Solaris 11.1 default sshd options don't work about puppet-module-ssh HOT 17 CLOSED

@Raskil would you mind sending a PR for this?

from puppet-module-ssh.

Are you getting your values from a stock install of Solaris 11.1 ?

from puppet-module-ssh.

I will look into it and send a PR. The values are from a preinstalled Solaris 11.1 from Oracle.

from puppet-module-ssh.

Question ist how to imnplement it. I see that you are using $::kernelrelease to dertermine Solaris Version. Should I implement a substructure in 5.11 or should we switch to another fact that is more suitable for minor version comparison?
Unfortuantly I do not have Solaris 9 and 10 boxes at hand, to compare suitable facts.

from puppet-module-ssh.

@Raskil
I can test any required changes on Solaris 9 and 10. Please let me know what to test?

from puppet-module-ssh.

@Raskil

Solaris 11 defaults: See the following sections from the man pages.

XAuthLocation

     Specifies the location  of  the  xauth(1)  program.  The
     default  is /usr/X11/bin/xauth and sshd attempts to open
     it when X11 forwarding is enabled.

Subsystem
......
#sftp subsystem
Subsystem sftp internal-sftp -u 002

     By default,  no  subsystems  are  defined.  This  option
     applies to protocol version 2 only. 

However, the initial installed sshd_config file only has =
Subsystem sftp internal-sftp

from puppet-module-ssh.

kernelrelease should work if this applies to all of Solaris 11. Are these changes specific to 11.1 or are they the same on 11.0 ?

from puppet-module-ssh.

@ghoneycutt
I don't know, I don't have Solaris 11.0 boxes.

from puppet-module-ssh.

@nalyanyam Do you have Solaris 11.0 Systems? Could you check if there is any difference between standard sshd_config on Solaris 11.0 and Solaris 11.1?

from puppet-module-ssh.

@Raskil
Checked and sshd_config is basically the same between Solaris 11.0 and Solaris 11.1. I have no access to Solaris 11.2 at the moment, but it is likely that the main configurations would still be the same. Solaris/Oracle tries to maintain backward compatibility as much as possible. So i think in this case kernelrelease should work.

from puppet-module-ssh.

For SunOS nyo1d2z1 5.11 11.3 sun4v sparc sun4v, I had to remove all of the dependencies from init.pp except network/ssh. The other services did not exist on my box.

Solaris 10 worked out of the box.

Only 'network/ssh', and Solaris 11.3 works, otherwise I get an error:

Error: /Stage[main]/Ssh/Package[network/ssh/ssh-key]/ensure: change from absent to present failed: Unable to update

[root@nyprhcm1 manifests]# diff init.pp /var/tmp/init.pp 
210c210,212
<           $default_packages                      = ['network/ssh']
---
>           $default_packages                      = ['network/ssh',
>                                                     'network/ssh/ssh-key',
>                                                     'service/network/ssh']

from puppet-module-ssh.

@quadgrande
On Solaris 11.1 the 3 packages are needed for server, client and key management utilities:

pkg info network/ssh
Name: network/ssh
Summary: Secure Shell (SSH) protocol client and associated utilities

Name: service/network/ssh
Summary: Secure Shell protocol server

pkg info network/ssh/ssh-key
Name: network/ssh/ssh-key
Summary: Secure Shell protocol key management utilities

I do not have access to Solaris 11.2 and 11.3 at the moment.
Could you please check what packages are associated with the ssh client, or the key management utilities? If all packages are now combined into one, then we need to make a new PR to fix this and differentiate based on kernelversion.

from puppet-module-ssh.

@Raskil Can we try to fix this default for sshd_config_xauth_location ?

The default (according to man pages) is actually /usr/X11/bin/xauth , but it's a symbolic link to /usr/bin/xauth

The current value in the module = /usr/openwin/bin/xauth is also a symbolic link to /usr/bin/xauth

So we could just update to match what is written in the man pages.

from puppet-module-ssh.

I will create a PR to update sshd_config_xauth_location and sshd_config_subsystem_sftp defaults

from puppet-module-ssh.

11.3 is fairly new (we patched in April), but it appears to have a different package set for supporting SSH.

OS and kernel version

11.2 - 0.175.2.2.0.4.2

# pkg list | grep ssh
network/ssh                                       0.5.11-0.175.2.2.0.2.2     i--
network/ssh/ssh-key                               0.5.11-0.175.2.2.0.2.2     i--
service/network/ssh                               0.5.11-0.175.2.2.0.2.2     i--

SunOS 5.11 11.2 sun4v sparc sun4v

11.3 - 0.175.3.1.0.3.0.2160.5

-# pkg list | grep ssh
network/ssh                                       0.5.11-0.175.3.1.0.3.0     i--
network/ssh/ssh-utilities                         0.5.11-0.175.3.0.0.30.0    i--
service/network/ssh-common                        0.5.11-0.175.3.0.0.30.0    i--
SunOS 5.11 11.3 sun4v sparc sun4v

from puppet-module-ssh.

@nalyanyam We fixed the Solaris default values using hiera. Sorais changes atot of stuff in minor relases so its hard to keep track of it,

from puppet-module-ssh.

Cleaning out old issues. If you are still interested in this, please send a pull request.

from puppet-module-ssh.