fuel-library/deployment/puppet/ssh
Tomasz 'Zen' Napierala 4c5df22e5d Updated ssh module
Updated ssh module to fix sftp subsystem bug in CentOS

Upstream version: 2.4.0
Upstream SHA: e5cfeae06a16497382072d80c65c901aa0e696ea

Change-Id: I7f72aab77d982a3e47618a82f7dda9312c8699b9
Closes-bug: #1415078
2015-01-28 11:43:38 +01:00

puppet-ssh

Manage SSH client and server via Puppet

Requirements

  • Exported resources for host keys management
  • puppetlabs/stdlib

Usage

Since version 2.0.0, only non-default values are written to the client and server configuration files.

Multiple occurrences of one config key (e.g. sshd listening on both port 22 and port 2222) are passed as an array:

    options => {
      'Port' => [22, 2222],
    }

This works for both client and server.

Both client and server

Host keys will be collected and distributed unless storeconfigs_enabled is false.

    include ssh

or

    class { 'ssh':
      storeconfigs_enabled => false,
      server_options => {
        'Match User www-data' => {
          'ChrootDirectory' => '%h',
          'ForceCommand' => 'internal-sftp',
          'PasswordAuthentication' => 'yes',
          'AllowTcpForwarding' => 'no',
          'X11Forwarding' => 'no',
        },
        'Port' => [22, 2222, 2288],
      },
      client_options => {
        'Host *.amazonaws.com' => {
          'User' => 'ec2-user',
        },
      },
    }

Hiera example

    ssh::storeconfigs_enabled: true

    ssh::server_options:
      Protocol: '2'
      ListenAddress:
        - '127.0.0.0'
        - '%{::hostname}'
      PasswordAuthentication: 'yes'
      SyslogFacility: 'AUTHPRIV'
      UsePAM: 'yes'
      X11Forwarding: 'yes'

    ssh::client_options:
      'Host *':
        SendEnv: 'LANG LC_*'
        ForwardX11Trusted: 'yes'
        ServerAliveInterval: '10'

Client only

Collected host keys from servers will be written to known_hosts unless storeconfigs_enabled is false.

    include ssh::client

or

    class { 'ssh::client':
      storeconfigs_enabled => false,
      options => {
        'Host short' => {
          'User' => 'my-user',
          'HostName' => 'extreme.long.and.complicated.hostname.domain.tld',
        },
        'Host *' => {
          'User' => 'andromeda',
          'UserKnownHostsFile' => '/dev/null',
        },
      },
    }

Server only

Host keys will be collected for client distribution unless storeconfigs_enabled is false.

    include ssh::server

or

    class { 'ssh::server':
      storeconfigs_enabled => false,
      options => {
        'Match User www-data' => {
          'ChrootDirectory' => '%h',
          'ForceCommand' => 'internal-sftp',
          'PasswordAuthentication' => 'yes',
          'AllowTcpForwarding' => 'no',
          'X11Forwarding' => 'no',
        },
        'PasswordAuthentication' => 'no',
        'PermitRootLogin'        => 'no',
        'Port'                   => [22, 2222],
      },
    }

Default options

Client

    'Host *'                 => {
      'SendEnv'              => 'LANG LC_*',
      'HashKnownHosts'       => 'yes',
      'GSSAPIAuthentication' => 'yes',
    }

Server

    'ChallengeResponseAuthentication' => 'no',
    'X11Forwarding'                   => 'yes',
    'PrintMotd'                       => 'no',
    'AcceptEnv'                       => 'LANG LC_*',
    'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
    'UsePAM'                          => 'yes',

Overwriting default options

Default options will be merged with the options passed in. If an option is set both as a default and via the options parameter, the latter will win.

The following example will disable X11Forwarding, which is enabled by default:

    class { 'ssh::server':
      options           => {
        'X11Forwarding' => 'no',
      },
    }

This results in the following sshd_config file:

    # File is managed by Puppet

    ChallengeResponseAuthentication no
    X11Forwarding no
    PrintMotd no
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server
    UsePAM yes
    PasswordAuthentication no
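The merge and rendering rules described above (passed-in options override defaults, array values expand into repeated directives, nested hashes become Match blocks) modelled in Ruby as an added example; this is not the puppet-ssh module's own template code, and SERVER_DEFAULTS simply mirrors the server defaults listed above. It also emits Match blocks last, which sshd_config(5) requires: every directive after a Match line belongs to that block until the next Match or end of file, so a global option written below one would silently be scoped to it.

```ruby
# Added example (not the puppet-ssh module's own code): a minimal Ruby model of
# how default and passed-in server options combine and render into sshd_config.

# Mirrors the server defaults listed in the README.
SERVER_DEFAULTS = {
  'ChallengeResponseAuthentication' => 'no',
  'X11Forwarding'                   => 'yes',
  'PrintMotd'                       => 'no',
  'AcceptEnv'                       => 'LANG LC_*',
  'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
  'UsePAM'                          => 'yes',
}.freeze

# Passed-in options win over defaults for the same key (shallow merge).
def merge_options(defaults, options)
  defaults.merge(options)
end

# Render one directive. An Array value becomes repeated lines
# ("Port 22", "Port 2222"); a Hash value becomes a block header such as
# "Match User www-data" followed by its indented directives.
def render_option(key, value, indent = '')
  case value
  when Array then value.map { |v| "#{indent}#{key} #{v}" }
  when Hash  then [key] + value.flat_map { |k, v| render_option(k, v, '  ') }
  else ["#{indent}#{key} #{value}"]
  end
end

# Match blocks are emitted last: sshd applies every directive that follows a
# "Match" line to that block until the next Match or end of file, so a global
# directive written after one would silently be scoped to it.
def render_sshd_config(options)
  merged = merge_options(SERVER_DEFAULTS, options)
  globals, matches = merged.partition { |k, _| !k.start_with?('Match ') }
  lines = ['# File is managed by Puppet', '']
  (globals + matches).each { |k, v| lines.concat(render_option(k, v)) }
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  puts render_sshd_config(
    'X11Forwarding' => 'no',
    'Port' => [22, 2222],
    'Match User www-data' => { 'ChrootDirectory' => '%h', 'ForceCommand' => 'internal-sftp' }
  )
end
```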

Defining host keys for server

You can define the host keys your server will use:

    ssh::server::host_key {'ssh_host_rsa_key':
      private_key_content => '<the private key>',
      public_key_content  => '<the public key>',
    }

Alternatively, you can create the host key by providing the files instead of the content:

    ssh::server::host_key {'ssh_host_rsa_key':
      private_key_source => 'puppet:///mymodule/ssh_host_rsa_key',
      public_key_source  => 'puppet:///mymodule/ssh_host_rsa_key.pub',
    }

Both of these definitions will create /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_rsa_key.pub and restart the sshd daemon.

Adding custom match blocks

    ssh::server::match_block { 'sftp_only':
      type    => 'User',
      options => {
        'ChrootDirectory'        => "/sftp/%u",
        'ForceCommand'           => 'internal-sftp',
        'PasswordAuthentication' => 'no',
        'AllowTcpForwarding'     => 'no',
        'X11Forwarding'          => 'no',
      }
    }