Added class for setting sshd AllowGroups option

2012-08-08 21:37:26 +03:00 · 2012-08-08 21:37:26 +03:00 · e38b399be0
commit e38b399be0
parent 26b9b5941c
1 changed files with 68 additions and 16 deletions
--- a/ssh/manifests/init.pp
+++ b/ssh/manifests/init.pp
@ -97,38 +97,90 @@ class ssh::hostkeys {
 }


-# Disable SSH server.
+# Enable SSH server.
 #
-class ssh::disable {
+class ssh::server {

-    case $operatingsystem {
-        ubuntu: {
-            # fix ssh init, the sysv-rc script
-            # doesn't work together with upstart
-            file { "/etc/init.d/ssh":
-                ensure => link,
-                force  => true,
-                target => "/lib/init/upstart-job",
-                backup => ".orig",
+    if $::operatingsystem != "OpenBSD" {
+        package { "openssh-server":
+            ensure => installed,
            before => Service["sshd"],
        }
+    }
+
+    service { "sshd":
+        name   => $::operatingsystem ? {
+            "ubuntu" => "ssh",
+            default  => "sshd",
+        },
+        ensure => running,
+        enable => true,
+    }
+
+}
+
+
+# Disable SSH server.
+#
+class ssh::disable inherits ssh::server {
+
+    case $operatingsystem {
+        "ubuntu": {
            file { "/etc/init/ssh.conf":
                ensure => present,
                mode   => "0644",
                owner  => root,
                group  => root,
                source => "puppet:///modules/ssh/ssh.disabled.conf",
+                before => Service["sshd"],
            }
        }
    }

-    service { "sshd":
-        name   => $operatingsystem ? {
-            ubuntu  => "ssh",
-            default => "sshd",
-        },
+    Service["sshd"] {
        ensure => stopped,
        enable => false,
    }

 }
+
+
+# Set AllowGroups in sshd_config.
+#
+# === Global variables
+#
+#   $ssh_allowgroups:
+#       Array of groups, root or wheel is always allowed.
+#
+class ssh::allowgroups {
+
+    include ssh::server
+
+    $root_group = $::operatingsystem ? {
+        "openbsd" => "wheel",
+        default   => "root",
+    }
+
+    if $ssh_allowgroups {
+        $ssh_allowgroups_real = inline_template("${root_group} <%= ssh_allowgroups.join(' ') %>")
+    } else {
+        $ssh_allowgroups_real = $root_group
+    }
+
+    exec { "ssh-allowgroups-set":
+        path    => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
+        cwd     => "/etc/ssh",
+        command => "echo 'AllowGroups ${ssh_allowgroups_real}' >> sshd_config",
+        unless  => "grep -q '^[^#]*AllowGroups' sshd_config",
+        before  => Exec["ssh-allowgroups-sub"],
+        notify  => Service["sshd"],
+    }
+    exec { "ssh-allowgroups-sub":
+        path    => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
+        cwd     => "/etc/ssh",
+        command => "ruby -pi -e 'sub(/(AllowGroups).*/, \"\\\1 ${ssh_allowgroups_real}\")' sshd_config",
+        unless  => "grep -q '^[^#]*AllowGroups ${ssh_allowgroups_real}' sshd_config",
+        notify  => Service["sshd"],
+    }
+
+}