Puppet Class: ssh::server::conf

Inherits:
ssh::server::params
Defined in:
manifests/server/conf.pp

Summary

Sets up sshd_config and adds an iptables rule if iptables is being used.

Overview

“sshd“ configuration variables can be set using Augeas outside of this class with no adverse effects.

SSH Parameters ####

Custom Parameters ####

SIMP Parameters ####

Parameters:

  • acceptenv (Array[String]) (defaults to: $ssh::server::params::acceptenv)

    Specifies what environment variables sent by the client will be copied into the sessions environment.

  • allowgroups (Optional[Array[String]]) (defaults to: undef)

    A list of group name patterns. If specified, login is allowed only for users whose primary or supplementary group list matches one of the patterns.

  • allowusers (Optional[Array[String]]) (defaults to: undef)

    A list of user name patterns. If specified, login is allowed only for users whose name matches one of the patterns.

  • manage_authorizedkeysfile (Boolean) (defaults to: true)

    This will allow users to opt out of puppet managing their ssh authorized keys file. If set to false, authorizedkeysfile will be ignored.

  • authorizedkeysfile (String) (defaults to: '/etc/ssh/local_keys/%u')

    This is set to a non-standard location to provide for increased control over who can log in as a given user.

  • authorizedkeyscommand (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Specifies a program to be used for lookup of the user’s public keys.

  • authorizedkeyscommanduser (String) (defaults to: 'nobody')

    Specifies the user under whose account the AuthorizedKeysCommand is run.

  • banner (Stdlib::Absolutepath) (defaults to: '/etc/issue.net')

    The contents of the specified file are sent to the remote user before authentication is allowed.

  • challengeresponseauthentication (Boolean) (defaults to: false)

    Specifies whether challenge-response authentication is allowed.

  • ciphers (Optional[Array[String]]) (defaults to: undef)

    Specifies the ciphers allowed for protocol version 2. When unset, a strong set of ciphers is automatically selected by this class, taking into account whether the server is in FIPS mode.

  • clientalivecountmax (Integer) (defaults to: 0)

    @see man page for sshd_config

  • clientaliveinterval (Integer) (defaults to: 600)

    @see man page for sshd_config

  • compression (Variant[Boolean,Enum['delayed']]) (defaults to: 'delayed')

    Specifies whether compression is allowed, or delayed until the user has authenticated successfully.

  • denygroups (Optional[Array[String]]) (defaults to: undef)

    A list of group name patterns. If specified, login is disallowed for users whose primary or supplementary group list matches one of the patterns.

  • denyusers (Optional[Array[String]]) (defaults to: undef)

    A list of user name patterns. If specified, login is disallowed for users whose name matches one of the patterns.

  • gssapiauthentication (Boolean) (defaults to: $ssh::server::params::gssapiauthentication)

    Specifies whether user authentication based on GSSAPI is allowed. If the system is connected to an IPA domain, this will be default to true, based on the existance of the ‘ipa` fact.

  • hostbasedauthentication (Boolean) (defaults to: false)

    @see man page for sshd_config

  • ignorerhosts (Boolean) (defaults to: true)

    @see man page for sshd_config

  • ignoreuserknownhosts (Boolean) (defaults to: true)

    @see man page for sshd_config

  • kerberosauthentication (Boolean) (defaults to: false)

    @see man page for sshd_config

  • kex_algorithms (Optional[Array[String]]) (defaults to: undef)

    Specifies the key exchange algorithms accepted. When unset, an appropriate set of algorithms is automatically selected by this class, taking into account whether the server is in FIPS mode and whether the version of openssh installed supports this feature.

  • listenaddress (Optional[Variant[Simplib::Host, Array[Simplib::Host]]]) (defaults to: undef)

    Specifies the local addresses sshd should listen on.

  • logingracetime (Integer[0]) (defaults to: 120)

    The max number of seconds the server will wait for a successful login before disconnecting. If the value is 0, there is no limit.

  • ssh_loglevel (Optional[Ssh::Loglevel]) (defaults to: undef)

    Specifies the verbosity level that is used when logging messages from sshd.

  • macs (Optional[Array[String]]) (defaults to: undef)

    Specifies the available MAC algorithms. When unset, a strong set of ciphers is automatically selected by this class, taking into account whether the server is in FIPS mode.

