ghoneycutt / puppet-module-ssh Goto Github PK
View Code? Open in Web Editor NEWPuppet module to manage SSH
License: Other
Puppet module to manage SSH
License: Other
We need the ability to manage the HostCertificate
option for the SSH Daemon.
Suggestion:
sshd_host_certificate
parameter to set the HostCertificate
option. The value would be a String
, or in Puppet 4 Data Types, an Stdlib::Absolutepath
type.
sshd_user_trusted_ca
parameter to set the TrustedUserCAKeys
option. The value would be a String
or an Array
of String
s. In Puppet 4 Data Types, that would be a Stdlib::Absolutepath
or an Array
of Stdlib::Absolutepath
data types.
This would be an error with the data in hiera, so the module should protest to make that error clear.
Hi
Since I was around, just a little warning popping up on my test env
==> test.vagrant.local: Warning: The string '6' was automatically coerced to the numerical value 6 at /etc/puppetlabs/code/environments/production/modules/ssh/manifests/init.pp:283:3
Cheers,
I've been staring at this for a while and can't find why puppet-module-common is a requirement for this module. I'm sure I missed something.
Hi,
Would it be possible to add support for the file types validate_cmd to make use of opensshd -t -f command flags for testing the config file before restarting the service?
This way you make sure that you don't put a config file in place that breaks sshd.
Regards
Raskil
Okay, so I know a bit more about the problem on OpenSuSE: The Initscript, or the Systemd integration only generates keys, when no keys are generated.
This happens when no sshd is present prior to the Puppet run and the sshd_config of the module gets written before starting the service or running the key initialization.
if ! grep -q '^[[:space:]]*HostKey[[:space:]]' /etc/ssh/sshd_config; then
Also see PR #102
It would be great if you could add in the ability to use a template file for the contents of the sshd banner file. Our banner is 10 lines long and it gets really ugly to edit it and get the newlines and spacing right. Using a template file would take care of that problem.
Hi,
The module says that it supports Solaris 11, but a few default options leave you with a partly broken sshd on Solaris 11.1. Namely these are:
sshd_config_xauth_location
should be: /usr/bin/xauth is: /usr/openwin/bin/xauth
Error caused: X-Forwarding does not work
sshd_config_group
should be: sys is: root
Error caused: SSHD not manageble with RBAC Policy in place
sshd_config_subsystem_sftp
should be: 'internal-sftp -u 0002' is: /usr/lib/ssh/sftp-server
Error caused: sftp not usable
I've overriden theese through hiera. Question is if it would be convenient to fix the defaults for Solaris 11.1.
The option for setting the username to run AuthorizedKeysCommand has changed between RHEL 7 and RHEL 6
AuthorizedKeysCommandUser < RHEL 7
(This Setting appears to be mandatory on RHEL7 if AuthorizedKeysCommand is used)
AuthorizedKeysCommandRunAs < RHEL 6
Hi,
I try to manage authorized_keys via Puppet. So I have a Debian.yaml for all Debian based hosts and the following config:
ssh::keys:
root_on_host:
ensure: present
user: root
type: rsa
key: AAAA...
A specific node gets additional config - here's the user "testuser", and he should get a key, too.
ssh::keys:
testuser_on_node:
ensure: present
user: testuser
type: rsa
key: AAAA...
Assuming root and testuser have no authorized_key file, my puppet run succeeds:
$ puppet agent --test
...
Notice: /Stage[main]/Ssh/Ssh_authorized_key[testuser_on_node]/ensure: created
Notice: /Stage[main]/Ssh/Ssh_authorized_key[root_on_host]/ensure: created
Notice: Applied catalog in 0.37 seconds
But the second run - or every run, when authorized_keys files already exist - fails with error:
...
Notice: /Stage[main]/Ssh/Ssh_authorized_key[testuser_on_node]/user: user changed 'root' to 'testuser'
Notice: /Stage[main]/Ssh/Ssh_authorized_key[testuser_on_node]/target: target changed '/root/.ssh/authorized_keys' to '/home/testuser/.ssh/authorized_keys'
Info: Computing checksum on file /home/testuser/.ssh/authorized_keys
Error: Puppet::Util::FileType::FileTypeFlat could not write /root/.ssh/authorized_keys: Permission denied @ rb_sysopen - /root/.ssh/authorized_keys
What is going wrong there? (Or: what I'm doing wrong? :) ) When I disable all keys in node config, puppet run succeeds again. I'm using ghoneycutt-ssh (v3.51.0).
Cheers,
Marianne
Ability to have the following. Default should be no (undef) both in ssh_config and sshd_config. Note that each should be a different parameter to keep with the current style.
SendEnv XMODIFIERS
Starting sshd: /etc/ssh/sshd_config: line 24: Bad configuration option: KexAlgorithms
RHEL 6 / CentOS 6 does not support AuthorizedKeysCommandUser, it uses AuthorizedKeysCommandRunAs instead.
