Install, configure and manage the client and server parts of the OpenSSH implementation.
This module is fully parameterized and intended to be used with External Node Classifiers (ENC).
Settings are pre-set for ssh-key authentication, i.e. passwordless secure remote access.
**__!!! Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as to tune the parameters, before deploying into live production!!! __**
- install required packages for SSH client and sshd daemon
- manage directories and permissions
- manage server configuration files, contents and permissions, depending on OS version.
- manage client configuration file and permissions (content is not managed, as it is usually overwritten at various levels on the user's end).
- manage service
- enable fail2ban monitoring
- enable nagios monitoring
- enable and manage firewall
Repo structure has been moved to REPOSTRUCTURE.md
- native Puppet deployment: via site.pp or nodes.pp
- through Foreman:
In order to apply parameters through Foreman, cd_ssh::params must be added to the host or hostgroup in question.
- cd_resources for repo management
- puppetlabs firewall for iptables management (optional)
- cd_fail2ban for Fail2ban monitoring (optional)
- cd_nagios for Nagios monitoring (optional)
The following parameters can be overridden in params.pp or ENC (recommended). Values can typically be used as they are unless noted otherwise. Most of the parameters are used in configuration files, and will take immediate effect at the next puppet run. See man sshd_config for more details.
There are currently no mandatory parameters, i.e. the module should work out of the box, as it will basically deploy the same set of values as a default installation of openssh would under CentOS.
- $sshd_manage_sshclient: Whether to manage the configuration file for ssh clients. Defaults to
- $sshd_enable_nagios: Whether to enable nagios monitoring for the sshd service. Defaults to
- $sshd_target_service: The path for the nagios configuration file for this service definition. Only active if $sshd_enable_nagios is set to true. Defaults to '/etc/nagios/conf.d/ssh_service.cfg'
- $sshd_fail2ban_enable: Whether to enable fail2ban monitoring for the sshd service. Defaults to
- $sshd_fail2ban_max_retry: Specify the maximum number of retries for logging on to SSH before fail2ban temporarily bans the client IP address. Defaults to
- $sshd_fail2ban_config: Specify the name of the jail file. Defaults to
- $sshd_fail2ban_path: Specify the path for the jail file. Defaults to
- $sshd_enable_firewall: Whether or not to manage the firewall for sshd. Defaults to
- $sshd_fw_order_ipv4: Ordering number for the ipv4 firewall, i.e. where in the firewall the rule will show up. Defaults to 008. Adjust to your environment.
- $sshd_fw_order_ipv6: Ordering number for the ipv6 firewall, i.e. where in the firewall the rule will show up. Defaults to 009. Adjust to your environment.
All files and directories are set with the correct SELinux context. If SELinux is disabled (not recommended), these contexts are ignored.
- OS: CentOS 6,7
- rpm sources:
- vendor repos for OS-related packages
- Puppet 3.x
- The original sshd_config file shipped with CentOS 7 comes with two additional options:

```
# Uncomment this if you want to use .local domain
#Host *.local
#   CheckHostIP no
```

However, when uncommenting either option, the sshd daemon fails to start. Neither option is documented in the man page either. For that reason I did not include them in either the parameters or the configuration file.
- KerberosGetAFSToken: Available in the config file with default no, and documented in the man page. However, when uncommenting this option, even set to 'no', sshd reports the error 'Unsupported option KerberosGetAFSToken'. This is likely because sshd in CentOS is not compiled with AFS support. The option is left commented out. If you need this feature, you may need to provide an RPM compiled with AFS support; this goes beyond the scope of this module.
- Puppet Lint
- excluded tests:
--no-class_inherits_from_params_class-check: relevant only to unsupported, outdated puppet versions
--no-variable_scope-check: not applicable, as we are inheriting parameters from the params class. The lint check does not distinguish between facts and inherited parameters.
--no-80chars-check: it is not always possible to stay within 80 characters, although this typically only occurs in the parameter vault
--no-arrow_alignment-check: this check actually leads to not having an easily readable arrow alignment, as it checks per block, not per class.
- Puppet Parser
- ERB Template Parser
- Test for unwanted UTF8 files in the Puppet code (see tests/UTF_Files)
ConfDroid as entity is entirely independent from Puppet. We provide custom configuration modules, written for specific purposes and specific environments. The modules are tested and supported only as documented, and require testing in designated environments (i.e. lab or development environments) for parameter tuning etc. before deploying into production environments.