249 lines
5.4 KiB
Puppet
249 lines
5.4 KiB
Puppet
# Export and collect public host keys.
|
|
#
|
|
class ssh::known_hosts {
|
|
|
|
file { "/etc/ssh/ssh_known_hosts":
|
|
ensure => present,
|
|
mode => "0644",
|
|
owner => root,
|
|
group => $::operatingsystem ? {
|
|
OpenBSD => wheel,
|
|
default => root,
|
|
},
|
|
}
|
|
|
|
$aliases = merge(inline_template("<%= @homename.split('.')[0] %>"),
|
|
$::ipaddress,
|
|
$::ipaddress6,
|
|
$::ec2_public_ipv4)
|
|
|
|
@@sshkey { $::homename:
|
|
ensure => present,
|
|
type => rsa,
|
|
key => $::sshrsakey,
|
|
host_aliases => $aliases,
|
|
require => File["/etc/ssh/ssh_known_hosts"],
|
|
}
|
|
|
|
Sshkey <<| |>>
|
|
|
|
}
|
|
|
|
|
|
# Install SSH host keys.
|
|
#
|
|
class ssh::hostkeys {
|
|
|
|
tag("bootstrap")
|
|
|
|
file { "/etc/ssh/ssh_host_dsa_key":
|
|
ensure => present,
|
|
source => "puppet:///private/ssh_host_dsa_key",
|
|
mode => "0600",
|
|
owner => root,
|
|
group => $::operatingsystem ? {
|
|
openbsd => wheel,
|
|
default => root,
|
|
},
|
|
}
|
|
file { "/etc/ssh/ssh_host_dsa_key.pub":
|
|
ensure => present,
|
|
source => "puppet:///private/ssh_host_dsa_key.pub",
|
|
mode => "0644",
|
|
owner => root,
|
|
group => $::operatingsystem ? {
|
|
openbsd => wheel,
|
|
default => root,
|
|
},
|
|
}
|
|
|
|
file { "/etc/ssh/ssh_host_rsa_key":
|
|
ensure => present,
|
|
source => "puppet:///private/ssh_host_rsa_key",
|
|
mode => "0600",
|
|
owner => root,
|
|
group => $::operatingsystem ? {
|
|
openbsd => wheel,
|
|
default => root,
|
|
},
|
|
}
|
|
file { "/etc/ssh/ssh_host_rsa_key.pub":
|
|
ensure => present,
|
|
source => "puppet:///private/ssh_host_rsa_key.pub",
|
|
mode => "0644",
|
|
owner => root,
|
|
group => $::operatingsystem ? {
|
|
openbsd => wheel,
|
|
default => root,
|
|
},
|
|
}
|
|
|
|
file { "/etc/ssh/ssh_host_key":
|
|
ensure => present,
|
|
source => "puppet:///private/ssh_host_key",
|
|
mode => "0600",
|
|
owner => root,
|
|
group => $::operatingsystem ? {
|
|
openbsd => wheel,
|
|
default => root,
|
|
},
|
|
}
|
|
file { "/etc/ssh/ssh_host_key.pub":
|
|
ensure => present,
|
|
source => "puppet:///private/ssh_host_key.pub",
|
|
mode => "0644",
|
|
owner => root,
|
|
group => $::operatingsystem ? {
|
|
openbsd => wheel,
|
|
default => root,
|
|
},
|
|
}
|
|
|
|
}
|
|
|
|
|
|
# Enable SSH server.
|
|
#
|
|
class ssh::server {
|
|
|
|
if $::operatingsystem != "OpenBSD" {
|
|
package { "ssh-server":
|
|
ensure => installed,
|
|
name => $::operatingsystem ? {
|
|
"openwrt" => "dropbear",
|
|
default => "openssh-server",
|
|
},
|
|
before => Service["sshd"],
|
|
}
|
|
|
|
# Needed for X11 Forwarding
|
|
case $::operatingsystem {
|
|
"centos","redhat","fedora": {
|
|
package { "xorg-x11-xauth":
|
|
ensure => installed,
|
|
}
|
|
}
|
|
"debian","ubuntu": {
|
|
package { "libxau6":
|
|
ensure => installed,
|
|
}
|
|
}
|
|
default: {}
|
|
}
|
|
}
|
|
|
|
service { "sshd":
|
|
ensure => running,
|
|
enable => true,
|
|
name => $::operatingsystem ? {
|
|
"debian" => "ssh",
|
|
"openwrt" => "dropbear",
|
|
"ubuntu" => "ssh",
|
|
default => "sshd",
|
|
},
|
|
}
|
|
|
|
}
|
|
|
|
|
|
# Disable SSH server.
|
|
#
|
|
class ssh::disable inherits ssh::server {
|
|
|
|
case $::operatingsystem {
|
|
"ubuntu": {
|
|
file { "/etc/init/ssh.conf":
|
|
ensure => present,
|
|
mode => "0644",
|
|
owner => root,
|
|
group => root,
|
|
source => "puppet:///modules/ssh/ssh.disabled.conf",
|
|
before => Service["sshd"],
|
|
}
|
|
}
|
|
default: { }
|
|
}
|
|
|
|
Service["sshd"] {
|
|
ensure => stopped,
|
|
enable => false,
|
|
}
|
|
|
|
}
|
|
|
|
|
|
# Set AllowGroups in sshd_config.
|
|
#
|
|
# === Global variables
|
|
#
|
|
# $ssh_allowgroups:
|
|
# Array of groups, root or wheel is always allowed.
|
|
#
|
|
class ssh::allowgroups {
|
|
|
|
warning("ssh::allowgroups is deprecated, use ssh::allow")
|
|
|
|
class { "ssh::allow":
|
|
groups => $ssh_allowgroups,
|
|
}
|
|
|
|
}
|
|
|
|
|
|
# Set AllowUsers and AllowGroups in sshd_config.
|
|
#
|
|
# === Parameters
|
|
#
|
|
# $root:
|
|
# Always allow root. Defaults to true.
|
|
# $users:
|
|
# Array of allowed users. Allow all if undefined.
|
|
# $groups:
|
|
# Array of allowed groups. Allow all if undefined.
|
|
#
|
|
class ssh::allow(
|
|
$root=true,
|
|
$users=undef,
|
|
$groups=undef,
|
|
) {
|
|
|
|
include ssh::server
|
|
|
|
if $users {
|
|
if $root {
|
|
$users_real = merge('root', $users)
|
|
} else {
|
|
$users_real = $users
|
|
}
|
|
} else {
|
|
$users_real = []
|
|
}
|
|
|
|
$root_group = $::operatingsystem ? {
|
|
'openbsd' => 'wheel',
|
|
default => 'root',
|
|
}
|
|
|
|
if $groups {
|
|
if $root {
|
|
$groups_real = merge($root_group, $groups)
|
|
} else {
|
|
$groups_real = $groups
|
|
}
|
|
} else {
|
|
$groups_real = []
|
|
}
|
|
|
|
augeas { 'ssh-allow-users':
|
|
context => '/files/etc/ssh/sshd_config',
|
|
changes => augeas_set_children('AllowUsers', $users_real),
|
|
notify => Service['sshd'],
|
|
}
|
|
|
|
augeas { 'ssh-allow-groups':
|
|
context => '/files/etc/ssh/sshd_config',
|
|
changes => augeas_set_children('AllowGroups', $groups_real),
|
|
notify => Service['sshd'],
|
|
}
|
|
|
|
}
|