openssh

Tested with Travis CI

Table of Contents

  1. Description

  2. Setup - The basics of getting started with openssh

  3. Usage - Configuration options and additional functionality

  4. Reference - An under-the-hood peek at what the module is doing and how

  5. Limitations - OS compatibility, etc.

  6. Development - Guide for contributing to the module

Description

This module manages OpenSSH.

CentOS, RHEL, Scientific, Oracle Enterprise Linux and OpenBSD are supported using Puppet 4.9.0 or later.

Setup

Beginning with openssh

The module defaults match those of the target OS, so in the simplest case you can just include the following:

include ::openssh::client
include ::openssh::server

Usage

If you want to tune the security settings of the server:

class { '::openssh::server':
  allow_groups                      => ['ssh-user'],
  challenge_response_authentication => false,
  ciphers                           => [
    'chacha20-poly1305@openssh.com',
    'aes256-gcm@openssh.com',
    'aes128-gcm@openssh.com',
    'aes256-ctr',
    'aes192-ctr',
    'aes128-ctr',
  ],
  host_key                          => [
    '/etc/ssh/ssh_host_ed25519_key',
    '/etc/ssh/ssh_host_rsa_key',
  ],
  kex_algorithms                    => [
    'curve25519-sha256@libssh.org',
    'diffie-hellman-group-exchange-sha256',
  ],
  macs                              => [
    'hmac-sha2-512-etm@openssh.com',
    'hmac-sha2-256-etm@openssh.com',
    'hmac-ripemd160-etm@openssh.com',
    'umac-128-etm@openssh.com',
    'hmac-sha2-512',
    'hmac-sha2-256',
    'hmac-ripemd160',
    'umac-128@openssh.com',
  ],
  password_authentication           => false,
  permit_root_login                 => false,
  pubkey_authentication             => true,
  protocol                          => [2],
}
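As an added check that is not part of this module or its test suite, the POSIX shell script below compares the effective server configuration, in the form `sshd -T` prints it, against the settings the hardened manifest above declares, so that configuration drift or an undeclared algorithm shows up as a finding. The `sshd -T` dumps it audits are constructed samples embedded in the script, and the lowercase key names are assumed to be those `sshd -T` emits.

```shell
#!/bin/sh
# Audit the effective sshd configuration (`sshd -T` output) against the settings the hardened
# manifest declares. The dumps below are constructed samples; on a real host use "$(sshd -T)".

# Allowed algorithm lists, copied from the manifest in the same order.
CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'

# Constructed dump of a compliant server.
GOOD_DUMP="passwordauthentication no
challengeresponseauthentication no
permitrootlogin no
pubkeyauthentication yes
allowgroups ssh-user
ciphers $CIPHERS
kexalgorithms $KEX
macs $MACS
hostkey /etc/ssh/ssh_host_ed25519_key
hostkey /etc/ssh/ssh_host_rsa_key"

# Constructed dump of a drifted server: passwords re-enabled and hmac-md5 negotiable.
BAD_DUMP=$(printf '%s\n' "$GOOD_DUMP" | sed -e 's/^passwordauthentication no/passwordauthentication yes/' \
                                            -e 's/^\(macs .*\)$/\1,hmac-md5/')

# list_extra DUMP KEY ALLOWED: print every value on the KEY line that is not in the
# comma-separated ALLOWED list; no output means the server offers nothing undeclared.
list_extra() {
  printf '%s\n' "$1" | awk -v k="$2" -v allowed="$3" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == k { m = split($2, v, ","); for (j = 1; j <= m; j++) if (!ok[v[j]]) print v[j] }'
}

# audit DUMP: print one FAIL line per deviation; the exit status is the number of findings.
audit() {
  dump=$1 fails=0
  for kv in 'passwordauthentication no' 'challengeresponseauthentication no' \
            'permitrootlogin no' 'pubkeyauthentication yes' 'allowgroups ssh-user'; do
    printf '%s\n' "$dump" | grep -qx "$kv" || { echo "FAIL: expected '$kv'"; fails=$((fails + 1)); }
  done
  for spec in "ciphers=$CIPHERS" "kexalgorithms=$KEX" "macs=$MACS"; do
    extra=$(list_extra "$dump" "${spec%%=*}" "${spec#*=}")
    [ -z "$extra" ] || { echo "FAIL: ${spec%%=*} offers undeclared: $(echo "$extra" | tr '\n' ' ')"; fails=$((fails + 1)); }
  done
  return "$fails"
}

# Stand-alone run over the constructed dumps.
audit "$GOOD_DUMP" && echo "GOOD_DUMP: compliant"
audit "$BAD_DUMP" || echo "BAD_DUMP: $? finding(s)"
```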

Enabling SSH public key lookups from LDAP:

class { '::openssh::server':
  authorized_keys_command      => '/usr/libexec/openssh/ssh-ldap-helper',
  authorized_keys_command_user => 'nobody',
}

class { '::openssh::server::ldap':
  base_dn => 'ou=people,dc=example,dc=com',
  group   => 'nobody',
  uri     => [
    'ldap://ldap.example.com',
  ],
}

To add Match ... blocks to the server configuration:

include ::openssh::server

::openssh::server::match { 'sftponly':
  group                => [
    'sftponly',
  ],
  chroot_directory     => '%h',
  force_command        => 'internal-sftp',
  allow_tcp_forwarding => false,
  x11_forwarding       => false,
}

To create a client configuration file and manage Host ... and Match ... blocks within it:

include ::openssh::client

::openssh::client::configuration { '/home/user/.ssh/config':
  owner => 'user',
  group => 'user',
  mode  => '0640',
}

::openssh::client::host { 'default':
  host          => '*',
  target        => '/home/user/.ssh/config',
  order         => 99,
  proxy_command => '/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p',
}

::openssh::client::match { 'catch-all':
  target        => '/home/user/.ssh/config',
  proxy_command => '/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p',
}

Reference

The reference documentation is generated with puppet-strings, and the latest version is hosted at bodgit.github.io/puppet-openssh/.

Limitations

This module has been built on and tested against Puppet 4.9.0 and higher.

The module has been tested on:

  • Red Hat/CentOS Enterprise Linux 6/7

  • OpenBSD 6.2/6.3

Development

The module has both rspec-puppet and beaker-rspec tests. Run them with:

$ bundle exec rake test
$ PUPPET_INSTALL_TYPE=agent PUPPET_INSTALL_VERSION=x.y.z bundle exec rake beaker:<nodeset>

Please log issues or pull requests at GitHub.