puppet/ssh/manifests/init.pp

# Class: ssh::known_hosts
#
# Install global ssh_known_hosts file generated from LDAP directory.
#
# === Depencies:
#
# Template file generation requires Ruby LDAP bindings[http://ruby-ldap.sourceforge.net/] on puppet server.
#
class ssh::known_hosts {

    file { "/etc/ssh/ssh_known_hosts":
        ensure  => present,
        content => template("ssh/ssh_known_hosts.erb"),
        mode    => 0644,
        owner   => root,
        group   => $operatingsystem ? {
            OpenBSD => wheel,
            default => root,
        },
    }

}


# Install SSH host keys.
#
class ssh::hostkeys {

    file { "/etc/ssh/ssh_host_dsa_key":
        ensure => present,
        source => "puppet:///private/ssh_host_dsa_key",
        mode   => 0600,
        owner  => root,
        group  => $operatingsystem ? {
            openbsd => wheel,
            default => root,
        },
    }
    file { "/etc/ssh/ssh_host_dsa_key.pub":
        ensure => present,
        source => "puppet:///private/ssh_host_dsa_key.pub",
        mode   => 0644,
        owner  => root,
        group  => $operatingsystem ? {
            openbsd => wheel,
            default => root,
        },
    }

    file { "/etc/ssh/ssh_host_rsa_key":
        ensure => present,
        source => "puppet:///private/ssh_host_rsa_key",
        mode   => 0600,
        owner  => root,
        group  => $operatingsystem ? {
            openbsd => wheel,
            default => root,
        },
    }
    file { "/etc/ssh/ssh_host_rsa_key.pub":
        ensure => present,
        source => "puppet:///private/ssh_host_rsa_key.pub",
        mode   => 0644,
        owner  => root,
        group  => $operatingsystem ? {
            openbsd => wheel,
            default => root,
        },
    }

    file { "/etc/ssh/ssh_host_key":
        ensure => present,
        source => "puppet:///private/ssh_host_key",
        mode   => 0600,
        owner  => root,
        group  => $operatingsystem ? {
            openbsd => wheel,
            default => root,
        },
    }
    file { "/etc/ssh/ssh_host_key.pub":
        ensure => present,
        source => "puppet:///private/ssh_host_key.pub",
        mode   => 0644,
        owner  => root,
        group  => $operatingsystem ? {
            openbsd => wheel,
            default => root,
        },
    }

}


# Disable SSH server.
#
class ssh::disable {

    case $operatingsystem {
        ubuntu: {
            # fix ssh init, the sysv-rc script
            # doesn't work together with upstart
            file { "/etc/init.d/ssh":
                ensure => link,
                force  => true,
                target => "/lib/init/upstart-job",
                backup => ".orig",
                before => Service["sshd"],
            }
            file { "/etc/init/ssh.conf":
                ensure => present,
                mode   => 0644,
                owner  => root,
                group  => root,
                source => "puppet:///modules/ssh/ssh.disabled.conf",
            }
        }
    }

    service { "sshd":
        name   => $operatingsystem ? {
            ubuntu  => "ssh",
            default => "sshd",
        },
        ensure => stopped,
        enable => false,
    }

}