated to the new 'simp' environment.

• Fri Feb 06 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7

• Made all of the custom functions environment aware
• Enhanced the ssh_keygen function to return private keys if so instructed since we can use that to eradicate some automatically generated cruft in the module spaces.
• Changed puppet-server requirement to puppet

• Fri Dec 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6

• Added a function, ssh_format_host_entry_for_sorting, that is explicitly for use by the concat_fragment part of ssh::client::add_entry. It handles proper sorting order when wildcards and question marks are used.

• Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5

• Removed all non FIPS compliant ciphers from ssh server and client configs.

• Thu Jun 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5

• Added support for the 'AuthorizedKeysCommandUser' in sshd_config since this is now required in RHEL >= 7.

• Thu Jun 05 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-4

• Set compression off in sshd_config by default.

• Thu May 22 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

• Fixed a resource chaining issue with /etc/ssh/ldap.conf. The source had not been declared properly so the dependency chain was not being enforced.

• Fri Apr 11 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2

• Refactored manifests and removed singleton defines for puppet 3 and hiera compatibility.
• Added spec tests.
• Added function sshd_config_bool_translate to translate booleans into yes/no variables.

• Sun Apr 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2

• Added hooks for various top-level variables for increased configuration flexibility.

• Tue Jan 28 2014 Kendall Moore kmoore@keywcorp.com 4.1.0-1

• Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.
• Removed the management of most variables by default from ssh::server::conf. The remainder are now managed by an sshd augeas provider.
• ALL supported variables are now settable via extdata as ssh::server::conf::
• This means that you can easily manipulate any variable as well as setting those that are not natively managed using the augeas provider.
• This work was done for supporting OpenShift

• Thu Jan 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0

• AVC errors were being generated due to the /etc/ssh/ldap.conf file being a symlink. This is now copied directly from /etc/pam_ldap.conf instead of linked.

• Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-2

• Updated all erb templates to properly scope variables.

• Wed Sep 25 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1

• Added the ability to modify the hosts that can connect to sshd via IPTables using a client_nets variable.

• Thu May 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0

• Changed all localtime symlinks to file copies since SELinux does not like symlinks in these cases.

• Tue Apr 16 2013 Nick Markowski nmarkowski@keywcorp.com - 2.0.0-9

• All ssh public key authentication now directly uses LDAP.
• Added ldap.conf to /etc/ssh.
• Added openssh-ldap rpm and authorizedkeyscommand wrapper to template.
• SSH fully manages /etc/ssh/local_keys.

• Mon Dec 10 2012 Maintenance 2.0.0-8

• Created a Cucumber test to ensure that the SSH daemon is running.
• Created a Cucumber test which creates a temporary user, and ensures that they can SSH into the puppet server.

• Thu Nov 08 2012 Maintenance 2.0.0-7

• The ssh_global_known_hosts function now automatically deletes any short name key files that conflict with a long name file prior to manipulating the catalog.

• Fri Jul 20 2012 Maintenance 2.0.0-6

• Added a custom type 'sshkey_prune' that, given a target file, prunes all ssh keys that Puppet doesn't know about.
• Updated the ssh_global_known_hosts function to expire old keys after 7 days by default. Users may specify their own number of expire days or set to 0 to never expire any keys.

• Wed Apr 11 2012 Maintenance 2.0.0-5

• Fixed bug with ssh_global_known_hosts such that it uses 'host_aliases' instead of 'alias' since the latter has be deprecated.
• Moved mit-tests to /usr/share/simp...
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Maintenance 2.0.0-4

• Added the CBC ciphers back to the SSH server default config since their absence was causing issues with various scripting languages.
• Reformatted against the Puppet Labs style guide.
• Improved test stubs.

• Mon Dec 26 2011 Maintenance 2.0.0-3

• Updated the spec file to not require a separate file list.

• Tue May 31 2011 Maintenance - 2.0.0-2

• Set PrintLastLog to 'no' by default since this is now handled by PAM.
• Removed CBC ciphers from the client and server.
• No longer enable X11 forwarding on SSH servers by default.
• Reduce the acceptable SSH cipher set to AES without CBC.

• Fri Feb 11 2011 Maintenance - 2.0.0-1

• Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
• Updated to use concat_build and concat_fragment types.

• Tue Jan 11 2011 Maintenance 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Tue Oct 26 2010 Maintenance - 1-2

• Converting all spec files to check for directories prior to copy.

• Wed Jun 30 2010 Maintenance 1.0-1

• /etc/ssh/ssh_known_hosts is now collected from all puppet managed hosts without using stored configs.

• Tue May 25 2010 Maintenance 1.0-0

• Code refactoring.