Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
- Puppet >= 6.1.0 < 8.0.0
- , , , , , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'ploperations-ssh', '1.1.0'Learn more about managing modules with a PuppetfileDocumentation
ssh
Description
Install and configure an OpenSSH server, and can manage ssh_authorized_keys.
Usage
OpenSSH server can be setup with include ssh::server.
Windows may be configured to use either cygwin OpenSSH or Win32 OpenSSH via chocolatey.
Reference
This module is documented via pdk bundle exec puppet strings generate --format markdown. Please see REFERENCE.md for more info.
Changelog
CHANGELOG.md is generated prior to each release via pdk bundle exec rake changelog. This proecss relies on labels that are applied to each pull request.
Limitations
This module does not yet support the OpenSSH Windows Capability included with Windows 2016 and later.
Development
PRs are welcome!
Reference
Table of Contents
Classes
ssh: Installs and manages an SSH client Requires Chocolatey or Cygwin on Windows.ssh::chroot: Class: ssh::chroot Prepares the chroot environment for SSHssh::params: Class: ssh::params Sets varables for the SSH classssh::server: This class installs and manages an SSH serverssh::server::chocolatey: Windows native OpenSSH serverssh::server::cygwin: Cygwin OpenSSH serverssh::server::linux: Linux specific server configurationssh::server::solaris: Solaris specific server configuration
Defined types
ssh::allowgroup: Class: ssh::allowgroup Allows a group the ability to shell into a give node.ssh::authorized_key: Platform independent way to specify an SSH authorized keyssh::authorized_key::file: Manage the authorized_keys filessh::chrootgroup: Sets up a chroot for a given groupssh::key: Generate an ssh key pair and publish the public key as a fact The fact will be named "sshpublic_key${name}_rsa". If you specify $target_qssh::key::collector: Collect SSH public keys exported by ssh::key and add them to authorized_keys This is not secure. It grants remote access to a host pulled frssh::key::marker: Marks a host in PuppetDB that produces the sshpublic_key${name}_rsa fact. Nodes are marked by using the ssh::key defined type. They are qussh::key::remote: Collect an SSH public key exported by ssh::key and add it to authorized_keys This is secure. You must specify the accessing node explicitly
Functions
ssh::fix_eol: Ensure line endings are correct for the current platform.ssh::yesno: Pass through strings and convert booleans into 'yes' or 'no'
Data types
Ssh::Key::Option: Eitheroptionoroption="value"Ssh::Key::String: This represents the key itself.Ssh::Key::Type: I believe there are more key types than this, but I don't know what they are.Ssh::PermitRootLogin: For ssh::server::permit_root_login.
Classes
ssh
Installs and manages an SSH client
Requires Chocolatey or Cygwin on Windows.
ssh::chroot
Class: ssh::chroot
Prepares the chroot environment for SSH
ssh::params
Class: ssh::params
Sets varables for the SSH class
Parameters
The following parameters are available in the ssh::params class:
cygwin
Data type: Boolean
Whether to use cygwin as the OpenSSH provider.
Default value: lookup('cygwin::enable', Boolean, undef, false)
ssh::server
This class installs and manages an SSH server
Parameters
The following parameters are available in the ssh::server class:
print_motdpermit_x11_forwardingaccept_envkex_algorithmpermit_root_logincyg_server_passwordconfig_mode
print_motd
Data type: Boolean
Whether the ssh daemon should print the contents of the /etc/motd file when a user logs in interactively.
Default value: $ssh::params::print_motd
permit_x11_forwarding
Data type: Boolean
Whether X11 forwarding should be enabled or not.
Default value: false
accept_env
Data type: Array[String[1]]
An array of environment variables to be accepted that will be copied into the session's environment.
Default value: []
kex_algorithm
Data type: Optional[String[1]]
The available KEX (Key Exchange) algorithms to accept.
Default value: undef
permit_root_login
Data type: Ssh::PermitRootLogin
Whether root can log in using ssh.
Default value: $ssh::params::permit_root_login
cyg_server_password
Data type: Optional[Sensitive[String[1]]]
Only required on Cygwin. It's the password for the ssh daemon user.
Default value: undef
config_mode
Data type: Optional[String[3]]
The file mode to set for the ssh config file.
Default value: $ssh::params::config_mode
ssh::server::chocolatey
Windows native OpenSSH server
Parameters
The following parameters are available in the ssh::server::chocolatey class:
default_shell_ensure
Data type: Enum[present, absent]
The ensure option for a default shell.
Default value: present
default_shell
Data type: Stdlib::Absolutepath
The default shell to use.
Default value: $ssh::params::default_shell
default_shell_command_option
Data type: String
Options to pass to the default shell.
Default value: '/c'
ssh::server::cygwin
Cygwin OpenSSH server
ssh::server::linux
Linux specific server configuration
ssh::server::solaris
Solaris specific server configuration
Defined types
ssh::allowgroup
Class: ssh::allowgroup
Allows a group the ability to shell into a give node.
