We need the ability to manage the HostCertificate option for the SSH Daemon.

Suggestion:

sshd_host_certificate parameter to set the HostCertificate option. The value would be a String, or in Puppet 4 Data Types, an Stdlib::Absolutepath type.

sshd_user_trusted_ca parameter to set the TrustedUserCAKeys option. The value would be a String or an Array of Strings. In Puppet 4 Data Types, that would be a Stdlib::Absolutepath or an Array of Stdlib::Absolutepath data types.

This would be an error with the data in hiera, so the module should protest to make that error clear.

Hi

Since I was around, just a little warning popping up on my test env

==> test.vagrant.local: Warning: The string '6' was automatically coerced to the numerical value 6 at /etc/puppetlabs/code/environments/production/modules/ssh/manifests/init.pp:283:3

Cheers,

I've been staring at this for a while and can't find why puppet-module-common is a requirement for this module. I'm sure I missed something.

Hi,

Would it be possible to add support for the file types validate_cmd to make use of opensshd -t -f command flags for testing the config file before restarting the service?

This way you make sure that you don't put a config file in place that breaks sshd.

Regards

Raskil

Okay, so I know a bit more about the problem on OpenSuSE: The Initscript, or the Systemd integration only generates keys, when no keys are generated.

This happens when no sshd is present prior to the Puppet run and the sshd_config of the module gets written before starting the service or running the key initialization.

if ! grep -q '^[[:space:]]*HostKey[[:space:]]' /etc/ssh/sshd_config; then

Also see PR #102

It would be great if you could add in the ability to use a template file for the contents of the sshd banner file. Our banner is 10 lines long and it gets really ugly to edit it and get the newlines and spacing right. Using a template file would take care of that problem.

Hi,

The module says that it supports Solaris 11, but a few default options leave you with a partly broken sshd on Solaris 11.1. Namely these are:

sshd_config_xauth_location
should be: /usr/bin/xauth is: /usr/openwin/bin/xauth
Error caused: X-Forwarding does not work

sshd_config_group
should be: sys is: root
Error caused: SSHD not manageble with RBAC Policy in place

sshd_config_subsystem_sftp
should be: 'internal-sftp -u 0002' is: /usr/lib/ssh/sftp-server
Error caused: sftp not usable

I've overriden theese through hiera. Question is if it would be convenient to fix the defaults for Solaris 11.1.

The option for setting the username to run AuthorizedKeysCommand has changed between RHEL 7 and RHEL 6

AuthorizedKeysCommandUser < RHEL 7
(This Setting appears to be mandatory on RHEL7 if AuthorizedKeysCommand is used)

AuthorizedKeysCommandRunAs < RHEL 6

Hi,

I try to manage authorized_keys via Puppet. So I have a Debian.yaml for all Debian based hosts and the following config:

ssh::keys:
  root_on_host:
    ensure: present
    user: root
    type: rsa
    key: AAAA...

A specific node gets additional config - here's the user "testuser", and he should get a key, too.

ssh::keys:
  testuser_on_node:
    ensure: present
    user: testuser
    type: rsa
    key: AAAA...

Assuming root and testuser have no authorized_key file, my puppet run succeeds:

$ puppet agent --test
...
Notice: /Stage[main]/Ssh/Ssh_authorized_key[testuser_on_node]/ensure: created
Notice: /Stage[main]/Ssh/Ssh_authorized_key[root_on_host]/ensure: created
Notice: Applied catalog in 0.37 seconds

But the second run - or every run, when authorized_keys files already exist - fails with error:

...
Notice: /Stage[main]/Ssh/Ssh_authorized_key[testuser_on_node]/user: user changed 'root' to 'testuser'
Notice: /Stage[main]/Ssh/Ssh_authorized_key[testuser_on_node]/target: target changed '/root/.ssh/authorized_keys' to '/home/testuser/.ssh/authorized_keys'
Info: Computing checksum on file /home/testuser/.ssh/authorized_keys
Error: Puppet::Util::FileType::FileTypeFlat could not write /root/.ssh/authorized_keys: Permission denied @ rb_sysopen - /root/.ssh/authorized_keys

What is going wrong there? (Or: what I'm doing wrong? :) ) When I disable all keys in node config, puppet run succeeds again. I'm using ghoneycutt-ssh (v3.51.0).

Cheers,
Marianne

Ability to have the following. Default should be no (undef) both in ssh_config and sshd_config. Note that each should be a different parameter to keep with the current style.

SendEnv XMODIFIERS

Starting sshd: /etc/ssh/sshd_config: line 24: Bad configuration option: KexAlgorithms

RHEL 6 / CentOS 6 does not support AuthorizedKeysCommandUser, it uses AuthorizedKeysCommandRunAs instead.

I'm happy to write a pull request to fix this, I'm just not sure if you'd rather have this as a if and else if, inside the ERB or if you rather have something inside a pp file.

I would like to be able to add this to my Hiera data to configure the SSH daemon:

ssh::sshd_config_x11_display_offset: '30'

...which would then set this in the sshd_config:

X11DisplayOffset 30

The default is 10, but not high enough for our environment.

The changes look rather straightforward.

In init.pp:

Add parameter with default to the ssh class:

$sshd_config_x11_display_offset = '10',

Add handling for undef value:

case $sshd_config_x11_display_offset {
'unset', undef: { $sshd_config_x11_display_offset_real = undef }
default: { $sshd_config_x11_display_offset_real = $sshd_config_x11_display_offset_real }
}

Add validation:

if $sshd_config_x11_display_offset_real != undef {
validate_integer($sshd_config_x11_display_offset_real)
}

In sshd_config.erb add this after the current commented value of X11DisplayOffset:

<% if @sshd_config_x11_display_offset_real != nil -%>
X11DisplayOffset <%= @sshd_config_x11_display_offset_real %>
<% end -%>

Thanks for this excellent module!

I'm kind of a Puppet and GitHub n00b, but I'd be happy to do a branch and submit the changes for your consideration if that's acceptable. I've never done that before, so if you have preferences as to how that is done, please let me know.

1. Include native Solaris SSH (or system) packages in the packages array:
   SUNWsshcu - common
   SUNWsshdr - daemon root
   SUNWsshdu - daemon user
   SUNWsshr - client root
   SUNWsshu - client user
2. QSFTossh / option for VAS sshd - was included in eis_sshd module, to discuss further and decide whether Quest vas sshd is necessary or not.
3. SSH package may require installation PATH - to be specified, may be in puppet hiera.
   Permission of sshd_conf - may be set to 644 - via a variable from hiera
   A way to override the default "No root login" via the hiera
4. The following options specified in the template files do not work with the Solaris sshd: Please provide a way to override them through the hiera

GSSAPICleanupCredentials
UsePAM no

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

21.6.2013 updates
In the meantime, i have reworked the module to simply include 2 templates; one for solaris and the other generic one for linux and used conditional if to select the correct template for each platform. It may be easier that way than overriding many variables. i would update and send a pull request on Monday.

I have noticed that for Solaris package array does not work - only a single package worrks, but an array of packages returns an error: "could not convert array to string". It looks like the part for Solaris parser expects a single package. However for Linux, it works perfectly. Is this a bug within puppet code, or is there something that I am doing wrong?

Hello,

In our environment, we run sshd on multiple ports. The sshd config allows for this (from the manpage):

  Port    Specifies the port number that sshd(8) listens on.  
  The default is 22.  Multiple options of this type are permitted.  
  See also ListenAddress.

How hard would it be to modify things so that sshd_config_port would accept an array? Such as (in hiera):

ssh::sshd_config_port:

• '22'
• '1111'

I'm just getting started with hiera, so there may be another easier way to accomplish what I need, but at present it looks to me like this module will not accept multiple values for this configuration option.

Thank you for providing some great modules!

The Macs you specify as an option through the module only end up in the ssh_config and not the sshd_config if I read correctly

There seems to be a little overlap between managing users within module-common alongside their ssh key, which is also handle by this module.

