# File 'modules/ssh/manifests/server.pp', line 17
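# @summary Install and manage the OpenSSH server: the package, the service,
#   the rendered /etc/ssh/sshd_config, the purged /etc/ssh/userkeys tree and
#   an exported sshkey resource for this host's ECDSA host key.
#
# Most parameters exist only to be read by the template
# ssh/sshd_config.erb from class scope (including the derived $_permit_root,
# presumably as @_permit_root), so parameter and variable names are part of
# the contract with the template and must not be renamed here.
#
# @param listen_port Port passed to the template (name suggests ListenPort).
# @param listen_addresses Bind addresses passed to the template; empty by default.
# @param permit_root Boolean or String. true/false become 'yes'/'no';
#   a String is passed through verbatim (e.g. 'prohibit-password').
#   NOTE(review): the default is true, i.e. root login is permitted unless a
#   caller overrides this explicitly -- confirm this is intended for all hosts.
# @param authorized_keys_file Key file paths passed to the template.
# @param authorized_keys_command Lookup command path passed to the template.
# @param disable_nist_kex Flag passed to the template.
# @param explicit_macs Flag passed to the template.
# @param enable_hba Flag passed to the template.
# @param enable_kerberos Flag passed to the template.
# @param disable_agent_forwarding Flag passed to the template.
# @param challenge_response_auth Flag passed to the template.
# @param max_sessions Optional integer passed to the template.
# @param max_startups Optional string passed to the template.
# @param gateway_ports Flag passed to the template.
# @param accept_env Environment variable patterns passed to the template.
class ssh::server (
    Stdlib::Port $listen_port = 22,
    Array[Stdlib::IP::Address] $listen_addresses = [],
    Ssh::Config::PermitRootLogin $permit_root = true,
    Array[Stdlib::Unixpath] $authorized_keys_file = ['/etc/ssh/userkeys/%u', '/etc/ssh/userkeys/%u.d/cumin'],
    Stdlib::Unixpath $authorized_keys_command = '/usr/sbin/ssh-key-ldap-lookup',
    Boolean $disable_nist_kex = true,
    Boolean $explicit_macs = true,
    Boolean $enable_hba = false,
    Boolean $enable_kerberos = false,
    Boolean $disable_agent_forwarding = true,
    Boolean $challenge_response_auth = true,
    Optional[Integer] $max_sessions = undef,
    Optional[String[1]] $max_startups = undef,
    Boolean $gateway_ports = false,
    Array[String[1]] $accept_env = ['LANG', 'LC_*'],
) {
    # Normalise the Boolean-or-String parameter to the literal sshd value.
    # Keep the variable name: the template is expected to read it.
    $_permit_root = $permit_root ? {
        String  => $permit_root,
        false   => 'no',
        default => 'yes',
    }

    package { 'openssh-server':
        ensure => present,
    }

    # Restart on any config change. Because of that restart, the config file
    # below is syntax-checked before it is put in place (see validate_cmd),
    # so a bad template does not leave the host without a working sshd.
    service { 'ssh':
        ensure    => running,
        subscribe => File['/etc/ssh/sshd_config'],
    }
    profile::auto_restarts::service { 'ssh': }

    # Anything under /etc/ssh/userkeys that Puppet does not manage is removed
    # (purge), so stray authorized_keys files cannot linger. Puppet adds the
    # execute bit to directories for every read bit, so '0444' yields 0555.
    file { '/etc/ssh/userkeys':
        ensure  => directory,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        recurse => true,
        purge   => true,
    }

    # sshd -t parses the candidate file (Puppet substitutes its temp path for
    # '%'); a file that fails the check is not installed and the service is
    # not restarted. Requires the package so the binary exists on first run.
    file { '/etc/ssh/sshd_config':
        ensure       => file,
        owner        => 'root',
        group        => 'root',
        mode         => '0444',
        content      => template('ssh/sshd_config.erb'),
        validate_cmd => '/usr/sbin/sshd -t -f %',
        require      => Package['openssh-server'],
    }

    # we use the legacy facts here specificaly because we override them in
    # modules/base/lib/facter/interface_primary.rb
    # Although the networking.ip fact now points to a sensible fact
    # networking.ip6 still points to IMO the wrong address.
    # related: https://tickets.puppetlabs.com/browse/FACT-2907
    # related: https://tickets.puppetlabs.com/browse/FACT-2843
    # Drop whichever of the address facts is unset (e.g. no IPv6 address).
    $aliases = [
        $facts['networking']['hostname'],
        $facts['ipaddress'],
        $facts['ipaddress6'],
    ].filter |$x| { $x =~ NotUndef }

    # Export this host's key for collection into other nodes' known_hosts.
    # NOTE(review): only the ECDSA P-256 host key is exported even though
    # NIST KEX is disabled by default above; whether an ed25519 key should be
    # exported as well depends on the collectors and is not decided here.
    @@sshkey { $facts['networking']['fqdn']:
        ensure       => present,
        type         => 'ecdsa-sha2-nistp256',
        key          => $facts['ssh']['ecdsa']['key'],
        host_aliases => $aliases,
    }
}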