Mercurial > repos > other > Puppet
view modules/ssh/manifests/init.pp @ 438:bb8f85c35113
Manualy patch SSH module
https://github.com/ghoneycutt/puppet-module-ssh/pull/377
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sun, 14 Aug 2022 11:44:25 +0100 |
| parents | a200bf678bec |
| children |
line wrap: on
line source
# == Class: ssh # # Manage ssh client and server # class ssh ( $hiera_merge = false, $packages = 'USE_DEFAULTS', $permit_root_login = 'yes', $purge_keys = true, $manage_firewall = false, $ssh_package_source = 'USE_DEFAULTS', $ssh_package_adminfile = 'USE_DEFAULTS', $ssh_config_hash_known_hosts = 'USE_DEFAULTS', $ssh_config_path = '/etc/ssh/ssh_config', $ssh_config_owner = 'root', $ssh_config_group = 'root', $ssh_config_mode = '0644', $ssh_config_forward_x11 = undef, $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', $ssh_config_forward_agent = undef, $ssh_config_server_alive_interval = undef, $ssh_config_sendenv_xmodifiers = false, $ssh_hostbasedauthentication = undef, $ssh_config_proxy_command = undef, $ssh_strict_host_key_checking = undef, $ssh_config_ciphers = undef, $ssh_config_kexalgorithms = undef, $ssh_config_macs = undef, $ssh_config_use_roaming = 'USE_DEFAULTS', $ssh_config_template = 'ssh/ssh_config.erb', $ssh_sendenv = 'USE_DEFAULTS', $ssh_gssapiauthentication = 'yes', $ssh_gssapidelegatecredentials = undef, $sshd_config_path = '/etc/ssh/sshd_config', $sshd_config_owner = 'root', $sshd_config_group = 'root', $sshd_config_loglevel = 'INFO', $sshd_config_mode = 'USE_DEFAULTS', $sshd_config_permitemptypasswords = undef, $sshd_config_permituserenvironment = undef, $sshd_config_compression = undef, $sshd_config_port = '22', $sshd_config_syslog_facility = 'AUTH', $sshd_config_template = 'ssh/sshd_config.erb', $sshd_config_login_grace_time = '120', $sshd_config_challenge_resp_auth = 'yes', $sshd_config_print_motd = 'yes', $sshd_config_print_last_log = undef, $sshd_config_use_dns = 'USE_DEFAULTS', $sshd_config_authkey_location = undef, $sshd_config_strictmodes = undef, $sshd_config_serverkeybits = 'USE_DEFAULTS', $sshd_config_banner = 'none', $sshd_config_ciphers = undef, $sshd_config_kexalgorithms = undef, $sshd_config_macs = undef, $ssh_enable_ssh_keysign = undef, $sshd_config_allowgroups = [], $sshd_config_allowusers = [], $sshd_config_denygroups = [], $sshd_config_denyusers = [], $sshd_config_maxauthtries = undef, $sshd_config_maxstartups = undef, $sshd_config_maxsessions = undef, $sshd_config_chrootdirectory = undef, $sshd_config_forcecommand = undef, $sshd_config_match = undef, $sshd_authorized_keys_command = undef, $sshd_authorized_keys_command_user = undef, $sshd_banner_content = undef, $sshd_banner_owner = 'root', $sshd_banner_group = 'root', $sshd_banner_mode = '0644', $sshd_config_xauth_location = 'USE_DEFAULTS', $sshd_config_subsystem_sftp = 'USE_DEFAULTS', $sshd_kerberos_authentication = undef, $sshd_password_authentication = 'yes', $sshd_allow_tcp_forwarding = 'yes', $sshd_x11_forwarding = 'yes', $sshd_x11_use_localhost = 'yes', $sshd_use_pam = 'USE_DEFAULTS', $sshd_client_alive_count_max = '3', $sshd_client_alive_interval = '0', $sshd_gssapiauthentication = 'yes', $sshd_gssapikeyexchange = 'USE_DEFAULTS', $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', $sshd_acceptenv = 'USE_DEFAULTS', $sshd_config_hostkey = 'USE_DEFAULTS', $sshd_listen_address = undef, $sshd_hostbasedauthentication = 'no', $sshd_pubkeyacceptedkeytypes = undef, $sshd_pubkeyauthentication = 'yes', $sshd_ignoreuserknownhosts = 'no', $sshd_ignorerhosts = 'yes', $sshd_config_authenticationmethods = undef, $manage_service = true, $sshd_addressfamily = 'USE_DEFAULTS', $service_ensure = 'running', $service_name = 'USE_DEFAULTS', $service_enable = true, $service_hasrestart = true, $service_hasstatus = 'USE_DEFAULTS', $ssh_key_ensure = 'present', $ssh_key_import = true, $ssh_key_type = 'ssh-rsa', $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', $ssh_config_global_known_hosts_list = undef, $ssh_config_global_known_hosts_owner = 'root', $ssh_config_global_known_hosts_group = 'root', $ssh_config_global_known_hosts_mode = '0644', $ssh_config_user_known_hosts_file = undef, $ssh_config_include = 'USE_DEFAULTS', $config_entries = {}, $keys = undef, $manage_root_ssh_config = false, $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", $sshd_config_tcp_keepalive = undef, $sshd_config_use_privilege_separation = undef, $sshd_config_permittunnel = undef, $sshd_config_hostcertificate = undef, $sshd_config_trustedusercakeys = undef, $sshd_config_key_revocation_list = undef, $sshd_config_authorized_principals_file = undef, $sshd_config_allowagentforwarding = undef, $sshd_config_include = 'USE_DEFAULTS', ) { case $::osfamily { 'RedHat': { $default_packages = ['openssh-server', 'openssh-clients'] $default_service_name = 'sshd' $default_ssh_config_hash_known_hosts = 'no' $default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = '/usr/bin/xauth' $default_sshd_use_pam = 'yes' $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_acceptenv = true $default_service_hasstatus = true if versioncmp($::operatingsystemrelease, '7.4') < 0 { $default_sshd_config_serverkeybits = '1024' } else { $default_sshd_config_serverkeybits = undef } $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' $default_sshd_config_include = undef } 'Suse': { $default_packages = 'openssh' $default_service_name = 'sshd' $default_ssh_config_hash_known_hosts = 'no' $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true $default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_config_include = undef $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = '/usr/bin/xauth' $default_sshd_use_pam = 'yes' $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_acceptenv = true $default_service_hasstatus = true $default_sshd_config_serverkeybits = '1024' $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' $default_sshd_config_include = undef case $::architecture { 'x86_64': { if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) { $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' } else { $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server' } } 'i386' : { $default_sshd_config_serverkeybits = '1024' $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' } default: { fail("ssh supports architectures x86_64 and i386 for Suse. Detected architecture is <${::architecture}>.") } } } 'Debian': { # common for debian and ubuntu $default_packages = ['openssh-server', 'openssh-client'] $default_service_name = 'ssh' case $::operatingsystemrelease { '16.04': { $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key', ] $default_ssh_config_hash_known_hosts = 'yes' $default_sshd_config_xauth_location = undef $default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_use_pam = 'yes' $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_acceptenv = true $default_service_hasstatus = true $default_sshd_config_serverkeybits = '1024' $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' $default_sshd_config_include = undef } '18.04': { $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key', ] $default_ssh_config_hash_known_hosts = 'yes' $default_sshd_config_xauth_location = undef $default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_use_pam = 'yes' $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_acceptenv = true $default_service_hasstatus = true $default_sshd_config_serverkeybits = '1024' $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' $default_sshd_config_include = undef } '20.04': { $default_service_hasstatus = true $default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_config_hash_known_hosts = 'yes' $default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf' $default_ssh_gssapiauthentication = 'yes' $default_ssh_package_adminfile = undef $default_ssh_package_source = undef $default_ssh_sendenv = true $default_sshd_acceptenv = true $default_sshd_addressfamily = 'any' $default_sshd_config_hostkey = [] $default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf' $default_sshd_config_mode = '0600' $default_sshd_config_permittunnel = undef $default_sshd_config_print_motd = 'no' $default_sshd_config_serverkeybits = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_tcp_keepalive = undef $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = undef $default_sshd_gssapiauthentication = 'yes' $default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_use_pam = 'yes' $default_sshd_x11_forwarding = 'yes' } '22.04': { $default_service_hasstatus = true $default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_config_hash_known_hosts = 'yes' $default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf' $default_ssh_gssapiauthentication = 'yes' $default_ssh_package_adminfile = undef $default_ssh_package_source = undef $default_ssh_sendenv = true $default_sshd_acceptenv = true $default_sshd_addressfamily = 'any' $default_sshd_config_hostkey = [] $default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf' $default_sshd_config_mode = '0644' $default_sshd_config_permittunnel = undef $default_sshd_config_print_motd = 'no' $default_sshd_config_serverkeybits = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_tcp_keepalive = undef $default_sshd_config_use_dns = 'no' $default_sshd_config_xauth_location = undef $default_sshd_gssapiauthentication = undef $default_sshd_gssapicleanupcredentials = undef $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_use_pam = 'yes' $default_sshd_x11_forwarding = 'yes' } /^10.*/: { $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key', ] $default_sshd_config_mode = '0600' $default_sshd_use_pam = 'yes' $default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_config_include = undef $default_sshd_acceptenv = true $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_ssh_config_hash_known_hosts = 'yes' $default_ssh_sendenv = true $default_sshd_addressfamily = undef $default_sshd_config_serverkeybits = undef $default_sshd_gssapicleanupcredentials = undef $default_sshd_config_use_dns = undef $default_sshd_config_xauth_location = undef $default_sshd_config_permittunnel = undef $default_sshd_config_tcp_keepalive = undef $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_service_hasstatus = true $default_sshd_config_include = undef } /^9.