Within puppet-module-common we were discussing removing users keys a common::users can't remove user accounts (issue 20)

Within puppet-module-common the users ssh key cannot be removed.

Any suggestions on where to apply these, as was tempted to submit a patch for puppet-module-common

Line 263 of init.pp references unknown variable ::ssh_version

Need to add support for ProxyCommand in ssh_config - I believe this is an independent parameter that doesn't rely on other parameters settings.

currently it fails because of

"Error: /Stage[main]/Ssh/Service[sshd_service]: Could not evaluate: Execution of '/sbin/status ssh' returned 1: status: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused"

Maybe I'm getting something wrong, but default settings of module get every host's name plus common pulic key and puts on every node in /etc/ssh/ssh_known_hosts

So when one new node is added to puppet, his name will get to known hosts on every other puppet nodes in /etc/ssh/ssh_known_hosts

Why is that hapenning?)

The AcceptEnv currently is a boolean switch. I need to pass a custom set of variables that should be preserved. I don't think the module currently allow for that.

Willing to come up with a PR, but wanted to discuss this issue first.

This module should use something like params.pp or Hiera to avoid a hard dependency on $osfamily.

For example, if I want to use an unsupported OS like Arch Linux, I would normally be able to supply any OS-specific parameters myself even if this module does not support it natively. However, by hard-coding the osfamily check in init.pp, that is not possible.

If openssh server is not installed, this module fails a puppet run hard:

Error: Evaluation Error: Unknown variable: '::sshrsakey'. at /srv/maverick/software/maverick/manifests/puppet-modules/ssh/manifests/init.pp:742:14 on node maverick-ubuntuvm.local

It shouldn't fail the entire puppet run if the server is not installed.

I got this diff while running this module:

 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key

It would appear that default_sshd_config_hostkey does not have a "case" to handle EL6 vs EL7. EL7 should default correctly to have the newer ecdsa and ed25519 keys. Of course there is an easy workaround of specifying sshd_config_hostkey in hiera like so:

ssh::sshd_config_hostkey:
  - /etc/ssh/ssh_host_rsa_key
  - /etc/ssh/ssh_host_ecdsa_key
  - /etc/ssh/ssh_host_ed25519_key

~tommy

Example:

UseRoaming=no is in /etc/ssh/ssh_config:

[root@demo64 ~]$ sudo /bin/bash
[root@demo64 ~]# ssh example.com
/etc/ssh/ssh_config: line 57: Bad configuration option: UseRoaming
/etc/ssh/ssh_config: terminating, 1 bad configuration options

Delete UseRoaming line:

[root@demo64 ~]# sed -i '/UseRoam/d' /etc/ssh/ssh_config
[root@demo64 ~]# ssh example.com

Failed on Solaris 10, the options TCPKeepAlive and PermitTunnel doesn't exist..

-bash-3.2# cat /etc/release
Oracle Solaris 10 1/13 s10x_u11wos_24a X86
Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
Assembled 17 January 2013

/opt/puppetlabs/bin/puppet --version
4.3.2

[ Jan 20 10:47:40 Executing start method ("/lib/svc/method/sshd start") ]
/etc/ssh/sshd_config: line 105: Bad configuration option: TCPKeepAlive
/etc/ssh/sshd_config: line 119: Bad configuration option: PermitTunnel
/etc/ssh/sshd_config: terminating, 2 bad configuration options

This is somewhat cosmetic but clientAliveInterval (possibly others) should be validated as a string (perhaps with a regex) instead of an integer. I can work up a pull request but I wanted to see what your thoughts were. For example, the following is perfectly valid:

ClientAliveInterval 10m

which is functionally equivalent to:

ClientAliveInterval 600

Hello,
there is no array for KexAlgorithms configuration.

https://wiki.mozilla.org/Security/Guidelines/OpenSSH

kr Felix

unquote boolean and use pattern that allows for string or boolean

https://github.com/ghoneycutt/puppet-module-common/blob/master/manifests/init.pp#L42

I'm thinking that the following should be tied to $sshd_config_port:

if $manage_firewall == true {
firewall { '22 open port 22 for SSH':
action => 'accept',
dport => 22,
proto => 'tcp',
}
}

If you change the listening port of the ssh daemon, you'd want the firewall (if enabled) to update to the correct port.

