cd_ssh | Release Notes


Install, configure and manage the client and server parts of openssl ssh implementation.

This module is fully parameterized and intended to be used with External Node Classifiers (ENC).

Settings are pre-set for ssh-key authentication, i.e. passwordless secure remote access.


**__!!! Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previuos confugurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production!!! __**

Git Repo


  • Default:
    • install required packages for SSH client and sshd daemon
    • manage directories and permissions
    • manage server configuration files, contents and permissions, depending on OS version.
    • manage client configuration file and permissions ( content is not managed as this usually is overwritten on various levels on user end).
    • manage service
  • Optional:
    • enable fail2ban monitoring
    • enable nagios monitoring
    • enable and manage firewall

Repo Structure

Repostructure has been moved to


  • native Puppet deployment: via site.pp or nodes.pp
include cd_ssh

  • through Foreman:

In order to apply parameters through Foreman, cd_ssh::params must be added to the host or hostgroup in question.



The following parameters can be overriden in params.pp or ENC (recommended). Values typically can be used as are unless noted otherwise. Most of the parameters are used in configuration files, and will take immediate effect at next puppet run. See man sshd_config for more details.

Mandatory Parameters

There are currently no mandatory parameters, i.e. the module should work out of box as this will basically deploy the same set of values as the default installation of openssh would do under CentOS.

Optional Parameters

  • $sshd_manage_sshclient : Whether to manage the configuration file for ssh clients. Defaults to true.
  • $sshd_enable_nagios : Whether to enable nagios monitoring for the sshd service. Defaults to false.
  • $sshd_target_service : The path for the nagios configuration file for this service definition. Only active if $sshd_enable_nagios is set to true. Defaults to '/etc/nagios/conf.d/ssh_service.cfg'
  • $sshd_fail2ban_enable : Whether to enable fail2ban monitoring for the sshd service. Defaults to false.
  • $sshd_fail2ban_max_retry : Specify the amount of maximum retries for logging on to SSH before fail2ban bans the client IP address temporarily. Defaults to 2.
  • $sshd_fail2ban_config : Specify the name of the jail file. Defaults to sshd.local.
  • $sshd_fail2ban_path : Specify the path for the jail file. Defauls to /etc/fail2ban/jail.d.
  • $sshd_enable_firewall : Whether or not to manage the firewall for sshd. Defaults to true.
  • $sshd_fw_order_ipv4 : Ordering number for the ipv4 firewall, i.e. where in the firewall the rule will show up. Defaults to 008. Adjust to your environment.
  • $sshd_fw_order_ipv6 : Ordering number for the ipv6 firewall, i.e. where in the firewall the rule will show up. Defaults to 009. Adjust to your environment.

See the full list of editable parameters.


All files and directories are set with correct selinux context. If selinux is disabled (not recommended), these contexts will be ignored.


  • OS: CentOS 6,7
  • rpm sources:
    • vendor repos for OS-related packages
  • Puppet 3.x

Known Problems

  • The original sshd_config file with CentOS7 comes with two additional options:
    # Uncomment this if you want to use .local domain
    #Host *.local
    # CheckHostIP no

    However, when uncommenting either option, the sshd daemon fails to start. Both options are also not documented in the man page. For that reason I did not include them in either parameters or teh configuration file.

  • KerberosGetAFSToken: Available in config file with default no, and documented in man page. However when uncommenting this option even set to 'no', an error 'Unsupported option KerberosGetAFSToken'. Likely down to SSHD not compiled with AFS in CentOS. Commented option. If you need this feature, you may need to provide an RPM compiled with AFS support. This goes beyond the scope of this module.


  • Puppet Lint
    • excluded tests:
    • --no-class_inherits_from_params_class-check:relavant only to non-supported outdated puppet versions
    • --no-variable_scope-check: not applicable as we are inheriting parameters from params class. the lint check does not distinguish between facts and inherited parameters.
    • --no-80chars-check: it is not always possible to stay within 80 characters, although typically only occurring on the parameter vault params.pp.
    • --no-arrow_alignment-check: this check leads to actually not having am easily readable arrow alignment, as this checks per block, not per class.
  • Puppet Parser
  • ERB Template Parser
  • Test for unwanted UTF8 files in the Puppet code (see tests/UTF_Files)

Contact Us

contact Us


ConfDroid as entity is entirely independent from Puppet. We provide custom configuration modules, written for specific purposes and specific environments. The modules are tested and supported only as documented, and require testing in designated environments (i.e. lab or development environments) for parameter tuning etc. before deploying into production environments.

Leave a Reply