REFERENCE.md
Reference

Table of Contents

Classes

  • sshd: Configure default sshd settings

Defined types

Classes

sshd

Configure default sshd settings

Examples

include sshd

Parameters

The following parameters are available in the sshd class:

allow_list

Data type: Hash

Hash to pass to allow_from.pp, where each top-level key is the resource name and the value under it is the parameter hash to pass to allow_from.pp.

See allow_from.pp for allowed values

Example:

sshd::allow_list:
  "dummyuser":
    hostlist:
      - "1.1.1.1"
    users:
      - "dummyuser"
    additional_match_params:
      PubkeyAuthentication: "yes"
      AuthenticationMethods: "publickey"
      Banner: "none"
      MaxAuthTries: "6"
      MaxSessions: "10"
      X11Forwarding: "no"
      AuthorizedKeysFile: "/delta/home/keys/%u"
  "dummygroup":
    hostlist:
      - "2.2.2.2"
    groups:
      - "dummygroup"
    additional_match_params:
      PubkeyAuthentication: "yes"
      AuthenticationMethods: "publickey"
      Banner: "none"
      MaxAuthTries: "6"
      MaxSessions: "10"
      X11Forwarding: "no"
      AuthorizedKeysFile: "/delta/home/keys/%u"

banner

Data type: Optional[String]

A string to create a banner that is displayed before login, i.e. before authentication. Defining this parameter automatically sets the corresponding sshd_config option. If you also define the Banner config option in hiera, the Puppet agent will not run. Example of hiera data:

sshd::banner: |2+

  Login with NCSA Kerberos + NCSA Duo multi-factor.

  DUO Documentation:  https://go.ncsa.illinois.edu/2fa

Default value: undef

banner_ignore

Data type: Boolean

Disable setting the banner in sshd even if banner content is set.

config

Data type: Hash

Hash of global config settings. Defaults are provided by this module. Values from multiple sources are merged. Key collisions are resolved in favor of the higher priority value.

config_file

Data type: String

Full path to sshd_config file

config_matches

Data type: Hash[String,Hash]

Hash of config "match" conditions and settings. Keys are match conditions. Values are a hash of sshd_config settings for the match condition. Expected format:

---
sshd::config_matches:
  Unique condition one:
    SettingOne: val
    SettingTwo:
      - val2
      - val3
  Unique condition two:
    SettingOne: val
    SettingTwo:
      - val2
      - val3

# Example
sshd::config_matches:
  "Address 1.1.1.1,2.2.2.2 Group groupname User user1,user2":
    PubkeyAuthentication: "yes"
    AuthenticationMethods: "publickey"
    Banner: "none"
    MaxAuthTries: "6"
    MaxSessions: "10"
    X11Forwarding: "no"
    AuthorizedKeysFile: "/cluster/home/keys/%u"
  "Address 3.3.3.3 Group groupname2":
    PubkeyAuthentication: "yes"
    AuthenticationMethods: "publickey"
    Banner: "none"
    MaxAuthTries: "6"
    MaxSessions: "10"
    X11Forwarding: "no"
    AuthorizedKeysFile: "/cluster/home/groupname2/%u"

Note that condition strings must be valid sshd_config criteria-pattern pairs.
Values from multiple sources are merged.
Key collisions are resolved in favor of the higher priority value.
Merges are deep to allow use of the knockout_prefix '-' (to remove a key
from the final result).

Also note that unlike the allow_list parameter, adding match blocks using
this param will not edit iptables/sssd/access.conf configs. This might be
preferred if you need to add a match block with a negated user like:
User *,!wa0*
If you tried to use allow_list for a list of users like that, it would attempt
to create access.conf/sssd allows for the user !wa0*, which doesn't make sense
and will actually cause Puppet errors.

This param is also useful for adding a match block where the match line is more
customized than what allow_list can accept.
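The merge rules above (values from multiple Hiera sources are merged, the higher priority value wins on collision, and the '-' knockout prefix removes a key) and the requirement that condition strings be valid criteria-pattern pairs are modelled in the following added Python example. It is not the module's code: the deep-merge behaviour follows the description in this section, the set of valid Match criteria comes from sshd_config(5), and rendering an array value as one keyword line per element is an assumption.

```python
"""Model of the Hiera merge semantics and Match-block rendering documented for
config_matches.  Constructed example, not module code: the merge rules follow
the text above, and one-keyword-line-per-array-element rendering is assumed."""
from __future__ import annotations

from typing import Any

KNOCKOUT_PREFIX = "-"

# Criteria accepted by the sshd_config Match directive (sshd_config(5)).
VALID_MATCH_CRITERIA = {"User", "Group", "Host", "LocalAddress", "LocalPort",
                        "RDomain", "Address"}


def deep_merge(lower: dict, higher: dict) -> dict:
    """Merge `higher` (the higher-priority Hiera source) over `lower`.

    Nested hashes recurse, arrays are unioned, and on a key collision the
    value from `higher` wins.  A key or array element written with the
    knockout prefix '-' removes the corresponding entry from the result.
    """
    result: dict = dict(lower)
    for key, value in higher.items():
        if key.startswith(KNOCKOUT_PREFIX):
            result.pop(key[len(KNOCKOUT_PREFIX):], None)
        elif isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        elif isinstance(value, list) and isinstance(result.get(key), list):
            merged = list(result[key])
            for item in value:
                if isinstance(item, str) and item.startswith(KNOCKOUT_PREFIX):
                    target = item[len(KNOCKOUT_PREFIX):]
                    merged = [m for m in merged if m != target]
                elif item not in merged:
                    merged.append(item)
            result[key] = merged
        else:
            result[key] = value
    return result


def parse_match_condition(condition: str) -> list[tuple[str, str]]:
    """Split a config_matches key into (criterion, pattern) pairs and reject
    any token that is not a valid Match criterion, so a typo in Hiera is
    caught before an unparsable sshd_config is written out."""
    tokens = condition.split()
    if not tokens or len(tokens) % 2:
        raise ValueError(f"Match condition {condition!r} is not criterion/pattern pairs")
    pairs = list(zip(tokens[0::2], tokens[1::2]))
    for criterion, _pattern in pairs:
        if criterion not in VALID_MATCH_CRITERIA:
            raise ValueError(f"unknown Match criterion {criterion!r} in {condition!r}")
    return pairs


def render_match_blocks(config_matches: dict[str, dict[str, Any]]) -> str:
    """Render a (merged) config_matches hash as sshd_config Match blocks.
    Array values become one keyword line per element (assumption)."""
    lines: list[str] = []
    for condition, settings in config_matches.items():
        pairs = parse_match_condition(condition)
        lines.append("Match " + " ".join(f"{c} {p}" for c, p in pairs))
        for keyword, value in settings.items():
            for v in (value if isinstance(value, list) else [value]):
                lines.append(f"    {keyword} {v}")
    return "\n".join(lines) + "\n"


# Constructed Hiera layers: a low-priority common layer and a higher-priority
# node layer that overrides one setting and knocks out two others.
COMMON_MATCHES = {
    "Address 3.3.3.3 Group groupname2": {
        "PubkeyAuthentication": "yes",
        "MaxAuthTries": "6",
        "X11Forwarding": "no",
        "AcceptEnv": ["LANG", "LC_ALL"],
    },
}
NODE_MATCHES = {
    "Address 3.3.3.3 Group groupname2": {
        "MaxAuthTries": "3",             # collision: higher-priority value wins
        "-X11Forwarding": "",            # knockout: key removed from the result
        "AcceptEnv": ["-LC_ALL", "TZ"],  # knockout of one array element
    },
    "User *,!wa0*": {                    # negated user: fine here, not in allow_list
        "PasswordAuthentication": "no",
    },
}


def merged_matches() -> dict:
    """The config_matches hash a node would see after Hiera deep merge."""
    return deep_merge(COMMON_MATCHES, NODE_MATCHES)


if __name__ == "__main__":
    print(render_match_blocks(merged_matches()), end="")
```

Running the script prints the two Match blocks the node layer produces; the X11Forwarding line and the LC_ALL element are gone, MaxAuthTries carries the node value, and the negated-user block is emitted untouched because config_matches never tries to turn it into an access.conf entry.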

config_subsystems

Data type: Hash

Hash of sshd subsystems to enable and configure

manage_service

Data type: Boolean

Flag of whether to manage sshd service

required_packages

Data type: Array[String]

List of package names to be installed (OS specific). (Defaults provided by module should be sufficient).

revoked_keys

Data type: Array[String]

List of ssh public keys to disallow. Values from multiple sources are merged.

revoked_keys_file

Data type: String

Full path to name of revoked keys file

service_name

Data type: String

Name of sshd service

trusted_subnets

Data type: Array

Array of IPs and CIDRs to be allowed through the firewall. Values from multiple sources are merged.

Defined types

sshd::allow_from

Enable incoming ssh for a given set of hosts

Update iptables firewall

Update sshd_config with a Match directive and associated settings

Update access.conf

Examples

sshd::allow_from { 'namevar': }
sshd::allow_from { 'allow incoming ssh by users 1,2,3 from hosts X,Y,Z':
  users                   => ['user1', 'user2', 'user3'],      # Array[String]
  groups                  => [],                               # Array[String]
  hostlist                => ['X', 'Y', 'Z'],                  # Array[String, 1]
  additional_match_params => { 'PubkeyAuthentication' => 'yes' },  # Hash[String, Data]
}

Parameters

The following parameters are available in the sshd::allow_from defined type:

users

Data type: Array[String]

List of users to allow (from hostlist)

Note: If both "users" and "groups" are empty, an error is raised.

Default value: []

groups

Data type: Array[String]

List of groups to allow (from hostlist)

Note: If both "users" and "groups" are empty, an error is raised.

Default value: []

hostlist

Data type: Array[String, 1]

List of IPs or Hostnames that (users/groups) are allowed to ssh from

additional_match_params

Data type: Hash[String, Data]

Sshd config keywords and values. Format:

additional_match_params = {
  'keyword1' => 'value1',
  'keyword2' => 'value2',
  'keyword3' => [ 'val3_1', 'val3_2' ],
}

Default value: {}
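The defined type above is documented as doing three things for one set of users/groups and hosts (a firewall rule, a Match block in sshd_config, and an access.conf entry) and as raising an error when both users and groups are empty. The following added Python example models those effects end to end, including the check from the config_matches section that a negated user such as !wa0* does not belong in allow_from. It is example code, not the module's templates: the exact access.conf and iptables rule shapes, the listening port, the pam_access "(group)" notation, and the split of hostlist into Address (IP/CIDR) versus Host (hostname) criteria are assumptions.

```python
"""Constructed model of what sshd::allow_from is documented to manage for one
users/groups/hostlist set.  Example code, not the module's own templates; the
rule shapes, port and IP-vs-hostname split are assumptions."""
from __future__ import annotations

import ipaddress
from typing import Any

SSH_PORT = 22  # assumed listening port


def validate_allow_from(users: list[str], groups: list[str], hostlist: list[str]) -> None:
    """Enforce the documented constraints: hostlist is non-empty, at least one
    of users/groups is given, and no pattern syntax is present, because
    access.conf/sssd entries for a name like '!wa0*' are meaningless."""
    if not hostlist:
        raise ValueError("hostlist must contain at least one IP or hostname")
    if not users and not groups:
        raise ValueError("at least one of users or groups must be given")
    for name in [*users, *groups]:
        if "!" in name or "*" in name:
            raise ValueError(f"pattern {name!r} cannot be expressed in access.conf; "
                             "use config_matches for such Match blocks")


def split_hosts(hostlist: list[str]) -> tuple[list[str], list[str]]:
    """Separate IPs/CIDRs from hostnames: sshd matches the former with the
    Address criterion and the latter with Host (which needs reverse DNS)."""
    addresses: list[str] = []
    hostnames: list[str] = []
    for host in hostlist:
        try:
            ipaddress.ip_network(host, strict=False)
            addresses.append(host)
        except ValueError:
            hostnames.append(host)
    return addresses, hostnames


def render_match(users: list[str], groups: list[str], hostlist: list[str],
                 params: dict[str, Any]) -> str:
    """The sshd_config Match block for this allow_from resource."""
    addresses, hostnames = split_hosts(hostlist)
    criteria: list[str] = []
    if addresses:
        criteria.append(f"Address {','.join(addresses)}")
    if hostnames:
        criteria.append(f"Host {','.join(hostnames)}")
    if users:
        criteria.append(f"User {','.join(users)}")
    if groups:
        criteria.append(f"Group {','.join(groups)}")
    lines = ["Match " + " ".join(criteria)]
    for keyword, value in params.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"    {keyword} {v}")
    return "\n".join(lines) + "\n"


def render_access_conf(users: list[str], groups: list[str], hostlist: list[str]) -> str:
    """pam_access line 'permission : users-and-(groups) : origins' (assumed shape)."""
    subjects = [*users, *[f"({g})" for g in groups]]
    return f"+ : {' '.join(subjects)} : {' '.join(hostlist)}"


def render_firewall_rules(hostlist: list[str]) -> list[str]:
    """One iptables allow rule per source (assumed shape).  A hostname is
    resolved once when the rule is inserted, so prefer IPs/CIDRs for anything
    whose address may change."""
    return [f"-A INPUT -p tcp -s {host} --dport {SSH_PORT} -j ACCEPT" for host in hostlist]


def allow_from(title: str, users=(), groups=(), hostlist=(),
               additional_match_params: dict[str, Any] | None = None) -> dict[str, Any]:
    """Validate the parameters and return the three managed artefacts."""
    users, groups, hostlist = list(users), list(groups), list(hostlist)
    params = dict(additional_match_params or {})
    validate_allow_from(users, groups, hostlist)
    return {
        "title": title,
        "sshd_config": render_match(users, groups, hostlist, params),
        "access_conf": render_access_conf(users, groups, hostlist),
        "firewall": render_firewall_rules(hostlist),
    }


if __name__ == "__main__":
    # Constructed input mirroring the "dummyuser" entry of the allow_list example.
    result = allow_from("dummyuser", users=["dummyuser"], hostlist=["1.1.1.1"],
                        additional_match_params={"PubkeyAuthentication": "yes",
                                                 "AuthenticationMethods": "publickey"})
    print(result["sshd_config"], result["access_conf"], *result["firewall"], sep="\n")
```

The validation runs before anything is rendered, so a Hiera entry that would produce a nonsensical access.conf line fails with a clear message rather than a half-applied set of changes; the same idea is what the module's own error for an empty users/groups pair provides.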