Puppet Class: ssh::server

Defined in:
manifests/server.pp

Summary

Sets up an SSH server and starts sshd.

Overview

Parameters:

  • server_ensure (String) (defaults to: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }))

    The ensure status of the openssh-server package

  • ldap_ensure (String) (defaults to: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }))

    The ensure status of the openssh-ldap package

Author:



# File 'manifests/server.pp', line 9

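class ssh::server (
  String $server_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
  String $ldap_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
) {
  simplib::assert_metadata( $module_name )

  include 'ssh'
  include 'ssh::server::conf'

  # /etc/ssh/moduli is shipped by openssh-server. Without the require, a first
  # run that evaluates this resource before the package is installed finds no
  # file to manage and silently skips it (no ensure is set), so the permissions
  # would only converge on a later run.
  file { '/etc/ssh/moduli':
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    require => Package['openssh-server'],
  }

  # Privilege-separation home/chroot for the sshd user: root-owned and not
  # writable by anyone else.
  file { '/var/empty/sshd':
    ensure  => 'directory',
    owner   => 'root',
    group   => 'root',
    mode    => '0711',
    require => Package['openssh-server'],
  }

  file { '/var/empty/sshd/etc':
    ensure  => 'directory',
    owner   => 'root',
    group   => 'root',
    mode    => '0711',
    require => Package['openssh-server'],
  }

  # Copy of the system timezone file into the chroot; follow links so a
  # symlinked /etc/localtime is resolved to its real content.
  file { '/var/empty/sshd/etc/localtime':
    source  => "file://${facts['timezone_file']}",
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    links   => 'follow',
    require => Package['openssh-server'],
  }

  group { 'sshd':
    ensure    => 'present',
    allowdupe => false,
    gid       => '74',
  }

  package { 'openssh-server':
    ensure => $server_ensure,
  }

  # openssh-ldap is only needed when ssh::server::conf has turned on LDAP
  # lookups (same scope style as the pki reference further down).
  if $ssh::server::conf::_use_ldap {
    package { 'openssh-ldap':
      ensure => $ldap_ensure,
    }
  }

  # Unprivileged account used by sshd for privilege separation; no login shell.
  user { 'sshd':
    ensure     => 'present',
    allowdupe  => false,
    comment    => 'Privilege-separated SSH',
    gid        => '74',
    home       => '/var/empty/sshd',
    membership => 'inclusive',
    shell      => '/sbin/nologin',
    uid        => '74',
  }

  # Restart sshd whenever the server configuration class changes.
  service { 'sshd':
    ensure     => 'running',
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
    require    => [
      Package['openssh-server'],
      User['sshd'],
    ],
    subscribe  => Class['ssh::server::conf'],
  }

  # Make sure all ssh keys are managed for permissions per compliance settings.
  # The ssh_host_keys fact may be undef on a host that has no host keys yet,
  # and each() cannot iterate undef; an empty list is truthy and iterates to
  # nothing, so only undef needs the guard.
  if $facts['ssh_host_keys'] {
    $facts['ssh_host_keys'].each |$key| {
      if ($key =~ /ssh_host_rsa_key/) and $ssh::server::conf::pki {
        # With PKI enabled the RSA host key comes from the app PKI key and the
        # public half is regenerated from it whenever the private key changes.
        file { $key:
          owner     => 'root',
          group     => 'root',
          mode      => '0600',
          source    => "file://${ssh::server::conf::app_pki_key}",
          subscribe => Pki::Copy['sshd'],
          notify    => [ Exec['gensshpub'], Service['sshd'] ],
        }

        file { "${key}.pub":
          owner     => 'root',
          group     => 'root',
          mode      => '0644',
          subscribe => Exec['gensshpub'],
        }

        # refreshonly: runs only when notified by a change to the private key.
        exec { 'gensshpub':
          command     => "/usr/bin/ssh-keygen -y -f ${key} > ${key}.pub",
          refreshonly => true,
          require     => [ Package['openssh-server'], File[$key] ],
        }
      }
      else {
        # Private host keys are root-only; public halves are world-readable.
        file { $key:
          owner => 'root',
          group => 'root',
          mode  => '0600',
        }

        file { "${key}.pub":
          owner => 'root',
          group => 'root',
          mode  => '0644',
        }
      }
    }
  }
}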