Puppet Class: openssh::server

Defined in:
manifests/server.pp

Overview

Installs and manages the OpenSSH server.

Examples:

Declaring the class using the defaults for the OS

include ::openssh::server

Perform some basic hardening (check the algorithm lists against the sshd release in use: later OpenSSH versions drop some of the entries shown, such as the hmac-ripemd160 MACs)

class { '::openssh::server':
  allow_groups                      => ['ssh-user'],
  challenge_response_authentication => false,
  ciphers                           => [
    'chacha20-poly1305@openssh.com',
    'aes256-gcm@openssh.com',
    'aes128-gcm@openssh.com',
    'aes256-ctr',
    'aes192-ctr',
    'aes128-ctr',
  ],
  host_key                          => [
    '/etc/ssh/ssh_host_ed25519_key',
    '/etc/ssh/ssh_host_rsa_key',
  ],
  kex_algorithms                    => [
    'curve25519-sha256@libssh.org',
    'diffie-hellman-group-exchange-sha256',
  ],
  macs                              => [
    'hmac-sha2-512-etm@openssh.com',
    'hmac-sha2-256-etm@openssh.com',
    'hmac-ripemd160-etm@openssh.com',
    'umac-128-etm@openssh.com',
    'hmac-sha2-512',
    'hmac-sha2-256',
    'hmac-ripemd160',
    'umac-128@openssh.com',
  ],
  password_authentication           => false,
  permit_root_login                 => false,
  pubkey_authentication             => true,
  protocol                          => [2],
}

Parameters:

  • conf_dir (Stdlib::Absolutepath)
  • conf_file (Stdlib::Absolutepath)
  • manage_package (Boolean)
  • package_name (Optional[String]) (defaults to: undef)
  • service_name (String)
  • matches (Hash[String, Hash[String, Any]])
  • subsystems (Hash[String, Hash[String, Any]])
  • accept_env (Optional[Array[String, 1]]) (defaults to: undef)
  • address_family (Optional[Enum['any', 'inet', 'inet6']]) (defaults to: undef)
  • allow_agent_forwarding (Optional[Boolean]) (defaults to: undef)
  • allow_groups (Optional[Array[String, 1]]) (defaults to: undef)
  • allow_stream_local_forwarding (Optional[Variant[Boolean, Enum['all', 'local', 'remote']]]) (defaults to: undef)
  • allow_tcp_forwarding (Optional[Variant[Boolean, Enum['all', 'local', 'remote']]]) (defaults to: undef)
  • allow_users (Optional[Array[String, 1]]) (defaults to: undef)
  • authentication_methods (Optional[Array[Array[String, 1], 1]]) (defaults to: undef)
  • authorized_keys_command (Optional[String]) (defaults to: undef)
  • authorized_keys_command_user (Optional[String]) (defaults to: undef)
  • authorized_keys_command_run_as (Optional[String]) (defaults to: undef)
  • authorized_keys_file (Optional[String]) (defaults to: undef)
  • authorized_principals_command (Optional[String]) (defaults to: undef)
  • authorized_principals_command_user (Optional[String]) (defaults to: undef)
  • authorized_principals_file (Optional[String]) (defaults to: undef)
  • banner (Optional[Stdlib::Absolutepath]) (defaults to: undef)
  • challenge_response_authentication (Optional[Boolean]) (defaults to: undef)
  • chroot_directory (Optional[String]) (defaults to: undef)
  • ciphers (Optional[Array[String, 1]]) (defaults to: undef)
  • client_alive_count_max (Optional[Integer[0]]) (defaults to: undef)
  • client_alive_interval (Optional[Integer[0]]) (defaults to: undef)
  • compression (Optional[Variant[Boolean, Enum['delayed']]]) (defaults to: undef)
  • deny_groups (Optional[Array[String, 1]]) (defaults to: undef)
  • deny_users (Optional[Array[String, 1]]) (defaults to: undef)
  • disable_forwarding (Optional[Boolean]) (defaults to: undef)
  • expose_authentication_methods (Optional[Enum['never', 'pam-only', 'pam-and-env']]) (defaults to: undef)
  • fingerprint_hash (Optional[Enum['md5', 'sha256']]) (defaults to: undef)
  • force_command (Optional[String]) (defaults to: undef)
  • gateway_ports (Optional[Variant[Boolean, Enum['clientspecified']]]) (defaults to: undef)
  • gssapi_authentication (Optional[Boolean]) (defaults to: undef)
  • gssapi_key_exchange (Optional[Boolean]) (defaults to: undef)
  • gssapi_cleanup_credentials (Optional[Boolean]) (defaults to: undef)
  • gssapi_enable_k5users (Optional[Boolean]) (defaults to: undef)
  • gssapi_strict_acceptor_check (Optional[Boolean]) (defaults to: undef)
  • gssapi_store_credentials_on_rekey (Optional[Boolean]) (defaults to: undef)
  • gssapi_kex_algorithms (Optional[Array[String, 1]]) (defaults to: undef)
  • hostbased_accepted_key_types (Optional[Array[String, 1]]) (defaults to: undef)
  • hostbased_authentication (Optional[Boolean]) (defaults to: undef)
  • hostbased_uses_name_from_packet_only (Optional[Boolean]) (defaults to: undef)
  • host_certificate (Optional[Stdlib::Absolutepath]) (defaults to: undef)
  • host_key (Optional[Array[Stdlib::Absolutepath, 1]]) (defaults to: undef)
  • host_key_agent (Optional[String]) (defaults to: undef)
  • host_key_algorithms (Optional[Array[String, 1]]) (defaults to: undef)
  • ignore_rhosts (Optional[Boolean]) (defaults to: undef)
  • ignore_user_known_hosts (Optional[Boolean]) (defaults to: undef)
  • ip_qos (Optional[Tuple[OpenSSH::QoS, 1, 2]]) (defaults to: undef)