I'm happy to write a pull request to fix this, I'm just not sure if you'd rather have this as a if and else if, inside the ERB or if you rather have something inside a pp file.
I would like to be able to add this to my Hiera data to configure the SSH daemon:
ssh::sshd_config_x11_display_offset: '30'
...which would then set this in the sshd_config:
X11DisplayOffset 30
The default is 10, but not high enough for our environment.
The changes look rather straightforward.
In init.pp:
Add parameter with default to the ssh class:
$sshd_config_x11_display_offset = '10',
Add handling for undef value:
case $sshd_config_x11_display_offset {
'unset', undef: { $sshd_config_x11_display_offset_real = undef }
default: { $sshd_config_x11_display_offset_real = $sshd_config_x11_display_offset_real }
}
Add validation:
if $sshd_config_x11_display_offset_real != undef {
validate_integer($sshd_config_x11_display_offset_real)
}
In sshd_config.erb add this after the current commented value of X11DisplayOffset:
<% if @sshd_config_x11_display_offset_real != nil -%>
X11DisplayOffset <%= @sshd_config_x11_display_offset_real %>
<% end -%>
Thanks for this excellent module!
I'm kind of a Puppet and GitHub n00b, but I'd be happy to do a branch and submit the changes for your consideration if that's acceptable. I've never done that before, so if you have preferences as to how that is done, please let me know.
GSSAPICleanupCredentials
UsePAM no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
21.6.2013 updates
In the meantime, i have reworked the module to simply include 2 templates; one for solaris and the other generic one for linux and used conditional if to select the correct template for each platform. It may be easier that way than overriding many variables. i would update and send a pull request on Monday.
I have noticed that for Solaris package array does not work - only a single package worrks, but an array of packages returns an error: "could not convert array to string". It looks like the part for Solaris parser expects a single package. However for Linux, it works perfectly. Is this a bug within puppet code, or is there something that I am doing wrong?
Hello,
In our environment, we run sshd on multiple ports. The sshd config allows for this (from the manpage):
Port Specifies the port number that sshd(8) listens on.
The default is 22. Multiple options of this type are permitted.
See also ListenAddress.
How hard would it be to modify things so that sshd_config_port would accept an array? Such as (in hiera):
ssh::sshd_config_port:
I'm just getting started with hiera, so there may be another easier way to accomplish what I need, but at present it looks to me like this module will not accept multiple values for this configuration option.
Thank you for providing some great modules!
The Macs you specify as an option through the module only end up in the ssh_config and not the sshd_config if I read correctly
There seems to be a little overlap between managing users within module-common alongside their ssh key, which is also handle by this module.
Within puppet-module-common we were discussing removing users keys a common::users can't remove user accounts (issue 20)
Within puppet-module-common the users ssh key cannot be removed.
Any suggestions on where to apply these, as was tempted to submit a patch for puppet-module-common
Line 263 of init.pp references unknown variable ::ssh_version
Need to add support for ProxyCommand in ssh_config - I believe this is an independent parameter that doesn't rely on other parameters settings.
currently it fails because of
"Error: /Stage[main]/Ssh/Service[sshd_service]: Could not evaluate: Execution of '/sbin/status ssh' returned 1: status: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused"
Maybe I'm getting something wrong, but default settings of module get every host's name plus common pulic key and puts on every node in /etc/ssh/ssh_known_hosts
So when one new node is added to puppet, his name will get to known hosts on every other puppet nodes in /etc/ssh/ssh_known_hosts
Why is that hapenning?)
The AcceptEnv currently is a boolean switch. I need to pass a custom set of variables that should be preserved. I don't think the module currently allow for that.
Willing to come up with a PR, but wanted to discuss this issue first.
This module should use something like params.pp
or Hiera to avoid a hard dependency on $osfamily
.
For example, if I want to use an unsupported OS like Arch Linux, I would normally be able to supply any OS-specific parameters myself even if this module does not support it natively. However, by hard-coding the osfamily check in init.pp
, that is not possible.
If openssh server is not installed, this module fails a puppet run hard:
Error: Evaluation Error: Unknown variable: '::sshrsakey'. at /srv/maverick/software/maverick/manifests/puppet-modules/ssh/manifests/init.pp:742:14 on node maverick-ubuntuvm.local
It shouldn't fail the entire puppet run if the server is not installed.
