ssh: This class manages ssh client and serverssh::client: This class add ssh client managementssh::hostkeys: This class manages hostkeysssh::knownhosts: This class manages knownhosts if collection is enabled.ssh::server: This class managed ssh server
ssh::client::config: Manages ssh configurationssh::client::install: Install ssh client packagessh::server::config: Managed ssh server configurationssh::server::install: Install ssh server packagessh::server::service: This class managed ssh server service
ssh::client::config::user: This defined type manages a users ssh configssh::client::match_block: Add match_block to ssh client config (concat needed)ssh::server::config::setting: Internal define to managed ssh server paramssh::server::config_file: Resource type for managing a config file in the include dir.ssh::server::host_key: Manage a ssh host key
This module install a ssh host key in the server (basically, it is a file resource but it also notifies to the ssh service)
Important! This define does not modify any option in sshd_config, so you have to manually define the HostKey option in the server options if you haven't done yet.
ssh::server::instances: Configure separate ssh server instancesssh::server::match_block: Add match_block to ssh server configssh::server::options: This defined type manages ssh server options
sshclient_options_to_augeas_ssh_config: This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with ksshserver_options_to_augeas_sshd_config: This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with k
ssh::ipaddresses: Returns ip addresses of network interfaces (except lo) found by facter.
Ssh::ClientMatch: OpenSSH clientMatchcriteria. Seessh_config(5)
}
class { 'ssh':
storeconfigs_enabled => false,
server_options => {
'Match User www-data' => {
'ChrootDirectory' => '%h',
'ForceCommand' => 'internal-sftp',
'PasswordAuthentication' => 'yes',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
},
'Port' => [22, 2222, 2288],
},
client_options => {
'Host *.amazonaws.com' => {
'User' => 'ec2-user',
},
},
users_client_options => {
'bob' => {
options => {
'Host *.alice.fr' => {
'User' => 'alice',
},
},
},
},
'server_instances' => {
'sftp_server_init' => {
'ensure' => 'present',
'options' => {
'sshd_config' => {
'Port' => 8022,
'Protocol' => 2,
'AddressFamily' => 'any',
'HostKey' => '/etc/ssh/ssh_host_rsa_key',
'SyslogFacility' => 'AUTH',
'LogLevel' => 'INFO',
'PermitRootLogin' => 'no',
},
'sshd_service_options' => '',
'match_blocks' => {
'*,!ssh_exempt_ldap_authkey,!sshlokey' => {
'type' => 'group',
'options' => {
'AuthorizedKeysCommand' => '/usr/local/bin/getauthkey',
'AuthorizedKeysCommandUser' => 'nobody',
'AuthorizedKeysFile' => '/dev/null',
},
},
},
},
},
},ssh::storeconfigs_enabled: true
ssh::server_options:
Protocol: '2'
ListenAddress:
- '127.0.0.0'
- '%{::hostname}'
PasswordAuthentication: 'yes'
SyslogFacility: 'AUTHPRIV'
UsePAM: 'yes'
X11Forwarding: 'yes'
ssh::server::match_block:
filetransfer:
type: group
options:
ChrootDirectory: /home/sftp
ForceCommand: internal-sftp
ssh::client_options:
'Host *':
SendEnv: 'LANG LC_*'
ForwardX11Trusted: 'yes'
ServerAliveInterval: '10'
ssh::users_client_options:
'bob':
'options':
'Host *.alice.fr':
'User': 'alice'
'PasswordAuthentication': 'no'
ssh::server::server_instances:
sftp_server_init:
ensure: present
options:
sshd_config:
Port: 8022
Protocol: 2
AddressFamily: 'any'
HostKey: '/etc/ssh/ssh_host_rsa_key'
SyslogFacility: 'AUTH'
LogLevel: INFO
PermitRootLogin: 'no'
sshd_service_options: ''
match_blocks:
'*,!ssh_exempt_ldap_authkey,!sshlokey':
type: group
options:
AuthorizedKeysCommand: '/usr/local/bin/getauthkey'
AuthorizedKeysCommandUser: 'nobody'
AuthorizedKeysFile: '/dev/null'The following parameters are available in the ssh class:
server_optionsserver_match_blockclient_optionsclient_match_blockusers_client_optionsversionstoreconfigs_enabledvalidate_sshd_fileuse_augeasserver_options_absentclient_options_absentuse_issue_netpurge_unmanaged_sshkeysserver_instances
Data type: Optional[Hash]
Add dynamic options for ssh server config
Default value: undef
Data type: Hash
Add match block for ssh server config
Default value: {}
Data type: Optional[Hash]
Add dynamic options for ssh client config
Default value: undef