  • maxauthtries (Integer[1]) (defaults to: 6)

    Specifies the maximum number of authentication attempts permitted per connection.

  • passwordauthentication (Boolean) (defaults to: true)

    Specifies whether password authentication is allowed on the sshd server.

    • This setting must be managed by default so that switching to and from OATH does not lock you out of your system.

  • permitemptypasswords (Boolean) (defaults to: false)

    When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.

  • permitrootlogin (Ssh::PermitRootLogin) (defaults to: false)

    Specifies whether root can log in using SSH.

  • permituserenvironment (Boolean) (defaults to: false)

    @see man page for sshd_config

  • port (Variant[Array[Simplib::Port],Simplib::Port]) (defaults to: 22)

    Specifies the port number SSHD listens on.

  • printlastlog (Boolean) (defaults to: false)

    Specifies whether SSHD should print the date and time of the last user login when a user logs in interactively.

  • protocol (Array[Integer[1,2]]) (defaults to: [2])

    @see man page for sshd_config

  • rhostsrsaauthentication (Optional[Boolean]) (defaults to: $ssh::server::params::rhostsrsaauthentication)

    This sshd option has been completely removed in openssh 7.4 and will cause an error message to be logged, when present. On systems using openssh 7.4 or later, only set this value if you need ‘RhostsRSAAuthentication` to be in the sshd configuration file to satisfy an outdated, STIG check.

  • strictmodes (Boolean) (defaults to: true)

    @see man page for sshd_config

  • subsystem (String) (defaults to: 'sftp /usr/libexec/openssh/sftp-server')

    Configures an external subsystem for file transfers.

  • syslogfacility (Ssh::Syslogfacility) (defaults to: 'AUTHPRIV')

    Gives the facility code that is used when logging messages.

  • tcpwrappers (Boolean) (defaults to: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false }))

    If true, enable sshd tcpwrappers.

  • usepam (Boolean) (defaults to: simplib::lookup('simp_options::pam', { 'default_value' => true }))

    Enables the Pluggable Authentication Module interface.

  • manage_pam_sshd (Boolean) (defaults to: $oath)

    Flag indicating whether or not to manage the pam stack for sshd. This is required for the oath option to work properly.

  • oath (Boolean) (defaults to: simplib::lookup('simp_options::oath', { 'default_value' => false }))

    **EXPERIMENTAL FEATURE** Configures ssh to use pam_oath TOTP in the sshd pam stack. Also configures sshd_config to use required settings. Inherits from simp_options::oath, defaults to false if not found.

  • oath_window (Integer[0]) (defaults to: 1)

    Sets the TOTP window (Defined in RFC 6238 section 5.2)

  • useprivilegeseparation (Variant[Boolean,Enum['sandbox']]) (defaults to: 'sandbox')

    Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic.

    This option has no effect on OpenSSH >= 7.5.0 due to being deprecated.

  • x11forwarding (Boolean) (defaults to: false)

    Specifies whether X11 forwarding is permitted.

  • custom_entries (Optional[Hash[String[1],NotUndef]]) (defaults to: undef)

    A Hash of key/value pairs that will be added as “sshd_config“ resources without any validation.

    • NOTE: Due to complexity, “Match“ entries are not supported and will need to be added using “sshd_config_match“ resources as described in “augeasproviders_ssh“

    @example Set AuthorizedPrincipalsCommand

    ---
ssh::server::conf::custom_entries:
  AuthorizedPrincipalsCommand: '/usr/local/bin/my_auth_command'
  • remove_entries (Optional[Array[String[1]]]) (defaults to: undef)

    List of configuration parameters that will be removed.

    • NOTE: Due to complexity, “Match“ entries are not supported and will need to be removed using “sshd_config_match“ resources as described in “augeasproviders_ssh“

  • remove_subsystems (Optional[Array[String[1]]]) (defaults to: undef)

    List of subsystems that will be removed.

  • app_pki_external_source (String) (defaults to: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }))

    • If pki = ‘simp’ or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

    • If pki = false, this variable has no effect.

  • app_pki_key (Stdlib::Absolutepath) (defaults to: "/etc/pki/simp_apps/sshd/x509/private/${facts['networking']['fqdn']}.pem")

    Path and name of the private SSL key file. This key file is used to generate the system SSH certificates for consistency.

  • enable_fallback_ciphers (Boolean) (defaults to: true)

    If true, add the fallback ciphers from ssh::server::params to the cipher list. This is intended to provide compatibility with non-SIMP systems in a way that properly supports FIPS 140-2.