I got this diff while running this module:
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
It would appear that default_sshd_config_hostkey
does not have a "case" to handle EL6 vs EL7. EL7 should default correctly to have the newer ecdsa and ed25519 keys. Of course there is an easy workaround of specifying sshd_config_hostkey
in hiera like so:
ssh::sshd_config_hostkey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
~tommy
Example:
UseRoaming=no is in /etc/ssh/ssh_config:
[root@demo64 ~]$ sudo /bin/bash
[root@demo64 ~]# ssh example.com
/etc/ssh/ssh_config: line 57: Bad configuration option: UseRoaming
/etc/ssh/ssh_config: terminating, 1 bad configuration options
[root@demo64 ~]# sed -i '/UseRoam/d' /etc/ssh/ssh_config
[root@demo64 ~]# ssh example.com
Failed on Solaris 10, the options TCPKeepAlive and PermitTunnel doesn't exist..
-bash-3.2# cat /etc/release
Oracle Solaris 10 1/13 s10x_u11wos_24a X86
Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
Assembled 17 January 2013
/opt/puppetlabs/bin/puppet --version
4.3.2
[ Jan 20 10:47:40 Executing start method ("/lib/svc/method/sshd start") ]
/etc/ssh/sshd_config: line 105: Bad configuration option: TCPKeepAlive
/etc/ssh/sshd_config: line 119: Bad configuration option: PermitTunnel
/etc/ssh/sshd_config: terminating, 2 bad configuration options
This is somewhat cosmetic but clientAliveInterval (possibly others) should be validated as a string (perhaps with a regex) instead of an integer. I can work up a pull request but I wanted to see what your thoughts were. For example, the following is perfectly valid:
ClientAliveInterval 10m
which is functionally equivalent to:
ClientAliveInterval 600
Hello,
there is no array for KexAlgorithms configuration.
https://wiki.mozilla.org/Security/Guidelines/OpenSSH
kr Felix
unquote boolean and use pattern that allows for string or boolean
https://github.com/ghoneycutt/puppet-module-common/blob/master/manifests/init.pp#L42
I'm thinking that the following should be tied to $sshd_config_port:
if $manage_firewall == true {
firewall { '22 open port 22 for SSH':
action => 'accept',
dport => 22,
proto => 'tcp',
}
}
If you change the listening port of the ssh daemon, you'd want the firewall (if enabled) to update to the correct port.
Hi,
Just started to use this module on Ubuntu 16.04 and it seems to regenerate the SSH server keys?
Is this normal behaviour?
Can't see anything in the module to request that this isn't done?
I had to pass the following in hiera:
ssh::sshd_config_use_dns: "no"
Should it be something like this?
ssh::sshd_config_use_dns: false
Then the code puts the appropriate "yes" or "no" in the config file. I can see the point of expecting the user to pass exactly what should go into the config file but for the case of use_dns, there are only two options.
In some cases, the user may need to bind the sshd service to specific IPs on the host in order to prevent sshd from listening on ALL interfaces. Because of this, a "sshd_config_listenaddress" parameter should be considered.
According to this issue : https://projects.puppetlabs.com/issues/22557
Regression on arrays and puppet resources using the name attribute will not be possible any more.
this results with the error:
Error: Failed to apply catalog: Parameter name failed on Package[ssh_packages]: Name must be a String not Array at /etc/puppet/environments/X/modules/ssh/manifests/init.pp:XXX
Wrapped exception:
Name must be a String not Array
Can this be suppressed?
Warning: You cannot collect without storeconfigs being set on line 753 in file /srv/puppet/manifests/environments/dev/puppet-modules/ssh/manifests/init.pp
Warning: You cannot collect exported resources without storeconfigs being set; the collection will be ignored on line 767 in file /srv/puppet/manifests/environments/dev/puppet-modules/ssh/manifests/init.pp
Using puppet apply with no -v or -d.
Calling with:
class { "::ssh":
ssh_key_import => false,
}
Hi,
first: thank you for this nice module!
we're using it on many nodes.
is it planed to support multiple ssh daemons in future?
I would like to configure >=2 ssh daemons on one node for ssh fileexchange (including chrooted directories)
cheers,
Kevin
The Puppetlabs-stdlib validate-*
methods have been deprecated and could be removed at any moment. These methods have been replaced with Puppet 4 Data Types.
Using Puppet 4 Data types would significantly clean up the module code, but would require a full drop of Puppet 3 support. That said Puppet, Inc ended support for Puppet 3.x on Jan 1st, 2017
Replace?
Default /etc/skel in CentOS 7 doesn't include ~/.ssh, therefore, this has to be done manually prior to adding keys for the specific user.
Recommending that the module confirms that ~/.ssh directory exists and is 600 and ~/.ssh/authorized_key exists and is 600.
