Mercurial > repos > other > Puppet
diff modules/ssh/README.md @ 385:d9009f54eb23
Migrate to a fully-fledged SSH module
This handles lots of the server path differences for us
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Mon, 03 Jan 2022 17:05:54 +0000 |
| parents | |
| children | adf6fe9bbc17 |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/ssh/README.md Mon Jan 03 17:05:54 2022 +0000 @@ -0,0 +1,928 @@ +# puppet-module-ssh + +Manage ssh client and server. + +The module uses exported resources to manage ssh keys and removes ssh keys that +are not managed by puppet. This behavior is managed by the parameters +ssh_key_ensure and purge_keys. + +This module may be used with a simple `include ::ssh` + +The `ssh::config_entry` defined type may be used directly and is used to manage +Host entries in a personal `~/.ssh/config` file. + +=== + +### Table of Contents +1. [Compatibility](#compatibility) +1. [Parameters](#parameters) +1. [Examples](#sample-usage) + +=== + +# Compatibility + +This module has been tested to work on the following systems with the +latest Puppet v3, v3 with future parser, v4, v5 and v6. See `.travis.yml` +for the exact matrix of supported Puppet and ruby versions. + + * Debian 7 + * Debian 8 + * Debian 9 + * Debian 10 + * EL 5 + * EL 6 + * EL 7 + * SLES 10 + * SLES 11 + * SLES 12 + * Ubuntu 12.04 LTS + * Ubuntu 14.04 LTS + * Ubuntu 16.04 LTS + * Ubuntu 18.04 LTS + * Ubuntu 20.04 LTS + * Solaris 9 + * Solaris 10 + * Solaris 11 + +If you use the Sun Solaris SSH, please keep in mind that not all parameters can be used. + +Unsupported parameters for ssh_config: +AddressFamily, Tunnel, TunnelDevice, PermitLocalCommand, HashKnownHosts + +Unsupported parameters for sshd_config: +KerberosOrLocalPasswd, KerberosTicketCleanup, KerberosGetAFSToken, TCPKeepAlive, ShowPatchLevel, MaxSessions, PermitTunnel + +=== + +# Parameters +A value of `'USE_DEFAULTS'` will use the defaults specified by the module. + + +hiera_merge +----------- +Boolean to merges all found instances of ssh::keys and ssh::config_entries in Hiera. +This is useful for specifying SSH keys at different levels of the hierarchy and having +them all included in the catalog. + +This will default to 'true' in future versions. + +- *Default*: false + +ssh_config_hash_known_hosts +--------------------------- +HashKnownHosts in ssh_config. +Indicates that ssh should hash host names and addresses when they are added to ~/.ssh/known_hosts. +These hashed names may be used normally by ssh and sshd, but they do not reveal identifying +information should the file's contents be disclosed. The default is 'no' on Linux. + +Note that existing names and addresses in known hosts files will not be converted automatically, +but may be manually hashed using ssh-keygen. Use of this option may break facilities such as +tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts. + +A value of 'unset' will not add this parameter to the configuration file. + +- *Default*: 'USE_DEFAULTS' + +ssh_config_path +--------------- +Path to ssh_config. + +- *Default*: '/etc/ssh/ssh_config' + +ssh_config_owner +---------------- +ssh_config's owner. + +- *Default*: 'root' + +ssh_config_group +---------------- +ssh_config's group. + +- *Default*: 'root' + +ssh_config_mode +--------------- +ssh_config's mode. + +- *Default*: '0644' + +ssh_config_forward_x11 +---------------------- +ForwardX11 option in ssh_config. Not set by default. + +- *Default*: undef + +ssh_config_forward_agent +------------------------ +ForwardAgent option in ssh_config. Not set by default. + +- *Default*: undef + +ssh_config_server_alive_interval +-------------------------------- +ServerAliveInterval option in ssh_config. Not set by default. + +- *Default*: undef + +ssh_config_sendenv_xmodifiers +----------------------- +Boolean to set 'SendEnv XMODIFIERS' in ssh_config. This option is only valid on Linux. + +- *Default*: false + +ssh_config_template +-------------------- +*string* The template used to generate ssh_config. + +- *Default*: 'ssh/ssh_config.erb' + +ssh_config_ciphers +------------------ +Array of ciphers to be used with the Ciphers option in ssh_config. + +- *Default*: undef + +ssh_config_kexalgorithms +------------------ +Array of key exchange algorithms to be used with the KexAlgorithms option in ssh_config. + +- *Default*: undef + +ssh_config_macs +--------------- +Array of ciphers to be used with the