Data type: Hash
Add match block for ssh client config
Default value: {}
Data type: Hash
Add users options for ssh client config
Default value: {}
Data type: String
Define package version (package ressource)
Default value: 'present'
Data type: Boolean
Default value for storeconfigs_enabled (client and server)
Default value: true
Data type: Boolean
Default value for validate_sshd_file (server)
Default value: false
Data type: Boolean
Default value to use augeas (client and server)
Default value: false
Data type: Array
List of options to remove for server config (augeas only)
Default value: []
Data type: Array
List of options to remove for client config (augeas only)
Default value: []
Data type: Boolean
Use issue_net header
Default value: false
Data type: Boolean
Purge unmanaged sshkeys
Default value: true
Data type: Hash[String[1],Hash[String[1],NotUndef]]
Configure SSH instances
Default value: {}
This class add ssh client management
class { 'ssh::client':
ensure => present,
storeconfigs_enabled => true,
use_augeas => false,
}The following parameters are available in the ssh::client class:
ssh_configclient_package_nameensurestoreconfigs_enabledoptionsuse_augeasoptions_absentdefault_optionsmatch_block
Data type: Stdlib::Absolutepath
Path to ssh client config file
Data type: Optional[String[1]]
Name of the client package
Default value: undef
Data type: String
Ensurable param to ssh client
Default value: present
Data type: Boolean
Collected host keys from servers will be written to known_hosts unless storeconfigs_enabled is false
Default value: true
Data type: Hash
SSH client options, will be deep_merged with default_options. This parameter takes precedence over default_options
Default value: {}
Data type: Boolean
Use augeas to configure ssh client
Default value: false
Data type: Array
Remove options (with augeas style)
Default value: []
Data type: Hash
Default options to set, will be merged with options parameter
Data type: Hash
Add ssh match_block (with concat)
Default value: {}
This class manages hostkeys
The following parameters are available in the ssh::hostkeys class:
export_ipaddressesstoreconfigs_groupextra_aliasesexclude_interfacesexclude_interfaces_reexclude_ipaddressesuse_trusted_factstags
Data type: Boolean
Whether ip addresses should be added as aliases
Default value: true
Data type: Optional[String[1]]
Tag hostkeys with this group to allow segregation
Default value: undef
Data type: Array
Additional aliases to set for host keys
Default value: []
Data type: Array
List of interfaces to exclude
Default value: []
Data type: Array
List of regular expressions to exclude interfaces
Default value: []
Data type: Array
List of ip addresses to exclude
Default value: []
Data type: Boolean
Whether to use trusted or normal facts
Default value: false
Data type: Optional[Array[String[1]]]
Array of custom tags
Default value: undef
This class manages knownhosts if collection is enabled.
The following parameters are available in the ssh::knownhosts class:
Data type: Boolean
Enable collection
Default value: $ssh::knownhosts::collect_enabled
Data type: Optional[String[1]]
Define the hostkeys group storage
Default value: undef
This class managed ssh server
class { 'ssh::server':
ensure => present,
storeconfigs_enabled => true,
use_issue_net => false,
}The following parameters are available in the ssh::server class:
service_namesshd_configsshd_dirsshd_binarysshd_config_modehost_priv_key_groupdefault_optionsensureinclude_dirinclude_dir_modeinclude_dir_purgeconfig_filesstoreconfigs_enabledoptionsvalidate_sshd_fileuse_augeasoptions_absentmatch_blockuse_issue_netsshd_environments_fileserver_package_name
Data type: String[1]
Name of the sshd service
Data type: Stdlib::Absolutepath
Path to the sshd_config file
Data type: Stdlib::Absolutepath
Path to the sshd dir (e.g. /etc/ssh)
Data type: Stdlib::Absolutepath
Path to the sshd binary
Data type: Stdlib::Filemode
Mode to set on the sshd config file
Data type: Integer
Name of the group for the private host key
Data type: Hash
Default options to set, will be merged with options parameter
Data type: Enum[present,absent,latest]
Ensurable param to ssh server
Default value: present
Data type: Optional[Stdlib::Absolutepath]
Path to sshd include directory.
