add ssh puppet module
Change-Id: I5d0dcd012d240b65fd6777318ffe7d9c2520e283
This commit is contained in:
parent
cdfcb901ad
commit
01a3a4db54
@ -0,0 +1,10 @@
|
|||
# Class: ssh::authorized_keys
|
||||
class ssh::authorized_keys {
|
||||
$keys = hiera_hash('ssh::authorized_keys::keys', {})
|
||||
create_resources(ssh_authorized_key,
|
||||
$keys, {
|
||||
ensure => present,
|
||||
user => 'root'
|
||||
}
|
||||
)
|
||||
}
|
|
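Review bot: A key deleted from the `ssh::authorized_keys::keys` hash is never removed from the node, because the defaults hash passed to `create_resources` only carries `ensure => present`, so revoking someone's access by dropping their key from hiera leaves the old key in root's authorized_keys until someone cleans it by hand. The `ssh_authorized_key` type has no purge parameter of its own; the usual fix is a `resources { 'ssh_authorized_key': purge => true }` in this class, with the caveat that it removes every unmanaged key Puppet can discover for any user with a home directory, so the hash must then list every key that should remain (per-entry `ensure => absent` is the narrower alternative). The `user => 'root'` default also deserves a comment above the call, since any hiera entry that omits `user` silently lands in root's authorized_keys.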
@ -0,0 +1,21 @@
|
|||
# Define: ssh::known_host
|
||||
#
|
||||
define ssh::known_host (
|
||||
$host = $title,
|
||||
$overwrite = true,
|
||||
$port = 22,
|
||||
$user = 'root',
|
||||
) {
|
||||
if ($overwrite) {
|
||||
$cmd = "ssh-keyscan -p ${port} -H ${host} > ~${user}/.ssh/known_hosts"
|
||||
$unless = '/bin/false'
|
||||
} else {
|
||||
$cmd = "ssh-keyscan -p ${port} -H ${host} >> ~${user}/.ssh/known_hosts"
|
||||
$unless = "ssh-keygen -F ${host} -f ~${user}/.ssh/known_hosts"
|
||||
}
|
||||
exec { $cmd:
|
||||
user => $user,
|
||||
logoutput => 'on_failure',
|
||||
unless => $unless,
|
||||
}
|
||||
}
|
|
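Review bot: The host key written into known_hosts is whatever `ssh-keyscan` receives on the wire during the Puppet run, with no expected fingerprint to compare against, so an on-path attacker at that moment gets a key that every later connection from `$user` trusts. With the default `$overwrite = true` the `unless => '/bin/false'` guard makes the exec fire on every agent run, repeating that exposure and truncating the file (any entries for other hosts are lost) each time. When the target's public key is known, the core `sshkey` resource pins it without a network fetch, e.g. `sshkey { $host: type => 'ssh-rsa', key => $known_key }` into /etc/ssh/ssh_known_hosts; if keyscan must stay, at least document in a header comment that it is trust-on-first-use and keep `$overwrite` for one-off bootstrap only. Note too that `$host`, `$port` and `$user` are interpolated into a shell command line, which is fine while they come from manifests but must never be fed from node-supplied facts.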
@ -0,0 +1,27 @@
|
|||
# Class: ssh::params
|
||||
#
|
||||
class ssh::params {
|
||||
$apply_firewall_rules = false
|
||||
$bind_policy = 'soft'
|
||||
$firewall_allow_sources = {}
|
||||
$pam_password = 'md5'
|
||||
|
||||
$packages = [
|
||||
'openssh-server'
|
||||
]
|
||||
|
||||
|
||||
case $::osfamily {
|
||||
'RedHat': {
|
||||
$service = 'sshd'
|
||||
}
|
||||
'Debian': {
|
||||
$service = 'ssh'
|
||||
}
|
||||
default: {
|
||||
fatal("Unknown osfamily: ${::osfamily}. Probaly your OS is unsupported.")
|
||||
}
|
||||
}
|
||||
|
||||
$sshd_config = '/etc/ssh/sshd_config'
|
||||
}
|
|
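Review bot: `fatal(...)` in the `default` branch of the osfamily case is not a Puppet function; compilation still aborts on an unsupported OS, but with an "Unknown function" error instead of the intended message. Use `fail("Unknown osfamily: ${::osfamily}. Probably your OS is unsupported.")`, which also fixes the typo. Separately, `$pam_password = 'md5'` and `$bind_policy = 'soft'` are declared here but not read by any manifest in this commit; if `pam_password` is meant to select the PAM password hashing scheme, `md5` is a weak choice for new deployments and `sha512` would be the safer default, though the consumer is not visible here and that should be confirmed.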
@ -0,0 +1,44 @@
|
|||
# Class: ssh::sshd
|
||||
#
|
||||
class ssh::sshd (
|
||||
$apply_firewall_rules = $::ssh::params::apply_firewall_rules,
|
||||
$firewall_allow_sources = $::ssh::params::firewall_allow_sources,
|
||||
$password_authentication = true,
|
||||
$sftp_group = 'sftpusers',
|
||||
) {
|
||||
include ssh::params
|
||||
|
||||
$packages = $ssh::params::packages
|
||||
$service = $ssh::params::service
|
||||
$sshd_config = $ssh::params::sshd_config
|
||||
|
||||
package { $packages :
|
||||
ensure => latest,
|
||||
}
|
||||
|
||||
file { $sshd_config :
|
||||
ensure => 'present',
|
||||
mode => '0644',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
content => template('ssh/sshd_config.erb'),
|
||||
notify => Service[$service],
|
||||
}
|
||||
|
||||
service { $service :
|
||||
ensure => 'running',
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => false,
|
||||
}
|
||||
|
||||
if ($apply_firewall_rules) {
|
||||
include firewall_defaults::pre
|
||||
create_resources(firewall, $firewall_allow_sources, {
|
||||
dport => 22,
|
||||
action => 'accept',
|
||||
require => Class['firewall_defaults::pre'],
|
||||
})
|
||||
}
|
||||
|
||||
}
|
|
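Review bot: Password logins are on by default: `$password_authentication = true` in the class parameters becomes `PasswordAuthentication yes` in the rendered sshd_config, so every node that does not override it accepts password authentication for non-root accounts even though the module otherwise manages access through keys. A key-only baseline, `$password_authentication = false,`, with password auth opted in per node, is the safer default and worth a comment explaining the choice either way. `ensure => latest` on openssh-server also lets an sshd upgrade happen on any agent run without a change-control step; `ensure => installed` with a deliberate version bump is the usual compromise. The firewall default `dport => 22` and the template's `Port 22` are consistent today but are two separate hard-coded constants that will silently diverge if either is parameterized later.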
@ -0,0 +1,27 @@
|
|||
#
|
||||
# /etc/pam.d/common-session - session-related modules common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of modules that define tasks to be performed
|
||||
# at the start and end of sessions of *any* kind (both interactive and
|
||||
# non-interactive).
|
||||
#
|
||||
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||
# To take advantage of this, it is recommended that you configure any
|
||||
# local modules either before or after the default block, and use
|
||||
# pam-auth-update to manage selection of other modules. See
|
||||
# pam-auth-update(8) for details.
|
||||
|
||||
# here are the per-package modules (the "Primary" block)
|
||||
session [default=1] pam_permit.so
|
||||
# here's the fallback if no module succeeds
|
||||
session requisite pam_deny.so
|
||||
# prime the stack with a positive return value if there isn't one already;
|
||||
# this avoids us returning an error just because nothing sets a success code
|
||||
# since the modules above will each just jump around
|
||||
session required pam_permit.so
|
||||
# and here are more per-package modules (the "Additional" block)
|
||||
session required pam_unix.so
|
||||
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0027
|
||||
session optional pam_ck_connector.so nox11
|
||||
# end of pam-auth-update config
|
|
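Review bot: The file keeps the pam-auth-update markers (the "Primary"/"Additional" block comments through `# end of pam-auth-update config`) around a hand-edited module list, so on Debian the next `pam-auth-update` run, typically triggered by a libpam package upgrade, may regenerate that block and drop or reorder the `pam_mkhomedir.so` line; site additions normally go after the end marker or into a profile under /usr/share/pam-configs so they survive regeneration. `session optional pam_ck_connector.so nox11` refers to ConsoleKit, which current releases no longer ship, so on those hosts it only logs a missing-module error on every session. Nothing in the manifests in this commit deploys this file, so where it is installed and whether it replaces the distro-managed copy is not visible here.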
@ -0,0 +1,59 @@
|
|||
Port 22
|
||||
ListenAddress ::
|
||||
ListenAddress 0.0.0.0
|
||||
Protocol 2
|
||||
|
||||
Banner /etc/banner
|
||||
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_dsa_key
|
||||
<% if @osfamily == 'Debian' %>
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
<% end %>
|
||||
UsePrivilegeSeparation yes
|
||||
|
||||
KeyRegenerationInterval 3600
|
||||
ServerKeyBits 768
|
||||
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
|
||||
LoginGraceTime 120
|
||||
PermitRootLogin without-password
|
||||
StrictModes yes
|
||||
|
||||
RSAAuthentication yes
|
||||
PubkeyAuthentication yes
|
||||
|
||||
IgnoreRhosts yes
|
||||
RhostsRSAAuthentication no
|
||||
HostbasedAuthentication no
|
||||
PermitEmptyPasswords no
|
||||
ChallengeResponseAuthentication no
|
||||
PasswordAuthentication <%= @password_authentication ? 'yes' : 'no' %>
|
||||
|
||||
X11Forwarding yes
|
||||
X11DisplayOffset 10
|
||||
PermitTunnel yes
|
||||
PrintMotd no
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
UseDNS no
|
||||
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
Subsystem sftp internal-sftp
|
||||
|
||||
UsePAM yes
|
||||
<% if @osfamily == 'Debian' %>
|
||||
AuthorizedKeysFile /etc/ssh/keys/%u .ssh/authorized_keys
|
||||
<% else %>
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
<% end -%>
|
||||
|
||||
<% if @sftp_group != '' -%>
|
||||
Match Group <%= @sftp_group %>
|
||||
AllowTCPForwarding no
|
||||
X11Forwarding no
|
||||
ForceCommand internal-sftp
|
||||
<% end -%>
|
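Review bot: The host-key list loads `/etc/ssh/ssh_host_dsa_key`; DSA host keys are fixed at 1024 bits and current OpenSSH refuses ssh-dss by default, so the line either offers a weak key to old clients or is dead configuration on new ones, while `ServerKeyBits 768` and `KeyRegenerationInterval 3600` only apply to protocol 1, which `Protocol 2` already disables (newer sshd logs them as deprecated). `X11Forwarding yes` and `PermitTunnel yes` are enabled globally, handing every authenticated account an X11 and tun/tap channel; they should default to `no` and be enabled per host where needed. The `Match Group` block forces `internal-sftp` but sets no `ChrootDirectory`, so if the intent is an sftp-only jail, members still have full filesystem access subject only to Unix permissions; confirm the intent and add `ChrootDirectory` if so. There is also no `Ciphers`/`MACs`/`KexAlgorithms` line, so whatever the installed OpenSSH version defaults to is in effect.
```erb
HostKey /etc/ssh/ssh_host_rsa_key
<% if @osfamily == 'Debian' %>
HostKey /etc/ssh/ssh_host_ecdsa_key
<% end %>
UsePrivilegeSeparation yes
# … unchanged: logging, login and authentication settings …
X11Forwarding no
X11DisplayOffset 10
PermitTunnel no
# … unchanged: remaining options, AuthorizedKeysFile and Match block …
```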