Puppet Class: ssh

Inherits:
ssh::params
Defined in:
manifests/init.pp

Summary

This class manages the ssh client and the ssh server

Overview

Examples:

Puppet usage

class { 'ssh':
  storeconfigs_enabled         => false,
  server_options               => {
    'Match User www-data'      => {
      'ChrootDirectory'        => '%h',
      'ForceCommand'           => 'internal-sftp',
      'PasswordAuthentication' => 'yes',
      'AllowTcpForwarding'     => 'no',
      'X11Forwarding'          => 'no',
    },
    'Port'                     => [22, 2222, 2288],
  },
  client_options               => {
    'Host *.amazonaws.com'     => {
      'User'                   => 'ec2-user',
    },
  },
  users_client_options         => {
    'bob'                      => {
      options                  => {
        'Host *.alice.fr'      => {
          'User'               => 'alice',
        },
      },
    },
  },
}

hiera usage

ssh::storeconfigs_enabled: true

ssh::server_options:
    Protocol: '2'
    ListenAddress:
        - '127.0.0.0'
        - '%{::hostname}'
    PasswordAuthentication: 'yes'
    SyslogFacility: 'AUTHPRIV'
    UsePAM: 'yes'
    X11Forwarding: 'yes'

ssh::server::match_block:
  filetransfer:
    type: group
    options:
      ChrootDirectory: /home/sftp
      ForceCommand: internal-sftp

ssh::client_options:
    'Host *':
        SendEnv: 'LANG LC_*'
        ForwardX11Trusted: 'yes'
        ServerAliveInterval: '10'

ssh::users_client_options:
    'bob':
        'options':
            'Host *.alice.fr':
                'User': 'alice'
                'PasswordAuthentication': 'no'

Parameters:

  • server_options (Hash) (defaults to: {})

    Add dynamic options for ssh server config

  • server_match_block (Hash) (defaults to: {})

    Add match block for ssh server config

  • client_options (Hash) (defaults to: {})

    Add dynamic options for ssh client config

  • users_client_options (Hash) (defaults to: {})

    Add users options for ssh client config

  • version (String) (defaults to: 'present')

    Define package version (package resource)

  • storeconfigs_enabled (Boolean) (defaults to: true)

    Default value for storeconfigs_enabled (client and server)

  • validate_sshd_file (Boolean) (defaults to: $ssh::params::validate_sshd_file)

    Default value for validate_sshd_file (server)

  • use_augeas (Boolean) (defaults to: false)

    Whether to use augeas (client and server)

  • server_options_absent (Array) (defaults to: [])

    List of options to remove for server config (augeas only)

  • client_options_absent (Array) (defaults to: [])

    List of options to remove for client config (augeas only)

  • use_issue_net (Boolean) (defaults to: false)

    Use issue_net header

  • purge_unmanaged_sshkeys (Boolean) (defaults to: true)

    Purge sshkey resources that are not managed by Puppet; only applied when storeconfigs_enabled is also true

# File 'manifests/init.pp', line 100

# Entry point of the module.  Builds the final option hashes from hiera and
# from the class parameters, declares ssh::server and ssh::client with them,
# optionally purges unmanaged host keys, and finally creates the per-user
# client config resources and the sshd Match blocks.
#
# Parameters are documented in the Puppet Strings comment above this class
# (server_options, client_options, users_client_options, ... ).
class ssh (
  Hash    $server_options          = {},
  Hash    $server_match_block      = {},
  Hash    $client_options          = {},
  Hash    $users_client_options    = {},
  String  $version                 = 'present',   # package ensure value, handed to both sub-classes
  Boolean $storeconfigs_enabled    = true,
  Boolean $validate_sshd_file      = $ssh::params::validate_sshd_file,
  Boolean $use_augeas              = false,
  Array   $server_options_absent   = [],
  Array   $client_options_absent   = [],
  Boolean $use_issue_net           = false,
  Boolean $purge_unmanaged_sshkeys = true,
) inherits ssh::params {
  # Merge hashes from multiple layer of hierarchy in hiera.
  # Automatic parameter lookup only returns the first hiera level that defines
  # a key; an explicit 'deep' lookup combines every level, so options set in
  # several hierarchy layers add up instead of shadowing each other.  The
  # trailing {} is the default when no level defines the key.
  $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'deep', {})
  $hiera_server_match_block = lookup("${module_name}::server_match_block", Optional[Hash], 'deep', {})
  $hiera_client_options = lookup("${module_name}::client_options", Optional[Hash], 'deep', {})
  $hiera_users_client_options = lookup("${module_name}::users_client_options", Optional[Hash], 'deep', {})

  # deep_merge (stdlib): nested hashes are merged recursively; for a key whose
  # value is not a hash the right-hand side wins, so a value passed explicitly
  # as a class parameter overrides the same key coming from hiera.
  $fin_server_options = deep_merge($hiera_server_options, $server_options)
  $fin_server_match_block = deep_merge($hiera_server_match_block, $server_match_block)
  $fin_client_options = deep_merge($hiera_client_options, $client_options)
  $fin_users_client_options = deep_merge($hiera_users_client_options, $users_client_options)

  # Both sub-classes receive the same package ensure value, storeconfigs and
  # augeas settings; sshd_config validation and the issue.net banner only
  # apply to the server side.
  class { 'ssh::server':
    ensure               => $version,
    storeconfigs_enabled => $storeconfigs_enabled,
    options              => $fin_server_options,
    validate_sshd_file   => $validate_sshd_file,
    use_augeas           => $use_augeas,
    options_absent       => $server_options_absent,
    use_issue_net        => $use_issue_net,
  }

  class { 'ssh::client':
    ensure               => $version,
    storeconfigs_enabled => $storeconfigs_enabled,
    options              => $fin_client_options,
    use_augeas           => $use_augeas,
    options_absent       => $client_options_absent,
  }

  # If host keys are being managed, optionally purge unmanaged ones as well.
  # purge => true removes every sshkey (system-wide known_hosts entry) that is
  # not declared in the catalog, so only keys collected through storeconfigs
  # survive.  The guard makes this a no-op when storeconfigs are disabled,
  # which avoids wiping known_hosts on nodes that never receive exported keys.
  if ($storeconfigs_enabled and $purge_unmanaged_sshkeys) {
    resources { 'sshkey':
      purge => true,
    }
  }

  # One ssh::client::config::user per key of the merged users_client_options
  # hash and one ssh::server::match_block per key of the merged
  # server_match_block hash; each value hash becomes that resource's
  # attributes (see the hiera example in the class documentation).
  create_resources('ssh::client::config::user', $fin_users_client_options)
  create_resources('ssh::server::match_block', $fin_server_match_block)
}