Default value: undef
Data type: Stdlib::Filemode
Mode to set on the sshd include directory.
Default value: '0700'
Data type: Boolean
Purge the include directory if true.
Default value: true
Data type: Hash[String, Hash]
Hash of config files to add to the ssh include directory.
Default value: {}
Data type: Boolean
Host keys will be collected and distributed unless storeconfigs_enabled is false.
Default value: true
Data type: Hash
Dynamic hash for openssh server option
Default value: {}
Data type: Boolean
Add sshd file validate cmd
Default value: false
Data type: Boolean
Use augeas for configuration (default concat)
Default value: false
Data type: Array
Remove options (with augeas style)
Default value: []
Data type: Hash
Add sshd match_block (with concat)
Default value: {}
Data type: Boolean
Add issue_net banner
Default value: false
Data type: Optional[Stdlib::Absolutepath]
Path to a sshd environments file (e.g. /etc/defaults/ssh on Debian)
Default value: undef
Data type: Optional[String[1]]
Name of the server package to install
Default value: undef
Copyright (c) IN2P3 Computing Centre, IN2P3, CNRS Contributor: Remi Ferrand <remi{dot}ferrand_at_cc(dot)in2p3.fr> (2015) Contributor: Tim Meusel tim@bastelfreak.de (2017)
The following parameters are available in the ssh::client::config::user defined type:
ensuretargetuser_home_dirmanage_user_ssh_diroptionsuserssh_directory_default_modessh_config_default_mode
Data type: Enum['present', 'absent']
Specifies whether the config file should be present or absent
Default value: present
Data type: Optional[Stdlib::Absolutepath]
Sets the config file location, defaults to ~/.ssh/config if $target and $user_home_dir are not set
Default value: undef
Data type: Optional[Stdlib::Absolutepath]
Sets the location of users home dir, defaults to /home/$user
Default value: undef
Data type: Boolean
Whether the users ssh dir should be managed or not
Default value: true
Data type: Hash
Options which should be set
Default value: {}
Data type: String[1]
The name of the user the config should be managed for
Default value: $name
Data type: String[1]
Default mode for the users ssh dir
Default value: '0700'
Data type: String[1]
Default mode for the ssh config file
Default value: '0600'
Add match_block to ssh client config (concat needed)
The following parameters are available in the ssh::client::match_block defined type:
Data type: Hash
Options which should be set
Default value: {}
Data type: Ssh::ClientMatch
Type of match_block, e.g. user, group, host, ...
Default value: 'user'
Data type: Integer
Orders your settings within the config file
Default value: 50
Data type: Stdlib::Absolutepath
Sets the target file of the concat fragment
Default value: $ssh::client::ssh_config
Internal define to managed ssh server param
The following parameters are available in the ssh::server::config::setting defined type:
Data type: String[1]
Key of the value which should be set
Data type: Variant[Boolean, Array, Hash, String]
Value which should be set
Data type: Variant[String[1], Integer]
Orders your setting within the config file
Default value: '10'
Resource type for managing a config file in the include dir.
The following parameters are available in the ssh::server::config_file defined type:
Data type: Stdlib::Filemode
File mode for the config file.
Default value: $ssh::server::sshd_config_mode
Data type: Optional[Stdlib::Absolutepath]
Absolute path to config file to include at the top of the config file. This is intended for including files not managed by this module (crypto policies).