*/: { $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key', ] $default_sshd_config_mode = '0600' $default_sshd_use_pam = 'yes' $default_ssh_config_forward_x11_trusted = 'yes' $default_sshd_acceptenv = true $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_ssh_config_hash_known_hosts = 'yes' $default_ssh_sendenv = true $default_ssh_config_include = undef $default_sshd_addressfamily = undef $default_sshd_config_serverkeybits = undef $default_sshd_gssapicleanupcredentials = undef $default_sshd_config_use_dns = undef $default_sshd_config_xauth_location = undef $default_sshd_config_permittunnel = undef $default_sshd_config_tcp_keepalive = undef $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_config_include = undef $default_service_hasstatus = true } /^7.*/: { $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] $default_ssh_config_hash_known_hosts = 'no' $default_sshd_config_xauth_location = '/usr/bin/xauth' $default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_use_pam = 'yes' $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_acceptenv = true $default_service_hasstatus = true $default_sshd_config_serverkeybits = '1024' $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' $default_sshd_config_include = undef } /^8.*/: { $default_ssh_config_hash_known_hosts = 'yes' $default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true $default_ssh_config_include = undef $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key', ] $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_use_pam = 'yes' $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = undef $default_sshd_acceptenv = true $default_sshd_config_xauth_location = undef $default_sshd_config_serverkeybits = '1024' $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' $default_service_hasstatus = true $default_sshd_config_include = undef } default: { fail ("Operating System : ${::operatingsystemrelease} not supported") } } } 'Solaris': { $default_ssh_config_hash_known_hosts = undef $default_ssh_sendenv = false $default_ssh_config_forward_x11_trusted = undef $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' $default_sshd_config_mode = '0644' $default_sshd_config_use_dns = undef $default_sshd_config_xauth_location = '/usr/openwin/bin/xauth' $default_sshd_use_pam = undef $default_sshd_gssapikeyexchange = 'yes' $default_sshd_pamauthenticationviakbdint = 'yes' $default_sshd_gssapicleanupcredentials = undef $default_sshd_acceptenv = false $default_sshd_config_serverkeybits = '768' $default_ssh_package_adminfile = undef $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] $default_sshd_addressfamily = undef $default_sshd_config_tcp_keepalive = undef $default_sshd_config_permittunnel = undef $default_sshd_config_include = undef case $::kernelrelease { '5.11': { $default_packages = ['network/ssh', 'network/ssh/ssh-key', 'service/network/ssh'] $default_service_name = 'ssh' $default_service_hasstatus = true $default_ssh_package_source = undef } '5.10': { $default_packages = ['SUNWsshcu', 'SUNWsshdr', 'SUNWsshdu', 'SUNWsshr', 'SUNWsshu'] $default_service_name = 'ssh' $default_service_hasstatus = true $default_ssh_package_source = '/var/spool/pkg' } '5.9' : { $default_packages = ['SUNWsshcu', 'SUNWsshdr', 'SUNWsshdu', 'SUNWsshr', 'SUNWsshu'] $default_service_name = 'sshd' $default_service_hasstatus = false $default_ssh_package_source = '/var/spool/pkg' } default: { fail('ssh module supports Solaris kernel release 5.9, 5.10 and 5.11.') } } } default: { fail("ssh supports osfamilies RedHat, Suse, Debian and Solaris. Detected osfamily is <${::osfamily}>.") } } if "${::ssh_version}" =~ /^OpenSSH/ { # lint:ignore:only_variable_string $ssh_version_array = split($::ssh_version_numeric, '\.') $ssh_version_maj_int = Integer($ssh_version_array[0]) $ssh_version_min_int = Integer($ssh_version_array[1]) if $ssh_version_maj_int > 5 { $default_ssh_config_use_roaming = 'no' } elsif $ssh_version_maj_int == 5 and $ssh_version_min_int >= 4 { $default_ssh_config_use_roaming = 'no' } else { $default_ssh_config_use_roaming = 'unset' } } else { $default_ssh_config_use_roaming = 'unset' } if $packages == 'USE_DEFAULTS' { $packages_real = $default_packages } else { $packages_real = $packages } case $ssh_config_hash_known_hosts { 'unset': { $ssh_config_hash_known_hosts_real = undef } 'USE_DEFAULTS': { $ssh_config_hash_known_hosts_real = $default_ssh_config_hash_known_hosts } default: { $ssh_config_hash_known_hosts_real = $ssh_config_hash_known_hosts } } if $service_name == 'USE_DEFAULTS' { $service_name_real = $default_service_name } else { $service_name_real = $service_name } if $sshd_config_subsystem_sftp == 'USE_DEFAULTS' { $sshd_config_subsystem_sftp_real = $default_sshd_config_subsystem_sftp } else { $sshd_config_subsystem_sftp_real = $sshd_config_subsystem_sftp } if $sshd_config_mode == 'USE_DEFAULTS' { $sshd_config_mode_real = $default_sshd_config_mode } else { $sshd_config_mode_real = $sshd_config_mode } if $sshd_config_xauth_location == 'USE_DEFAULTS' { $sshd_config_xauth_location_real = $default_sshd_config_xauth_location } else { $sshd_config_xauth_location_real = $sshd_config_xauth_location } if $sshd_config_xauth_location_real != undef { validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $sshd_config_xauth_location_real) } if $ssh_package_source == 'USE_DEFAULTS' { $ssh_package_source_real = $default_ssh_package_source } else { $ssh_package_source_real = $ssh_package_source } if $ssh_package_source_real != undef { validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $ssh_package_source_real) } if $ssh_package_adminfile == 'USE_DEFAULTS' { $ssh_package_adminfile_real = $default_ssh_package_adminfile } else { $ssh_package_adminfile_real = $ssh_package_adminfile } if $ssh_package_adminfile_real != undef { validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $ssh_package_adminfile_real) } if $sshd_config_use_dns == 'USE_DEFAULTS' { $sshd_config_use_dns_real = $default_sshd_config_use_dns } else { $sshd_config_use_dns_real = $sshd_config_use_dns } if $sshd_use_pam == 'USE_DEFAULTS' { $sshd_use_pam_real = $default_sshd_use_pam } else { $sshd_use_pam_real = $sshd_use_pam } if $sshd_config_serverkeybits == 'USE_DEFAULTS' { $sshd_config_serverkeybits_real = $default_sshd_config_serverkeybits } else { $sshd_config_serverkeybits_real = $sshd_config_serverkeybits } if $ssh_config_forward_x11_trusted == 'USE_DEFAULTS' { $ssh_config_forward_x11_trusted_real = $default_ssh_config_forward_x11_trusted } else { $ssh_config_forward_x11_trusted_real = $ssh_config_forward_x11_trusted } if $ssh_config_forward_x11_trusted_real != undef { validate_legacy("String", "validate_re", $ssh_config_forward_x11_trusted_real, '^(yes|no)$', "ssh::ssh_config_forward_x11_trusted may be either 'yes' or 'no' and is set to <${ssh_config_forward_x11_trusted_real}>.") } if $sshd_gssapikeyexchange == 'USE_DEFAULTS' { $sshd_gssapikeyexchange_real = $default_sshd_gssapikeyexchange } else { $sshd_gssapikeyexchange_real = $sshd_gssapikeyexchange } if $sshd_pamauthenticationviakbdint == 'USE_DEFAULTS' { $sshd_pamauthenticationviakbdint_real = $default_sshd_pamauthenticationviakbdint } else { $sshd_pamauthenticationviakbdint_real = $sshd_pamauthenticationviakbdint } if $sshd_gssapicleanupcredentials == 'USE_DEFAULTS' { $sshd_gssapicleanupcredentials_real = $default_sshd_gssapicleanupcredentials } else { $sshd_gssapicleanupcredentials_real = $sshd_gssapicleanupcredentials } if $ssh_config_use_roaming == 'USE_DEFAULTS' { $ssh_config_use_roaming_real = $default_ssh_config_use_roaming } else { $ssh_config_use_roaming_real = $ssh_config_use_roaming } if $ssh_config_include == 'USE_DEFAULTS' { $ssh_config_include_real = $default_ssh_config_include } else { case $ssh_config_include { Array: { validate_legacy("Array[String]", "validate_array", $ssh_config_include) } String: { validate_legacy("String", "validate_string", $ssh_config_include) } default: { fail('ssh::ssh_config_include type must be a string or array.') } } $ssh_config_include_real = $ssh_config_include } if $ssh_sendenv == 'USE_DEFAULTS' { $ssh_sendenv_real = $default_ssh_sendenv } else { case $ssh_sendenv { String: { validate_legacy("String", "validate_re", $ssh_sendenv, "^(true|false)$", "ssh::ssh_sendenv may be either 'true' or 'false' and is set to <${ssh_sendenv}>.") $ssh_sendenv_real = Boolean($ssh_sendenv) } Boolean: { $ssh_sendenv_real = $ssh_sendenv } default: { fail('ssh::ssh_sendenv type must be true or false.') } } } if $sshd_acceptenv == 'USE_DEFAULTS' { $sshd_acceptenv_real = $default_sshd_acceptenv } else { case $sshd_acceptenv { String: { validate_legacy("String", "validate_re", $sshd_acceptenv, '^(true|false)$', "ssh::sshd_acceptenv may be either 'true' or 'false' and is set to <${sshd_acceptenv}>.") $sshd_acceptenv_real = Boolean($sshd_acceptenv) } Boolean: { $sshd_acceptenv_real = $sshd_acceptenv } default: { fail('ssh::sshd_acceptenv type must be true or false.') } } } if $sshd_config_hostkey == 'USE_DEFAULTS' { $sshd_config_hostkey_real = $default_sshd_config_hostkey } else { validate_legacy("Array[String]", "validate_array", $sshd_config_hostkey) validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $sshd_config_hostkey) $sshd_config_hostkey_real = $sshd_config_hostkey } if $sshd_listen_address { validate_legacy("Array[String]", "validate_array", $sshd_listen_address) } if $service_hasstatus == 'USE_DEFAULTS' { $service_hasstatus_real = $default_service_hasstatus } else { case $service_hasstatus { String: { validate_legacy('String', 'validate_re', $service_hasstatus, '^(true|false)$', "ssh::service_hasstatus must be 'true' or 'false' and is set to <${service_hasstatus}>.") $service_hasstatus_real = Boolean($service_hasstatus) } Boolean: { $service_hasstatus_real = $service_hasstatus } default: { fail('ssh::service_hasstatus must be true or false.') } } } if $sshd_addressfamily == 'USE_DEFAULTS' { $sshd_addressfamily_real = $default_sshd_addressfamily } else { $sshd_addressfamily_real = $sshd_addressfamily } if $sshd_config_include == 'USE_DEFAULTS' { $sshd_config_include_real = $default_sshd_config_include } else { case $sshd_config_include { Array: { validate_legacy("Array[String]", "validate_array", $sshd_config_include) } String: { validate_legacy("String", "validate_string", $sshd_config_include) } default: { fail('ssh::sshd_config_include