Posted On 18.04.2026

ConfDroid Puppet Modules – SSH


Introducing confdroid_ssh: Reliable and Hardened SSH Access for Your Rocky 9 Servers

SSH is the primary way we access and manage Linux servers. When SSH stops working, everything else grinds to a halt — troubleshooting becomes painful, and automation pipelines can fail.

To solve this, I created confdroid_ssh, a new Puppet 8 module that ensures the SSH daemon (sshd) is always installed, properly configured, running, and reachable.

The module provides a hardened, consistent SSH setup across your entire infrastructure while making it easy to apply custom security policies.

Why This Module Matters

  • Guarantees SSH access is always available
  • Applies secure defaults for ciphers, MAC algorithms, and other important settings
  • Manages the main sshd_config safely through drop-in files in /etc/ssh/sshd_config.d/
  • Handles SELinux contexts automatically (works great together with confdroid_selinux)
  • Optionally manages firewall rules to keep the SSH port open
  • Prevents configuration drift and manual overrides that often cause problems

It fits perfectly into the Confdroid collection alongside confdroid_selinux (for global SELinux enforcement) and confdroid_fail2ban (for brute-force protection on SSH).

Key Features

  • Installs the SSH server packages and required binaries
  • Manages the sshd service (ensures it is enabled and running)
  • Supports custom configuration snippets via the confdroid_ssh::custom::custom_config define
  • Automatically applies correct SELinux contexts
  • Optionally opens the SSH port in the firewall (iptables/nftables)
  • Designed for Rocky 9 (and other RHEL 9-based systems)

Example: Adding Custom Configuration

You can easily add your own secure settings without touching the main config file:

confdroid_ssh::custom::custom_config { '30-my-hardening':
  config_name    => '30-my-hardening',
  config_content => [
    'PasswordAuthentication no',
    'PermitRootLogin no',
    'MaxAuthTries 3',
  ],
}

This creates a cleanly managed file /etc/ssh/sshd_config.d/30-my-hardening.conf. Because the stock Rocky 9 sshd_config includes sshd_config.d/*.conf at the top and sshd uses the first value it sees for each keyword, the settings in the drop-in take precedence over the defaults in the main configuration file (and over drop-ins whose names sort later).
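To make the precedence rules visible, here is an added example (not part of confdroid_ssh or the original post) that resolves the effective sshd settings from a main config plus its sshd_config.d drop-ins the way sshd does: Include globs are expanded in sorted order, the first value seen for a keyword wins, and anything after a Match line is treated as conditional and skipped. The sample tree it builds in a temporary directory is constructed, the file name 50-site-defaults.conf is invented for the demonstration, and the hardening baseline in REQUIRED is an assumption of this example.

```python
"""Resolve effective sshd settings across sshd_config and sshd_config.d drop-ins.

sshd semantics reproduced here: Include patterns are expanded in sorted order,
the FIRST value obtained for a keyword is used, and directives after a Match
line apply only conditionally (this example stops reading at Match, which is a
simplification). Relative Include paths are resolved against etc_dir, as sshd
resolves them against /etc/ssh.
"""
import glob
import os
import re
import tempfile

# A directive is "Keyword value" or "Keyword=value"; sshd accepts both forms.
_LINE = re.compile(r'^(\S+?)\s*(?:=|\s)\s*(.*)$')

# Baseline this example audits against (an assumption, not module defaults).
REQUIRED = {'permitrootlogin': 'no', 'passwordauthentication': 'no'}


def parse_file(path, etc_dir, seen, effective):
    """Walk one file in order, recording first-seen values and recursing into Includes."""
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            m = _LINE.match(line)
            key = (m.group(1) if m else line).lower()
            value = m.group(2).strip() if m else ''
            if key == 'match':
                break  # remaining directives belong to the Match block
            if key == 'include':
                for pattern in value.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(etc_dir, pattern)
                    for inc in sorted(glob.glob(pattern)):
                        parse_file(inc, etc_dir, seen, effective)
                continue
            if key not in seen:  # first value wins, later ones are ignored
                seen[key] = path
                effective[key] = value


def resolve(main_config, etc_dir):
    """Return (effective, origin): keyword -> value and keyword -> file that set it."""
    seen, effective = {}, {}
    parse_file(main_config, etc_dir, seen, effective)
    return effective, seen


def audit(effective):
    """List deviations of the effective configuration from the REQUIRED baseline."""
    findings = []
    for key, want in REQUIRED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f'{key} not set, sshd default applies')
        elif got.lower() != want:
            findings.append(f'{key} is {got!r}, expected {want!r}')
    return findings


def build_sample(etc_dir):
    """Write a constructed sample tree mirroring the Rocky 9 layout; returns main config path."""
    dropin = os.path.join(etc_dir, 'sshd_config.d')
    os.makedirs(dropin, exist_ok=True)
    files = {
        # Include at the top, as in the stock Rocky 9 file (relative path for the demo).
        'sshd_config': 'Include sshd_config.d/*.conf\nPort 22\n'
                       'PermitRootLogin yes\nPasswordAuthentication yes\n',
        # The drop-in from the post above.
        'sshd_config.d/30-my-hardening.conf':
            'PasswordAuthentication no\nPermitRootLogin no\nMaxAuthTries 3\n',
        # Invented later-sorting drop-in: its values lose to 30-, and its Match block is skipped.
        'sshd_config.d/50-site-defaults.conf':
            'PasswordAuthentication yes\nMaxAuthTries 6\n'
            'Match User backup\n    PasswordAuthentication yes\n',
    }
    for rel, body in files.items():
        with open(os.path.join(etc_dir, rel), 'w') as fh:
            fh.write(body)
    return os.path.join(etc_dir, 'sshd_config')


def demo():
    """Build the sample, resolve it and audit it; returns (effective, origin, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        effective, origin = resolve(build_sample(tmp), tmp)
        origin = {k: os.path.relpath(v, tmp) for k, v in origin.items()}
        return effective, origin, audit(effective)


if __name__ == '__main__':
    effective, origin, findings = demo()
    for key in sorted(effective):
        print(f'{key:24} {effective[key]:8} <- {origin[key]}')
    print('findings:', findings or 'none')
```

Running it shows PasswordAuthentication, PermitRootLogin and MaxAuthTries all coming from 30-my-hardening.conf while Port comes from the main file, which is exactly why a stray drop-in that sorts before yours (for example a 20-*.conf left behind by hand) can silently override the module's hardening; pointing the script at a real /etc/ssh tree is a quick way to catch that before `sshd -t` and a service restart.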


How It Fits in the Confdroid Ecosystem

confdroid_ssh works hand-in-hand with the rest of the collection:

  • confdroid_selinux ensures the global SELinux mode is set correctly
  • confdroid_fail2ban protects SSH against brute-force attacks

All other modules benefit from reliable SSH access for management and deployment.

Important Notes

Warning: This module overwrites SSH configuration. Do not roll it out directly on systems that carry heavy manual SSH customizations. Always test first in a non-production environment, and move your manual configuration into the module via the provided define (see the example above). It is usually best practice to keep the snippets small and apply each one only under the conditions where it belongs, since not every Linux system follows the same pattern; what is appropriate depends on the applications the host runs.
The module follows the Confdroid “ENC-first” philosophy — configure everything comfortably through Foreman smart class parameters.

You can find the full module, source code, parameter reference, and documentation here: https://sourcecode.confdroid.com/confdroid/confdroid_ssh

Final Thoughts

With confdroid_ssh, you no longer have to worry about SSH breaking after updates or configuration changes. It provides a solid, hardened, and fully automated foundation for secure remote access across your Rocky 9 fleet.

Combined with confdroid_selinux and confdroid_fail2ban, it forms a strong security layer that keeps your servers accessible to you — but not to attackers.
Have you ever lost SSH access due to a misconfiguration or update? How do you currently manage SSH hardening across your servers? Share your experiences or questions in the comments — I’d love to hear them!