Default value: undef
Data type: Hash
Dynamic hash for openssh server option
Default value: {}
Data type: Stdlib::Absolutepath
Default value: "${ssh::server::include_dir}/${name}.conf"
Manage a ssh host key
This module install a ssh host key in the server (basically, it is a file resource but it also notifies to the ssh service)
Important! This define does not modify any option in sshd_config, so you have to manually define the HostKey option in the server options if you haven't done yet.
The following parameters are available in the ssh::server::host_key defined type:
ensurepublic_key_sourcepublic_key_contentprivate_key_sourceprivate_key_contentcertificate_sourcecertificate_content
Data type: Enum[present, absent]
Set to 'absent' to remove host_key files
Default value: 'present'
Data type: Optional[String[1]]
Sets the content of the source parameter for the public key file Note public_key_source and public_key_content are mutually exclusive.
Default value: undef
Data type: Optional[String[1]]
Sets the content for the public key file. Note public_key_source and public_key_content are mutually exclusive.
Default value: undef
Data type: Optional[String[1]]
Sets the content of the source parameter for the private key file Note private_key_source and private_key_content are mutually exclusive.
Default value: undef
Data type: Optional[String[1]]
Sets the content for the private key file. Note private_key_source and private_key_content are mutually exclusive.
Default value: undef
Data type: Optional[String[1]]
Sets the content of the source parameter for the host key certificate. Note certificate_source and certificate_content are mutually exclusive.
Default value: undef
Data type: Optional[String[1]]
Sets the content for the host key certificate. Note certificate_source and certificate_content are mutually exclusive.
Default value: undef
Configure separate ssh server instances
The following parameters are available in the ssh::server::instances defined type:
ensureoptionsservice_ensureservice_enablevalidate_config_filesshd_instance_config_filesshd_binarysshd_environments_file
Data type: Enum[present, absent]
Specifies whether the instance should be added or removed
Default value: present
Data type: Hash
Set options for the instance
Default value: {}
Data type: Stdlib::Ensure::Service
Whether this instance service should be running or stopped, defaults to true when ensure is set to present, otherwise false
Default value: $ensure ? { 'present' => 'running', 'absent' => 'stopped'
Data type: Boolean
Whether this instance service should be started at boot. Will be added automatically if ensure is running/removed if ensure is stopped
Default value: ($service_ensure == 'running'
Data type: Boolean
Validate config file before applying
Default value: false
Data type: Stdlib::Absolutepath
Path of the instance sshd config
Default value: "${ssh::server::sshd_dir}/sshd_config.${title}"
Data type: Stdlib::Absolutepath
Path to sshd binary
Default value: $ssh::server::sshd_binary
Data type: Optional[Stdlib::Absolutepath]
Path to environments file, if any
Default value: $ssh::server::sshd_environments_file
Add match_block to ssh server config
The following parameters are available in the ssh::server::match_block defined type:
Data type: Hash
Options which should be set
Default value: {}
Data type: String[1]
Type of match_block, e.g. user, group, host, ...
Default value: 'user'
Data type: Integer
Orders your settings within the config file
Default value: 50
Data type: Stdlib::Absolutepath
Sets the target file of the concat fragment
Default value: $ssh::server::sshd_config
This defined type manages ssh server options
The following parameters are available in the ssh::server::options defined type:
Data type: Hash
Options which should be set
Default value: {}
Data type: Integer
Orders your settings within the config file
Default value: 50
Type: Ruby 3.x API
This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with keys that should be absent, and inject static parameters if supplied.
Usage: sshclient_options_to_augeas_ssh_config($options_present, $options_absent, $other_parameters)
- $options_hash is mandatory and must be a hash.
- $options_absent is optional and can be either a single value or an array.
- $other_parameters is optional and must be a hash.