  • fallback_ciphers (Array[String]) (defaults to: $ssh::server::params::fallback_ciphers)

    The set of ciphers that should be used should no other cipher be declared. This is used when $ssh::server::conf::enable_fallback_ciphers is enabled.

  • fips (Boolean) (defaults to: simplib::lookup('simp_options::fips', { 'default_value' => false }))

    If set or FIPS is already enabled, adjust for FIPS mode.

  • firewall (Boolean) (defaults to: simplib::lookup('simp_options::firewall', { 'default_value' => false }))

    If true, use the SIMP iptables class.

  • haveged (Boolean) (defaults to: simplib::lookup('simp_options::haveged', { 'default_value' => false }))

    If true, include the haveged module to assist with entropy generation.

  • ldap (Boolean) (defaults to: simplib::lookup('simp_options::ldap', { 'default_value' => false }))

    If true, enable LDAP support on the system. If authorizedkeyscommand is empty, this will set the authorizedkeyscommand to ssh-ldap-wrapper so that SSH public keys can be stored directly in LDAP.

  • pki (Variant[Enum['simp'],Boolean]) (defaults to: simplib::lookup('simp_options::pki', { 'default_value' => false }))

    • If ‘simp’, include SIMP’s pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/sshd/x509

    • If true, do not include SIMP’s pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/sshd/x509

    • If false, do not include SIMP’s pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:

      • app_pki_dir

      • app_pki_key

      • app_pki_cert

      • app_pki_ca

      • app_pki_ca_dir

  • sssd (Boolean) (defaults to: simplib::lookup('simp_options::sssd', { 'default_value' => false }))

    If true, use sssd

  • ensure_sssd_packages (Variant[Boolean,Array[String[1]]]) (defaults to: ['sssd-common'])

    A list of SSSD-related packages to ensure are installed on the system.

    • Set to ‘false` to prevent package management.

  • trusted_nets (Simplib::Netlist) (defaults to: ['ALL'])

    The networks to allow to connect to SSH.

Author:



261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
 
# File 'manifests/server/conf.pp', line 261

class ssh::server::conf (
#### SSH Parameters ####
  Array[String]                                          $acceptenv                       = $ssh::server::params::acceptenv,
  Optional[Array[String]]                                $allowgroups                     = undef,
  Optional[Array[String]]                                $allowusers                      = undef,
  Boolean                                                $manage_authorizedkeysfile       = true,
  String                                                 $authorizedkeysfile              = '/etc/ssh/local_keys/%u',
  Optional[Stdlib::Absolutepath]                         $authorizedkeyscommand           = undef,
  String                                                 $authorizedkeyscommanduser       = 'nobody',
  Stdlib::Absolutepath                                   $banner                          = '/etc/issue.net',
  Boolean                                                $challengeresponseauthentication = false,
  Optional[Array[String]]                                $ciphers                         = undef,
  Integer                                                $clientalivecountmax             = 0,
  Integer                                                $clientaliveinterval             = 600,
  Variant[Boolean,Enum['delayed']]                       $compression                     = 'delayed',
  Optional[Array[String]]                                $denygroups                      = undef,
  Optional[Array[String]]                                $denyusers                       = undef,
  Boolean                                                $gssapiauthentication            = $ssh::server::params::gssapiauthentication,
  Boolean                                                $hostbasedauthentication         = false,
  Boolean                                                $ignorerhosts                    = true,
  Boolean                                                $ignoreuserknownhosts            = true,
  Boolean                                                $kerberosauthentication          = false,
  Optional[Array[String]]                                $kex_algorithms                  = undef,
  Optional[Variant[Simplib::Host, Array[Simplib::Host]]] $listenaddress                   = undef,
  Integer[0]                                             $logingracetime                  = 120,
  Optional[Ssh::Loglevel]                                $ssh_loglevel                    = undef,
  Optional[Array[String]]                                $macs                            = undef,
  Integer[1]                                             $maxauthtries                    = 6,
  Boolean                                                $usepam                          = simplib::lookup('simp_options::pam', { 'default_value' => true }),
  Boolean                                                $passwordauthentication          = true,
  Boolean                                                $permitemptypasswords            = false,
  Ssh::PermitRootLogin                                   $permitrootlogin                 = false,
  Boolean                                                $permituserenvironment           = false,
  Variant[Array[Simplib::Port],Simplib::Port]            $port                            = 22,
  Boolean                                                $printlastlog                    = false,
  Array[Integer[1,2]]                                    $protocol                        = [2],
  Optional[Boolean]                                      $rhostsrsaauthentication         = $ssh::server::params::rhostsrsaauthentication,
  Boolean                                                $strictmodes                     = true,
  String                                                 $subsystem                       = 'sftp /usr/libexec/openssh/sftp-server',
  Ssh::Syslogfacility                                    $syslogfacility                  = 'AUTHPRIV',
  Boolean                                                $tcpwrappers                     = simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false }),
  Variant[Boolean,Enum['sandbox']]                       $useprivilegeseparation          = 'sandbox',
  Boolean                                                $x11forwarding                   = false,
  Optional[Hash[String[1],NotUndef]]                     $custom_entries                  = undef,
  Optional[Array[String[1]]]                             $remove_entries                  = undef,
  Optional[Array[String[1]]]                             $remove_subsystems               = undef,

