blob: a96ae64bbf0a076dc8619075b9ea1854d5c70baf [file] [log] [blame]
# == Class: ssh
#
# Manage ssh client and server
#
class ssh (
$packages = 'USE_DEFAULTS',
$permit_root_login = 'yes',
$purge_keys = 'true',
$manage_firewall = false,
$ssh_config_hash_known_hosts = 'no',
$ssh_config_path = '/etc/ssh/ssh_config',
$ssh_config_owner = 'root',
$ssh_config_group = 'root',
$ssh_config_mode = '0644',
$ssh_config_forward_x11 = undef,
$ssh_config_forward_agent = undef,
$ssh_config_server_alive_interval = undef,
$ssh_config_sendenv_xmodifiers = false,
$sshd_config_path = '/etc/ssh/sshd_config',
$sshd_config_owner = 'root',
$sshd_config_group = 'root',
$sshd_config_mode = '0600',
$sshd_config_port = '22',
$sshd_config_syslog_facility = 'AUTH',
$sshd_config_login_grace_time = '120',
$sshd_config_challenge_resp_auth = 'yes',
$sshd_config_print_motd = 'yes',
$sshd_config_use_dns = 'yes',
$sshd_config_banner = 'none',
$sshd_config_xauth_location = '/usr/bin/xauth',
$sshd_config_subsystem_sftp = 'USE_DEFAULTS',
$service_ensure = 'running',
$service_name = 'USE_DEFAULTS',
$service_enable = 'true',
$service_hasrestart = 'true',
$service_hasstatus = 'true',
$ssh_key_ensure = 'present',
$ssh_key_type = 'ssh-rsa',
$keys = undef,
$manage_root_ssh_config = 'false',
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
$sshd_password_authentication = 'yes',
$sshd_allow_tcp_forwarding = 'yes',
$sshd_x11_forwarding = 'yes',
$sshd_use_pam = 'yes',
$sshd_client_alive_interval = '0',
) {
# validate params
validate_re($ssh_config_hash_known_hosts, '^(yes|no)$', "ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts}>.")
validate_re($sshd_config_port, '^\d+$', "sshd_config_port must be a valid number and is set to <${sshd_config_port}>")
validate_re($sshd_password_authentication, '^(yes|no)$', "sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.")
validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
validate_re($sshd_x11_forwarding, '^(yes|no)$', "sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
validate_re($sshd_use_pam, '^(yes|no)$', "sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam}>.")
if is_integer($sshd_client_alive_interval) == false { fail("sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
case type($ssh_config_sendenv_xmodifiers) {
'string': {
$ssh_config_sendenv_xmodifiers_real = str2bool($ssh_config_sendenv_xmodifiers)
}
'boolean': {
$ssh_config_sendenv_xmodifiers_real = $ssh_config_sendenv_xmodifiers
}
default: {
fail("ssh_config_sendenv_xmodifiers type must be true or false.")
}
}
case $permit_root_login {
'no', 'yes', 'without-password', 'forced-commands-only': {
# noop
}
default: {
fail("permit_root_login may be either 'yes', 'without-password', 'forced-commands-only' or 'no' and is set to <${permit_root_login}>")
}
}
case $ssh_key_type {
'ssh-rsa','rsa': {
$key = $::sshrsakey
}
'ssh-dsa','dsa': {
$key = $::sshdsakey
}
default: {
fail("ssh_key_type must be 'ssh-rsa', 'rsa', 'ssh-dsa', or 'dsa' and is <${ssh_key_type}>")
}
}
case $purge_keys {
'true','false': {
# noop
}
default: {
fail("purge_keys must be 'true' or 'false' and is <${purge_keys}>")
}
}
case $::osfamily {
'RedHat': {
$default_packages = ['openssh-server',
'openssh-clients']
$default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
$default_service_name = 'sshd'
}
'Suse': {
$default_packages = 'openssh'
$default_service_name = 'sshd'
case $::architecture {
'x86_64': {
$default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
}
'i386' : {
$default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
}
default: {
fail("ssh supports architectures x86_64 and i386 for Suse. Detected architecture is <${::architecture}>.")
}
}
}
'Debian': {
$default_packages = [ 'openssh-server',
'openssh-client']
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_service_name = 'ssh'
}
default: {
fail("ssh supports osfamilies RedHat, Suse and Debian. Detected osfamily is <${::osfamily}>.")
}
}
if $packages == 'USE_DEFAULTS' {
$packages_real = $default_packages
} else {
$packages_real = $packages
}
if $service_name == 'USE_DEFAULTS' {
$service_name_real = $default_service_name
} else {
$service_name_real = $service_name
}
if $sshd_config_subsystem_sftp == 'USE_DEFAULTS' {
$sshd_config_subsystem_sftp_real = $default_sshd_config_subsystem_sftp
} else {
$sshd_config_subsystem_sftp_real = $sshd_config_subsystem_sftp
}
package { 'ssh_packages':
ensure => installed,
name => $packages_real,
}
file { 'ssh_config' :
ensure => file,
path => $ssh_config_path,
owner => $ssh_config_owner,
group => $ssh_config_group,
mode => $ssh_config_mode,
content => template('ssh/ssh_config.erb'),
require => Package['ssh_packages'],
}
file { 'sshd_config' :
ensure => file,
path => $sshd_config_path,
mode => $sshd_config_mode,
owner => $sshd_config_owner,
group => $sshd_config_group,
content => template('ssh/sshd_config.erb'),
require => Package['ssh_packages'],
}
case $manage_root_ssh_config {
'true': {
include common
common::mkdir_p { "${::root_home}/.ssh": }
file { 'root_ssh_dir':
ensure => directory,
path => "${::root_home}/.ssh",
owner => 'root',
group => 'root',
mode => '0700',
require => Common::Mkdir_p["${::root_home}/.ssh"],
}
file { 'root_ssh_config':
ensure => file,
path => "${::root_home}/.ssh/config",
content => $root_ssh_config_content,
owner => 'root',
group => 'root',
mode => '0600',
}
}
'false': {
# noop
}
default: {
fail("manage_root_ssh_config is <${manage_root_ssh_config}> and must be \'true\' or \'false\'.")
}
}
service { 'sshd_service' :
ensure => $service_ensure,
name => $service_name_real,
enable => $service_enable,
hasrestart => $service_hasrestart,
hasstatus => $service_hasstatus,
subscribe => File['sshd_config'],
}
if $manage_firewall == true {
firewall { '22 open port 22 for SSH':
action => 'accept',
dport => 22,
proto => 'tcp',
}
}
# export each node's ssh key
@@sshkey { $::fqdn :
ensure => $ssh_key_ensure,
type => $ssh_key_type,
key => $key,
require => Package['ssh_packages'],
}
# import all nodes' ssh keys
Sshkey <<||>>
# remove ssh key's not managed by puppet
resources { 'sshkey':
purge => $purge_keys,
}
# manage users' ssh authorized keys if present
if $keys != undef {
validate_hash($keys)
create_resources(ssh_authorized_key, $keys)
}
}