Example: $options = { 'Host *.example.com' => { 'ForwardAgent' => 'yes', 'BatchMode' => 'yes', }, 'ForwardAgent' => 'no', 'BatchMode' => 'no', 'StrictHostKeyChecking' => 'no', } $options_absent = ['StrictHostKeyChecking','NoneField'] $other_parameters = { 'target' => '/etc/ssh/ssh_config' }
$options_final_augeas = sshclient_options_to_augeas_ssh_config($options, $options_absent, $other_parameters)
In this case, the value of $options_final_augeas would be:
'ForwardAgent .example.com' => { 'ensure' => 'present', 'host' => '.example.com', 'key' => 'ForwardAgent', 'value' => 'yes', 'target' => '/etc/ssh/ssh_config', } 'BatchMode .example.com' => { 'ensure' => 'present', 'host' => '.example.com', 'key' => 'BatchMode', 'value' => 'yes', 'target' => '/etc/ssh/ssh_config', } 'ForwardAgent' => { 'ensure' => 'present', 'key' => 'ForwardAgent', 'value' => 'yes', 'target' => '/etc/ssh/ssh_config', } 'BatchMode' => { 'ensure' => 'present', 'key' => 'BatchMode', 'value' => 'yes', 'target' => '/etc/ssh/ssh_config', } 'StrictHostKeyChecking' => { 'ensure' => 'absent', 'key' => 'StrictHostKeyChecking', 'target' => '/etc/ssh/ssh_config', } 'NoneField' => { 'ensure' => 'absent', 'key' => 'NoneField', 'target' => '/etc/ssh/ssh_config', }
Note how the word "Host" is stripped a
This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with keys that should be absent, and inject static parameters if supplied.
Usage: sshclient_options_to_augeas_ssh_config($options_present, $options_absent, $other_parameters)
- $options_hash is mandatory and must be a hash.
- $options_absent is optional and can be either a single value or an array.
- $other_parameters is optional and must be a hash.
Example: $options = { 'Host *.example.com' => { 'ForwardAgent' => 'yes', 'BatchMode' => 'yes', }, 'ForwardAgent' => 'no', 'BatchMode' => 'no', 'StrictHostKeyChecking' => 'no', } $options_absent = ['StrictHostKeyChecking','NoneField'] $other_parameters = { 'target' => '/etc/ssh/ssh_config' }
$options_final_augeas = sshclient_options_to_augeas_ssh_config($options, $options_absent, $other_parameters)
In this case, the value of $options_final_augeas would be:
'ForwardAgent .example.com' => { 'ensure' => 'present', 'host' => '.example.com', 'key' => 'ForwardAgent', 'value' => 'yes', 'target' => '/etc/ssh/ssh_config', } 'BatchMode .example.com' => { 'ensure' => 'present', 'host' => '.example.com', 'key' => 'BatchMode', 'value' => 'yes', 'target' => '/etc/ssh/ssh_config', } 'ForwardAgent' => { 'ensure' => 'present', 'key' => 'ForwardAgent', 'value' => 'yes', 'target' => '/etc/ssh/ssh_config', } 'BatchMode' => { 'ensure' => 'present', 'key' => 'BatchMode', 'value' => 'yes', 'target' => '/etc/ssh/ssh_config', } 'StrictHostKeyChecking' => { 'ensure' => 'absent', 'key' => 'StrictHostKeyChecking', 'target' => '/etc/ssh/ssh_config', } 'NoneField' => { 'ensure' => 'absent', 'key' => 'NoneField', 'target' => '/etc/ssh/ssh_config', }
Note how the word "Host" is stripped a
Returns: Any
Type: Ruby 3.x API
This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with keys that should be absent, and inject static parameters if supplied.
Usage: sshserver_options_to_augeas_sshd_config($options_present, $options_absent, $other_parameters)
- $options_hash is mandatory and must be a hash.
- $options_absent is optional and can be either a single value or an array.
- $other_parameters is optional and must be a hash.
