From e38b399be0b3b8eee239d6ea51aeed8898543733 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Wed, 8 Aug 2012 21:37:26 +0300
Subject: [PATCH] Added class for setting sshd AllowGroups option

---
 ssh/manifests/init.pp | 84 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 68 insertions(+), 16 deletions(-)

diff --git a/ssh/manifests/init.pp b/ssh/manifests/init.pp
index cd38647..515e9f5 100644
--- a/ssh/manifests/init.pp
+++ b/ssh/manifests/init.pp
@@ -97,38 +97,90 @@ class ssh::hostkeys {
 }
+# Enable SSH server.
+#
+class ssh::server {
+
+ if $::operatingsystem != "OpenBSD" {
+ package { "openssh-server":
+ ensure => installed,
+ before => Service["sshd"],
+ }
+ }
+
+ service { "sshd":
+ name => $::operatingsystem ? {
+ "ubuntu" => "ssh",
+ default => "sshd",
+ },
+ ensure => running,
+ enable => true,
+ }
+
+}
+
+
 # Disable SSH server.
+
 #
-class ssh::disable {
+class ssh::disable inherits ssh::server {
 case $operatingsystem {
- ubuntu: {
- # fix ssh init, the sysv-rc script
- # doesn't work together with upstart
- file { "/etc/init.d/ssh":
- ensure => link,
- force => true,
- target => "/lib/init/upstart-job",
- backup => ".orig",
- before => Service["sshd"],
- }
+ "ubuntu": {
 file { "/etc/init/ssh.conf":
 ensure => present,
 mode => "0644",
 owner => root,
 group => root,
 source => "puppet:///modules/ssh/ssh.disabled.conf",
+ before => Service["sshd"],
 }
 }
 }
- service { "sshd":
- name => $operatingsystem ? {
- ubuntu => "ssh",
- default => "sshd",
- },
+ Service["sshd"] {
 ensure => stopped,
 enable => false,
 }
 }
+
+
+# Set AllowGroups in sshd_config.
+#
+# === Global variables
+#
+# $ssh_allowgroups:
+# Array of groups, root or wheel is always allowed.
+#
+class ssh::allowgroups {
+
+ include ssh::server
+
+ $root_group = $::operatingsystem ? {
+ "openbsd" => "wheel",
+ default => "root",
+ }
+
+ if $ssh_allowgroups {
+ $ssh_allowgroups_real = inline_template("${root_group} <%= ssh_allowgroups.join(' ') %>")
+ } else {
+ $ssh_allowgroups_real = $root_group
+ }
+
+ exec { "ssh-allowgroups-set":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
+ cwd => "/etc/ssh",
+ command => "echo 'AllowGroups ${ssh_allowgroups_real}' >> sshd_config",
+ unless => "grep -q '^[^#]*AllowGroups' sshd_config",
+ before => Exec["ssh-allowgroups-sub"],
+ notify => Service["sshd"],
+ }
+ exec { "ssh-allowgroups-sub":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
+ cwd => "/etc/ssh",
+ command => "ruby -pi -e 'sub(/(AllowGroups).*/, \"\\\1 ${ssh_allowgroups_real}\")' sshd_config",
+ unless => "grep -q '^[^#]*AllowGroups ${ssh_allowgroups_real}' sshd_config",
+ notify => Service["sshd"],
+ }
+
+}
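Review bot: The `unless` on `exec { "ssh-allowgroups-sub": }` matches the desired group list only as a prefix, so an existing line such as `AllowGroups root admins extra` already satisfies `grep -q '^[^#]*AllowGroups root admins'`, the rewrite is skipped, and the extra group keeps SSH access; anchor the end of the line, e.g. `unless => "grep -q '^[^#]*AllowGroups ${ssh_allowgroups_real}\$' sshd_config",`. The Ruby `sub(/(AllowGroups).*/, ...)` is likewise unanchored, so a commented `#AllowGroups ...` example line in sshd_config is rewritten as well; anchoring the pattern on the start of the line (`^\s*AllowGroups\b`) keeps the edit to the real directive. Because `$ssh_allowgroups` is a top-scope variable that is interpolated unescaped into a shell command and into a grep pattern, the class comment should state that entries must be plain group names (letters, digits, `_`, `-`), or the manifest should validate them before building `$ssh_allowgroups_real`. A config check such as `sshd -t` before the `notify => Service["sshd"]` restart would keep a malformed edit from taking the service down.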