  • kbd_interactive_authentication (Optional[Boolean]) (defaults to: undef)
  • kerberos_authentication (Optional[Boolean]) (defaults to: undef)
  • kerberos_get_afs_token (Optional[Boolean]) (defaults to: undef)
  • kerberos_or_local_passwd (Optional[Boolean]) (defaults to: undef)
  • kerberos_ticket_cleanup (Optional[Boolean]) (defaults to: undef)
  • kerberos_use_kuserok (Optional[Boolean]) (defaults to: undef)
  • kex_algorithms (Optional[Array[String, 1]]) (defaults to: undef)
  • key_regeneration_interval (Optional[Integer[0]]) (defaults to: undef)
  • listen_address (Optional[Array[Variant[Bodgitlib::Host, Tuple[Bodgitlib::Host, Bodgitlib::Port]], 1]]) (defaults to: undef)
  • login_grace_time (Optional[Integer[0]]) (defaults to: undef)
  • log_level (Optional[String]) (defaults to: undef)
  • macs (Optional[Array[String, 1]]) (defaults to: undef)
  • max_auth_tries (Optional[Integer[0]]) (defaults to: undef)
  • max_sessions (Optional[Integer[0]]) (defaults to: undef)
  • max_startups (Optional[Variant[Integer[0], Tuple[Integer[0], 3, 3]]]) (defaults to: undef)
  • password_authentication (Optional[Boolean]) (defaults to: undef)
  • permit_empty_passwords (Optional[Boolean]) (defaults to: undef)
  • permit_open (Optional[Variant[Enum['any', 'none'], Array[Tuple[Bodgitlib::Host, Bodgitlib::Port], 1]]]) (defaults to: undef)
  • permit_root_login (Optional[Variant[Boolean, Enum['without-password', 'forced-commands-only']]]) (defaults to: undef)
  • permit_tunnel (Optional[Variant[Boolean, Enum['point-to-point', 'ethernet']]]) (defaults to: undef)
  • permit_tty (Optional[Boolean]) (defaults to: undef)
  • permit_user_environment (Optional[Boolean]) (defaults to: undef)
  • permit_user_rc (Optional[Boolean]) (defaults to: undef)
  • pid_file (Optional[Stdlib::Absolutepath]) (defaults to: undef)
  • port (Optional[Array[Bodgitlib::Port, 1]]) (defaults to: undef)
  • print_last_log (Optional[Boolean]) (defaults to: undef)
  • print_motd (Optional[Boolean]) (defaults to: undef)
  • protocol (Optional[Array[Integer[1, 2], 1, 2]]) (defaults to: undef)
  • pubkey_authentication (Optional[Boolean]) (defaults to: undef)
  • rekey_limit (Optional[OpenSSH::RekeyLimit]) (defaults to: undef)
  • revoked_keys (Optional[Stdlib::Absolutepath]) (defaults to: undef)
  • rhosts_rsa_authentication (Optional[Boolean]) (defaults to: undef)
  • rsa_authentication (Optional[Boolean]) (defaults to: undef)
  • server_key_bits (Optional[Integer[0]]) (defaults to: undef)
  • show_patch_level (Optional[Boolean]) (defaults to: undef)
  • stream_local_bind_mask (Optional[Pattern[/(?x) ^ [0-7]{4} $/]]) (defaults to: undef)
  • stream_local_bind_unlink (Optional[Boolean]) (defaults to: undef)
  • strict_modes (Optional[Boolean]) (defaults to: undef)
  • syslog_facility (Optional[String]) (defaults to: undef)
  • tcp_keepalive (Optional[Boolean]) (defaults to: undef)
  • trusted_user_ca_keys (Optional[Stdlib::Absolutepath]) (defaults to: undef)
  • use_dns (Optional[Boolean]) (defaults to: undef)
  • use_login (Optional[Boolean]) (defaults to: undef)
  • use_pam (Optional[Boolean]) (defaults to: undef)
  • use_privilege_separation (Optional[Variant[Boolean, Enum['sandbox']]]) (defaults to: undef)
  • version_addendum (Optional[String]) (defaults to: undef)
  • x11_display_offset (Optional[Integer[0]]) (defaults to: undef)
  • x11_forwarding (Optional[Boolean]) (defaults to: undef)
  • x11_max_displays (Optional[Integer[0]]) (defaults to: undef)
  • x11_use_localhost (Optional[Boolean]) (defaults to: undef)
  • xauth_location (Optional[Stdlib::Absolutepath]) (defaults to: undef)