#### SIMP parameters ####
  String                                                 $app_pki_external_source         = simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }),
  Stdlib::Absolutepath                                   $app_pki_key                     = "/etc/pki/simp_apps/sshd/x509/private/${facts['networking']['fqdn']}.pem",
  Boolean                                                $enable_fallback_ciphers         = true,
  Array[String]                                          $fallback_ciphers                = $ssh::server::params::fallback_ciphers,
  Boolean                                                $fips                            = simplib::lookup('simp_options::fips', { 'default_value' => false }),
  Boolean                                                $firewall                        = simplib::lookup('simp_options::firewall', { 'default_value' => false }),
  Boolean                                                $haveged                         = simplib::lookup('simp_options::haveged', { 'default_value' => false }),
  Boolean                                                $ldap                            = simplib::lookup('simp_options::ldap', { 'default_value' => false }),
  Boolean                                                $oath                            = simplib::lookup('simp_options::oath', { 'default_value' => false }),
  Boolean                                                $manage_pam_sshd                 = $oath,
  Integer[0]                                             $oath_window                     = 1,
  Variant[Enum['simp'],Boolean]                          $pki                             = simplib::lookup('simp_options::pki', { 'default_value' => false }),
  Boolean                                                $sssd                            = simplib::lookup('simp_options::sssd', { 'default_value' => false }),
  Variant[Boolean,Array[String[1]]]                      $ensure_sssd_packages            = ['sssd-common'],
  Simplib::Netlist                                       $trusted_nets                    = ['ALL']
) inherits ssh::server::params {
  assert_private()

  $_ports = flatten([$port])

  if $haveged {
    simplib::assert_optional_dependency($module_name, 'simp/haveged')

    include 'haveged'
  }

  if $authorizedkeyscommand {
    if empty($authorizedkeyscommanduser) {
      fail('$authorizedkeyscommanduser must be set if $authorizedkeyscommand is set')
    }
  }

  if $pki {
    simplib::assert_optional_dependency($module_name, 'simp/pki')

    pki::copy { 'sshd':
      source => $app_pki_external_source,
      pki    => $pki,
    }
  }

  if $ldap {
    if $sssd {
      $_use_ldap = false
    }
    else {
      $_use_ldap = $ldap
    }
  }
  else {
    $_use_ldap = $ldap
  }

  if $macs and !empty($macs) {
    $_macs = $macs
  }
  else {
    if $fips or $facts['fips_enabled'] {
      $_macs = $ssh::server::params::fips_macs
    }
    else {
      $_macs = $ssh::server::params::macs
    }
  }

  # sshd_config resource does not treat Protocol as an array
  # NOTE: This appears to be only for openssh 6.x (early CentOS 7), but has not
  # yet been rejected by openssh > 6.
  $_protocol = $protocol.unique.join(',')

  if $ciphers and !empty($ciphers) {
    $_main_ciphers = $ciphers
  }
  else {
    if $fips or $facts['fips_enabled'] {
      $_main_ciphers = $ssh::server::params::fips_ciphers
    }
    else {
      $_main_ciphers = $ssh::server::params::ciphers
    }
  }

  if $enable_fallback_ciphers {
    $_ciphers = unique(flatten([$_main_ciphers,$fallback_ciphers]))
  }
  else {
    $_ciphers = $_main_ciphers
  }

  if $kex_algorithms and !empty($kex_algorithms) {
    $_kex_algorithms = $kex_algorithms
  }
  else {
    if $fips or $facts['fips_enabled'] {
      $_kex_algorithms = $ssh::server::params::fips_kex_algorithms
    }
    else {
      $_kex_algorithms = $ssh::server::params::kex_algorithms
    }
  }

  if $oath {
    $_usepam = true
  }
  else {
    $_usepam = $usepam
  }

  if $_usepam {
    if $oath {
      simplib::assert_optional_dependency($module_name, 'simp/oath')

      include 'oath'