Versions used:
The following configuration (via Hiera) doesn't work:
ssh::sshd_config_match:
'Host mymachine.mydomain.com':
'PermitRootLogin yes'
Other configuration parameters I use via hiera work, e.g.:
ssh::sshd_config_syslog_facility: 'AUTHPRIV'
ssh::sshd_config_challenge_resp_auth: 'no'
ssh::permit_root_login: 'no'
Error output when sshd_config_match is included:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, Failed to parse template ssh/sshd_config.erb:
Filepath: /etc/puppetlabs/code/environments/public/modules_external/ssh/templates/sshd_config.erb
Line: 222
Detail: undefined method `sort' for "PermitRootLogin yes":String
at /etc/puppetlabs/code/environments/public/modules_external/ssh/manifests/init.pp:661:16 on node puppet-test.mydomain.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Am I missing something?
Thanks in advance.
If using this module on a system without exported resources (which is reasonably common, and the only option for masterless setups), then you get two warnings:
Warning: You cannot collect exported resources without storeconfigs being set; the export is ignored at /srv/maverick/software/maverick/manifests/puppet-modules/ssh/manifests/init.pp:935:3
Warning: You cannot collect exported resources without storeconfigs being set; the collection will be ignored at /srv/maverick/software/maverick/manifests/puppet-modules/ssh/manifests/init.pp:953:5
The second can be suppressed by setting:
ssh_key_import => false
The export however is unconditional. It should be wrapped by an option so it can be turned off, and the warning suppressed.
firewall uses hard-coded value of 22, when it should accept $sshd_config_port
Even though the default value is ChallengeResponseAuthentication=yes in sshd_config, Red Hat has changed their default value to "no" for security reasons.
Should puppet-module-ssh reflect that via USE_DEFAULTS?
Quoting: https://access.redhat.com/solutions/336773
Issue
The default value for the "ChallengeResponseAuthentication" option should be "yes" as per "man 5 sshd_config".
However in "/etc/ssh/sshd_config" file shipped in RHEL the value of "ChallengeResponseAuthentication" is "no".
Resonse:
"ChallengeResponseAuthentication" is set to "no" by default in Red Hat shipped 'sshd_config' file due to security reasons.
"ChallengeResponseAuthentication" option controls support for the "keyboard-interactive" authentication scheme defined in RFC-4256. The "keyboard-interactive" authentication scheme could ask a user any number of multi-facited questions. In practice it often asks only for the user's password.
So, to use a particular form of challenge-response authentication (such as S/Key), one need to configure the server to use some backend (for example, PAM) sending the challenges and checking the responses. As it is not configured by default, "ChallengeResponseAuthentication" is set to "no" so ssh is not using an unconfigured backend.
And another warning (I'm running latest stdlib)
==> test.vagrant.local: Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib::Compat::Absolute_Path. There is further documentation for validate_legacy function in the README. at ["/etc/puppetlabs/code/environments/production/modules/ssh/manifests/init.pp", 333]:["/etc/puppetlabs/code/environments/production/site/profiles/manifests/ssh.pp", 9]
==> test.vagrant.local: (at /etc/puppetlabs/code/environments/production/modules/stdlib/lib/puppet/functions/deprecation.rb:25:in `deprecation')
Hi I'm installing it on Debian 8 and get this warning.
Version & Manifest
ghoneycutt-ssh --version 3.51.1
class { 'ssh':
sshd_config_port => '22',
permit_root_login => 'no',
sshd_config_strictmodes => 'yes',
sshd_config_permitemptypasswords => 'no',
sshd_password_authentication => 'no',
sshd_config_tcp_keepalive => 'yes',
sshd_config_allowusers => [
'website',
'another_user'
],
sshd_config_match => {
'Group ftpusers' => [
'ChrootDirectory /%h',
'ForceCommand internal-sftp',
'AllowTcpForwarding no',
'GatewayPorts no',
'X11Forwarding no',
]
}
}
Warning: You cannot collect without storeconfigs being set on line 927 in file /etc/puppet/modules/ssh/manifests/init.pp
Warning: You cannot collect exported resources without storeconfigs being set; the collection will be ignored on line 942 in file /etc/puppet/modules/ssh/manifests/init.pp
Warning: Config file /etc/puppet/hiera.yaml not found, using Hiera defaults
Warning: Not collecting exported resources without storeconfigs
Document parameters and update README
Hi
I am trying to make puppet-module-ssh to distribute user's public key to the servers so that a user can authenticate using keys instead of a password.
There is a parameter called Keys which is described as
keys
Hash of keys for user's ~/.ssh/authorized_keys
Default: undefined
Then at the bottom of the doc page is says:
Manage user's ssh_authorized_keys
This works by passing the ssh::keys hash to the ssh_authorized_keys type with create_resources(). Because of this, you may specify any valid parameter for ssh_authorized_key.
Then comes the usage example.
So what I have done is set keys parameter of puppet-module-ssh to this exact value
ssh::keys:
marry123:
ensure: present
user: marry123
type: rsa
key: ''AAAAREAL_KEY_REMOVED=='
But this does not seem to work. There is no key created in users home directory under .ssh.
I am using the parameter correctly?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.