Changed allowed MACs and ciphers, limited forwarding, limited protocol version to 2, added verbose level of logging. Corrected basic lint problems with osnailyfacter/example/site.pp and nailgun::host-only. Ported to granular deployment Change-Id: Id13b7dacb7b8e0494c983f5d671ee3f23a317e6d Related-bug: #1408595
# == Class: osnailyfacter::ssh
#
# Configures ssh server. Wraps the ssh::server class with a fixed set of
# sshd_config options: protocol version, the allowed ciphers and MACs, the
# listen port(s), log level, the authentication methods that stay enabled,
# forwarding and a few hardening switches.
#
# === Parameters
#
# [*ciphers*]
# Specifies the ciphers allowed for protocol version 2. Passed through
# unchanged as the value of the 'Ciphers' option, so it must be a
# comma-separated list in sshd_config syntax.
# NOTE(review): the default still allows arcfour256/arcfour128 (RC4) after
# the AES-CTR ciphers; keep them only while clients that need them exist.
#
# [*macs*]
# Specifies the available MAC (message authentication code) algorithms.
# Passed through unchanged as the value of the 'MACs' option.
# NOTE(review): the default still allows hmac-sha1 and hmac-ripemd160
# alongside the SHA-2 MACs.
#
# [*protocol_ver*]
# SSH protocol version to use. Defaults to 2
#
# [*ports*]
# Ports for SSH service to listen to. If more than one it should be an array
# Defaults to 22
#
# [*log_lvl*]
# SSH daemon log level. Defaults to VERBOSE, which makes sshd log the
# fingerprint of the public key used for each login.
#
# [*password_auth*]
# Use password authentication. Defaults to no
#
class osnailyfacter::ssh(
  $ciphers       = 'aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128',
  $macs          = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1',
  $protocol_ver  = '2',
  $ports         = '22',
  $log_lvl       = 'VERBOSE',
  $password_auth = 'no'
){

  # The sftp-server binary lives in a different place on RedHat and Debian
  # derived systems; any other os family falls back to the Debian path.
  case $::osfamily {
    'redhat': {
      $subsystem = 'sftp /usr/libexec/openssh/sftp-server'
    }
    'debian': {
      $subsystem = 'sftp /usr/lib/openssh/sftp-server'
    }
    default: {
      $subsystem = 'sftp /usr/lib/openssh/sftp-server'
    }
  }

  class { 'ssh::server':
    # presumably turns off the module's exported-resource (host key)
    # handling -- verify against the ssh::server class in use
    storeconfigs_enabled => false,
    # Every key below is written to sshd_config as-is; the values are not
    # validated here.
    options              => {
      'Protocol'                        => $protocol_ver,
      'Ciphers'                         => $ciphers,
      'MACs'                            => $macs,
      'Port'                            => $ports,
      'LogLevel'                        => $log_lvl,
      'Subsystem'                       => $subsystem,
      'PasswordAuthentication'          => $password_auth,
      # Only X11 forwarding is disabled; TCP port forwarding stays enabled.
      'AllowTcpForwarding'              => 'yes',
      'X11Forwarding'                   => 'no',
      # With password and challenge-response auth both 'no', PAM is still
      # used for account/session handling but not for interactive prompts.
      'UsePAM'                          => 'yes',
      # Skip reverse DNS lookups of the client address (avoids login delays).
      'UseDNS'                          => 'no',
      'GSSAPIAuthentication'            => 'no',
      'ChallengeResponseAuthentication' => 'no',
      'PubkeyAuthentication'            => 'yes',
      # RSAAuthentication only applies to protocol 1, so it has no effect
      # while Protocol is 2; kept for compatibility with older configs.
      'RSAAuthentication'               => 'yes',
      'UsePrivilegeSeparation'          => 'yes',
      # Refuse key files and home directories with world-writable permissions.
      'StrictModes'                     => 'yes',
    }
  }
}