      $_challengeresponseauthentication = true
      $_passwordauthentication = false
    }

    if $manage_pam_sshd {
      file { '/etc/pam.d/sshd':
        ensure  => file,
        content => epp('ssh/etc/pam.d/sshd.epp'),
      }
    }
  }

  file { '/etc/ssh/sshd_config':
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    notify => Service['sshd']
  }

  ssh::add_sshd_config('AcceptEnv', $acceptenv, $remove_entries)
  ssh::add_sshd_config('AllowGroups', $allowgroups, $remove_entries)
  ssh::add_sshd_config('AllowUsers', $allowusers, $remove_entries)
  if $authorizedkeyscommand {
    ssh::add_sshd_config('AuthorizedKeysCommand', $authorizedkeyscommand, $remove_entries)
    ssh::add_sshd_config('AuthorizedKeysCommandUser', $authorizedkeyscommanduser, $remove_entries)
  }
  elsif $sssd {
    if $ensure_sssd_packages {
      if $ensure_sssd_packages =~ Array {
        $_sssd_packages = $ensure_sssd_packages
      }
      else {
        $_sssd_packages = ['sssd-common']
      }

      ensure_packages($_sssd_packages)
    }

    ssh::add_sshd_config('AuthorizedKeysCommand', '/usr/bin/sss_ssh_authorizedkeys', $remove_entries)
    ssh::add_sshd_config('AuthorizedKeysCommandUser', $authorizedkeyscommanduser, $remove_entries)
  }
  elsif $_use_ldap {
    ssh::add_sshd_config('AuthorizedKeysCommand', '/usr/libexec/openssh/ssh-ldap-wrapper', $remove_entries)
    ssh::add_sshd_config('AuthorizedKeysCommandUser', $authorizedkeyscommanduser, $remove_entries)
  }
  if $manage_authorizedkeysfile {
    ssh::add_sshd_config('AuthorizedKeysFile', $authorizedkeysfile, $remove_entries)
  }
  ssh::add_sshd_config('Banner', $banner, $remove_entries)
  ssh::add_sshd_config('ChallengeResponseAuthentication', ssh::config_bool_translate(defined('$_challengeresponseauthentication') ? { true => $_challengeresponseauthentication, default => $challengeresponseauthentication } ), $remove_entries)
  ssh::add_sshd_config('Ciphers', $_ciphers, $remove_entries)
  ssh::add_sshd_config('ClientAliveCountMax', String($clientalivecountmax), $remove_entries)
  ssh::add_sshd_config('ClientAliveInterval', String($clientaliveinterval), $remove_entries)
  ssh::add_sshd_config('Compression', ssh::config_bool_translate($compression), $remove_entries)
  ssh::add_sshd_config('DenyGroups', $denygroups, $remove_entries)
  ssh::add_sshd_config('DenyUsers', $denyusers, $remove_entries)
  ssh::add_sshd_config('GSSAPIAuthentication', ssh::config_bool_translate($gssapiauthentication), $remove_entries)
  ssh::add_sshd_config('HostbasedAuthentication', ssh::config_bool_translate($hostbasedauthentication), $remove_entries)
  ssh::add_sshd_config('IgnoreRhosts', ssh::config_bool_translate($ignorerhosts), $remove_entries)
  ssh::add_sshd_config('IgnoreUserKnownHosts', ssh::config_bool_translate($ignoreuserknownhosts), $remove_entries)
  ssh::add_sshd_config('KerberosAuthentication', ssh::config_bool_translate($kerberosauthentication), $remove_entries)
  ssh::add_sshd_config('KexAlgorithms', $_kex_algorithms, $remove_entries)
  if $listenaddress {
    ssh::add_sshd_config('ListenAddress', $listenaddress, $remove_entries)
  }
  ssh::add_sshd_config('LoginGraceTime', $logingracetime, $remove_entries)
  ssh::add_sshd_config('LogLevel', $ssh_loglevel, $remove_entries)
  ssh::add_sshd_config('MACs', $_macs, $remove_entries)
  ssh::add_sshd_config('MaxAuthTries', $maxauthtries, $remove_entries)
  ssh::add_sshd_config('PasswordAuthentication', ssh::config_bool_translate(defined('$_passwordauthentication') ? { true => $_passwordauthentication, default => $passwordauthentication} ), $remove_entries)
  ssh::add_sshd_config('PermitEmptyPasswords', ssh::config_bool_translate($permitemptypasswords), $remove_entries)
  ssh::add_sshd_config('PermitRootLogin', ssh::config_bool_translate($permitrootlogin), $remove_entries)
  ssh::add_sshd_config('PermitUserEnvironment', ssh::config_bool_translate($permituserenvironment), $remove_entries)
  ssh::add_sshd_config('Port', $_ports, $remove_entries)
  ssh::add_sshd_config('PrintLastLog', ssh::config_bool_translate($printlastlog), $remove_entries)
  ssh::add_sshd_config('Protocol', $_protocol, $remove_entries)
  if $rhostsrsaauthentication != undef {
    ssh::add_sshd_config('RhostsRSAAuthentication', ssh::config_bool_translate($rhostsrsaauthentication), $remove_entries)
  }
  ssh::add_sshd_config('StrictModes', ssh::config_bool_translate($strictmodes), $remove_entries)
  ssh::add_sshd_config('SyslogFacility', $syslogfacility, $remove_entries)
  ssh::add_sshd_config('UsePAM', ssh::config_bool_translate($_usepam), $remove_entries)
  ssh::add_sshd_config('X11Forwarding', ssh::config_bool_translate($x11forwarding), $remove_entries)

