diff --git a/puppet-manifests/modules/ssh/manifests/authorized_keys.pp b/puppet-manifests/modules/ssh/manifests/authorized_keys.pp
new file mode 100755
index 0000000..93e09a4
--- /dev/null
+++ b/puppet-manifests/modules/ssh/manifests/authorized_keys.pp
@@ -0,0 +1,10 @@
+# Class: ssh::authorized_keys
+class ssh::authorized_keys {
+ $keys = hiera_hash('ssh::authorized_keys::keys', {})
+ create_resources(ssh_authorized_key,
+ $keys, {
+ ensure => present,
+ user => 'root'
+ }
+ )
+}
diff --git a/puppet-manifests/modules/ssh/manifests/known_host.pp b/puppet-manifests/modules/ssh/manifests/known_host.pp
new file mode 100755
index 0000000..3b343d6
--- /dev/null
+++ b/puppet-manifests/modules/ssh/manifests/known_host.pp
@@ -0,0 +1,21 @@
+# Define: ssh::known_host
+#
+define ssh::known_host (
+ $host = $title,
+ $overwrite = true,
+ $port = 22,
+ $user = 'root',
+) {
+ if ($overwrite) {
+ $cmd = "ssh-keyscan -p ${port} -H ${host} > ~${user}/.ssh/known_hosts"
+ $unless = '/bin/false'
+ } else {
+ $cmd = "ssh-keyscan -p ${port} -H ${host} >> ~${user}/.ssh/known_hosts"
+ $unless = "ssh-keygen -F ${host} -f ~${user}/.ssh/known_hosts"
+ }
+ exec { $cmd:
+ user => $user,
+ logoutput => 'on_failure',
+ unless => $unless,
+ }
+}
diff --git a/puppet-manifests/modules/ssh/manifests/params.pp b/puppet-manifests/modules/ssh/manifests/params.pp
new file mode 100755
index 0000000..6987135
--- /dev/null
+++ b/puppet-manifests/modules/ssh/manifests/params.pp
@@ -0,0 +1,27 @@
+# Class: ssh::params
+#
+class ssh::params {
+ $apply_firewall_rules = false
+ $bind_policy = 'soft'
+ $firewall_allow_sources = {}
+ $pam_password = 'md5'
+
+ $packages = [
+ 'openssh-server'
+ ]
+
+
+ case $::osfamily {
+ 'RedHat': {
+ $service = 'sshd'
+ }
+ 'Debian': {
+ $service = 'ssh'
+ }
+ default: {
+ fatal("Unknown osfamily: ${::osfamily}. Probaly your OS is unsupported.")
+ }
+ }
+
+ $sshd_config = '/etc/ssh/sshd_config'
+}
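Review bot: Every entry of the `ssh::authorized_keys::keys` hash is installed into root's authorized_keys unless the entry itself overrides `user`, and an entry deleted from Hiera is never removed from the host because the defaults only set `ensure => present`; neither fact is visible from the header comment. Extend `# Class: ssh::authorized_keys` with something like `# Each hash entry becomes an ssh_authorized_key (type/key/...) for root unless it sets user; keys dropped from Hiera stay on the host until declared with ensure => absent.` so the trust implications of editing that Hiera hash are clear to whoever reviews it.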
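Review bot: The `exec { $cmd: ... }` in ssh::known_host has no `path` attribute and `$cmd` (and the else-branch `$unless`) start with the bare names `ssh-keyscan`/`ssh-keygen`, which Puppet's exec rejects as unqualified at apply time; either add `path => ['/usr/bin', '/bin'],` to the resource or use the absolute paths. The command string also splices `$host`, `$port` and `$user` unquoted into text that relies on a shell (the `>`/`>>` redirections only work through one), so a title or user value containing shell metacharacters alters the command instead of failing; a guard such as `if $host !~ /^[A-Za-z0-9.:\-]+$/ { fail("ssh::known_host: invalid host '${host}'") }` (and the same for `$user`/`$port`) before building `$cmd` closes that. Separately, the key that ends up trusted is whatever answers `ssh-keyscan` on the network at apply time, the same trust model as `StrictHostKeyChecking no`; where the host key is known in advance, Puppet's `sshkey` type with an explicit `key` value avoids fetching it unauthenticated. Finally, with the default `overwrite => true` the `unless => '/bin/false'` makes the exec run on every agent run and `>` truncates the entire known_hosts file rather than replacing this host's entry, so two such resources for one user clobber each other; if that is intended it deserves a comment on the `if ($overwrite)` branch.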
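Review bot: `fatal(...)` in the `default:` branch of `case $::osfamily` is not a core Puppet function (the built-in is `fail`), so on an unsupported osfamily compilation aborts with an unknown-function error rather than the intended message, unless a custom `fatal` function exists elsewhere in the tree; the line should read `fail("Unknown osfamily: ${::osfamily}. Probably your OS is unsupported.")`, which also fixes the "Probaly" typo. `$pam_password = 'md5'` selects MD5-based password hashing for whatever PAM template eventually consumes it, which is weak by current standards where `sha512` is the usual choice; if the value is kept, a comment explaining why would help. `$bind_policy` and `$pam_password` are not referenced by any manifest visible in this chunk, so their meaning should be documented where they are declared.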
diff --git a/puppet-manifests/modules/ssh/manifests/sshd.pp b/puppet-manifests/modules/ssh/manifests/sshd.pp
new file mode 100755
index 0000000..1a8393a
--- /dev/null
+++ b/puppet-manifests/modules/ssh/manifests/sshd.pp
@@ -0,0 +1,44 @@
+# Class: ssh::sshd
+#
+class ssh::sshd (
+ $apply_firewall_rules = $::ssh::params::apply_firewall_rules,
+ $firewall_allow_sources = $::ssh::params::firewall_allow_sources,
+ $password_authentication = true,
+ $sftp_group = 'sftpusers',
+) {
+ include ssh::params
+
+ $packages = $ssh::params::packages
+ $service = $ssh::params::service
+ $sshd_config = $ssh::params::sshd_config
+
+ package { $packages :
+ ensure => latest,
+ }
+
+ file { $sshd_config :
+ ensure => 'present',
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ content => template('ssh/sshd_config.erb'),
+ notify => Service[$service],
+ }
+
+ service { $service :
+ ensure => 'running',
+ enable => true,
+ hasstatus => true,
+ hasrestart => false,
+ }
+
+ if ($apply_firewall_rules) {
+ include firewall_defaults::pre
+ create_resources(firewall, $firewall_allow_sources, {
+ dport => 22,
+ action => 'accept',
+ require => Class['firewall_defaults::pre'],
+ })
+ }
+
+}
diff --git a/puppet-manifests/modules/ssh/templates/common-session.erb b/puppet-manifests/modules/ssh/templates/common-session.erb
new file mode 100755
index 0000000..8866445
--- /dev/null
+++ b/puppet-manifests/modules/ssh/templates/common-session.erb
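Review bot: `file { $sshd_config : ... content => template('ssh/sshd_config.erb'), notify => Service[$service] }` writes the rendered config and restarts sshd with no syntax check, so a template mistake that yields an invalid sshd_config takes down the one service needed to repair the host remotely; adding `validate_cmd => '/usr/sbin/sshd -t -f %',` to the file resource (available from Puppet 3.5) rejects bad content before it replaces the live file. `package { $packages : ensure => latest }` upgrades openssh-server on any agent run where a newer package exists, an uncontrolled change to a security-critical daemon; `ensure => present` with upgrades handled deliberately is the safer default. The class default `$password_authentication = true` means password logins are enabled unless every caller opts out, which is worth a comment stating it is intentional. The firewall rule hard-codes `dport => 22` while the template separately hard-codes the listening port, so the two can silently diverge; a single `$port` parameter fed to both would keep them in step.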
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session optional pam_mkhomedir.so skel=/etc/skel/ umask=0027
+session optional pam_ck_connector.so nox11
+# end of pam-auth-update config
diff --git a/puppet-manifests/modules/ssh/templates/sshd_config.erb b/puppet-manifests/modules/ssh/templates/sshd_config.erb
new file mode 100755
index 0000000..496f264
--- /dev/null
+++ b/puppet-manifests/modules/ssh/templates/sshd_config.erb
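Review bot: The header still states `As of pam 1.0.1-6, this file is managed by pam-auth-update by default`, which stops being true once Puppet writes the file from this template; a reader, or a later pam-auth-update run triggered by a package install, may regenerate it and drop the locally added `pam_mkhomedir.so` line. Replace that paragraph with a note such as `# This file is managed by Puppet (ssh/templates/common-session.erb); local edits and pam-auth-update changes will be overwritten.` so the ownership of the file is unambiguous. The `pam_mkhomedir.so skel=/etc/skel/ umask=0027` line is the only deviation from the stock Debian file and is the reason the template exists, which is also worth saying in that comment.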
@@ -0,0 +1,59 @@
+Port 22
+ListenAddress ::
+ListenAddress 0.0.0.0
+Protocol 2
+
+Banner /etc/banner
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+<% if @osfamily == 'Debian' %>
+HostKey /etc/ssh/ssh_host_ecdsa_key
+<% end %>
+UsePrivilegeSeparation yes
+
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+SyslogFacility AUTH
+LogLevel INFO
+
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication <%= @password_authentication ? 'yes' : 'no' %>
+
+X11Forwarding yes
+X11DisplayOffset 10
+PermitTunnel yes
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+UseDNS no
+
+AcceptEnv LANG LC_*
+
+Subsystem sftp internal-sftp
+
+UsePAM yes
+<% if @osfamily == 'Debian' %>
+AuthorizedKeysFile /etc/ssh/keys/%u .ssh/authorized_keys
+<% else %>
+AuthorizedKeysFile %h/.ssh/authorized_keys
+<% end -%>
+
+<% if @sftp_group != '' -%>
+Match Group <%= @sftp_group %>
+ AllowTCPForwarding no
+ X11Forwarding no
+ ForceCommand internal-sftp
+<% end -%>
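Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` together with `KeyRegenerationInterval 3600`, `ServerKeyBits 768`, `RSAAuthentication yes` and `RhostsRSAAuthentication no` are protocol-1 or DSA-era settings; under `Protocol 2` the four options do nothing, the DSA key is limited to 1024 bits and refused by default by OpenSSH clients from 7.0 onward, and newer sshd releases warn on or have removed these keywords, so the DSA `HostKey` and the four options should be dropped (an `ssh_host_ed25519_key` line can take their place where the OS provides one). `X11Forwarding yes` and `PermitTunnel yes` are enabled server-wide and only the sftp `Match Group` block turns X11 back off; both widen what any authenticated account can do and are better defaulted to `no`, with a `Match` block re-enabling them for the users who need them. `PermitRootLogin without-password` alongside a `PasswordAuthentication` line driven by a class default of true means ordinary accounts accept passwords while root is key-only, which is a reasonable split but should be stated in a comment next to the `PasswordAuthentication` line so the intent survives review. The Debian-only `AuthorizedKeysFile /etc/ssh/keys/%u .ssh/authorized_keys` assumes `/etc/ssh/keys` exists with suitable ownership, and nothing in the visible manifests creates it, which is worth either a `file` resource or a comment.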