type must be a strting or array.') } } $sshd_config_include_real = $sshd_config_include } case $sshd_config_maxsessions { 'unset', undef: { $sshd_config_maxsessions_integer = undef } default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) } } case $sshd_config_tcp_keepalive { 'unset': { $sshd_config_tcp_keepalive_real = undef } undef: { $sshd_config_tcp_keepalive_real = $default_sshd_config_tcp_keepalive } default: { $sshd_config_tcp_keepalive_real = $sshd_config_tcp_keepalive } } case $sshd_config_permittunnel { 'unset': { $sshd_config_permittunnel_real = undef } undef: { $sshd_config_permittunnel_real = $default_sshd_config_permittunnel } default: { $sshd_config_permittunnel_real = $sshd_config_permittunnel } } case $sshd_config_hostcertificate { 'unset', undef: { $sshd_config_hostcertificate_real = undef } default: { $sshd_config_hostcertificate_real = $sshd_config_hostcertificate } } case $sshd_config_trustedusercakeys { 'unset', undef: { $sshd_config_trustedusercakeys_real = undef } default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys } } case $sshd_config_key_revocation_list { 'unset', undef: { $sshd_config_key_revocation_list_real = undef } default: { $sshd_config_key_revocation_list_real = $sshd_config_key_revocation_list } } case $sshd_config_authorized_principals_file { 'unset', undef: { $sshd_config_authorized_principals_file_real = undef } default: { $sshd_config_authorized_principals_file_real = $sshd_config_authorized_principals_file } } # validate params if $ssh_config_ciphers != undef { validate_legacy("Array[String]", "validate_array", $ssh_config_ciphers) } if $sshd_config_ciphers != undef { validate_legacy("Array[String]", "validate_array", $sshd_config_ciphers) } if $ssh_config_kexalgorithms != undef { validate_legacy("Array[String]", "validate_array", $ssh_config_kexalgorithms) } if $sshd_config_kexalgorithms != undef { validate_legacy("Array[String]", "validate_array", $sshd_config_kexalgorithms) } if $ssh_config_macs != undef { validate_legacy("Array[String]", "validate_array", $ssh_config_macs) } if $sshd_config_macs != undef { validate_legacy("Array[String]", "validate_array", $sshd_config_macs) } if $ssh_config_hash_known_hosts_real != undef { validate_legacy('String', 'validate_re', $ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes', 'no' or 'unset' and is set to <${ssh_config_hash_known_hosts_real}>.") } if $sshd_config_permitemptypasswords != undef { validate_legacy('String', 'validate_re', $sshd_config_permitemptypasswords, '^(yes|no)$', "ssh::sshd_config_permitemptypasswords may be either 'yes' or 'no' and is set to <${sshd_config_permitemptypasswords}>.") } if $sshd_config_permituserenvironment != undef { validate_legacy('String', 'validate_re', $sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.") } if $sshd_config_compression != undef { validate_legacy('String', 'validate_re', $sshd_config_compression, '^(yes|no|delayed)$', "ssh::sshd_config_compression may be either 'yes', 'no' or 'delayed' and is set to <${sshd_config_compression}>.") } case $sshd_config_port { String: { validate_legacy('String', 'validate_re', $sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.") $sshd_config_port_array = [ Integer($sshd_config_port) ] } Array: { $sshd_config_port_array = $sshd_config_port } Integer: { $sshd_config_port_array = [ $sshd_config_port ] } default: { fail('ssh:sshd_config_port must be a string, an integer or an array. ') } } validate_legacy(Stdlib::Compat::Numeric, 'validate_numeric', $sshd_config_port_array, 65535, 1) if $sshd_kerberos_authentication != undef { validate_legacy('String', 'validate_re', $sshd_kerberos_authentication, '^(yes|no)$', "ssh::sshd_kerberos_authentication may be either 'yes' or 'no' and is set to <${sshd_kerberos_authentication}>.") } validate_legacy('String', 'validate_re', $sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.") validate_legacy('String', 'validate_re', $sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.") validate_legacy('String', 'validate_re', $sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.") validate_legacy('String', 'validate_re', $sshd_x11_use_localhost, '^(yes|no)$', "ssh::sshd_x11_use_localhost may be either 'yes' or 'no' and is set to <${sshd_x11_use_localhost}>.") if $sshd_config_print_last_log != undef { validate_legacy('String', 'validate_re', $sshd_config_print_last_log, '^(yes|no)$', "ssh::sshd_config_print_last_log may be either 'yes' or 'no' and is set to <${sshd_config_print_last_log}>.") } if $sshd_use_pam_real != undef { validate_legacy('String', 'validate_re', $sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") } if $sshd_config_serverkeybits_real != undef { if is_integer($sshd_config_serverkeybits_real) == false { fail("ssh::sshd_config_serverkeybits must be an integer and is set to <${sshd_config_serverkeybits}>.") } } if $ssh_config_use_roaming_real != undef { validate_legacy('String', 'validate_re', $ssh_config_use_roaming_real, '^(yes|no|unset)$', "ssh::ssh_config_use_roaming may be either 'yes', 'no' or 'unset' and is set to <${$ssh_config_use_roaming}>.") } if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") } if