Puppet Class: ssh::server

Defined in:
modules/ssh/manifests/server.pp

Overview

Parameters:

  • listen_port (Any) (defaults to: '22')
  • listen_address (Any) (defaults to: undef)
  • permit_root (Any) (defaults to: true)
  • authorized_keys_file (Any) (defaults to: undef)
  • authorized_keys_command (Any) (defaults to: '/usr/sbin/ssh-key-ldap-lookup')
  • disable_nist_kex (Any) (defaults to: true)
  • explicit_macs (Any) (defaults to: true)
  • enable_hba (Any) (defaults to: false)
  • disable_agent_forwarding (Any) (defaults to: true)
  • challenge_response_auth (Any) (defaults to: true)
  • max_sessions (Any) (defaults to: undef)
  • max_startups (Any) (defaults to: undef)


# File 'modules/ssh/manifests/server.pp', line 1

# ssh::server
#
# Installs the OpenSSH server, renders /etc/ssh/sshd_config from the
# ssh/sshd_config.erb template, keeps the root-owned /etc/ssh/userkeys tree
# under puppet control and exports this host's SSH host key as an @@sshkey
# resource so other hosts can collect it.
#
# Only $authorized_keys_file is referenced directly in this class body; the
# remaining parameters are presumably consumed by ssh/sshd_config.erb, which
# is not shown here (verify against the template before relying on any
# of the descriptions below).
#
# @param listen_port              Port sshd listens on.
# @param listen_address           Address sshd binds to; undef leaves it to
#                                 the template's handling.
# @param permit_root              Whether root login is permitted (defaults
#                                 to true; a conscious hardening choice for
#                                 callers that do not need it).
# @param authorized_keys_file     Explicit AuthorizedKeysFile value. When
#                                 unset, the per-user files under
#                                 /etc/ssh/userkeys are used (see below).
# @param authorized_keys_command  Command sshd runs to look up keys
#                                 (defaults to the LDAP lookup helper).
# @param disable_nist_kex         Whether the NIST key-exchange algorithms
#                                 are disabled in the rendered config.
# @param explicit_macs            Whether an explicit MAC list is written.
# @param enable_hba               Whether host-based authentication is
#                                 enabled.
# @param disable_agent_forwarding Whether agent forwarding is disabled.
# @param challenge_response_auth  Whether challenge/response authentication
#                                 is allowed.
# @param max_sessions             Optional MaxSessions override.
# @param max_startups             Optional MaxStartups override.
class ssh::server (
    $listen_port = '22',
    $listen_address = undef,
    $permit_root = true,
    $authorized_keys_file = undef,
    $authorized_keys_command = '/usr/sbin/ssh-key-ldap-lookup',
    $disable_nist_kex = true, # Allow labs projects to temporarily opt out of disabling the NIST KEX algorithms
    $explicit_macs = true, # Allow labs projects to temporarily opt out of the more secure explicit MAC list
    $enable_hba = false,
    $disable_agent_forwarding = true,
    $challenge_response_auth = true,  # Set to false in labs to disable all password auth; 2FA is not used there
    $max_sessions = undef,  # Allow Cloud VPS restricted bastions to override it for Cumin
    $max_startups = undef,  # Allow Cloud VPS restricted bastions to override it for Cumin
) {
    # The sshd_config file below requires this package.
    package { 'openssh-server':
        ensure => present,
    }

    # Restart sshd whenever the managed sshd_config changes.
    service { 'ssh':
        ensure    => running,
        subscribe => File['/etc/ssh/sshd_config'],
    }

    # base::service_auto_restart is defined elsewhere in the repository.
    if os_version('debian >= jessie') {
        base::service_auto_restart { 'ssh': }
    }

    # AuthorizedKeysFile value: an explicit override wins; otherwise keys are
    # read from the root-owned per-user file under /etc/ssh/userkeys plus a
    # Cumin-specific drop-in (%u is expanded by sshd to the login name).
    # Presumably interpolated by the template; confirm there.
    if $authorized_keys_file {
        $ssh_authorized_keys_file = $authorized_keys_file
    } else {
        $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u /etc/ssh/userkeys/%u.d/cumin'
    }

    # Central key directory: root-owned, read-only (puppet adds the directory
    # search bit), and purged of anything not managed by puppet, so users
    # cannot add or edit authorized keys here outside of puppet.
    file { '/etc/ssh/userkeys':
        ensure  => directory,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        recurse => true,
        purge   => true,
    }

    # Rendered daemon configuration; the ssh service above subscribes to it.
    file { '/etc/ssh/sshd_config':
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('ssh/sshd_config.erb'),
        require => Package['openssh-server'],
    }

    # publish this host's host key; prefer ECDSA -> RSA (no DSA)
    #
    # Puppet sshkey hardcodes acceptable types in its code, and ed25519 is not
    # a valid type in trusty's version (3.4.3). It is in jessie's version
    # (3.7.3), though. So this is waiting until trusty is gone, or until we
    # backport a newer version of puppet to trusty.

    if $::sshecdsakey {
        # facter bug: one key regardless of ECDSA keytype;
        # no type exported as a separate variable
        $key  = $::sshecdsakey
        $type = 'ecdsa-sha2-nistp256'
    } elsif $::sshrsakey {
        $key  = $::sshrsakey
        $type = 'ssh-rsa'
    } else {
        # NOTE(review): err() only logs; $key and $type stay unset and the
        # @@sshkey below is still declared. Confirm whether a hard fail()
        # is the intended behaviour for a host without a usable host key.
        err("No valid SSH host key found for ${::fqdn}")
    }

    # Advertise the IPv6 address as an alias too when facter reports one.
    if $::ipaddress6 == undef {
        $aliases = [ $::hostname, $::ipaddress ]
    } else {
        $aliases = [ $::hostname, $::ipaddress, $::ipaddress6 ]
    }

    # Exported resource, collected by other hosts to populate their
    # known_hosts entry for this machine.
    debug("Storing ${type} SSH hostkey for ${::fqdn}")
    @@sshkey { $::fqdn:
        ensure       => present,
        type         => $type,
        key          => $key,
        host_aliases => $aliases,
    }
}