Hi,

Just started to use this module on Ubuntu 16.04 and it seems to regenerate the SSH server keys?

Is this normal behaviour?

Can't see anything in the module to request that this isn't done?

I had to pass the following in hiera:

ssh::sshd_config_use_dns: "no"

Should it be something like this?

ssh::sshd_config_use_dns: false

Then the code puts the appropriate "yes" or "no" in the config file. I can see the point of expecting the user to pass exactly what should go into the config file but for the case of use_dns, there are only two options.

In some cases, the user may need to bind the sshd service to specific IPs on the host in order to prevent sshd from listening on ALL interfaces. Because of this, a "sshd_config_listenaddress" parameter should be considered.

According to this issue : https://projects.puppetlabs.com/issues/22557
Regression on arrays and puppet resources using the name attribute will not be possible any more.

this results with the error:
Error: Failed to apply catalog: Parameter name failed on Package[ssh_packages]: Name must be a String not Array at /etc/puppet/environments/X/modules/ssh/manifests/init.pp:XXX
Wrapped exception:
Name must be a String not Array

Can this be suppressed?

Warning: You cannot collect without storeconfigs being set on line 753 in file /srv/puppet/manifests/environments/dev/puppet-modules/ssh/manifests/init.pp
Warning: You cannot collect exported resources without storeconfigs being set; the collection will be ignored on line 767 in file /srv/puppet/manifests/environments/dev/puppet-modules/ssh/manifests/init.pp

Using puppet apply with no -v or -d.

Calling with:

    class { "::ssh": 
        ssh_key_import  => false,
    }

Hi,

first: thank you for this nice module!
we're using it on many nodes.

is it planed to support multiple ssh daemons in future?
I would like to configure >=2 ssh daemons on one node for ssh fileexchange (including chrooted directories)

cheers,
Kevin

The Puppetlabs-stdlib validate-* methods have been deprecated and could be removed at any moment. These methods have been replaced with Puppet 4 Data Types.

Using Puppet 4 Data types would significantly clean up the module code, but would require a full drop of Puppet 3 support. That said Puppet, Inc ended support for Puppet 3.x on Jan 1st, 2017

https://docs.puppet.com/puppet/4.10/lang_data_type.html

Replace?

Default /etc/skel in CentOS 7 doesn't include ~/.ssh, therefore, this has to be done manually prior to adding keys for the specific user.

Recommending that the module confirms that ~/.ssh directory exists and is 600 and ~/.ssh/authorized_key exists and is 600.

Versions used:

• CentOS 7.0 (3.10.0-123.20.1.el7.x86_64)
• Puppet 4.2.1
• r10k 2.0.3
• Git 1.8.3.1
• module ghoneycutt/ssh 3.30.0

The following configuration (via Hiera) doesn't work:

ssh::sshd_config_match:
  'Host mymachine.mydomain.com':
    'PermitRootLogin yes'

Other configuration parameters I use via hiera work, e.g.:

ssh::sshd_config_syslog_facility: 'AUTHPRIV'
ssh::sshd_config_challenge_resp_auth: 'no'
ssh::permit_root_login: 'no'

Error output when sshd_config_match is included:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, Failed to parse template ssh/sshd_config.erb:
  Filepath: /etc/puppetlabs/code/environments/public/modules_external/ssh/templates/sshd_config.erb
  Line: 222
  Detail: undefined method `sort' for "PermitRootLogin yes":String
 at /etc/puppetlabs/code/environments/public/modules_external/ssh/manifests/init.pp:661:16 on node puppet-test.mydomain.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Am I missing something?
Thanks in advance.

