add ssh puppet module

Change-Id: I5d0dcd012d240b65fd6777318ffe7d9c2520e283
Alexey Elagin 2016-01-14 16:09:15 +03:00
parent cdfcb901ad
commit 01a3a4db54
6 changed files with 188 additions and 0 deletions


@ -0,0 +1,10 @@
# Class: ssh::authorized_keys
class ssh::authorized_keys {
$keys = hiera_hash('ssh::authorized_keys::keys', {})
create_resources(ssh_authorized_key,
$keys, {
ensure => present,
user => 'root'
}
)
}
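Review bot: Every entry of the merged hash is installed into root's authorized_keys (the `user => 'root'` default on L19), and because `hiera_hash` merges across all hierarchy levels, any level that defines `ssh::authorized_keys::keys` can add a root key; nothing here purges keys that later disappear from hiera, so revocation needs an explicit `ensure => absent` entry. A header comment should state that, e.g. `# Keys are merged from every hiera level and installed for root unless an entry sets 'user'; entries removed from hiera are NOT revoked - set ensure => absent explicitly.`. If the hiera data is meant to be authoritative, adding `resources { 'ssh_authorized_key': purge => true }` next to the `create_resources` call would remove unmanaged keys, though purge only sees keys in files Puppet can enumerate, so verify it on a target host.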


@ -0,0 +1,21 @@
# Define: ssh::known_host
#
define ssh::known_host (
$host = $title,
$overwrite = true,
$port = 22,
$user = 'root',
) {
if ($overwrite) {
$cmd = "ssh-keyscan -p ${port} -H ${host} > ~${user}/.ssh/known_hosts"
$unless = '/bin/false'
} else {
$cmd = "ssh-keyscan -p ${port} -H ${host} >> ~${user}/.ssh/known_hosts"
$unless = "ssh-keygen -F ${host} -f ~${user}/.ssh/known_hosts"
}
exec { $cmd:
user => $user,
logoutput => 'on_failure',
unless => $unless,
}
}
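Review bot: Neither command on L36/L39 nor the `ssh-keygen` probe on L40 is fully qualified and the `exec` on L42–L46 sets no `path`, so Puppet refuses the resource at apply time ("is not qualified and no path was specified"); add `path => ['/usr/bin', '/bin'],` to the exec (the `/bin/false` unless is the only qualified command). Separately, `ssh-keyscan` trusts whatever host key the network returns, and with the default `overwrite => true` the `unless => '/bin/false'` makes the scan run on every agent run and truncate the user's known_hosts to this one host, so two such resources for the same user will fight and a transient man-in-the-middle during any run becomes a permanently trusted key. A header comment should make that explicit, e.g. `# Trust-on-first-use: the key scanned from the network is accepted as-is; verify out-of-band for sensitive hosts. overwrite => true rewrites the whole known_hosts on every run.`. `$host`, `$port` and `$user` are also interpolated unquoted into a shell command line, so the define must only be fed trusted titles and parameters.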


@ -0,0 +1,27 @@
# Class: ssh::params
#
class ssh::params {
$apply_firewall_rules = false
$bind_policy = 'soft'
$firewall_allow_sources = {}
$pam_password = 'md5'
$packages = [
'openssh-server'
]
case $::osfamily {
'RedHat': {
$service = 'sshd'
}
'Debian': {
$service = 'ssh'
}
default: {
fatal("Unknown osfamily: ${::osfamily}. Probaly your OS is unsupported.")
}
}
$sshd_config = '/etc/ssh/sshd_config'
}
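Review bot: `fatal()` on L70 is not a Puppet function (the built-in is `fail()`), so an unsupported osfamily aborts the catalog with an "Unknown function" error instead of the intended message; the line should read `fail("Unknown osfamily: ${::osfamily}. Probably your OS is unsupported.")`, which also fixes the "Probaly" typo. `$bind_policy` and `$pam_password` (L56, L58) are not read by any manifest in this commit; if another class consumes them, a comment naming it would help, otherwise they are dead defaults that suggest PAM settings this module does not actually enforce.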


@ -0,0 +1,44 @@
# Class: ssh::sshd
#
class ssh::sshd (
$apply_firewall_rules = $::ssh::params::apply_firewall_rules,
$firewall_allow_sources = $::ssh::params::firewall_allow_sources,
$password_authentication = true,
$sftp_group = 'sftpusers',
) {
include ssh::params
$packages = $ssh::params::packages
$service = $ssh::params::service
$sshd_config = $ssh::params::sshd_config
package { $packages :
ensure => latest,
}
file { $sshd_config :
ensure => 'present',
mode => '0644',
owner => 'root',
group => 'root',
content => template('ssh/sshd_config.erb'),
notify => Service[$service],
}
service { $service :
ensure => 'running',
enable => true,
hasstatus => true,
hasrestart => false,
}
if ($apply_firewall_rules) {
include firewall_defaults::pre
create_resources(firewall, $firewall_allow_sources, {
dport => 22,
action => 'accept',
require => Class['firewall_defaults::pre'],
})
}
}
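Review bot: The parameter defaults on L82–L83 look up `$::ssh::params::*` before the body reaches `include ssh::params` on L87, so unless something else has already evaluated `ssh::params`, they resolve to undef with a "class has not been evaluated" warning (a hard error under `strict_variables`); the usual fix is `class ssh::sshd (...) inherits ssh::params {` and dropping the `include`. Ordering is also not pinned: neither the `file` nor the `service` resource has `require => Package[$packages]`, so on a fresh host without manifest ordering Puppet may write `/etc/ssh/sshd_config` or try to start `$service` before openssh-server is installed. Finally, `$password_authentication = true` (L84) ships password logins on by default while the accompanying template appears to allow key-based root login; either a `false` default or a comment on the parameter, e.g. `# Password auth defaults to on for bootstrap; set false once keys are deployed.`, would make that choice deliberate.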


@ -0,0 +1,27 @@
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0027
session optional pam_ck_connector.so nox11
# end of pam-auth-update config
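Review bot: The header on L129–L133 says this file is maintained by `pam-auth-update`, but deploying a static copy means the distribution's later changes to the session stack no longer apply; in particular `pam_ck_connector.so` (L145, ConsoleKit) is obsolete on current Debian/Ubuntu and there is no `pam_systemd.so` line, so on systemd hosts logind sessions would presumably not be registered — worth confirming against the target releases. None of the manifests in this commit install this file, so a comment at the top stating where it is deployed and why `pam-auth-update` is bypassed would help the next maintainer.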


@ -0,0 +1,59 @@
Port 22
ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
Banner /etc/banner
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
<% if @osfamily == 'Debian' %>
HostKey /etc/ssh/ssh_host_ecdsa_key
<% end %>
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication <%= @password_authentication ? 'yes' : 'no' %>
X11Forwarding yes
X11DisplayOffset 10
PermitTunnel yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseDNS no
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp
UsePAM yes
<% if @osfamily == 'Debian' %>
AuthorizedKeysFile /etc/ssh/keys/%u .ssh/authorized_keys
<% else %>
AuthorizedKeysFile %h/.ssh/authorized_keys
<% end -%>
<% if @sftp_group != '' -%>
Match Group <%= @sftp_group %>
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
<% end -%>
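Review bot: `PermitRootLogin without-password` (L167) keeps direct root logins open, which combined with `ssh::authorized_keys` installing keys for root means every merged key is a root key; if that is intended, a template comment such as `# Root login is key-only; keys come from ssh::authorized_keys` would make the policy visible, otherwise prefer `PermitRootLogin no` and per-user accounts. The host-key and protocol-1 leftovers are more concrete: `HostKey /etc/ssh/ssh_host_dsa_key` (L157) loads a 1024-bit DSA key that OpenSSH 7.0+ disables by default, and `KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication` and `RhostsRSAAuthentication` (L162, L163, L169, L172) apply only to protocol 1, which `Protocol 2` already excludes and OpenSSH 7.4 drops outright — remove those four and the DSA key, and add `HostKey /etc/ssh/ssh_host_ed25519_key` where the OS provides it. `X11Forwarding yes` and `PermitTunnel yes` (L177, L179) widen the surface beyond what a server normally needs, and the `Match Group` block (L193–L196) forces sftp without a `ChrootDirectory`, so sftp-only users can still browse the whole filesystem — presumably intentional, but it deserves a comment. `/etc/ssh/keys/%u` and `/etc/banner` (L188, L155) are referenced but not managed by any manifest in this commit.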