See Also:



# File 'manifests/server.pp', line 150

class openssh::server (
  # Module plumbing: where sshd_config lives and how the package and service are named.
  Stdlib::Absolutepath $conf_dir,
  Stdlib::Absolutepath $conf_file,
  Boolean $manage_package,
  String $service_name,
  # Nested hashes of settings for Match blocks and Subsystem entries; presumably
  # rendered by openssh::server::config (NOTE(review): confirm there).
  Hash[String, Hash[String, Any]] $matches,
  Hash[String, Hash[String, Any]] $subsystems,
  Optional[String] $package_name = undef,
  # sshd_config settings below. Each one is Optional and defaults to undef;
  # presumably an undef setting is left out of sshd_config so the daemon's
  # built-in default applies -- confirm in openssh::server::config.
  Optional[Array[String, 1]] $accept_env = undef,
  Optional[Enum['any', 'inet', 'inet6']] $address_family = undef,
  Optional[Boolean] $allow_agent_forwarding = undef,
  Optional[Array[String, 1]] $allow_groups = undef,
  Optional[Variant[Boolean, Enum['all', 'local', 'remote']]] $allow_stream_local_forwarding = undef,
  Optional[Variant[Boolean, Enum['all', 'local', 'remote']]] $allow_tcp_forwarding = undef,
  Optional[Array[String, 1]] $allow_users = undef,
  # Outer array: alternative method chains; inner array: methods that must all succeed.
  Optional[Array[Array[String, 1], 1]] $authentication_methods = undef,
  Optional[String] $authorized_keys_command = undef,
  Optional[String] $authorized_keys_command_user = undef,
  Optional[String] $authorized_keys_command_run_as = undef,
  Optional[String] $authorized_keys_file = undef,
  Optional[String] $authorized_principals_command = undef,
  Optional[String] $authorized_principals_command_user = undef,
  Optional[String] $authorized_principals_file = undef,
  Optional[Stdlib::Absolutepath] $banner = undef,
  Optional[Boolean] $challenge_response_authentication = undef,
  Optional[String] $chroot_directory = undef,
  Optional[Array[String, 1]] $ciphers = undef,
  Optional[Integer[0]] $client_alive_count_max = undef,
  Optional[Integer[0]] $client_alive_interval = undef,
  Optional[Variant[Boolean, Enum['delayed']]] $compression = undef,
  Optional[Array[String, 1]] $deny_groups = undef,
  Optional[Array[String, 1]] $deny_users = undef,
  Optional[Boolean] $disable_forwarding = undef,
  Optional[Enum['never', 'pam-only', 'pam-and-env']] $expose_authentication_methods = undef,
  Optional[Enum['md5', 'sha256']] $fingerprint_hash = undef,
  Optional[String] $force_command = undef,
  Optional[Variant[Boolean, Enum['clientspecified']]] $gateway_ports = undef,
  Optional[Boolean] $gssapi_authentication = undef,
  Optional[Boolean] $gssapi_cleanup_credentials = undef,
  Optional[Boolean] $gssapi_key_exchange = undef,
  Optional[Boolean] $gssapi_enable_k5users = undef,
  Optional[Boolean] $gssapi_strict_acceptor_check = undef,
  Optional[Boolean] $gssapi_store_credentials_on_rekey = undef,
  Optional[Array[String, 1]] $gssapi_kex_algorithms = undef,
  Optional[Array[String, 1]] $hostbased_accepted_key_types = undef,
  Optional[Boolean] $hostbased_authentication = undef,
  Optional[Boolean] $hostbased_uses_name_from_packet_only = undef,
  Optional[Stdlib::Absolutepath] $host_certificate = undef,
  Optional[Array[Stdlib::Absolutepath, 1]] $host_key = undef,
  Optional[String] $host_key_agent = undef,
  Optional[Array[String, 1]] $host_key_algorithms = undef,
  Optional[Boolean] $ignore_rhosts = undef,
  Optional[Boolean] $ignore_user_known_hosts = undef,
  # One or two QoS values (interactive, then non-interactive when two are given).
  Optional[Tuple[OpenSSH::QoS, 1, 2]] $ip_qos = undef,
  Optional[Boolean] $kbd_interactive_authentication = undef,
  Optional[Boolean] $kerberos_authentication = undef,
  Optional[Boolean] $kerberos_get_afs_token = undef,
  Optional[Boolean] $kerberos_or_local_passwd = undef,
  Optional[Boolean] $kerberos_ticket_cleanup = undef,
  Optional[Boolean] $kerberos_use_kuserok = undef,
  Optional[Array[String, 1]] $kex_algorithms = undef,
  Optional[Integer[0]] $key_regeneration_interval = undef,
  # Each entry is either a bare host or a [host, port] pair.
  Optional[Array[Variant[Bodgitlib::Host, Tuple[Bodgitlib::Host, Bodgitlib::Port]], 1]] $listen_address = undef,
  Optional[Integer[0]] $login_grace_time = undef,
  Optional[String] $log_level = undef,
  Optional[Array[String, 1]] $macs = undef,
  Optional[Integer[0]] $max_auth_tries = undef,
  Optional[Integer[0]] $max_sessions = undef,
  # A single count or a three-integer tuple.
  Optional[Variant[Integer[0], Tuple[Integer[0], 3, 3]]] $max_startups = undef,
  Optional[Boolean] $password_authentication = undef,
  Optional[Boolean] $permit_empty_passwords = undef,
  Optional[Variant[Enum['any', 'none'], Array[Tuple[Bodgitlib::Host, Bodgitlib::Port], 1]]] $permit_open = undef,
  Optional[Variant[Boolean, Enum['without-password', 'forced-commands-only']]] $permit_root_login = undef,
  Optional[Boolean] $permit_tty = undef,
  Optional[Variant[Boolean, Enum['point-to-point', 'ethernet']]] $permit_tunnel = undef,
  Optional[Boolean] $permit_user_environment = undef,
  Optional[Boolean] $permit_user_rc = undef,
  Optional[Stdlib::Absolutepath] $pid_file = undef,
  Optional[Array[Bodgitlib::Port, 1]] $port = undef,
  Optional[Boolean] $print_last_log = undef,
  Optional[Boolean] $print_motd = undef,
  # One or two of the protocol versions 1 and 2.
  Optional[Array[Integer[1, 2], 1, 2]] $protocol = undef,
  Optional[Boolean] $pubkey_authentication = undef,
  Optional[OpenSSH::RekeyLimit] $rekey_limit = undef,
  Optional[Stdlib::Absolutepath] $revoked_keys = undef,
  Optional[Boolean] $rhosts_rsa_authentication = undef,
  Optional[Boolean] $rsa_authentication = undef,
  Optional[Integer[0]] $server_key_bits = undef,
  Optional[Boolean] $show_patch_level = undef,
  # Exactly four octal digits, enforced by the Pattern type.
  Optional[Pattern[/(?x) ^ [0-7]{4} $/]] $stream_local_bind_mask = undef,
  Optional[Boolean] $stream_local_bind_unlink = undef,
  Optional[Boolean] $strict_modes = undef,
  Optional[String] $syslog_facility = undef,
  Optional[Boolean] $tcp_keepalive = undef,
  Optional[Stdlib::Absolutepath] $trusted_user_ca_keys = undef,
  Optional[Boolean] $use_dns = undef,
  Optional[Boolean] $use_login = undef,
  Optional[Boolean] $use_pam = undef,
  Optional[Variant[Boolean, Enum['sandbox']]] $use_privilege_separation = undef,
  Optional[String] $version_addendum = undef,
  Optional[Integer[0]] $x11_display_offset = undef,
  Optional[Boolean] $x11_forwarding = undef,
  Optional[Integer[0]] $x11_max_displays = undef,
  Optional[Boolean] $x11_use_localhost = undef,
  Optional[Stdlib::Absolutepath] $xauth_location = undef,
) {

  # The three stages are contained here so that ordering against
  # Class['openssh::server'] alone is enough for callers.
  contain [
    '::openssh::server::install',
    '::openssh::server::config',
    '::openssh::server::service',
  ]

  # Package -> sshd_config -> daemon: a change in one stage refreshes the next.
  Class['::openssh::server::install'] ~> Class['::openssh::server::config'] ~> Class['::openssh::server::service']
}