comparison modules/ssh/README.md @ 385:d9009f54eb23

Migrate to a fully-fledged SSH module This handles lots of the server path differences for us
author IBBoard <dev@ibboard.co.uk>
date Mon, 03 Jan 2022 17:05:54 +0000
# puppet-module-ssh

Manage ssh client and server.

The module uses exported resources to manage ssh keys and removes ssh keys that
are not managed by puppet. This behavior is managed by the parameters
ssh_key_ensure and purge_keys.

This module may be used with a simple `include ::ssh`

The `ssh::config_entry` defined type may be used directly and is used to manage
Host entries in a personal `~/.ssh/config` file.

===

### Table of Contents
1. [Compatibility](#compatibility)
1. [Parameters](#parameters)
1. [Examples](#sample-usage)

===
22
# Compatibility

This module has been tested to work on the following systems with the
latest Puppet v3, v3 with future parser, v4, v5 and v6. See `.travis.yml`
for the exact matrix of supported Puppet and ruby versions.

* Debian 7
* Debian 8
* Debian 9
* Debian 10
* EL 5
* EL 6
* EL 7
* SLES 10
* SLES 11
* SLES 12
* Ubuntu 12.04 LTS
* Ubuntu 14.04 LTS
* Ubuntu 16.04 LTS
* Ubuntu 18.04 LTS
* Ubuntu 20.04 LTS
* Solaris 9
* Solaris 10
* Solaris 11

If you use the Sun Solaris SSH, please keep in mind that not all parameters can be used.

Unsupported parameters for ssh_config:
AddressFamily, Tunnel, TunnelDevice, PermitLocalCommand, HashKnownHosts

Unsupported parameters for sshd_config:
KerberosOrLocalPasswd, KerberosTicketCleanup, KerberosGetAFSToken, TCPKeepAlive, ShowPatchLevel, MaxSessions, PermitTunnel

===
57
# Parameters
A value of `'USE_DEFAULTS'` will use the defaults specified by the module.


hiera_merge
-----------
Boolean to merge all found instances of ssh::keys and ssh::config_entries in Hiera.
This is useful for specifying SSH keys at different levels of the hierarchy and having
them all included in the catalog.

This will default to 'true' in future versions.

- *Default*: false

ssh_config_hash_known_hosts
---------------------------
HashKnownHosts in ssh_config.
Indicates that ssh should hash host names and addresses when they are added to ~/.ssh/known_hosts.
These hashed names may be used normally by ssh and sshd, but they do not reveal identifying
information should the file's contents be disclosed. The default is 'no' on Linux.

Note that existing names and addresses in known hosts files will not be converted automatically,
but may be manually hashed using ssh-keygen. Use of this option may break facilities such as
tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts.

A value of 'unset' will not add this parameter to the configuration file.

- *Default*: 'USE_DEFAULTS'

ssh_config_path
---------------
Path to ssh_config.

- *Default*: '/etc/ssh/ssh_config'

ssh_config_owner
----------------
ssh_config's owner.

- *Default*: 'root'

ssh_config_group
----------------
ssh_config's group.

- *Default*: 'root'

ssh_config_mode
---------------
ssh_config's mode.

- *Default*: '0644'

ssh_config_forward_x11
----------------------
ForwardX11 option in ssh_config. Not set by default.

- *Default*: undef

ssh_config_forward_agent
------------------------
ForwardAgent option in ssh_config. Not set by default.

- *Default*: undef

ssh_config_server_alive_interval
--------------------------------
ServerAliveInterval option in ssh_config. Not set by default.

- *Default*: undef

ssh_config_sendenv_xmodifiers
-----------------------------
Boolean to set 'SendEnv XMODIFIERS' in ssh_config. This option is only valid on Linux.

- *Default*: false

ssh_config_template
-------------------
*string* The template used to generate ssh_config.

- *Default*: 'ssh/ssh_config.erb'

ssh_config_ciphers
------------------
Array of ciphers to be used with the Ciphers option in ssh_config.

- *Default*: undef

ssh_config_kexalgorithms
------------------------
Array of key exchange algorithms to be used with the KexAlgorithms option in ssh_config.

- *Default*: undef

ssh_config_macs
---------------
Array of MAC algorithms to be used with the MACs option in ssh_config.

- *Default*: undef

ssh_sendenv
-----------
Boolean to enable SendEnv options for specifying environment variables. Default is set to true on Linux.

- *Default*: 'USE_DEFAULTS'

ssh_gssapiauthentication
------------------------
GSSAPIAuthentication: Enables/disables GSS-API user authentication in ssh_config. Valid values are 'yes' and 'no'.

- *Default*: 'yes'

ssh_gssapidelegatecredentials
-----------------------------
*string* For GSSAPIDelegateCredentials setting in ssh_config. Valid values are
'yes' and 'no', or undef, which ensures the setting is not present
in ssh_config.

- *Default*: undef

ssh_hostbasedauthentication
---------------------------
String for HostbasedAuthentication option in ssh_config. Valid values are 'yes' and 'no'.

- *Default*: undef

ssh_config_proxy_command
------------------------
String for ProxyCommand option in ssh_config.

- *Default*: undef

ssh_strict_host_key_checking
----------------------------
*string* For StrictHostKeyChecking setting in ssh_config. Valid values are
'yes', 'no' or 'ask'.

- *Default*: undef

ssh_enable_ssh_keysign
----------------------
*string* For EnableSSHKeysign setting in ssh_config. Valid values are
'yes' and 'no', or undef, which ensures the setting is not present
in ssh_config.

- *Default*: undef

sshd_addressfamily
------------------
Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration.

- *Default*: 'any'

sshd_config_path
----------------
Path to sshd_config.

- *Default*: '/etc/ssh/sshd_config'

sshd_config_owner
-----------------
sshd_config's owner.

- *Default*: 'root'

sshd_config_group
-----------------
sshd_config's group.

- *Default*: 'root'

sshd_config_loglevel
--------------------
LogLevel option in sshd_config. Acceptable values are QUIET, FATAL, ERROR, INFO, VERBOSE.

*DEBUG, DEBUG1, DEBUG2, and DEBUG3* are permitted values for sshd, however [setting the logging level to DEBUG or higher violates the privacy of users](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config) and should not be done unless manually debugging.

- *Default*: 'INFO'

sshd_config_maxauthtries
------------------------
MaxAuthTries option in sshd_config. Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.

- *Default*: '6'

sshd_config_mode
----------------
sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris.

- *Default*: 'USE_DEFAULTS'

sshd_listen_address
-------------------
String or Array to specify address(es) to which sshd will bind. Corresponds to ListenAddress in sshd_config.

- *Default*: undef

sshd_config_permitemptypasswords
--------------------------------
PermitEmptyPasswords option in sshd_config. When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.
Valid values are 'yes' and 'no'.

- *Default*: undef

sshd_config_permituserenvironment
---------------------------------
PermitUserEnvironment option in sshd_config. Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8). The default is "no". Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.
Valid values are 'yes' and 'no'.

- *Default*: undef

sshd_config_compression
-----------------------
Compression option in sshd_config.
Specifies whether compression is allowed in an SSH connection prior to authentication.
If specified, valid values are 'yes', 'no' and 'delayed'.

- *Default*: undef

sshd_config_port
----------------
String, Integer or Array to specify listen port[s] for sshd. Port option in sshd_config.

- *Default*: '22'

sshd_config_syslog_facility
---------------------------
SyslogFacility option in sshd_config.

- *Default*: 'AUTH'

sshd_config_template
--------------------
*string* The template used to generate sshd_config.

- *Default*: 'ssh/sshd_config.erb'

sshd_config_login_grace_time
----------------------------
LoginGraceTime option in sshd_config.

- *Default*: '120'

sshd_config_challenge_resp_auth
-------------------------------
ChallengeResponseAuthentication option in sshd_config. RedHat defaults
to setting this to no for EL 5, 6 and 7, though the module will set it
to 'yes'. Suggest setting to 'no' with Hiera on EL systems. This will
default to 'no' for those platforms in the next major release.

- *Default*: 'yes'

sshd_config_print_motd
----------------------
PrintMotd option in sshd_config.

- *Default*: 'yes'

sshd_config_print_last_log
--------------------------
PrintLastLog option in sshd_config.
Verify SSH provides users with feedback on when account accesses last occurred.
If specified, valid values are 'yes' and 'no'.

- *Default*: undef

sshd_config_use_dns
-------------------
UseDNS option in sshd_config. The default is 'yes' on Linux.

- *Default*: 'USE_DEFAULTS'

sshd_config_authkey_location
----------------------------
Specify location of authorized_keys file. Default is to not specify.

- *Default*: undef

sshd_config_hostkey
-------------------
Specify an array of server side HostKey files to use. Default is to use only /etc/ssh/ssh_host_rsa_key

- *Default*: /etc/ssh/ssh_host_rsa_key

sshd_config_strictmodes
-----------------------
Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. Valid values are yes and no.

- *Default*: undef

sshd_config_serverkeybits
-------------------------
Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024 except on Solaris, where the default value is 768.

- *Default*: '1024' except for Solaris which is '768'

sshd_config_banner
------------------
Banner option in sshd_config.

- *Default*: 'none'

sshd_banner_content
-------------------
content parameter for file specified in sshd_config_banner

- *Default*: undef

sshd_banner_owner
-----------------
owner parameter for file specified in sshd_config_banner

- *Default*: 'root'

sshd_banner_group
-----------------
group parameter for file specified in sshd_config_banner

- *Default*: 'root'

sshd_banner_mode
----------------
mode parameter for file specified in sshd_config_banner

- *Default*: '0644'

sshd_config_xauth_location
--------------------------
XAuthLocation option in sshd_config.

- *Default*: 'USE_DEFAULTS'

sshd_config_subsystem_sftp
--------------------------
Path to sftp file transfer subsystem in sshd_config.

- *Default*: 'USE_DEFAULTS'

sshd_password_authentication
----------------------------
PasswordAuthentication in sshd_config. Specifies whether password authentication is allowed.

- *Default*: 'yes'

sshd_allow_tcp_forwarding
-------------------------
AllowTcpForwarding in sshd_config. Specifies whether TCP forwarding is permitted.

- *Default*: 'yes'

sshd_authorized_keys_command
----------------------------
Fully qualified path to command for AuthorizedKeysCommand in sshd_config.

- *Default*: undef

sshd_authorized_keys_command_user
---------------------------------
String of user for AuthorizedKeysCommandUser in sshd_config.

- *Default*: undef

sshd_x11_forwarding
-------------------
X11Forwarding in sshd_config. Specifies whether X11 forwarding is permitted.

- *Default*: 'yes'

sshd_x11_use_localhost
----------------------
X11UseLocalhost in sshd_config. Specifies if sshd should bind the X11 forwarding server
to the loopback address or to the wildcard address.

- *Default*: 'yes'

sshd_use_pam
------------
UsePAM in sshd_config.
Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM
authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition
to PAM account and session module processing for all authentication types.
This module sets this option to 'yes' on Linux and undef on Solaris.

- *Default*: 'USE_DEFAULTS'

ssh_config_use_roaming
----------------------
String to enable or disable UseRoaming in client configuration ssh_config.
Valid values are 'yes', 'no' and 'unset'. Using 'unset' will not use (print)
this configuration parameter at all. Default is set to 'no' on Linux and
'unset' on Solaris. If you have OpenSSH >= version 5.4, this should be set to
'no' to mitigate CVE-2016-0777 and CVE-2016-0778.

- *Default*: 'USE_DEFAULTS'

sshd_client_alive_interval
--------------------------
ClientAliveInterval in sshd_config.
Sets a timeout interval in seconds after which if no data has been received from the client,
sshd(8) will send a message through the encrypted channel to request a response from the
client. The default is 0, indicating that these messages will not be sent to the client.
This option applies to protocol version 2 only.

- *Default*: '0'

sshd_client_alive_count_max
---------------------------
ClientAliveCountMax in sshd_config.
Sets the number of client alive messages (see above) which may be sent without sshd(8)
receiving any messages back from the client. If this threshold is reached while client alive
messages are being sent, sshd will disconnect the client, terminating the session. It is
important to note that the use of client alive messages is very different from TCPKeepAlive
(below). The client alive messages are sent through the encrypted channel and therefore will
not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client
alive mechanism is valuable when the client or server depend on knowing when a connection has
become inactive. The default value is 3. If ClientAliveInterval (see above) is set to 15,
and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected
after approximately 45 seconds. This option applies to protocol version 2 only.

- *Default*: '3'

sshd_config_tcp_keepalive
-------------------------
TCPKeepAlive in sshd_config.
Specifies whether the system should send TCP keepalive messages to the other side. If they
are sent, death of the connection or crash of one of the machines will be properly noticed.
However, this means that connections will die if the route is down temporarily, and some
people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may
hang indefinitely on the server, leaving "ghost" users and consuming server resources.
A value of 'unset' will not add this parameter to the configuration file.

On Linux the default is set to "yes" (to send TCP keepalive messages), and the server will
notice if the network goes down or the client host crashes. This avoids infinitely hanging
sessions.
On Solaris the default is to not add this parameter to the configuration file.

- *Default*: undef

sshd_config_use_privilege_separation
------------------------------------
UsePrivilegeSeparation in sshd_config.
Causes the SSH process to drop root privileges when not needed.
If specified, valid values are 'yes', 'no' and 'sandbox'.

- *Default*: undef

sshd_config_permittunnel
------------------------
PermitTunnel in sshd_config.
Specifies whether tun(4) device forwarding is allowed. The argument must be 'yes',
'point-to-point' (layer 3), 'ethernet' (layer 2), 'no', or 'unset' (parameter not used).
Specifying 'yes' permits both 'point-to-point' and 'ethernet'.
Independent of this setting, the permissions of the selected tun(4) device must
allow access to the user.
A value of 'unset' will not add this parameter to the configuration file.

On Linux the default is set to "no".
On Solaris the default is to not add this parameter to the configuration file.

- *Default*: undef

sshd_config_ciphers
-------------------
Array of ciphers for the Ciphers setting in sshd_config.

- *Default*: undef

sshd_config_kexalgorithms
-------------------------
Array of key exchange algorithms for the KexAlgorithms setting in sshd_config.

- *Default*: undef

sshd_config_macs
----------------
Array of MAC algorithms for the MACs setting in sshd_config.

- *Default*: undef

sshd_config_denyusers
---------------------
Array of users for the DenyUsers setting in sshd_config.

- *Default*: undef

sshd_config_denygroups
----------------------
Array of groups for the DenyGroups setting in sshd_config.

- *Default*: undef

sshd_config_allowgroups
-----------------------
Array of groups for the AllowGroups setting in sshd_config.

- *Default*: undef

sshd_config_allowusers
----------------------
Array of users for the AllowUsers setting in sshd_config.

- *Default*: undef

sshd_config_maxstartups (string)
--------------------------------
Specifies the maximum number of concurrent unauthenticated connections
to the SSH daemon. Must be a stringified integer or a string with three
integers separated by colons, such as '10:30:100'.

- *Default*: undef

sshd_config_maxsessions
-----------------------
Specifies the maximum number of open sessions permitted per network connection.
A value of 'unset' or undef will not add this parameter to the configuration file.

- *Default*: undef

sshd_config_chrootdirectory
---------------------------
String with absolute path for the ChrootDirectory directive for the SSH daemon.

- *Default*: undef

sshd_config_forcecommand
------------------------
String with command for the ForceCommand directive for the SSH daemon.

- *Default*: undef

sshd_config_match
-----------------
Hash for matches with nested arrays for options for the Match directive for the SSH daemon.
Match directive is supported on SSH >= 5.x.

- *Default*: undef

- *Hiera example*:

```yaml
ssh::sshd_config_match:
  'User JohnDoe':
    - 'AllowTcpForwarding yes'
  'Address 2.4.2.0':
    - 'X11Forwarding yes'
    - 'PasswordAuthentication no'
```

sshd_config_hostcertificate
---------------------------
An Absolute Path or Array of Absolute Paths to the Host CA Public Key. Each entry *MUST* be tied 1:1 to a Host CA Private Key (see [sshd_config_hostkey](#sshd_config_hostkey))

- *Default*: undefined

sshd_config_trustedusercakeys
-----------------------------
Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use with SSH CA Validation for Users or the string 'none'.

- *Default*: undefined

sshd_config_key_revocation_list
-------------------------------
Absolute path to a key revocation list (RevokedKeys) for use with SSH CA Validation for Users or the string 'none'.

- *Default*: undefined

sshd_config_authorized_principals_file
--------------------------------------
String path (relative or absolute) to the `authorized_principals` file. Sets the `AuthorizedPrincipalsFile` setting in `sshd_config`.

See `sshd_config(5)` for more details.

- *Default*: undefined

sshd_config_allowagentforwarding
--------------------------------
AllowAgentForwarding option in sshd_config. Specifies if ssh-agent(1)
forwarding is permitted. Valid values are 'yes' and 'no'.

- *Default*: undef

config_entries
--------------
Hash of config entries for a specific user's ~/.ssh/config. Please check the docs for ssh::config_entry for a list and details of the parameters usable here.
Setting hiera_merge to true will activate merging entries through all levels of hiera.

- *Hiera example*:

```yaml
ssh::config_entries:
  'root':
    owner: 'root'
    group: 'root'
    path: '/root/.ssh/config'
    host: 'host.example.local'
```

- *Default*: {}

keys
----
Hash of keys for user's ~/.ssh/authorized_keys

- *Default*: undefined

packages
--------
Array of package names used for installation.

- *Default*: Based on OS

permit_root_login
-----------------
Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', and 'no'.

- *Default*: yes

ssh_config_forward_x11_trusted
------------------------------
ForwardX11Trusted. Determine remote X11 client access to the original X11 display. The option is set to 'yes' on Linux. Valid values are 'yes', 'no', and undef.

- *Default*: 'USE_DEFAULTS' (Not valid on Solaris.)

ssh_package_source
------------------
Source to SSH packages.

- *Default*: 'USE_DEFAULTS'

ssh_package_adminfile
---------------------
Path to admin file for SSH packages.

- *Default*: 'USE_DEFAULTS'

sshd_gssapiauthentication
-------------------------
GSSAPIAuthentication: Enables/disables GSS-API user authentication. Valid values are 'yes' and 'no'.

- *Default*: 'yes'

sshd_gssapikeyexchange
----------------------
GSSAPIKeyExchange: Enables/disables GSS-API-authenticated key exchanges. Valid values are 'yes', 'no', and undef.

- *Default*: 'USE_DEFAULTS'

sshd_pamauthenticationviakbdint
-------------------------------
PAMAuthenticationViaKBDInt: Use PAM via keyboard interactive method for authentication. Valid values are 'yes', 'no', and undef.

- *Default*: 'USE_DEFAULTS'

sshd_gssapicleanupcredentials
-----------------------------
GSSAPICleanupCredentials: Specifies whether to automatically destroy the user's credentials on logout. Default is 'yes' on Linux. Valid values are 'yes', 'no', and undef.

- *Default*: 'USE_DEFAULTS'

sshd_acceptenv
--------------
Boolean to enable AcceptEnv options for specifying environment variables. Default is set to true on Linux.

- *Default*: 'USE_DEFAULTS'

sshd_hostbasedauthentication
----------------------------
String for HostbasedAuthentication option in sshd_config. Valid values are 'yes' and 'no'. Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only.

- *Default*: 'no'

sshd_pubkeyacceptedkeytypes
---------------------------
Array of public key types to be used with the PubkeyAcceptedKeyTypes option in sshd_config.

- *Default*: undef

sshd_pubkeyauthentication
-------------------------
String for PubkeyAuthentication option in sshd_config. Valid values are 'yes' and 'no'.

- *Default*: 'yes'

sshd_ignoreuserknownhosts
-------------------------
String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.

- *Default*: 'no'

sshd_config_authenticationmethods
---------------------------------
Array of AuthenticationMethods in sshd_config.

- *Default*: undef

sshd_ignorerhosts
-----------------
String for IgnoreRhosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication though /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.

- *Default*: 'yes'

purge_keys
----------
Remove keys not managed by puppet.

- *Default*: 'true'

manage_firewall
---------------
Open firewall for SSH service. Not used on Solaris.

- *Default*: false

service_ensure
--------------
Ensure SSH service is running. Valid values are 'stopped' and 'running'.

- *Default*: 'running'

service_name
------------
Name of the SSH service.

- *Default*: Based on OS

service_enable
--------------
Start SSH at boot. Valid values are 'true', 'false' and 'manual'.

- *Default*: 'true'

service_hasrestart
------------------
Specify that the init script has a restart command. Valid values are 'true' and 'false'.

- *Default*: 'true'

service_hasstatus
-----------------
Boolean to declare whether the service's init script has a functional status command.

- *Default*: 'USE_DEFAULTS'

ssh_key_ensure
--------------
Export node SSH key. Valid values are 'present' and 'absent'.

- *Default*: 'present'

ssh_key_import
--------------
Import all exported node SSH keys. Valid values are 'true' and 'false'.

- *Default*: 'true'

ssh_key_type
------------
Encryption type for SSH key. Valid values are 'ecdsa-sha2-nistp256', 'rsa', 'dsa', 'ssh-dss' and 'ssh-rsa'

- *Default*: 'ssh-rsa'

ssh_config_global_known_hosts_file
----------------------------------
File of the global known_hosts file

- *Default*: '/etc/ssh/ssh_known_hosts'

ssh_config_global_known_hosts_list
----------------------------------
Array of additional known_hosts files to be added to GlobalKnownHostsFile
option together with `ssh_config_global_known_hosts_file`.

- *Default*: undef

ssh_config_global_known_hosts_owner
-----------------------------------
Owner of the global known_hosts file

- *Default*: 'root'

ssh_config_global_known_hosts_group
-----------------------------------
Group of the global known_hosts file

- *Default*: 'root'

ssh_config_global_known_hosts_mode
----------------------------------
File mode of the global known_hosts file

- *Default*: '0644'

ssh_config_user_known_hosts_file
--------------------------------
Array of user's known_hosts files used in the ssh config option
UserKnownHostsFile.

- *Default*: undef

manage_root_ssh_config
----------------------
Manage SSH config of root. Valid values are 'true' and 'false'.

- *Default*: 'false'

root_ssh_config_content
-----------------------
Content of root's ~/.ssh/config.

- *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n"

manage_service
--------------
Manage the sshd service through this module or not. Valid values are 'true' and 'false'.

- *Default*: 'true'

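The following profile class is an added example, not code from the module itself: it wires the parameters documented above into one hardened sshd/ssh configuration, with a Match block for chrooted SFTP-only accounts. The class name `profile::ssh_hardened`, the group names `ssh-users` and `sftponly`, the chroot path and the algorithm lists are assumptions for the example (the algorithm names are OpenSSH's and need a reasonably recent release).

```puppet
# Added example (not part of puppet-module-ssh): a hardening profile built
# only from parameters documented in this README. Class name, groups, paths
# and algorithm lists are assumptions for the example.
class profile::ssh_hardened {

  class { 'ssh':
    # Who may authenticate, and how: keys only, no root, no empty passwords,
    # no host-based trust, and only members of the listed (assumed) groups.
    permit_root_login                 => 'no',
    sshd_password_authentication      => 'no',
    sshd_config_permitemptypasswords  => 'no',
    sshd_pubkeyauthentication         => 'yes',
    sshd_hostbasedauthentication      => 'no',
    sshd_ignorerhosts                 => 'yes',
    sshd_config_allowgroups           => ['ssh-users', 'sftponly'],
    sshd_config_maxauthtries          => '3',
    sshd_config_login_grace_time      => '30',
    sshd_config_strictmodes           => 'yes',
    # PermitUserEnvironment 'no' closes the LD_PRELOAD-style bypass
    # described under sshd_config_permituserenvironment.
    sshd_config_permituserenvironment => 'no',

    # Limit what an authenticated session can do on this host.
    sshd_x11_forwarding               => 'no',
    sshd_allow_tcp_forwarding         => 'no',
    sshd_config_allowagentforwarding  => 'no',
    sshd_config_permittunnel          => 'no',

    # Idle handling through the encrypted channel (not spoofable, unlike
    # TCPKeepAlive): 300 s * 2 unanswered probes = ~10 minutes, then disconnect.
    sshd_client_alive_interval        => '300',
    sshd_client_alive_count_max       => '2',

    # Restrict negotiable algorithms (assumed lists; OpenSSH names).
    sshd_config_ciphers       => [
      'chacha20-poly1305@openssh.com',
      'aes256-gcm@openssh.com',
      'aes256-ctr',
    ],
    sshd_config_kexalgorithms => [
      'curve25519-sha256',
      'curve25519-sha256@libssh.org',
      'diffie-hellman-group16-sha512',
    ],
    sshd_config_macs          => [
      'hmac-sha2-512-etm@openssh.com',
      'hmac-sha2-256-etm@openssh.com',
    ],

    # VERBOSE gives more per-login detail than INFO without the privacy
    # problem this README notes for the DEBUG levels.
    sshd_config_loglevel      => 'VERBOSE',

    # SFTP-only accounts confined with a Match block (OpenSSH >= 5.x).
    # The chroot path is assumed; ChrootDirectory must be root-owned and
    # not writable by any other user or group, or sshd refuses the login.
    sshd_config_match => {
      'Group sftponly' => [
        'ChrootDirectory /srv/sftp/%u',
        'ForceCommand internal-sftp',
        'AllowTcpForwarding no',
        'X11Forwarding no',
      ],
    },

    # Client side (ssh_config): hide known_hosts contents, disable roaming
    # (CVE-2016-0777/0778 as noted above), prompt on unknown host keys.
    ssh_config_hash_known_hosts  => 'yes',
    ssh_config_use_roaming       => 'no',
    ssh_strict_host_key_checking => 'ask',
    ssh_config_forward_agent     => 'no',
    ssh_config_forward_x11       => 'no',

    # Keep the module's exported-key handling and drop unmanaged keys.
    hiera_merge => true,
    purge_keys  => true,
  }
}
```

The global `sshd_config_chrootdirectory` and `sshd_config_forcecommand` parameters are deliberately left unset here, because applying them globally would confine interactive users as well; the Match block scopes the restriction to the `sftponly` group only.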
===
# Manage user's ssh_authorized_keys
This works by passing the ssh::keys hash to the ssh_authorized_key type with create_resources(). Because of this, you may specify any valid parameter for ssh_authorized_key. See the [Type Reference](http://docs.puppetlabs.com/references/stable/type.html#ssh_authorized_key) for a complete list.

## Sample usage:
Push authorized key "root_for_userX" and remove key "root_for_userY" through Hiera.

```yaml
ssh::keys:
  root_for_userX:
    ensure: present
    user: root
    type: dsa
    key: AAAA...==
  apachehup:
    ensure: present
    user: apachehup
    type: rsa
    key: 'AAAA...=='
    options: 'command="/sbin/service httpd restart"'
  root_for_userY:
    ensure: absent
    user: root
```

Manage config entries in a personal ssh/config file.

```puppet
Ssh::Config_entry {
  ensure => present,
  path   => '/home/jenkins/.ssh/config',
  owner  => 'jenkins',
  group  => 'jenkins',
}

ssh::config_entry { 'jenkins *':
  host  => '*',
  lines => [
    '  ForwardX11 no',
    '  StrictHostKeyChecking no',
  ],
  order => '10',
}

ssh::config_entry { 'jenkins github.com':
  host  => 'github.com',
  lines => ['  IdentityFile /home/jenkins/.ssh/jenkins-github.key'],
  order => '20',
}
```