is_integer($sshd_client_alive_count_max) == false { fail("ssh::sshd_client_alive_count_max must be an integer and is set to <${sshd_client_alive_count_max}>.") } if $sshd_config_banner != 'none' { validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $sshd_config_banner) } if $sshd_banner_content != undef and $sshd_config_banner == 'none' { fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.') } validate_legacy('String', 'validate_re', $ssh_gssapiauthentication, '^(yes|no)$', "ssh::ssh_gssapiauthentication may be either 'yes' or 'no' and is set to <${ssh_gssapiauthentication}>.") if $ssh_gssapidelegatecredentials != undef { validate_legacy('String', 'validate_re', $ssh_gssapidelegatecredentials, '^(yes|no)$', "ssh::ssh_gssapidelegatecredentials may be either 'yes' or 'no' and is set to <${ssh_gssapidelegatecredentials}>.") } validate_legacy('String', 'validate_re', $sshd_gssapiauthentication, '^(yes|no)$', "ssh::sshd_gssapiauthentication may be either 'yes' or 'no' and is set to <${sshd_gssapiauthentication}>.") if $sshd_gssapikeyexchange_real != undef { validate_legacy('String', 'validate_re', $sshd_gssapikeyexchange_real, '^(yes|no)$', "ssh::sshd_gssapikeyexchange may be either 'yes' or 'no' and is set to <${sshd_gssapikeyexchange_real}>.") } if $sshd_pamauthenticationviakbdint_real != undef { validate_legacy('String', 'validate_re', $sshd_pamauthenticationviakbdint_real, '^(yes|no)$', "ssh::sshd_pamauthenticationviakbdint may be either 'yes' or 'no' and is set to <${sshd_pamauthenticationviakbdint_real}>.") } if $sshd_gssapicleanupcredentials_real != undef { validate_legacy('String', 'validate_re', $sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.") } if $ssh_strict_host_key_checking != undef { validate_legacy('String', 'validate_re', $ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <${ssh_strict_host_key_checking}>.") } if $ssh_config_proxy_command != undef { validate_legacy("String", "validate_string", $ssh_config_proxy_command) } if $ssh_enable_ssh_keysign != undef { validate_legacy('String', 'validate_re', $ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.") } if $sshd_config_authkey_location != undef { validate_legacy("String", "validate_string", $sshd_config_authkey_location) } if $sshd_config_maxauthtries != undef { if is_integer($sshd_config_maxauthtries) == false { fail("ssh::sshd_config_maxauthtries must be a valid number and is set to <${sshd_config_maxauthtries}>.") } } if $sshd_config_maxstartups != undef { validate_legacy('String', 'validate_re', $sshd_config_maxstartups,'^((\d+)|(\d+?:\d+?:\d+)?)$', "ssh::sshd_config_maxstartups may be either an integer or three integers separated with colons, such as 10:30:100. Detected value is <${sshd_config_maxstartups}>.") } if $sshd_config_chrootdirectory != undef { validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $sshd_config_chrootdirectory) } if $sshd_config_forcecommand != undef { validate_legacy("String", "validate_string", $sshd_config_forcecommand) } if $sshd_authorized_keys_command != undef { validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $sshd_authorized_keys_command) } if $sshd_authorized_keys_command_user != undef { validate_legacy("String", "validate_string", $sshd_authorized_keys_command_user) } if $sshd_config_match != undef { validate_hash($sshd_config_match) } if $sshd_config_strictmodes != undef { validate_legacy('String', 'validate_re', $sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.") } if $ssh_hostbasedauthentication != undef { validate_legacy('String', 'validate_re', $ssh_hostbasedauthentication, '^(yes|no)$', "ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <${ssh_hostbasedauthentication}>.") } validate_legacy('String', 'validate_re', $sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.") if $sshd_pubkeyacceptedkeytypes != undef { validate_legacy("Array[String]", "validate_array", $sshd_pubkeyacceptedkeytypes) } if $sshd_config_authenticationmethods != undef { validate_legacy("Array[String]", "validate_array", $sshd_config_authenticationmethods) } validate_legacy('String', 'validate_re', $sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.") validate_legacy('String', 'validate_re', $sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.") validate_legacy('String', 'validate_re', $sshd_ignorerhosts, '^(yes|no)$', "ssh::sshd_ignorerhosts may be either 'yes' or 'no' and is set to <${sshd_ignorerhosts}>.") case $hiera_merge { String: { validate_legacy('String', 'validate_re', $hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.") $hiera_merge_real = Boolean($hiera_merge) } Boolean: { $hiera_merge_real = $hiera_merge } default: { fail('ssh::hiera_merge type must be true or false.') } } case $ssh_key_import { String: { validate_legacy('String', 'validate_re', $ssh_key_import, '^(true|false)$', "ssh::ssh_key_import may be either 'true' or 'false' and is set to <${ssh_key_import}>.") $ssh_key_import_real = Boolean($ssh_key_import) } Boolean: { $ssh_key_import_real = $ssh_key_import } default: { fail('ssh::ssh_key_import type must be true or false.') } } validate_legacy(Stdlib::Compat::Bool, 'validate_bool', $ssh_key_import_real) case $ssh_config_sendenv_xmodifiers { String: { $ssh_config_sendenv_xmodifiers_real = Boolean($ssh_config_sendenv_xmodifiers) } Boolean: { $ssh_config_sendenv_xmodifiers_real = $ssh_config_sendenv_xmodifiers } default: { fail('ssh::ssh_config_sendenv_xmodifiers type must be true or false.') } } case $permit_root_login { 'no', 'yes', 'without-password', 'forced-commands-only': { # noop } default: { fail("ssh::permit_root_login may be either 'yes', 'without-password', 'forced-commands-only' or 'no' and is set to <${permit_root_login}>.") } } case $ssh_key_type { 'ssh-rsa','rsa': { $key = $::sshrsakey } 'ssh-dsa','dsa': { $key = $::sshdsakey } 'ecdsa-sha2-nistp256': { $key = $::sshecdsakey } default: { fail("ssh::ssh_key_type must be 'ecdsa-sha2-nistp256', 'ssh-rsa', 'rsa', 'ssh-dsa', or 'dsa' and is <${ssh_key_type}>.") } } validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $ssh_config_global_known_hosts_file) $ssh_config_global_known_hosts_file_real = any2array($ssh_config_global_known_hosts_file) if $ssh_config_global_known_hosts_list != undef { validate_legacy("Array[String]", "validate_array", $ssh_config_global_known_hosts_list) validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $ssh_config_global_known_hosts_list) $ssh_config_global_known_hosts_list_real = concat($ssh_config_global_known_hosts_file_real, $ssh_config_global_known_hosts_list) } else { $ssh_config_global_known_hosts_list_real = $ssh_config_global_known_hosts_file_real } if $ssh_config_user_known_hosts_file != undef { validate_legacy("Array[String]", "validate_array", $ssh_config_user_known_hosts_file) } validate_legacy("String", "validate_string", $ssh_config_global_known_hosts_owner) validate_legacy("String", "validate_string", $ssh_config_global_known_hosts_group) validate_legacy('String', 'validate_re', $ssh_config_global_known_hosts_mode, '^[0-7]{4}$', "ssh::ssh_config_global_known_hosts_mode must be a valid 4 digit mode in octal notation. Detected value is <${ssh_config_global_known_hosts_mode}>.") if $purge_keys =~ String { $purge_keys_real = Boolean($purge_keys) } else { $purge_keys_real = $purge_keys } validate_legacy(Stdlib::Compat::Bool, 'validate_bool', $purge_keys_real) if $manage_service =~ String { $manage_service_real = Boolean($manage_service) } else { $manage_service_real = $manage_service } validate_legacy(Stdlib::Compat::Bool, 'validate_bool', $manage_service_real) if $service_enable =~ String { $service_enable_real = Boolean($service_enable) } else { $service_enable_real = $service_enable } validate_legacy(Stdlib::Compat::Bool, 'validate_bool', $service_enable_real) if $service_hasrestart =~ String { $service_hasrestart_real = Boolean($service_hasrestart) } else { $service_hasrestart_real = $service_hasrestart } validate_legacy(Stdlib::Compat::Bool, 'validate_bool', $service_hasrestart_real) if $manage_root_ssh_config =~ String { $manage_root_ssh_config_real = Boolean($manage_root_ssh_config) } else { $manage_root_ssh_config_real = $manage_root_ssh_config } validate_legacy(Stdlib::Compat::Bool, 'validate_bool', $manage_root_ssh_config_real) #ssh_config template validate_legacy("String", "validate_string", $ssh_config_template) #sshd_config template validate_legacy("String", "validate_string", $sshd_config_template) #loglevel $supported_loglevel_vals=['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE'] validate_legacy('String', 'validate_re', $sshd_config_loglevel, $supported_loglevel_vals) #enable hiera merging for groups, users, and config_entries if $hiera_merge_real == true { $sshd_config_allowgroups_real = hiera_array('ssh::sshd_config_allowgroups',[]) $sshd_config_allowusers_real = hiera_array('ssh::sshd_config_allowusers',[]) $sshd_config_denygroups_real = hiera_array('ssh::sshd_config_denygroups',[]) $sshd_config_denyusers_real = hiera_array('ssh::sshd_config_denyusers',[]) $config_entries_real = hiera_hash('ssh::config_entries',{}) } else { $sshd_config_allowgroups_real = $sshd_config_allowgroups $sshd_config_allowusers_real = $sshd_config_allowusers $sshd_config_denygroups_real = $sshd_config_denygroups $sshd_config_denyusers_real = $sshd_config_denyusers $config_entries_real = $config_entries } validate_legacy(Stdlib::Compat::Hash, 'validate_hash', $config_entries_real) if $sshd_config_denyusers_real != [] { validate_legacy("Array[String]", "validate_array", $sshd_config_denyusers_real) } if $sshd_config_denygroups_real != [] { validate_legacy("Array[String]", "validate_array", $sshd_config_denygroups_real) } if $sshd_config_allowusers_real != [] { validate_legacy("Array[String]", "validate_array", $sshd_config_allowusers_real) } if $sshd_config_allowgroups_real != [] { validate_legacy("Array[String]", "validate_array", $sshd_config_allowgroups_real) } if $sshd_config_tcp_keepalive_real != undef { validate_legacy('String', 'validate_re', $sshd_config_tcp_keepalive_real, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes', 'no' or 'unset' and is set to <${sshd_config_tcp_keepalive_real}>.") } if $sshd_config_use_privilege_separation != undef { validate_legacy('String', 'validate_re', $sshd_config_use_privilege_separation, '^(yes|no|sandbox)$', "ssh::sshd_config_use_privilege_separation may be either 'yes', 'no' or 'sandbox' and is set to <${sshd_config_use_privilege_separation}>.") } if $sshd_config_permittunnel_real != undef { validate_legacy('String', 'validate_re', $sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.") } if $sshd_config_hostcertificate_real != undef { if is_array($sshd_config_hostcertificate_real) { validate_legacy("Array[String]", "validate_array", $sshd_config_hostcertificate_real) } validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $sshd_config_hostcertificate_real) } if $sshd_config_trustedusercakeys_real != undef { # TrustedUserCAKeys may be a path to the keys or 'none' if $sshd_config_trustedusercakeys_real != 'none' { validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $sshd_config_trustedusercakeys_real) } } if $sshd_config_key_revocation_list_real != undef { # RevokedKeys may be a path to the key revocation list or 'none' if $sshd_config_key_revocation_list_real != 'none' { validate_legacy(Stdlib::Compat::Absolute_Path, "validate_absolute_path", $sshd_config_key_revocation_list) } } if $sshd_config_authorized_principals_file_real != undef { validate_legacy("String", "validate_string", $sshd_config_authorized_principals_file_real) } if $sshd_config_allowagentforwarding != undef { validate_legacy('String', 'validate_re', $sshd_config_allowagentforwarding, '^(yes|no)$', "ssh::sshd_config_allowagentforwarding may be either 'yes' or 'no' and is set to <${sshd_config_allowagentforwarding}>.") } package { $packages_real: ensure => installed, source => $ssh_package_source_real, adminfile => $ssh_package_adminfile_real, } file { 'ssh_config' : ensure => file, path => $ssh_config_path, owner => $ssh_config_owner, group => $ssh_config_group, mode => $ssh_config_mode, content => template($ssh_config_template), require => Package[$packages_real], } file { 'sshd_config' : ensure => file, path => $sshd_config_path, mode => $sshd_config_mode_real, owner => $sshd_config_owner, group => $sshd_config_group, content => template($sshd_config_template), require => Package[$packages_real], } if $sshd_config_banner != 'none' and $sshd_banner_content != undef { file { 'sshd_banner' : ensure => file, path => $sshd_config_banner, owner => $sshd_banner_owner, group => $sshd_banner_group, mode => $sshd_banner_mode, content => $sshd_banner_content, require => Package[$packages_real], } } if $manage_root_ssh_config_real == true { include ::common common::mkdir_p { "${::root_home}/.ssh": } file { 'root_ssh_dir': ensure => directory, path => "${::root_home}/.ssh", owner => 'root', group => 'root', mode => '0700', require => Common::Mkdir_p["${::root_home}/.ssh"], } file { 'root_ssh_config': ensure => file, path => "${::root_home}/.ssh/config", content => $root_ssh_config_content, owner => 'root', group => 'root', mode => '0600', } } if $manage_service_real { service { 'sshd_service' : ensure => $service_ensure, name => $service_name_real, enable => $service_enable_real, hasrestart => $service_hasrestart_real, hasstatus => $service_hasstatus_real, subscribe => File['sshd_config'], } } if $manage_firewall == true { firewall { '22 open port 22 for SSH': action => 'accept', dport => 22, proto => 'tcp', } } # If either IPv4 or IPv6 stack is not configured on the agent, the # corresponding $::ipaddress(6)? fact is not present. So, we cannot assume # these variables are defined. Getvar (Stdlib 4.13+, ruby 1.8.7+) handles # this correctly. if getvar('::ipaddress') and getvar('::ipaddress6') { $host_aliases = [$::hostname, $::ipaddress, $::ipaddress6] } elsif getvar('::ipaddress6') { $host_aliases = [$::hostname, $::ipaddress6] } else { $host_aliases = [$::hostname, $::ipaddress] } # export each node's ssh key sshkey { $::fqdn : ensure => $ssh_key_ensure, host_aliases => $host_aliases, type => $ssh_key_type, key => $key, } file { 'ssh_known_hosts': ensure => file, path => $ssh_config_global_known_hosts_file, owner => $ssh_config_global_known_hosts_owner, group => $ssh_config_global_known_hosts_group, mode => $ssh_config_global_known_hosts_mode, require => Package[$packages_real], } # import all nodes' ssh keys if $ssh_key_import_real == true { Sshkey <||> { target => $ssh_config_global_known_hosts_file, } } # remove ssh key's not managed by puppet resources { 'sshkey': purge => $purge_keys_real, } # manage users' ssh config entries if present create_resources('ssh::config_entry',$config_entries_real) # manage users' ssh authorized keys if present if $keys != undef { if $hiera_merge_real == true { $keys_real = hiera_hash('ssh::keys') } else { $keys_real = $keys notice('Future versions of the ssh module will default ssh::hiera_merge_real to true') } validate_hash($keys_real) create_resources('ssh_authorized_key', $keys_real) } if $sshd_addressfamily_real != undef { if $::osfamily == 'Solaris' { fail("ssh::sshd_addressfamily is not supported on Solaris and is set to <${sshd_addressfamily}>.") } else { validate_legacy('String', 'validate_re', $sshd_addressfamily_real, '^(any|inet|inet6)$', "ssh::sshd_addressfamily can be undef, 'any', 'inet' or 'inet6' and is set to ${sshd_addressfamily_real}.") } } }