From: mh Date: Thu, 10 Dec 2009 22:15:07 +0000 (+0100) Subject: merged with riseup module, various cleaning up X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=bdf7bd334ee6a6a07eb6cfab17dc9c7fc79ec1a8;p=puppet-sshd.git merged with riseup module, various cleaning up --- bdf7bd334ee6a6a07eb6cfab17dc9c7fc79ec1a8 diff --cc manifests/base.pp index b249974,0000000..2ac2385 mode 100644,000000..100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@@ -1,31 -1,0 +1,35 @@@ +class sshd::base { - file { 'sshd_config': - path => '/etc/ssh/sshd_config', - owner => root, - group => 0, - mode => 600, - content => $lsbdistcodename ? { - '' => template("sshd/sshd_config/${operatingsystem}.erb"), - default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), - }, - notify => Service[sshd], - } - # Now add the key, if we've got one - case $sshrsakey_key { - '': { info("no sshrsakey on $fqdn") } - default: { - @@sshkey{"$hostname.$domain": - type => ssh-rsa, - key => $sshrsakey_key, - ensure => present, - } - } - } - service{'sshd': - name => 'sshd', - enable => true, - ensure => running, - hasstatus => true, - require => File[sshd_config], ++ file { 'sshd_config': ++ path => '/etc/ssh/sshd_config', ++ content => $lsbdistcodename ? 
{ ++ '' => template("sshd/sshd_config/${operatingsystem}.erb"), ++ default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), ++ }, ++ notify => Service[sshd], ++ owner => root, group => 0, mode => 600; ++ } ++ ++ # Now add the key, if we've got one ++ case $sshrsakey_key { ++ '': { info("no sshrsakey on $fqdn") } ++ default: { ++ @@sshkey{"$hostname.$domain": ++ type => ssh-rsa, ++ key => $sshrsakey_key, ++ ensure => present, ++ } ++ @@sshkey{"$ipaddress": ++ type => ssh-rsa, ++ key => $sshrsakey, ++ ensure => present, ++ } + } ++ } ++ service{'sshd': ++ name => 'sshd', ++ enable => true, ++ ensure => running, ++ hasstatus => true, ++ require => File[sshd_config], ++ } +} diff --cc manifests/client/base.pp index 2c3e31f,0000000..33d9f9e mode 100644,000000..100644 --- a/manifests/client/base.pp +++ b/manifests/client/base.pp @@@ -1,9 -1,0 +1,9 @@@ +class sshd::client::base { - # this is needed because the gid might have changed - file { '/etc/ssh/ssh_known_hosts': - mode => 0644, owner => root, group => 0; - } ++ # this is needed because the gid might have changed ++ file { '/etc/ssh/ssh_known_hosts': ++ owner => root, group => 0, mode => 0644; ++ } + - # Now collect all server keys - Sshkey <<||>> ++ # Now collect all server keys ++ Sshkey <<||>> +} diff --cc manifests/client/debian.pp index 9ca6da9,0000000..2aaf3fb mode 100644,000000..100644 --- a/manifests/client/debian.pp +++ b/manifests/client/debian.pp @@@ -1,5 -1,0 +1,5 @@@ +class sshd::client::debian inherits sshd::client::linux { - Package['openssh-clients']{ - name => 'openssh-client', - } ++ Package['openssh-clients']{ ++ name => 'openssh-client', ++ } +} diff --cc manifests/client/linux.pp index 522fa50,0000000..8c58ca8 mode 100644,000000..100644 --- a/manifests/client/linux.pp +++ b/manifests/client/linux.pp @@@ -1,5 -1,0 +1,6 @@@ +class sshd::client::linux inherits sshd::client::base { - package {'openssh-clients': - ensure => installed, - } ++ if $ssh_ensure_version == '' { 
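Review bot: The second exported resource, `@@sshkey{"$ipaddress": ...}`, reads `key => $sshrsakey`, while the guarding `case $sshrsakey_key` and the `$hostname.$domain` resource just above use `$sshrsakey_key`; on a node where only `$sshrsakey_key` is set the IP entry is exported with an empty key (or fails the sshkey type's validation), and every client that collects `Sshkey <<||>>` picks up that bogus known_hosts line. Presumably the merge mixed the two modules' fact names; the line should read `key => $sshrsakey_key,`, or the class should settle on one fact name throughout. A short comment on why both the FQDN and the address are exported would also help, e.g. `# export under both name and IP so clients connecting by address still get host-key verification`.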
$ssh_ensure_version = 'installed' } ++ package {'openssh-clients': ++ ensure => $ssh_ensure_version, ++ } +} diff --cc manifests/debian.pp index 528779c,0000000..849d9f4 mode 100644,000000..100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@@ -1,16 -1,0 +1,25 @@@ +class sshd::debian inherits sshd::linux { + + # the templates for Debian need lsbdistcodename + include lsb + File['sshd_config']{ - require => Package['lsb'] ++ require +> Package['lsb'] + } + + Package[openssh]{ + name => 'openssh-server', + } ++ ++ $sshd_restartandstatus = $lsbdistcodename ? { ++ etch => false, ++ lenny => true, ++ default => false ++ } ++ + Service[sshd]{ + name => 'ssh', - hasstatus => false, ++ pattern => 'sshd', ++ hasstatus => $sshd_restartandstatus, ++ hasrestart => $sshd_restartandstatus, + } +} diff --cc manifests/gentoo.pp index f56a96d,0000000..631f3d1 mode 100644,000000..100644 --- a/manifests/gentoo.pp +++ b/manifests/gentoo.pp @@@ -1,5 -1,0 +1,5 @@@ +class sshd::gentoo inherits sshd::linux { - Package[openssh]{ - category => 'net-misc', - } ++ Package[openssh]{ ++ category => 'net-misc', ++ } +} diff --cc manifests/init.pp index 8489a6a,386bd77..83b26c1 --- a/manifests/init.pp +++ b/manifests/init.pp @@@ -113,95 -120,240 +120,105 @@@ # Might be interesting for sftponly usage # Default: empty -> no change of the default # - # sshd_additional_options: Set this to any additional sshd_options which aren't listed above. - # As well this option might be usefull to define complexer Match Blocks - # This string is going to be included, like it is defined. So take care! - # Default: empty -> not added. + # sshd_head_additional_options: Set this to any additional sshd_options which aren't listed above. + # Anything set here will be added to the beginning of the sshd_config file. + # This option might be useful to define complicated Match Blocks + # This string is going to be included, like it is defined. So take care! + # Default: empty -> not added. 
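Review bot: The new default line uses `$ssh_ensure_version`, while the server side of the same commit (manifests/init.pp and manifests/linux.pp) uses `$sshd_ensure_version` with a different literal (`'installed'` here, `"present"` there); the two values are equivalent in Puppet, but the naming split means a single knob meant to pin both client and server packages will silently apply to only one of them. If the client version is intended to be independent, a comment such as `# $ssh_ensure_version pins openssh-clients independently of $sshd_ensure_version` would stop the next reader from "fixing" it. Note also that `$ssh_ensure_version` is not given a default in init.pp, so this one-line `if` is the only place it is set.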
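Review bot: The `$sshd_restartandstatus` selector returns `false` for every codename other than `lenny`, so any release newer than lenny falls back to `hasstatus => false` and `hasrestart => false`, meaning Puppet determines the service state by scanning the process table for `pattern => 'sshd'` and restarts by stop/start instead of the init script's restart target. If only etch lacks working status/restart targets, `etch => false, default => true` is presumably what was meant; either way a comment naming the releases this was verified on would help. The process-table fallback may also match per-connection `sshd` child processes, so a daemon that has died while sessions remain open can be reported as running.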
+ # + # sshd_tail_additional_options: Set this to any additional sshd_options which aren't listed above. + # Anything set here will be added to the end of the sshd_config file. + # This option might be useful to define complicated Match Blocks + # This string is going to be included, like it is defined. So take care! + # Default: empty -> not added. class sshd { - # prepare variables to use in templates - case $sshd_listen_address { - '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } - } - case $sshd_allowed_users { - '': { $sshd_allowed_users = '' } - } - case $sshd_allowed_groups { - '': { $sshd_allowed_groups = '' } - } - case $sshd_use_pam { - '': { $sshd_use_pam = 'no' } - } - case $sshd_permit_root_login { - '': { $sshd_permit_root_login = 'without-password' } - } - case $sshd_password_authentication { - '': { $sshd_password_authentication = 'no' } - } - case $sshd_tcp_forwarding { - '': { $sshd_tcp_forwarding = 'no' } - } - case $sshd_x11_forwarding { - '': { $sshd_x11_forwarding = 'no' } - } - case $sshd_agent_forwarding { - '': { $sshd_agent_forwarding = 'no' } - } - case $sshd_challenge_response_authentication { - '': { $sshd_challenge_response_authentication = 'no' } - } - case $sshd_pubkey_authentication { - '': { $sshd_pubkey_authentication = 'yes' } - } - case $sshd_rsa_authentication { - '': { $sshd_rsa_authentication = 'no' } - } - case $sshd_strict_modes { - '': { $sshd_strict_modes = 'yes' } - } - case $sshd_ignore_rhosts { - '': { $sshd_ignore_rhosts = 'yes' } - } - case $sshd_rhosts_rsa_authentication { - '': { $sshd_rhosts_rsa_authentication = 'no' } - } - case $sshd_hostbased_authentication { - '': { $sshd_hostbased_authentication = 'no' } - } - case $sshd_permit_empty_passwords { - '': { $sshd_permit_empty_passwords = 'no' } - } - case $sshd_port { - '': { $sshd_port = 22 } - } - case $sshd_authorized_keys_file { - '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } - } - case $sshd_sftp_subsystem { - '': { $sshd_sftp_subsystem = 
'' } - } - case $sshd_additional_options { - '': { $sshd_additional_options = '' } - } - - include sshd::client - include sshd::client - - case $operatingsystem { - gentoo: { include sshd::gentoo } - redhat: { include sshd::redhat } - centos: { include sshd::centos } - openbsd: { include sshd::openbsd } - debian: { include sshd::debian } - ubuntu: { include sshd::ubuntu } - default: { include sshd::default } - } -} - - -class sshd::base { - # prepare variables to use in templates ++ # prepare variables to use in templates + case $sshd_listen_address { + '': { $sshd_listen_address = [ '0.0.0.0', '::' ] } + } + case $sshd_allowed_users { + '': { $sshd_allowed_users = '' } + } + case $sshd_allowed_groups { + '': { $sshd_allowed_groups = '' } + } + case $sshd_use_pam { + '': { $sshd_use_pam = 'no' } + } + case $sshd_permit_root_login { + '': { $sshd_permit_root_login = 'without-password' } + } + case $sshd_password_authentication { + '': { $sshd_password_authentication = 'no' } + } + case $sshd_tcp_forwarding { + '': { $sshd_tcp_forwarding = 'no' } + } + case $sshd_x11_forwarding { + '': { $sshd_x11_forwarding = 'no' } + } + case $sshd_agent_forwarding { + '': { $sshd_agent_forwarding = 'no' } + } + case $sshd_challenge_response_authentication { + '': { $sshd_challenge_response_authentication = 'no' } + } + case $sshd_pubkey_authentication { + '': { $sshd_pubkey_authentication = 'yes' } + } + case $sshd_rsa_authentication { + '': { $sshd_rsa_authentication = 'no' } + } + case $sshd_strict_modes { + '': { $sshd_strict_modes = 'yes' } + } + case $sshd_ignore_rhosts { + '': { $sshd_ignore_rhosts = 'yes' } + } + case $sshd_rhosts_rsa_authentication { + '': { $sshd_rhosts_rsa_authentication = 'no' } + } + case $sshd_hostbased_authentication { + '': { $sshd_hostbased_authentication = 'no' } + } + case $sshd_permit_empty_passwords { + '': { $sshd_permit_empty_passwords = 'no' } + } + case $sshd_port { + '': { $sshd_port = 22 } + } + case $sshd_authorized_keys_file { + '': { 
$sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } + } + case $sshd_sftp_subsystem { + '': { $sshd_sftp_subsystem = '' } + } + case $sshd_head_additional_options { + '': { $sshd_head_additional_options = '' } + } + case $sshd_tail_additional_options { + '': { $sshd_tail_additional_options = '' } + } + case $sshd_ensure_version { + '': { $sshd_ensure_version = "present" } + } - case $operatingsystem { - gentoo: { include sshd::gentoo } - redhat,centos: { include sshd::redhat } - centos: { include sshd::centos } - openbsd: { include sshd::openbsd } - debian,ubuntu: { include sshd::debian } - default: { include sshd::default } - file { 'sshd_config': - path => '/etc/ssh/sshd_config', - owner => root, - group => 0, - mode => 600, - content => $lsbdistcodename ? { - '' => template("sshd/sshd_config/${operatingsystem}.erb"), - default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"), - }, - notify => Service[sshd], - } - # Now add the key, if we've got one - case $sshrsakey { - '': { warning("no sshrsakey on $fqdn") } - default: { - @@sshkey{"$hostname.$domain": - type => ssh-rsa, - key => $sshrsakey, - ensure => present, - } - @@sshkey{"$ipaddress": - type => ssh-rsa, - key => $sshrsakey, - ensure => present, - } -- } - } - service{'sshd': - name => 'sshd', - enable => true, - ensure => running, - hasstatus => true, - require => File[sshd_config], ++ include sshd::client + - if $use_nagios { - if $nagios_check_ssh { - nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } - } - } ++ case $operatingsystem { ++ gentoo: { include sshd::gentoo } ++ redhat,centos: { include sshd::redhat } ++ centos: { include sshd::centos } ++ openbsd: { include sshd::openbsd } ++ debian,ubuntu: { include sshd::debian } ++ default: { include sshd::default } + } - + - if $use_shorewall{ - include shorewall::rules::ssh + if $use_nagios { + case $nagios_check_ssh { + 'false': { info("We don't do nagioschecks for ssh on ${fqdn}" 
) } + default: { nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" } } } + } } - -class sshd::linux inherits sshd::base { - if $sshd_ensure_version == '' { $sshd_ensure_version = 'installed' } - package {'openssh': - ensure => $sshd_ensure_version, - } - File[sshd_config]{ - require +> Package[openssh], - } -} - -class sshd::gentoo inherits sshd::linux { - Package[openssh]{ - category => 'net-misc', - } -} - -class sshd::debian inherits sshd::linux { - - # the templates for Debian need lsbdistcodename - include assert_lsbdistcodename - - Package[openssh]{ - name => 'openssh-server', - } - - $sshd_restartandstatus = $lsbdistcodename ? { - etch => false, - lenny => true, - default => false - } - - Service[sshd]{ - name => 'ssh', - pattern => 'sshd', - hasstatus => $sshd_restartandstatus, - hasrestart => $sshd_restartandstatus, - } -} -class sshd::ubuntu inherits sshd::debian {} - -class sshd::redhat inherits sshd::linux { - Package[openssh]{ - name => 'openssh-server', - } -} -class sshd::centos inherits sshd::redhat {} - -class sshd::openbsd inherits sshd::base { - Service[sshd]{ - restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', - stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', - start => '/usr/sbin/sshd', - hasstatus => false, - } -} - -### defines -# wrapper to have some defaults. -define sshd::ssh_authorized_key( - $type = 'ssh-dss', - $key, - $user = '', - $target = undef, - $options = 'absent' - ) -{ - $real_user = $user ? 
{ - false => $name, - "" => $name, - default => $user, - } - case $target { - undef: { - $real_target = "/home/$real_user/.ssh/authorized_keys" - } - default: { - $real_target = $target - } - } - ssh_authorized_key{$name: - type => $type, - key => $key, - user => $real_user, - target => $real_target, - } - - case $options { - 'absent': { info("not setting any option for ssh_authorized_key: $name") } - default: { - Ssh_authorized_key[$name]{ - options => $options, - } - } - } -} diff --cc manifests/linux.pp index f659808,0000000..a1f4e2a mode 100644,000000..100644 --- a/manifests/linux.pp +++ b/manifests/linux.pp @@@ -1,8 -1,0 +1,8 @@@ +class sshd::linux inherits sshd::base { - package{openssh: - ensure => present, ++ package{openssh: ++ ensure => $sshd_ensure_version, ++ } ++ File[sshd_config]{ ++ require +> Package[openssh], + } - File[sshd_config]{ - require +> Package[openssh], - } +} diff --cc manifests/ssh_authorized_key.pp index 2d528da,0000000..9374e15 mode 100644,000000..100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@@ -1,36 -1,0 +1,42 @@@ +# wrapper to have some defaults. +define sshd::ssh_authorized_key( + $type = 'ssh-dss', + $key, + $user = 'root', - $target = 'absent', ++ $target = undef, + $options = 'absent' +){ + - case $target { - 'absent': { - case $user { - 'root': { $real_target = '/root/.ssh/authorized_keys' } - default: { $real_target = "/home/${user}/.ssh/authorized_keys" } - } - } - default: { - $real_target = $target - } ++ $real_user = $user ? 
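Review bot: In the new `case $operatingsystem`, the `centos:` branch is unreachable because the preceding `redhat,centos:` branch already matches centos and Puppet takes the first match; likewise `sshd::ubuntu` is no longer included anywhere once `debian,ubuntu:` maps both to `sshd::debian`. Either drop the dead `centos:` line or split it back into `redhat: { include sshd::redhat }` and `centos: { include sshd::centos }`. Separately, the nagios block now reads `case $nagios_check_ssh { 'false': ... default: nagios::service ... }`, so an unset `$nagios_check_ssh` creates the check, whereas the removed `if $nagios_check_ssh` only created it when the variable was set; if that inversion is intended, the option list at the top of the file should state that the check defaults to on. The `sshd` class begins and ends inside this hunk.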
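Review bot: `ensure => $sshd_ensure_version` in `sshd::linux` depends on the variable defaulted in class `sshd` (manifests/init.pp), yet `sshd::linux` inherits `sshd::base`, not `sshd`, so the lookup presumably only succeeds through dynamic scoping when the class is reached via the `include sshd::debian`/`sshd::gentoo`/... calls inside `sshd`; an independent `include sshd::linux` would get an empty ensure. A comment such as `# $sshd_ensure_version is set in class sshd; this class is only meant to be reached through it`, or a local fallback like the one in manifests/client/linux.pp, would make the dependency explicit.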
{ ++ false => $name, ++ "" => $name, ++ default => $user, ++ } ++ ++ case $target { ++ undef: { ++ case $user { ++ 'root': { $real_target = '/root/.ssh/authorized_keys' } ++ default: { $real_target = "/home/${user}/.ssh/authorized_keys" } ++ } + } - ssh_authorized_key{$name: - type => $type, - key => $key, - user => $user, - target => $real_target, ++ default: { ++ $real_target = $target + } ++ } ++ ssh_authorized_key{$name: ++ type => $type, ++ key => $key, ++ user => $real_user, ++ target => $real_target, ++ } + - case $options { - 'absent': { info("not setting any option for ssh_authorized_key: $name") } - default: { - Ssh_authorized_key[$name]{ - options => $options, - } - } ++ case $options { ++ 'absent': { info("not setting any option for ssh_authorized_key: $name") } ++ default: { ++ Ssh_authorized_key[$name]{ ++ options => $options, ++ } + } ++ } +} diff --cc templates/sshd_config/CentOS.erb index fcaf4d6,bc5256a..a253029 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@@ -186,21 -194,21 +191,19 @@@ X11Forwarding n #Banner /some/path # override default of no subsystems -<%- if sshd_sftp_subsystem.to_s.empty? then %> +<%- if sshd_sftp_subsystem.to_s.empty? then -%> Subsystem sftp /usr/libexec/openssh/sftp-server -<%- else %> +<%- else -%> Subsystem sftp <%= sshd_sftp_subsystem %> -<%- end %> +<%- end -%> -<%- unless sshd_allowed_users.to_s.empty? then %> +<%- unless sshd_allowed_users.to_s.empty? then -%> AllowUsers <%= sshd_allowed_users %> -<%- end %> -<%- unless sshd_allowed_groups.to_s.empty? then %> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then -%> AllowGroups <%= sshd_allowed_groups %> -<%- end %> - +<%- end -%> - - <%- unless sshd_additional_options.to_s.empty? then -%> - <%= sshd_additional_options %> - <%- end -%> - + <%- unless sshd_tail_additional_options.to_s.empty? then %> + <%= sshd_tail_additional_options %> + <%- end %> -
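Review bot: The inner `case $user` that derives `$real_target` tests `$user` and interpolates `"/home/${user}/.ssh/authorized_keys"`, but the user actually handed to `ssh_authorized_key` is `$real_user`, which the new selector sets to `$name` when `$user` is `false` or `""`; in that case the key is installed for user `$name` but written to `/home//.ssh/authorized_keys`, outside that user's home. Both lines should use the resolved name: `case $real_user {` and `default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }`. The `'root'` branch likewise only fires when `$user` is literally `'root'`, which is consistent once `$real_user` is the value being tested. The `sshd::ssh_authorized_key` define starts and ends inside this hunk.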