MACs option in ssh_config. + +- *Default*: undef + +ssh_sendenv +------------- +Boolean to enable SendEnv options for specifying environment variables. Default is set to true on Linux. + +- *Default*: 'USE_DEFAULTS' + +ssh_gssapiauthentication +------------------------- +GSSAPIAuthentication: Enables/disables GSS-API user authentication in ssh_config. Valid values are 'yes' and 'no'. + +- *Default*: 'yes' + +ssh_gssapidelegatecredentials +----------------------------- +*string* For GSSAPIDelegateCredentials setting in ssh_config. Valid values are +'yes' and 'no' or to leave undef which will ensure the setting is not present +in ssh_config. + +- *Default*: undef + +ssh_hostbasedauthentication +------------------------- +String for HostbasedAuthentication option in ssh_config. Valid values are 'yes' and 'no'. + +- *Default*: undef + +ssh_config_proxy_command +------------------------- +String for ProxyCommand option in ssh_config. + +- *Default*: undef + +ssh_strict_host_key_checking +----------------------------- +*string* For StrictHostKeyChecking setting in ssh_config. Valid values are +'yes', 'no' or 'ask'. + +- *Default*: undef + +ssh_enable_ssh_keysign +----------------------------- +*string* For EnableSSHKeysign setting in ssh_config. Valid values are +'yes' and 'no' or to leave undef which will ensure the setting is not present +in ssh_config. + +- *Default*: undef + +sshd_addressfamily +---------------- +Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration. + +- *Default*: 'any' + +sshd_config_path +---------------- +Path to sshd_config. + +- *Default*: '/etc/ssh/sshd_config + +sshd_config_owner +----------------- +sshd_config's owner. + +- *Default*: 'root' + +sshd_config_group +---------------- +sshd_config's group. + +- *Default*: 'root' + +sshd_config_loglevel +--------------------------- +LogLevel option in sshd_config. Acceptable values are QUIET, FATAL, ERROR, INFO, VERBOSE. + +*DEBUG, DEBUG1, DEBUG2, and DEBUG3* are permitted values for sshd, however [setting the logging level to DEBUG or higher violates the privacy of users](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config) and should not be done unless manually debugging. + +- *Default*: 'INFO' + +sshd_config_maxauthtries +--------------- +MaxAuthTries option in sshd_config. Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. + +- *Default*: '6' + +sshd_config_mode +--------------- +sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris. + +- *Default*: 'USE_DEFAULTS' + +sshd_listen_address +------------------- +String or Array to specify address(es) for which sshd will bind. Corresponds to ListenAddress in sshd_config. + +- *Default*: undef + +sshd_config_permitemptypasswords +-------------------------------- +PermitEmptyPasswords option in sshd_config. When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. +Valid values are 'yes' and 'no'. + +- *Default*: undef + +sshd_config_permituserenvironment +--------------------------------- +PermitUserEnvironment option in sshd_config. Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8). The default is “no”. Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD. +Valid values are 'yes' and 'no'. + + +- *Default*: undef + +sshd_config_compression +--------------------------------- +Compression option in sshd_config. +Specifies whether compression is allowed in an SSH connection prior to authentication. +If specified, valid values are 'yes', 'no' and 'delayed'. + + +- *Default*: undef + +sshd_config_port +--------------------------- +String, Integer or Array to specify listen port[s] for sshd. Port option in sshd_config. + +- *Default*: '22' + +sshd_config_syslog_facility +--------------------------- +SyslogFacility option in sshd_config. + +- *Default*: 'AUTH' + +sshd_config_template +-------------------- +*string* The template used to generate sshd_config. + +- *Default*: 'ssh/sshd_config.erb' + +sshd_config_login_grace_time +---------------------------- +LoginGraceTime option in sshd_config. + +- *Default*: '120' + +sshd_config_challenge_resp_auth +------------------------------- +ChallengeResponseAuthentication option in sshd_config. RedHat defaults +to setting this to no for EL 5, 6 and 7, though the module will set it +to 'yes'. Suggest setting to 'no' with Hiera on EL systems. This will +default to 'no' for those platforms in the next major release. + +- *Default*: 'yes' + +sshd_config_print_motd +---------------------- +PrintMotd option in sshd_config. + +- *Default*: 'yes' + +sshd_config_print_last_log +---------------------- +PrintLastLog option in sshd_config. +Verify SSH provides users with feedback on when account accesses last occurred. +If specified, valid values are 'yes' and 'no'. + +- *Default*: undef + +sshd_config_use_dns +------------------- +UseDNS option in sshd_config. The default is 'yes' on Linux. + +- *Default*: 'USE_DEFAULTS' + +sshd_config_authkey_location +---------------------------- +Specify location of authorized_keys file. Default is to not specify. + +- *Default*: undef + +sshd_config_hostkey +---------------------------- +Specify an array of server side HostKey files to use. Default is to use only /etc/ssh/ssh_host_rsa_key + +- *Default*: /etc/ssh/ssh_host_rsa_key + +sshd_config_strictmodes +---------------------------- +Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. Valid values are yes and no. + +- *Default*: undef + +sshd_config_serverkeybits +---------------------------- +Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024 except for Solaris default value is 768. + +- *Default*: '1024' except for Solaris which is '768' + +sshd_config_banner +------------------ +Banner option in sshd_config. + +- *Default*: 'none' + +sshd_banner_content +------------------- +content parameter for file specified in sshd_config_banner + +- *Default*: undef + +sshd_banner_owner +----------------- +owner parameter for file specified in sshd_config_banner + +- *Default*: 'root' + +sshd_banner_group +----------------- +group parameter for file specified in sshd_config_banner + +- *Default*: 'root' + +sshd_banner_mode +---------------- +mode parameter for file specified in sshd_config_banner + +- *Default*: '0644' + +sshd_config_xauth_location +-------------------------- +XAuthLocation option in sshd_config. + +- *Default*: 'USE_DEFAULTS' + +sshd_config_subsystem_sftp +-------------------------- +Path to sftp file transfer subsystem in sshd_config. + +- *Default*: 'USE_DEFAULTS' + +sshd_password_authentication +----------------------------- +PasswordAuthentication in sshd_config. Specifies whether password authentication is allowed. + +- *Default*: 'yes' + +sshd_allow_tcp_forwarding +------------------------- +AllowTcpForwarding in sshd_config. Specifies whether TCP forwarding is permitted. + +- *Default*: 'yes' + +sshd_authorized_keys_command +---------------------------- +Fully qualified path to command for AuthorizedKeysCommand in sshd_config. + +- *Default*: undef + +sshd_authorized_keys_command_user +--------------------------------- +String of user for AuthorizedKeysCommandUser in sshd_config. + +- *Default*: undef + +sshd_x11_forwarding +------------------- +X11Forwarding in sshd_config. Specifies whether X11 forwarding is permitted. + +- *Default*: 'yes' + +sshd_x11_use_localhost +---------------------- +X11UseLocalhost in sshd_config. Specifies if sshd should bind the X11 forwarding server +to the loopback address or to the wildcard address. + +- *Default*: 'yes' + +sshd_use_pam +------------ +UsePam in sshd_config. +Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM +authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition +to PAM account and session module processing for all authentication types. +This module sets this option to 'yes' on Linux and undef on Solaris. + +- *Default*: 'USE_DEFAULTS' + +ssh_config_use_roaming +---------------------- +String to enable or disable UseRoaming in client configuration ssh_config. +Valid values are 'yes', 'no' and 'unset'. Using 'unset' will not use (print) +this configuration parameter at all. Default is set to 'no' on Linux and +'unset' on Solaris. If you have OpenSSH >= version 5.4, this should be set to +'no' to mitigate CVE-2016-0777 and CVE-2016-0778. + +- *Default*: 'USE_DEFAULTS' + +sshd_client_alive_interval +-------------------------- +ClientAliveInterval in sshd_config. +Sets a timeout interval in seconds after which if no data has been received from the client, +sshd(8) will send a message through the encrypted channel to request a response from the +client. The default is 0, indicating that these messages will not be sent to the client. +This option applies to protocol version 2 only. + +- *Default*: '0' + +sshd_client_alive_count_max +-------------------------- +ClientAliveCountMax in sshd_config. +Sets the number of