# Might be interesting for sftponly usage
# Default: empty -> no change of the default
#
- # sshd_additional_options: Set this to any additional sshd_options which aren't listed above.
- # As well this option might be usefull to define complexer Match Blocks
- # This string is going to be included, like it is defined. So take care!
- # Default: empty -> not added.
+ # sshd_head_additional_options: Set this to any additional sshd_options which aren't listed above.
+ # Anything set here will be added to the beginning of the sshd_config file.
+ # This option might be useful to define complicated Match Blocks
+ # This string is going to be included, like it is defined. So take care!
+ # Default: empty -> not added.
+ #
+ # sshd_tail_additional_options: Set this to any additional sshd_options which aren't listed above.
+ # Anything set here will be added to the end of the sshd_config file.
+ # This option might be useful to define complicated Match Blocks
+ # This string is going to be included, like it is defined. So take care!
+ # Default: empty -> not added.
class sshd {
- # prepare variables to use in templates
- case $sshd_listen_address {
- '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
- }
- case $sshd_allowed_users {
- '': { $sshd_allowed_users = '' }
- }
- case $sshd_allowed_groups {
- '': { $sshd_allowed_groups = '' }
- }
- case $sshd_use_pam {
- '': { $sshd_use_pam = 'no' }
- }
- case $sshd_permit_root_login {
- '': { $sshd_permit_root_login = 'without-password' }
- }
- case $sshd_password_authentication {
- '': { $sshd_password_authentication = 'no' }
- }
- case $sshd_tcp_forwarding {
- '': { $sshd_tcp_forwarding = 'no' }
- }
- case $sshd_x11_forwarding {
- '': { $sshd_x11_forwarding = 'no' }
- }
- case $sshd_agent_forwarding {
- '': { $sshd_agent_forwarding = 'no' }
- }
- case $sshd_challenge_response_authentication {
- '': { $sshd_challenge_response_authentication = 'no' }
- }
- case $sshd_pubkey_authentication {
- '': { $sshd_pubkey_authentication = 'yes' }
- }
- case $sshd_rsa_authentication {
- '': { $sshd_rsa_authentication = 'no' }
- }
- case $sshd_strict_modes {
- '': { $sshd_strict_modes = 'yes' }
- }
- case $sshd_ignore_rhosts {
- '': { $sshd_ignore_rhosts = 'yes' }
- }
- case $sshd_rhosts_rsa_authentication {
- '': { $sshd_rhosts_rsa_authentication = 'no' }
- }
- case $sshd_hostbased_authentication {
- '': { $sshd_hostbased_authentication = 'no' }
- }
- case $sshd_permit_empty_passwords {
- '': { $sshd_permit_empty_passwords = 'no' }
- }
- case $sshd_port {
- '': { $sshd_port = 22 }
- }
- case $sshd_authorized_keys_file {
- '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
- }
- case $sshd_sftp_subsystem {
- '': { $sshd_sftp_subsystem = '' }
- }
- case $sshd_additional_options {
- '': { $sshd_additional_options = '' }
- }
-
- include sshd::client
- include sshd::client
-
- case $operatingsystem {
- gentoo: { include sshd::gentoo }
- redhat: { include sshd::redhat }
- centos: { include sshd::centos }
- openbsd: { include sshd::openbsd }
- debian: { include sshd::debian }
- ubuntu: { include sshd::ubuntu }
- default: { include sshd::default }
- }
-}
-
-
-class sshd::base {
- # prepare variables to use in templates
++ # prepare variables to use in templates
+ case $sshd_listen_address {
+ '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
+ }
+ case $sshd_allowed_users {
+ '': { $sshd_allowed_users = '' }
+ }
+ case $sshd_allowed_groups {
+ '': { $sshd_allowed_groups = '' }
+ }
+ case $sshd_use_pam {
+ '': { $sshd_use_pam = 'no' }
+ }
+ case $sshd_permit_root_login {
+ '': { $sshd_permit_root_login = 'without-password' }
+ }
+ case $sshd_password_authentication {
+ '': { $sshd_password_authentication = 'no' }
+ }
+ case $sshd_tcp_forwarding {
+ '': { $sshd_tcp_forwarding = 'no' }
+ }
+ case $sshd_x11_forwarding {
+ '': { $sshd_x11_forwarding = 'no' }
+ }
+ case $sshd_agent_forwarding {
+ '': { $sshd_agent_forwarding = 'no' }
+ }
+ case $sshd_challenge_response_authentication {
+ '': { $sshd_challenge_response_authentication = 'no' }
+ }
+ case $sshd_pubkey_authentication {
+ '': { $sshd_pubkey_authentication = 'yes' }
+ }
+ case $sshd_rsa_authentication {
+ '': { $sshd_rsa_authentication = 'no' }
+ }
+ case $sshd_strict_modes {
+ '': { $sshd_strict_modes = 'yes' }
+ }
+ case $sshd_ignore_rhosts {
