Puppet Class: ssh::server

Inherits:
ssh::params
Defined in:
manifests/server.pp

Overview

This class installs the SSH server package (where the platform defines one), renders sshd_config from the ssh/sshd_config.epp template, manages the system-wide known_hosts file, and keeps the sshd service enabled and running. Platform-specific values (package and service names, paths, owners, modes) come from ssh::params.

Parameters:

  • print_motd (Boolean) (defaults to: $ssh::params::print_motd)

    Whether the ssh daemon should print the contents of the /etc/motd file when a user logs in interactively.

  • permit_x11_forwarding (Boolean) (defaults to: false)

    Whether X11 forwarding (X11Forwarding) should be enabled. Defaults to off; leave it disabled unless clients genuinely need it, since a forwarded session gives the server side access to the client's X display.

  • accept_env (Array[String[1]]) (defaults to: [])

    An array of environment variable names (AcceptEnv) that the daemon accepts from the client and copies into the login session's environment. Each accepted variable is client-controlled input to the session, so keep the list to what is actually needed.

  • kex_algorithm (Optional[String[1]]) (defaults to: undef)

    The key-exchange (KEX) algorithms the daemon is allowed to negotiate, passed through to the sshd_config template as a single string (i.e. the KexAlgorithms value). Leaving it undef defers to the template and, ultimately, to sshd's built-in default set.

  • permit_root_login (Ssh::PermitRootLogin) (defaults to: $ssh::params::permit_root_login)

    The PermitRootLogin setting, i.e. whether (and how) root may log in over SSH. The Ssh::PermitRootLogin type restricts the value to the forms sshd accepts.

  • cyg_server_password (Optional[Sensitive[String[1]]]) (defaults to: undef)

    Only required on Cygwin: the password of the account the ssh daemon runs as. It must be wrapped in Sensitive so Puppet redacts it from logs and reports. It is not referenced in this class body, so it is presumably consumed by the platform class selected via $ssh::params::server_class.

  • config_mode (Optional[String[3]]) (defaults to: $ssh::params::config_mode)

    The file mode for sshd_config; undef leaves the mode unmanaged. The system-wide known_hosts file does not use this value: it is always written with $ssh::params::config_mode, because the ssh client of every local user must be able to read it.



# File 'manifests/server.pp', line 16

# Installs the SSH server package (where the platform defines one), renders
# sshd_config from the ssh/sshd_config.epp template, manages the system-wide
# known_hosts file and keeps the daemon running. Platform specifics come from
# ssh::params; only the hardening-relevant knobs are class parameters.
#
# @param print_motd            Render PrintMotd so sshd shows /etc/motd on
#                              interactive login.
# @param permit_x11_forwarding Render X11Forwarding. Leave disabled unless
#                              clients genuinely need it; forwarding exposes
#                              the client's X display to the server side.
# @param accept_env            Environment variable names accepted from the
#                              client. Each one is client-controlled input to
#                              the session, so keep the list minimal.
# @param kex_algorithm         Key-exchange algorithm list handed to the
#                              template as one string; how undef is rendered
#                              is decided by the template.
# @param permit_root_login     PermitRootLogin value, type-checked by
#                              Ssh::PermitRootLogin.
# @param cyg_server_password   Cygwin only: password of the daemon's service
#                              account. Wrapped in Sensitive so it is redacted
#                              from reports and logs. Not referenced in this
#                              body; presumably read by the class named in
#                              $ssh::params::server_class -- confirm.
# @param config_mode           Mode of sshd_config; undef leaves the mode
#                              unmanaged.
class ssh::server (
  Boolean                        $print_motd            = $ssh::params::print_motd,
  Boolean                        $permit_x11_forwarding = false,
  Array[String[1]]               $accept_env            = [],
  Optional[String[1]]            $kex_algorithm         = undef,
  Ssh::PermitRootLogin           $permit_root_login     = $ssh::params::permit_root_login,
  Optional[Sensitive[String[1]]] $cyg_server_password   = undef,
  Optional[String[3]]            $config_mode           = $ssh::params::config_mode,
) inherits ssh::params {
  # Shared client/server plumbing.
  include ssh