client alive messages (see below) which may be sent without sshd(8) +receiving any messages back from the client. If this threshold is reached while client alive +messages are being sent, sshd will disconnect the client, terminating the session. It is +important to note that the use of client alive messages is very different from TCPKeepAlive +(below). The client alive messages are sent through the encrypted channel and therefore will +not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client +alive mechanism is valuable when the client or server depend on knowing when a connection has +become inactive. The default value is 3. If ClientAliveInterval (see below) is set to 15, +and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected +after approximately 45 seconds. This option applies to protocol version 2 only. + +- *Default*: '3' + +sshd_config_tcp_keepalive +------------------------ +TCPKeepAlive in sshd_config. +Specifies whether the system should send TCP keepalive messages to the other side. If they +are sent, death of the connection or crash of one of the machines will be properly noticed. +However, this means that connections will die if the route is down temporarily, and some +people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may +hang indefinitely on the server, leaving ``ghost'' users and consuming server resources. +A value of 'unset' will not add this parameter to the configuration file. + +On Linux the default is set to ``yes'' (to send TCP keepalive messages), and the server will +notice if the network goes down or the client host crashes. This avoids infinitely hanging +sessions. +On Solaris the default is to not add this parameter to the configuration file. + +- *Default*: undef + +sshd_config_use_privilege_separation +---------------------- +UsePrivilegeSeparation in sshd_config. +Causes the SSH process to drop root privileges when not needed. +If specified, valid values are 'yes', 'no' and 'sandbox'. + +- *Default*: undef + +sshd_config_permittunnel +----------------------- +PermitTunnel in sshd_config. +Specifies whether tun(4) device forwarding is allowed. The argument must be 'yes', +'point-to-point' (layer 3), 'ethernet' (layer 2), 'no', or 'unset' (parameter not used). +Specifying 'yes' permits both 'point-to-point' and 'ethernet'. +Independent of this setting, the permissions of the selected tun(4) device must +allow access to the user. +A value of 'unset' will not add this parameter to the configuration file. + +On Linux the default is set to ``no''. +On Solaris the default is to not add this parameter to the configuration file. + +- *Default*: undef + +sshd_config_ciphers +------------------- +Array of ciphers for the Ciphers setting in sshd_config. + +- *Default*: undef + +sshd_config_kexalgorithms +------------------- +Array of key exchange algorithms for the KexAlgorithms setting in sshd_config. + +- *Default*: undef + +sshd_config_macs +---------------- +Array of macs for the MACs setting in sshd_config. + +- *Default*: undef + +sshd_config_denyusers +--------------------- +Array of users for the DenyUsers setting in sshd_config. + +- *Default*: undef + +sshd_config_denygroups +--------------------- +Array of groups for the DenyGroups setting in sshd_config. + +- *Default*: undef + +sshd_config_allowgroups +----------------------- +Array of users for the AllowGroups setting in sshd_config. + +- *Default*: undef + +sshd_config_allowusers +----------------------- +Array of users for the AllowUsers setting in sshd_config. + +- *Default*: undef + +sshd_config_maxstartups (string) +----------------------- +Specifies the maximum number of concurrent unauthenticated connections +to the SSH daemon. Must be a stringified integer or a string with three +integers separated by colons, such as '10:30:100'. + +- *Default*: undef + +sshd_config_maxsessions +----------------------- +Specifies the maximum number of open sessions permitted per network connection. +A value of 'unset' or undef will not add this parameter to the configuration file. + +- *Default*: undef + +sshd_config_chrootdirectory +--------------------------- +String with absolute path for the ChrootDirectory directive for the SSH daemon. + +- *Default*: undef + +sshd_config_forcecommand +--------------------------- +String with command for the ForceCommand directive for the SSH daemon. + +- *Default*: undef + +sshd_config_match +----------------- +Hash for matches with nested arrays for options for the Match directive for the SSH daemon. +Match directive is supported on SSH >= 5.x. + +- *Default*: undef + +- *Hiera example*: + +``` yaml +ssh::sshd_config_match: + 'User JohnDoe': + - 'AllowTcpForwarding yes' + 'Address 2.4.2.0': + - 'X11Forwarding yes' + - 'PasswordAuthentication no' +``` + +sshd_config_hostcertificate +--------------------------- +An Absolute Path or Array of Absolute Paths to the Host CA Public Key. Each entry *MUST* be tied 1:1 to a Host CA Private Key (see [sshd_config_hostkey](#sshd_config_hostkey)) + +- *Default*: undefined + +sshd_config_trustedusercakeys +----------------------------- +Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use with SSH CA Validation for Users or the string 'none'. + +- *Default*: undefined + +sshd_config_key_revocation_list +----------------------------- +Absolute path to a key revocation list (RevokedKeys) for use with SSH CA Validation for Users or the string 'none'. + +- *Default*: undefined + +sshd_config_authorized_principals_file +-------------------------------------- +String path (relative or absolute) to the `authorized_principals` file. Sets the `AuthorizedPrincipalsFile` setting in `sshd_config` + +See `sshd_config(5)` for more details + +- *Default*: undefined + +sshd_config_allowagentforwarding +-------------------------------- +AllowAgentForwarding option in sshd_config. Specifies if ssh-agent(1) +forwarding is permitted. Valid values are 'yes' and 'no'. + +- *Default*: undef + +config_entries +-------------- +Hash of config entries for a specific user's ~/.ssh/config. Please check the docs for ssd::config_entry for a list and details of the parameters usable here. +Setting hiera_merge to true will activate merging entries through all levels of hiera. + +- *Hiera example*: + +``` yaml +ssh::config_entries: + 'root': + owner: 'root' + group: 'root' + path: '/root/.ssh/config' + host: 'host.example.local' +``` + +- *Default*: {} + +keys +---- +Hash of keys for user's ~/.ssh/authorized_keys + +- *Default*: undefined + +packages +-------- +Array of package names used for installation. + +- *Default*: Based on OS + +permit_root_login +----------------- +Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', and 'no'. + +- *Default*: yes + +ssh_config_forward_x11_trusted +------------------------------ +ForwardX11Trusted. Determine remote X11 client access to the original X11 display. The option is set to 'yes' on Linux. Valid values are 'yes', 'no', and undef. + +- *Default*: 'USE_DEFAULTS' (Not valid on Solaris.) + +ssh_package_source +------------------ +Source to SSH packages. + +- *Default*: 'USE_DEFAULTS' + +ssh_package_adminfile +--------------------- +Path to admin file for SSH packages. + +- *Default*: 'USE_DEFAULTS' + +sshd_gssapiauthentication +------------------------- +GSSAPIAuthentication: Enables/disables GSS-API user authentication. Valid values are 'yes' and 'no'. + +- *Default*: 'yes' + +sshd_gssapikeyexchange +---------------------- +GSSAPIKeyExchange: Enables/disables GSS-API-authenticated key exchanges. Valid values are 'yes', 'no', and undef. + +- *Default*: 'USE_DEFAULTS' + +sshd_pamauthenticationviakbdint +------------------------------- +PAMAuthenticationViaKBDInt: Use PAM via keyboard interactive method for authentication. Valid values are 'yes', 'no', and undef. + +- *Default*: 'USE_DEFAULTS' + +sshd_gssapicleanupcredentials +----------------------------- +GSSAPICleanupCredentials: Specifies whether to automatically destroy the user's credentials on logout. Default is 'yes' on Linux. Valid values are 'yes', 'no', and undef. + +- *Default*: 'USE_DEFAULTS' + +sshd_acceptenv +------------- +Boolean to enable AcceptEnv options for specifying environment variables. Default is set to true on Linux. + +- *Default*: 'USE_DEFAULTS' + +sshd_hostbasedauthentication +------------------------- +String for HostbasedAuthentication option in sshd_config. Valid values are 'yes' and 'no'. Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only. + +- *Default*: 'no' + +sshd_pubkeyacceptedkeytypes +------------------------- +Array of public key types to be used with the PubkeyAcceptedKeyTypes option in sshd_config. + +- *Default*: undef + +sshd_pubkeyauthentication +------------------------- +String for PubkeyAuthentication option in sshd_config. Valid values are 'yes' and 'no'. + +- *Default*: 'yes' + +sshd_ignoreuserknownhosts +------------------------- +String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication. + +- *Default*: 'no' + +sshd_config_authenticationmethods +------------------------- +Array of AuthenticationMethods in sshd_config. + +- *Default*: undef + +sshd_ignorerhosts +------------------------- +String for IgnoreRhosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication though /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. + +- *Default*: 'yes' + +purge_keys +---------- +Remove keys not managed by puppet. + +- *Default*: 'true' + +manage_firewall +--------------- +Open firewall for SSH service. Not used on Solaris. + +- *Default*: false + +service_ensure +-------------- +Ensure SSH service is running. Valid values are 'stopped' and 'running'. + +- *Default*: 'running' + +service_name +------------ +Name of the SSH service. + +- *Default*: Based on OS + +service_enable +-------------- +Start SSH at boot. Valid values are 'true', 'false' and 'manual'. + +- *Default*: 'true' + +service_hasrestart +------------------ +Specify that the init script has a restart command. Valid values are 'true' and 'false'. + +- *Default*: 'true' + +service_hasstatus +----------------- +Boolean to declare whether the service's init script has a functional status command. + +- *Default*: 'USE_DEFAULTS' + +ssh_key_ensure +-------------- +Export node SSH key. Valid values are 'present' and 'absent'. + +- *Default*: 'present' + +ssh_key_import +-------------- +Import all exported node SSH keys. Valid values are 'true' and 'false'. + +- *Default*: 'true' + +ssh_key_type +------------ +Encryption type for SSH key. Valid values are 'ecdsa-sha2-nistp256', 'rsa', 'dsa', 'ssh-dss' and 'ssh-rsa' + +- *Default*: 'ssh-rsa' + +ssh_config_global_known_hosts_file +---------------------------------- +File of the global known_hosts file + +- *Default*: '/etc/ssh/ssh_known_hosts' + +ssh_config_global_known_hosts_list +---------------------------------- +Array of additional known_hosts files to be added to GlobalKnownHostsFile +option together with `ssh_config_global_known_hosts_file`. + +- *Default*: undef + +ssh_config_global_known_hosts_owner +---------------------------------- +Owner of the global known_hosts file + +- *Default*: 'root' + +ssh_config_global_known_hosts_group +---------------------------------- +Group of the global known_hosts file + +- *Default*: 'root' + +ssh_config_global_known_hosts_mode +---------------------------------- +File mode of the global known_hosts file + +- *Default*: '0644' + +ssh_config_user_known_hosts_file +-------------------------------- +Array of user's known_hosts files used in the ssh config option +UserKnownHostsFile. + +- *Default*: undef + +manage_root_ssh_config +---------------------- +Manage SSH config of root. Valid values are 'true' and 'false'. + +- *Default*: 'false' + +root_ssh_config_content +----------------------- +Content of root's ~/.ssh/config. + +- *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n" + +manage_service +-------------- +Manage the sshd service through this module or not. Valid values are 'true' and 'false'. + +- *Default*: 'true' + +=== +# Manage user's ssh_authorized_keys +This works by passing the ssh::keys hash to the ssh_authorized_keys type with create_resources(). Because of this, you may specify any valid parameter for ssh_authorized_key. See the [Type Reference](http://docs.puppetlabs.com/references/stable/type.html#ssh_authorized_key) for a complete list. + +## Sample usage: +Push authorized key "root_for_userX" and remove key "root_for_userY" through Hiera. + +``` yaml +ssh::keys: + root_for_userX: + ensure: present + user: root + type: dsa + key: AAAA...== + apachehup: + ensure: present + user: apachehup + type: rsa + key: 'AAAA...==' + options: 'command="/sbin/service httpd restart"' + root_for_userY: + ensure: absent + user: root +``` + +Manage config entries in a personal ssh/config file. + +``` +Ssh::Config_entry { + ensure => present, + path => '/home/jenkins/.ssh/config', + owner => 'jenkins', + group => 'jenkins', +} + + +ssh::config_entry { 'jenkins *': + host => '*', + lines => [ + ' ForwardX11 no', + ' StrictHostKeyChecking no', + ], + order => '10', +} + +ssh::config_entry { 'jenkins github.com': + host => 'github.com', + lines => [" IdentityFile /home/jenkins/.ssh/jenkins-gihub.key"], + order => '20', +} +```