+ '': { $sshd_ignore_rhosts = 'yes' }
+ }
+ case $sshd_rhosts_rsa_authentication {
+ '': { $sshd_rhosts_rsa_authentication = 'no' }
+ }
+ case $sshd_hostbased_authentication {
+ '': { $sshd_hostbased_authentication = 'no' }
+ }
+ case $sshd_permit_empty_passwords {
+ '': { $sshd_permit_empty_passwords = 'no' }
+ }
+ case $sshd_port {
+ '': { $sshd_port = 22 }
+ }
+ case $sshd_authorized_keys_file {
+ '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
+ }
+ case $sshd_sftp_subsystem {
+ '': { $sshd_sftp_subsystem = '' }
+ }
+ case $sshd_head_additional_options {
+ '': { $sshd_head_additional_options = '' }
+ }
+ case $sshd_tail_additional_options {
+ '': { $sshd_tail_additional_options = '' }
+ }
+ case $sshd_ensure_version {
+ '': { $sshd_ensure_version = "present" }
+ }
- case $operatingsystem {
- gentoo: { include sshd::gentoo }
- redhat,centos: { include sshd::redhat }
- centos: { include sshd::centos }
- openbsd: { include sshd::openbsd }
- debian,ubuntu: { include sshd::debian }
- default: { include sshd::default }
- file { 'sshd_config':
- path => '/etc/ssh/sshd_config',
- owner => root,
- group => 0,
- mode => 600,
- content => $lsbdistcodename ? {
- '' => template("sshd/sshd_config/${operatingsystem}.erb"),
- default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
- },
- notify => Service[sshd],
- }
- # Now add the key, if we've got one
- case $sshrsakey {
- '': { warning("no sshrsakey on $fqdn") }
- default: {
- @@sshkey{"$hostname.$domain":
- type => ssh-rsa,
- key => $sshrsakey,
- ensure => present,
- }
- @@sshkey{"$ipaddress":
- type => ssh-rsa,
- key => $sshrsakey,
- ensure => present,
- }
-- }
- }
- service{'sshd':
- name => 'sshd',
- enable => true,
- ensure => running,
- hasstatus => true,
- require => File[sshd_config],
++ include sshd::client
+
- if $use_nagios {
- if $nagios_check_ssh {
- nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" }
- }
- }
++ case $operatingsystem {
++ gentoo: { include sshd::gentoo }
++ redhat,centos: { include sshd::redhat }
++ centos: { include sshd::centos }
++ openbsd: { include sshd::openbsd }
++ debian,ubuntu: { include sshd::debian }
++ default: { include sshd::default }
+ }
-
+
- if $use_shorewall{
- include shorewall::rules::ssh
+ if $use_nagios {
+ case $nagios_check_ssh {
+ 'false': { info("We don't do nagioschecks for ssh on ${fqdn}" ) }
+ default: { nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } }
}
+ }
}
-
-class sshd::linux inherits sshd::base {
- if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' }
- package {'openssh':
- ensure => $sshd_ensure_version,
- }
- File[sshd_config]{
- require +> Package[openssh],
- }
-}
-
-class sshd::gentoo inherits sshd::linux {
- Package[openssh]{
- category => 'net-misc',
- }
-}
-
-class sshd::debian inherits sshd::linux {
-
- # the templates for Debian need lsbdistcodename
- include assert_lsbdistcodename
-
- Package[openssh]{
- name => 'openssh-server',
- }
-
- $sshd_restartandstatus = $lsbdistcodename ? {
- etch => false,
- lenny => true,
- default => false
- }
-
- Service[sshd]{
- name => 'ssh',
- pattern => 'sshd',
- hasstatus => $sshd_restartandstatus,
- hasrestart => $sshd_restartandstatus,
- }
-}
-class sshd::ubuntu inherits sshd::debian {}
-
-class sshd::redhat inherits sshd::linux {
- Package[openssh]{
- name => 'openssh-server',
- }
-}
-class sshd::centos inherits sshd::redhat {}
-
-class sshd::openbsd inherits sshd::base {
- Service[sshd]{
- restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
- stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
- start => '/usr/sbin/sshd',
- hasstatus => false,
- }
-}
-
-### defines
-# wrapper to have some defaults.
-define sshd::ssh_authorized_key(
- $type = 'ssh-dss',
- $key,
- $user = '',
- $target = undef,
- $options = 'absent'
- )
-{
- $real_user = $user ? {
- false => $name,
- "" => $name,
- default => $user,
- }
- case $target {
- undef: {
- $real_target = "/home/$real_user/.ssh/authorized_keys"
- }
- default: {
- $real_target = $target
- }
- }
- ssh_authorized_key{$name:
- type => $type,
- key => $key,
- user => $real_user,
- target => $real_target,
- }
-
- case $options {
- 'absent': { info("not setting any option for ssh_authorized_key: $name") }
- default: {
- Ssh_authorized_key[$name]{
- options => $options,
- }
- }
- }
-}
projects / puppet-sshd.git / commitdiff