  # Optional platform glue class (e.g. the Cygwin service-account setup).
  if $ssh::params::server_class {
    include $ssh::params::server_class
  }

  # The daemon. Declared first purely for readability -- Puppet resolves the
  # relationships below regardless of declaration order.
  service { 'sshd':
    ensure     => running,
    name       => $ssh::params::ssh_service,
    enable     => true,
    hasstatus  => true,
    hasrestart => $ssh::params::has_restart,
  }

  # Configuration directory, when this module owns it. Ordered before the
  # rendered sshd_config so the directory (and its mode) exists first.
  if $ssh::params::manage_config_dir {
    file { $ssh::params::config_dir:
      ensure => directory,
      owner  => $ssh::params::config_owner,
      group  => $ssh::params::config_group,
      mode   => $ssh::params::config_dir_mode,
    }
    File[$ssh::params::config_dir] -> Concat['ssh::params::sshd_config']
  }

  # Server package, on platforms that ship one. Upgrading it restarts the
  # daemon so the running binary matches the installed one, and the package
  # is installed before this module touches its config directory.
  if $ssh::params::server_package {
    ensure_packages([$ssh::params::server_package], { provider => $ssh::params::package_provider })
    Package[$ssh::params::server_package] ~> Service['sshd']
    if $ssh::params::manage_config_dir {
      Package[$ssh::params::server_package] -> File[$ssh::params::config_dir]
    }
  }

  # System-wide known_hosts. Deliberately uses the ssh::params mode rather than
  # $config_mode: every local user's ssh client must be able to read it,
  # whereas sshd_config may legitimately be owner-only. Only existence, owner
  # and mode are managed here; the content is left alone.
  file { $ssh::params::known_hosts:
    ensure => file,
    owner  => $ssh::params::config_owner,
    group  => $ssh::params::config_group,
    mode   => $ssh::params::config_mode,
  }
  File[$ssh::params::known_hosts] ~> Service['sshd']

  # Rendered daemon configuration. Line endings are normalised by
  # ssh::fix_eol (presumably CRLF on Cygwin), which is why concat is told not
  # to append its own newline.
  $sshd_configuration = ssh::fix_eol(
    epp('ssh/sshd_config.epp', {
      accept_env            => $accept_env,
      authorized_keys       => $ssh::params::authorized_keys,
      kex_algorithm         => $kex_algorithm,
      permit_root_login     => $permit_root_login,
      permit_x11_forwarding => $permit_x11_forwarding,
      print_motd            => $print_motd,
      root_group            => $ssh::params::root_access_group,
      sftp_subsystem        => $ssh::params::sftp_subsystem,
      strict_modes          => $ssh::params::strict_modes,
      syslog_facility       => $ssh::params::syslog_facility,
    })
  )

  # NOTE(review): a syntactically broken sshd_config reaches the restart
  # below unchecked. If the pinned concat module passes validate_cmd through
  # to the file resource, running `sshd -t -f %` there would turn a remote
  # lock-out into a failed catalog run -- confirm module support before adding.
  concat { 'ssh::params::sshd_config':
    path           => $ssh::params::sshd_config,
    owner          => $ssh::params::config_owner,
    group          => $ssh::params::config_group,
    mode           => $config_mode,
    ensure_newline => false, # might want CRLF instead of LF
  }
  Concat['ssh::params::sshd_config'] ~> Service['sshd']

  # The whole config is one fragment; the trailing "\n" keeps the file
  # legible, and ssh::fix_eol converts it to the platform line ending.
  concat::fragment { 'ssh::params::sshd_config header':
    order   => '00',
    target  => 'ssh::params::sshd_config',
    content => ssh::fix_eol("${sshd_configuration}\n"),
  }
}