Added class for setting sshd AllowGroups option
This commit is contained in:
Ossi Salmi
parent
26b9b5941c
commit
e38b399be0
1 changed files with 68 additions and 16 deletions
|
|
@ -97,38 +97,90 @@ class ssh::hostkeys {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Enable SSH server.
|
||||||
|
#
|
||||||
|
class ssh::server {
|
||||||
|
|
||||||
|
if $::operatingsystem != "OpenBSD" {
|
||||||
|
package { "openssh-server":
|
||||||
|
ensure => installed,
|
||||||
|
before => Service["sshd"],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
service { "sshd":
|
||||||
|
name => $::operatingsystem ? {
|
||||||
|
"ubuntu" => "ssh",
|
||||||
|
default => "sshd",
|
||||||
|
},
|
||||||
|
ensure => running,
|
||||||
|
enable => true,
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# Disable SSH server.
|
# Disable SSH server.
|
||||||
#
|
#
|
||||||
class ssh::disable {
|
class ssh::disable inherits ssh::server {
|
||||||
|
|
||||||
case $operatingsystem {
|
case $operatingsystem {
|
||||||
ubuntu: {
|
"ubuntu": {
|
||||||
# fix ssh init, the sysv-rc script
|
|
||||||
# doesn't work together with upstart
|
|
||||||
file { "/etc/init.d/ssh":
|
|
||||||
ensure => link,
|
|
||||||
force => true,
|
|
||||||
target => "/lib/init/upstart-job",
|
|
||||||
backup => ".orig",
|
|
||||||
before => Service["sshd"],
|
|
||||||
}
|
|
||||||
file { "/etc/init/ssh.conf":
|
file { "/etc/init/ssh.conf":
|
||||||
ensure => present,
|
ensure => present,
|
||||||
mode => "0644",
|
mode => "0644",
|
||||||
owner => root,
|
owner => root,
|
||||||
group => root,
|
group => root,
|
||||||
source => "puppet:///modules/ssh/ssh.disabled.conf",
|
source => "puppet:///modules/ssh/ssh.disabled.conf",
|
||||||
|
before => Service["sshd"],
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
service { "sshd":
|
Service["sshd"] {
|
||||||
name => $operatingsystem ? {
|
|
||||||
ubuntu => "ssh",
|
|
||||||
default => "sshd",
|
|
||||||
},
|
|
||||||
ensure => stopped,
|
ensure => stopped,
|
||||||
enable => false,
|
enable => false,
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Set AllowGroups in sshd_config.
|
||||||
|
#
|
||||||
|
# === Global variables
|
||||||
|
#
|
||||||
|
# $ssh_allowgroups:
|
||||||
|
# Array of groups, root or wheel is always allowed.
|
||||||
|
#
|
||||||
|
class ssh::allowgroups {
|
||||||
|
|
||||||
|
include ssh::server
|
||||||
|
|
||||||
|
$root_group = $::operatingsystem ? {
|
||||||
|
"openbsd" => "wheel",
|
||||||
|
default => "root",
|
||||||
|
}
|
||||||
|
|
||||||
|
if $ssh_allowgroups {
|
||||||
|
$ssh_allowgroups_real = inline_template("${root_group} <%= ssh_allowgroups.join(' ') %>")
|
||||||
|
} else {
|
||||||
|
$ssh_allowgroups_real = $root_group
|
||||||
|
}
|
||||||
|
|
||||||
|
exec { "ssh-allowgroups-set":
|
||||||
|
path => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
|
||||||
|
cwd => "/etc/ssh",
|
||||||
|
command => "echo 'AllowGroups ${ssh_allowgroups_real}' >> sshd_config",
|
||||||
|
unless => "grep -q '^[^#]*AllowGroups' sshd_config",
|
||||||
|
before => Exec["ssh-allowgroups-sub"],
|
||||||
|
notify => Service["sshd"],
|
||||||
|
}
|
||||||
|
exec { "ssh-allowgroups-sub":
|
||||||
|
path => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
|
||||||
|
cwd => "/etc/ssh",
|
||||||
|
command => "ruby -pi -e 'sub(/(AllowGroups).*/, \"\\\1 ${ssh_allowgroups_real}\")' sshd_config",
|
||||||
|
unless => "grep -q '^[^#]*AllowGroups ${ssh_allowgroups_real}' sshd_config",
|
||||||
|
notify => Service["sshd"],
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue