Puppet module to manage ssh server and client

Puppet SSH

Manage SSH client and server via Puppet. Source: https://github.com/saz/puppet-ssh

Requirements

  • Exported resources for host key management
  • puppetlabs/stdlib
  • puppetlabs/concat

Usage

Since version 2.0.0, only non-default values are written to both the client and the server configuration files.

Multiple occurrences of one config key (e.g. sshd should listen on ports 22 and 2222) should be passed as an array.

options => {
  'Port' => [22, 2222],
}

This works for both client and server.

Client, server and per-user client configuration

Host keys will be collected and distributed unless storeconfigs_enabled is false.

include ssh

or

class { 'ssh':
  storeconfigs_enabled => false,
  server_options => {
    'Match User www-data' => {
      'ChrootDirectory' => '%h',
      'ForceCommand' => 'internal-sftp',
      'PasswordAuthentication' => 'yes',
      'AllowTcpForwarding' => 'no',
      'X11Forwarding' => 'no',
    },
    'Port' => [22, 2222, 2288],
  },
  client_options => {
    'Host *.amazonaws.com' => {
      'User' => 'ec2-user',
    },
  },
  users_client_options => {
    'bob' => {
      options => {
        'Host *.alice.fr' => {
          'User' => 'alice',
        },
      },
    },
  },
}

Hiera example

ssh::storeconfigs_enabled: true

ssh::server_options:
    Protocol: '2'
    ListenAddress:
        - '127.0.0.0'
        - '%{::hostname}'
    PasswordAuthentication: 'yes'
    SyslogFacility: 'AUTHPRIV'
    UsePAM: 'yes'
    X11Forwarding: 'yes'

ssh::server::match_block:
  filetransfer:
    type: group
    options:
      ChrootDirectory: /home/sftp
      ForceCommand: internal-sftp

ssh::client_options:
    'Host *':
        SendEnv: 'LANG LC_*'
        ForwardX11Trusted: 'yes'
        ServerAliveInterval: '10'

ssh::users_client_options:
    'bob':
        'options':
            'Host *.alice.fr':
                'User': 'alice'
                'PasswordAuthentication': 'no'

Client only

Collected host keys from servers will be written to known_hosts unless storeconfigs_enabled is false.

include ssh::client

or

class { 'ssh::client':
  storeconfigs_enabled => false,
  options => {
    'Host short' => {
      'User' => 'my-user',
      'HostName' => 'extreme.long.and.complicated.hostname.domain.tld',
    },
    'Host *' => {
      'User' => 'andromeda',
      'UserKnownHostsFile' => '/dev/null',
    },
  },
}

Per user client configuration

User's home is expected to be /home/bob

SSH configuration file will be /home/bob/.ssh/config.

::ssh::client::config::user { 'bob':
  ensure => present,
  options => {
    'HashKnownHosts' => 'yes'
  }
}

User's home is passed to the defined type

SSH configuration file will be /var/lib/bob/.ssh/config and Puppet will manage the directory /var/lib/bob/.ssh.

::ssh::client::config::user { 'bob':
  ensure => present,
  user_home_dir => '/var/lib/bob',
  options => {
    'HashKnownHosts' => 'yes'
  }
}

User's ssh directory should not be managed by the defined type

SSH configuration file will be /var/lib/bob/.ssh/config.

::ssh::client::config::user { 'bob':
  ensure => present,
  user_home_dir => '/var/lib/bob',
  manage_user_ssh_dir => false,
  options => {
    'HashKnownHosts' => 'yes'
  }
}

User's ssh config is specified with an absolute path

::ssh::client::config::user { 'bob':
  ensure => present,
  target => '/var/lib/bob/.ssh/ssh_config',
  options => {
    'HashKnownHosts' => 'yes'
  }
}

Server only

Host keys will be collected for client distribution unless storeconfigs_enabled is false.

include ssh::server

or

class { 'ssh::server':
  storeconfigs_enabled => false,
  options => {
    'Match User www-data' => {
      'ChrootDirectory' => '%h',
      'ForceCommand' => 'internal-sftp',
      'PasswordAuthentication' => 'yes',
      'AllowTcpForwarding' => 'no',
      'X11Forwarding' => 'no',
    },
    'PasswordAuthentication' => 'no',
    'PermitRootLogin'        => 'no',
    'Port'                   => [22, 2222],
  },
}

Validate config before replacing it

validate_sshd_file allows you to run /usr/sbin/sshd -tf against the sshd config file before it gets replaced, and will raise an error if the config is incorrect.

class { 'ssh::server':
  validate_sshd_file => true,
}

Default options

Client

'Host *'                 => {
  'SendEnv'              => 'LANG LC_*',
  'HashKnownHosts'       => 'yes',
  'GSSAPIAuthentication' => 'yes',
}

Server

'ChallengeResponseAuthentication' => 'no',
'X11Forwarding'                   => 'yes',
'PrintMotd'                       => 'no',
'AcceptEnv'                       => 'LANG LC_*',
'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
'UsePAM'                          => 'yes',

Overwriting default options

Default options will be merged with the options passed in. If an option is set both as a default and via the options parameter, the latter wins.

The following example will disable X11Forwarding, which is enabled by default:

class { 'ssh::server':
  options           => {
    'X11Forwarding' => 'no',
  },
}

Which will lead to the following sshd_config file:

# File is managed by Puppet

ChallengeResponseAuthentication no
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PasswordAuthentication no

Values can also be arrays, which will result in the option being specified multiple times.

class { 'ssh::server':
  options           => {
    'HostKey' => ['/etc/ssh/ssh_host_ed25519_key', '/etc/ssh/ssh_host_rsa_key'],
  },
}

Which will lead to the following sshd_config file:

# File is managed by Puppet

ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PasswordAuthentication no

Defining host keys for server

You can define the host keys your server will use.

ssh::server::host_key {'ssh_host_rsa_key':
  private_key_content => '<the private key>',
  public_key_content  => '<the public key>',
}

Alternately, you could create the host key providing the files, instead of the content:

ssh::server::host_key {'ssh_host_rsa_key':
  private_key_source => 'puppet:///mymodule/ssh_host_rsa_key',
  public_key_source  => 'puppet:///mymodule/ssh_host_rsa_key.pub',
}

Both of these definitions will create /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_rsa_key.pub and restart the sshd daemon.

Adding custom match blocks

class YOURCUSTOMCLASS {

  include ssh

  ssh::server::match_block { 'sftp_only':
    type    => 'User',
    options => {
      'ChrootDirectory'        => "/sftp/%u",
      'ForceCommand'           => 'internal-sftp',
      'PasswordAuthentication' => 'no',
      'AllowTcpForwarding'     => 'no',
      'X11Forwarding'          => 'no',
    }
  }
}
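To make the option handling described under "Overwriting default options" and the match block handling above concrete, here is an added Ruby example (written for this page, not the module's own template code). It assumes the server defaults listed under "Default options", that array values expand to one line per element, and that hash values keyed "Match ..." are rendered last, since sshd applies every keyword after a Match line only to that block.

```ruby
# Added example, not the module's template. Renders an sshd_config from the
# module-style defaults plus caller options:
#  - caller options are merged over the defaults, caller values win
#  - array values become one line per element (e.g. several HostKey lines)
#  - hash values ('Match ...' keys) become Match blocks, emitted after all
#    global options, because sshd scopes everything after a Match line
SERVER_DEFAULTS = {
  'ChallengeResponseAuthentication' => 'no',
  'X11Forwarding'                   => 'yes',
  'PrintMotd'                       => 'no',
  'AcceptEnv'                       => 'LANG LC_*',
  'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
  'UsePAM'                          => 'yes',
}.freeze

def merge_options(defaults, options)
  # Hash#merge keeps the defaults' order and lets a caller value replace a
  # default with the same key; new keys are appended at the end.
  defaults.merge(options)
end

def render_lines(opts, indent = '')
  opts.flat_map do |key, value|
    case value
    when Array then value.map { |v| "#{indent}#{key} #{v}" }
    else ["#{indent}#{key} #{value}"]
    end
  end
end

def render_sshd_config(options, defaults = SERVER_DEFAULTS)
  merged = merge_options(defaults, options)
  globals, matches = merged.partition { |_k, v| !v.is_a?(Hash) }
  lines = ['# File is managed by Puppet', '']
  lines.concat(render_lines(globals.to_h))
  matches.each do |match_key, block|
    lines << ''
    lines << match_key            # e.g. "Match User www-data"
    lines.concat(render_lines(block, '  '))
  end
  lines.join("\n") + "\n"
end

puts render_sshd_config(
  'Match User www-data' => { 'ForceCommand' => 'internal-sftp',
                             'AllowTcpForwarding' => 'no' },
  'PermitRootLogin'     => 'no',
  'HostKey'             => ['/etc/ssh/ssh_host_ed25519_key',
                            '/etc/ssh/ssh_host_rsa_key']
)
```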

Tag hostkey

Assign tags to exported sshkey resources (when ssh::storeconfigs_enabled is set to true).

ssh::hostkeys::tags:
  - hostkey_group1
  - hostkey_group2

Host keys can then be imported using:

Sshkey <<| tag == "hostkey_group1" |>>

Excluding network interfaces or IP addresses

Use Hiera to exclude interfaces or IP addresses from host key inclusion

ssh::hostkeys::exclude_interfaces:
  - eth0
  - eth3
ssh::hostkeys::exclude_ipaddresses:
  - 192.168.0.1
  - 10.42.24.242

Facts

This module provides facts detailing the available SSH client and server versions.

  • ssh_*_version_full Provides the full version number including the portable version number.
  • ssh_*_version_major Provides the first two numbers in the version number.
  • ssh_*_version_release Provides the first three numeric components of the version, without the portable version suffix.

Example facter output for OpenSSH 6.6.1p1:

ssh_client_version_full => 6.6.1p1
ssh_client_version_major => 6.6
ssh_client_version_release => 6.6.1
ssh_server_version_full => 6.6.1p1
ssh_server_version_major => 6.6
ssh_server_version_release => 6.6.1
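The following added Ruby example (written for this page, not the module's own fact code) derives the three facts above from the version token OpenSSH prints, e.g. "OpenSSH_6.6.1p1" from `ssh -V`; the banner strings used here are constructed, and the example also handles versions with only two numeric components, where the release fact carries just those two.

```ruby
# Added example, not the module's fact code. Parses the "OpenSSH_<version>"
# token and derives the full/major/release facts the README documents.
# Named groups: release = numeric components only, full = release plus the
# optional portable suffix ("p1").
VERSION_RE = /OpenSSH_(?<full>(?<release>\d+\.\d+(?:\.\d+)?)(?:p\d+)?)/

def ssh_version_facts(role, banner)
  m = VERSION_RE.match(banner)
  return {} unless m                    # unrecognised banner: emit no facts
  release = m[:release]
  major   = release.split('.').first(2).join('.')   # first two components
  {
    "ssh_#{role}_version_full"    => m[:full],      # e.g. 6.6.1p1
    "ssh_#{role}_version_major"   => major,         # e.g. 6.6
    "ssh_#{role}_version_release" => release,       # e.g. 6.6.1
  }
end

def all_ssh_facts(client_banner, server_banner)
  ssh_version_facts('client', client_banner)
    .merge(ssh_version_facts('server', server_banner))
end

# Constructed sample banners in the shape `ssh -V` writes to stderr.
CLIENT_BANNER = 'OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014'
SERVER_BANNER = 'OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014'

all_ssh_facts(CLIENT_BANNER, SERVER_BANNER).each { |k, v| puts "#{k} => #{v}" }
```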