If using this module on a system without exported resources (which is reasonably common, and the only option for masterless setups), then you get two warnings:

Warning: You cannot collect exported resources without storeconfigs being set; the export is ignored at /srv/maverick/software/maverick/manifests/puppet-modules/ssh/manifests/init.pp:935:3
Warning: You cannot collect exported resources without storeconfigs being set; the collection will be ignored at /srv/maverick/software/maverick/manifests/puppet-modules/ssh/manifests/init.pp:953:5

The second can be suppressed by setting:
ssh_key_import => false

The export however is unconditional. It should be wrapped by an option so it can be turned off, and the warning suppressed.

firewall uses hard-coded value of 22, when it should accept $sshd_config_port

Even though the default value is ChallengeResponseAuthentication=yes in sshd_config, Red Hat has changed their default value to "no" for security reasons.

Should puppet-module-ssh reflect that via USE_DEFAULTS?

Quoting: https://access.redhat.com/solutions/336773

Issue

The default value for the "ChallengeResponseAuthentication" option should be "yes" as per "man 5 sshd_config".
However in "/etc/ssh/sshd_config" file shipped in RHEL the value of "ChallengeResponseAuthentication" is "no".

Resonse:

"ChallengeResponseAuthentication" is set to "no" by default in Red Hat shipped 'sshd_config' file due to security reasons.

"ChallengeResponseAuthentication" option controls support for the "keyboard-interactive" authentication scheme defined in RFC-4256. The "keyboard-interactive" authentication scheme could ask a user any number of multi-facited questions. In practice it often asks only for the user's password.

So, to use a particular form of challenge-response authentication (such as S/Key), one need to configure the server to use some backend (for example, PAM) sending the challenges and checking the responses. As it is not configured by default, "ChallengeResponseAuthentication" is set to "no" so ssh is not using an unconfigured backend.

And another warning (I'm running latest stdlib)

==> test.vagrant.local: Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib::Compat::Absolute_Path. There is further documentation for validate_legacy function in the README. at ["/etc/puppetlabs/code/environments/production/modules/ssh/manifests/init.pp", 333]:["/etc/puppetlabs/code/environments/production/site/profiles/manifests/ssh.pp", 9]

==> test.vagrant.local: (at /etc/puppetlabs/code/environments/production/modules/stdlib/lib/puppet/functions/deprecation.rb:25:in `deprecation')

Hi I'm installing it on Debian 8 and get this warning.

Version & Manifest
ghoneycutt-ssh --version 3.51.1

class { 'ssh':
  sshd_config_port                  => '22',
  permit_root_login                 => 'no',
  sshd_config_strictmodes           => 'yes',
  sshd_config_permitemptypasswords  => 'no',
  sshd_password_authentication      => 'no',
  sshd_config_tcp_keepalive         => 'yes',
  sshd_config_allowusers => [
    'website',
    'another_user'
  ],
  sshd_config_match => {
    'Group ftpusers' => [
      'ChrootDirectory /%h',
      'ForceCommand internal-sftp',
      'AllowTcpForwarding no',
      'GatewayPorts no',
      'X11Forwarding no',
    ]
  }
}

Warning: You cannot collect without storeconfigs being set on line 927 in file /etc/puppet/modules/ssh/manifests/init.pp  
Warning: You cannot collect exported resources without storeconfigs being set; the collection will be ignored on line 942 in file /etc/puppet/modules/ssh/manifests/init.pp  
Warning: Config file /etc/puppet/hiera.yaml not found, using Hiera defaults  
Warning: Not collecting exported resources without storeconfigs  

Document parameters and update README

Hi

I am trying to make puppet-module-ssh to distribute user's public key to the servers so that a user can authenticate using keys instead of a password.

There is a parameter called Keys which is described as

keys
Hash of keys for user's ~/.ssh/authorized_keys
Default: undefined

Then at the bottom of the doc page is says:
Manage user's ssh_authorized_keys
This works by passing the ssh::keys hash to the ssh_authorized_keys type with create_resources(). Because of this, you may specify any valid parameter for ssh_authorized_key.
Then comes the usage example.

So what I have done is set keys parameter of puppet-module-ssh to this exact value

ssh::keys:
marry123:
ensure: present
user: marry123
type: rsa
key: ''AAAAREAL_KEY_REMOVED=='

But this does not seem to work. There is no key created in users home directory under .ssh.

I am using the parameter correctly?