Example: $options = { 'Match User www-data' => { 'PasswordAuthentication' => 'yes', 'X11Forwarding' => 'no', }, 'Match Group bamboo' => { 'ForcedCommand' => '/bin/echo hello world', }, 'X11Forwarding' => 'yes', 'DebianBanner' => '/etc/banner.net', 'AllowGroups' => ["sshgroups", "admins"], } $options_absent = ['DebianBanner','NoneField'] $other_parameters = { 'target' => '/etc/ssh/sshd_config' }
$options_final_augeas = sshserver_options_to_augeas_sshd_config($options, $options_absent, $other_parameters)
In this case, the value of $options_final_augeas would be:
'PasswordAuthentication User www-data' => { 'ensure' => 'present', 'condition' => 'User www-data', 'key' => 'PasswordAuthentication', 'value' => 'yes', 'target' => '/etc/ssh/sshd_config', } 'X11Forwarding User www-data' => { 'ensure' => 'present', 'condition' => 'User www-data', 'key' => 'X11Forwarding', 'value' => 'no', 'target' => '/etc/ssh/sshd_config', } 'ForcedCommand Group bamboo' => { 'ensure' => 'present', 'condition' => 'Group bamboo', 'key' => 'ForcedCommand', 'value' => '/bin/echo hello world', 'target' => '/etc/ssh/sshd_config', } 'X11Forwarding' => { 'ensure' => 'present', 'key' => 'X11Forwarding', 'value' => 'yes', 'target' => '/etc/ssh/sshd_config', } 'DebianBanner' => { 'ensure' => 'absent', 'key' => 'DebianBanner', 'target' => '/etc/ssh/sshd_config', } 'AllowGroups' => { 'ensure' => 'present', 'key' => 'AllowGroups', 'value' => ['sshgroups','admins'], 'target' => '/etc/ssh/sshd_config', } 'NoneField' => { 'ensure' => 'absent', 'key' => 'NoneField', 'target' => '/etc/ssh/sshd_config', }
Note how the word "Match" is stripped a
This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with keys that should be absent, and inject static parameters if supplied.
Usage: sshserver_options_to_augeas_sshd_config($options_present, $options_absent, $other_parameters)
- $options_hash is mandatory and must be a hash.
- $options_absent is optional and can be either a single value or an array.
- $other_parameters is optional and must be a hash.
Example: $options = { 'Match User www-data' => { 'PasswordAuthentication' => 'yes', 'X11Forwarding' => 'no', }, 'Match Group bamboo' => { 'ForcedCommand' => '/bin/echo hello world', }, 'X11Forwarding' => 'yes', 'DebianBanner' => '/etc/banner.net', 'AllowGroups' => ["sshgroups", "admins"], } $options_absent = ['DebianBanner','NoneField'] $other_parameters = { 'target' => '/etc/ssh/sshd_config' }
$options_final_augeas = sshserver_options_to_augeas_sshd_config($options, $options_absent, $other_parameters)
In this case, the value of $options_final_augeas would be:
'PasswordAuthentication User www-data' => { 'ensure' => 'present', 'condition' => 'User www-data', 'key' => 'PasswordAuthentication', 'value' => 'yes', 'target' => '/etc/ssh/sshd_config', } 'X11Forwarding User www-data' => { 'ensure' => 'present', 'condition' => 'User www-data', 'key' => 'X11Forwarding', 'value' => 'no', 'target' => '/etc/ssh/sshd_config', } 'ForcedCommand Group bamboo' => { 'ensure' => 'present', 'condition' => 'Group bamboo', 'key' => 'ForcedCommand', 'value' => '/bin/echo hello world', 'target' => '/etc/ssh/sshd_config', } 'X11Forwarding' => { 'ensure' => 'present', 'key' => 'X11Forwarding', 'value' => 'yes', 'target' => '/etc/ssh/sshd_config', } 'DebianBanner' => { 'ensure' => 'absent', 'key' => 'DebianBanner', 'target' => '/etc/ssh/sshd_config', } 'AllowGroups' => { 'ensure' => 'present', 'key' => 'AllowGroups', 'value' => ['sshgroups','admins'], 'target' => '/etc/ssh/sshd_config', } 'NoneField' => { 'ensure' => 'absent', 'key' => 'NoneField', 'target' => '/etc/ssh/sshd_config', }
Note how the word "Match" is stripped a
Returns: Any
OpenSSH client Match criteria. See ssh_config(5)
Alias of Enum['!all', 'all', '!canonical', 'canonical', '!exec', 'exec', '!final', 'final', '!host', 'host', '!localuser', 'localuser', '!originalhost', 'originalhost', '!user', 'user']