  # Version dependent items
  if versioncmp($facts['openssh_version'], '7.5') < 0 {
    ssh::add_sshd_config('UsePrivilegeSeparation', ssh::config_bool_translate($useprivilegeseparation), $remove_entries)
  }
  elsif !$remove_entries or ($remove_entries and !('UsePrivilegeSeparation' in $remove_entries)) {
    sshd_config { 'UsePrivilegeSeparation': ensure =>  absent }
  }

  # Custom manipulation
  if $custom_entries {
    $custom_entries.each |$key, $value| {
      sshd_config { $key: value => $value }
    }
  }

  if $remove_entries {
    $remove_entries.unique.each |$key| { sshd_config { $key: ensure => absent } }
  }

  $subsystem_array = split($subsystem, ' +')
  sshd_config_subsystem { $subsystem_array[0]: command => join($subsystem_array[1,-1], ' ') }

  if $remove_subsystems {
    $remove_subsystems.unique.each |$subsystem| {
      sshd_config_subsystem { $subsystem: ensure => absent }
    }
  }

  file { '/etc/ssh/local_keys':
    ensure  => 'directory',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    recurse => true,
  }

  $_ports.each |Simplib::Port $sel_port| {
    if ($sel_port != 22) and $facts['os']['selinux']['enforced'] {
      if simplib::module_exist('simp/selinux') {
        simplib::assert_optional_dependency($module_name, 'simp/selinux')
        simplib::assert_optional_dependency($module_name, 'simp/vox_selinux')

        include vox_selinux

      }
      else {
        simplib::assert_optional_dependency($module_name, 'puppet/selinux')
        include selinux
      }

      selinux_port { "tcp_${sel_port}-${sel_port}":
        low_port  => $sel_port,
        high_port => $sel_port,
        seltype   => 'ssh_port_t',
        protocol  => 'tcp'
      }
    }
  }

  if $firewall {
    simplib::assert_optional_dependency($module_name, 'simp/iptables')

    include 'iptables'

    iptables::listen::tcp_stateful { 'allow_sshd':
      order        => 8,
      trusted_nets => $trusted_nets,
      dports       => $_ports,
    }
  }

  if $tcpwrappers {
    simplib::assert_optional_dependency($module_name, 'simp/tcpwrappers')

    include 'tcpwrappers'

    tcpwrappers::allow { 'sshd':
      pattern => simplib::nets2ddq($trusted_nets),
      order   => 1
    }
  }
}