summaryrefslogtreecommitdiffstats
path: root/manifests/init.pp
blob: 3e253d13e2cafbcd6980dd52617b1e61f148635e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# manage an sshd installation
class sshd(
  $manage_nagios = false,
  $nagios_check_ssh_hostname = 'absent',
  $ports = [ 22 ],
  $shared_ip = 'no',
  $ensure_version = 'installed',
  $listen_address = [ '0.0.0.0', '::' ],
  $allowed_users = '',
  $allowed_groups = '',
  $use_pam = 'no',
  $use_dns = 'no',
  $permit_root_login = 'without-password',
  $password_authentication = 'no',
  $kerberos_authentication = 'no',
  $kerberos_orlocalpasswd = 'yes',
  $kerberos_ticketcleanup = 'yes',
  $gssapi_authentication = 'no',
  $gssapi_cleanupcredentials = 'yes',
  $tcp_forwarding = 'no',
  $x11_forwarding = 'no',
  $agent_forwarding = 'no',
  $challenge_response_authentication = 'no',
  $pubkey_authentication = 'yes',
  $rsa_authentication = 'no',
  $strict_modes = 'yes',
  $ignore_rhosts = 'yes',
  $rhosts_rsa_authentication = 'no',
  $hostbased_authentication = 'no',
  $permit_empty_passwords = 'no',
  $authorized_keys_file = $::osfamily ? {
    'Debian' => $::operatingsystemmajrelease ? {
      '6'     => '%h/.ssh/authorized_keys',
      default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
    },
    'RedHat' => $::operatingsystemmajrelease ? {
      '5'     => '%h/.ssh/authorized_keys',
      '6'     => '%h/.ssh/authorized_keys',
      default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
    },
    'OpenBSD' => '%h/.ssh/authorized_keys',
    default   => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
  },
  $hardened = false,
  $hardened_client = false,
  $harden_moduli = false,
  $use_host_ecdsa_key = false,
  $sftp_subsystem = '',
  $head_additional_options = '',
  $tail_additional_options = '',
  $print_motd = 'yes',
  $manage_shorewall = false,
  $shorewall_source = 'net',
  $sshkey_ipaddress = pick($default_ipaddress,$::ipaddress),
  $manage_client = true,
  $purge_sshkeys = true,
) {

  validate_bool($manage_shorewall)
  validate_bool($manage_client)
  validate_bool($harden_moduli)
  validate_bool($use_host_ecdsa_key)
  validate_bool($hardened_client)
  validate_array($listen_address)
  validate_array($ports)

  if $manage_client {
    class{'::sshd::client':
      shared_ip        => $shared_ip,
      ensure_version   => $ensure_version,
      manage_shorewall => $manage_shorewall,
      hardened         => $hardened_client,
    }
  }

  case $::operatingsystem {
    'Gentoo': { include ::sshd::gentoo }
    'RedHat','CentOS': { include ::sshd::redhat }
    'OpenBSD': { include ::sshd::openbsd }
    'Debian','Ubuntu': { include ::sshd::debian }
    default: { include ::sshd::base }
  }

  if $manage_nagios {
    sshd::nagios{$ports:
      check_hostname => $nagios_check_ssh_hostname
    }
  }

  if $manage_shorewall {
    class{'::shorewall::rules::ssh':
      ports  => $ports,
      source => $shorewall_source
    }
  }
}