Parameters
The following parameters are available in the ssh::allowgroup defined type:
group
Data type: String[1]
A list of group name patterns, separated by spaces, to only allow members of those group(s) to login.
Default value: $title
ssh::authorized_key
Platform independent way to specify an SSH authorized key
Parameters
The following parameters are available in the ssh::authorized_key defined type:
user
Data type: String[1]
The user account in which the SSH key should be installed.
Default value: $title
ensure
Data type: Enum[present, absent]
The ensure value for the ssh authorized key resource.
Default value: 'present'
key
Data type: Optional[Ssh::Key::String]
The public key itself.
Default value: undef
type
Data type: Ssh::Key::Type
The encryption type used.
Default value: 'ssh-rsa'
options
Data type: Array[Ssh::Key::Option]
Key options; see sshd(8) for possible values.
Default value: []
ssh::authorized_key::file
This is only used on systems where ssh_authorized_key doesn't work.
Parameters
The following parameters are available in the ssh::authorized_key::file defined type:
ensure
Data type: Enum[present, absent]
The ensure value for the ssh authorized key file.
Default value: 'present'
user
Data type: String[1]
The target user's authorized key file to manage and file owner permission to set.
Default value: $title
group
Data type: String[1]
The group permissions of the authorized key file.
Default value: 'NT AUTHORITY\SYSTEM'
ssh::chrootgroup
Sets up a chroot for a given group
Parameters
The following parameters are available in the ssh::chrootgroup defined type:
group
Data type: String[1]
The group used to setup a chroot environment.
Default value: $title
tcp_forwarding
Data type: Boolean
Whether TCP forwarding is permitted.
Default value: false
ssh::key
Generate an ssh key pair and publish the public key as a fact
The fact will be named "sshpublic_key${name}_rsa".
If you specify $target_query, you will be able to add the corresponding public key on hosts matching $target_query with ::ssh::key::collector.
Parameters
The following parameters are available in the ssh::key defined type:
user
Data type: String[1]
The account to generate an ssh key pair for.
Default value: $name
key_path
Data type: Pattern[/^\//]
The location of the ssh private key.
Default value: "/home/${user}/.ssh/id_rsa"
target_query
Data type: Optional[String[1]]
The query used to gather targets used for ssh::key::marker and known_hosts, if applicable.
Default value: undef
manage_known_hosts
Data type: Boolean
Whether to manage the known_hosts file.
Default value: true
ssh::key::collector
Collect SSH public keys exported by ssh::key and add them to authorized_keys
This is not secure. It grants remote access to a host pulled from PuppetDB, so if you can run custom puppet code on a host, you can cause this to collect the public key from the malicious host.
See ssh::key::remote for a more secure option.
Parameters
The following parameters are available in the ssh::key::collector defined type:
key_name
Data type: String[1]
The name of the ssh::key resource. Defaults to $name.
Default value: $name
users
Data type: Array[String[1], 1]
Users to add the key to. Defaults to [$name].
Default value: [$name]
options
Data type: Optional[Array[String[1], 1]]
Options to pass to ssh_authorized_key.
Default value: undef
ssh::key::marker
Marks a host in PuppetDB that produces the sshpublic_key${name}_rsa fact.
Nodes are marked by using the ssh::key defined type. They are queried for this marker in the ssh::key::collector defined type.
ssh::key::remote
Collect an SSH public key exported by ssh::key and add it to authorized_keys
This is secure. You must specify the accessing node explicitly by certname, so a malicious host cannot spoof its way to access.
$title - $user@$certname
Parameters
The following parameters are available in the ssh::key::remote defined type:
user
Data type: String[1]
The user to add the key to. Defaults to the first part of $title.
Default value: ('@')[0]
certname
Data type: Pattern[/\A[a-z0-9_.-]+\Z/]
The certname of the remote host. Defaults to second part of $title.
Default value: ('@')[1]
key_name
Data type: String[1]
The name of the ssh::key resource. Defaults to $user.
Default value: $user
options
Data type: Optional[Array[String[1], 1]]
Options to pass to ssh_authorized_key.
Default value: undef
Functions
ssh::fix_eol
Type: Puppet Language
Ensure line endings are correct for the current platform.
ssh::fix_eol(String $value)
Ensure line endings are correct for the current platform.
Returns: String Returns a string with the desired line ending.
value
Data type: String
The string to perform a line ending conversion on.
ssh::yesno
Type: Puppet Language
Pass through strings and convert booleans into 'yes' or 'no'
ssh::yesno(Variant[Boolean, String[1]] $value)
Pass through strings and convert booleans into 'yes' or 'no'
Returns: String[1] Returns a string content of either 'yes' or 'no'.
value
Data type: Variant[Boolean, String[1]]
The boolean value to convert to a string.
Data types
Ssh::Key::Option
Either option or option="value"
Alias of
Pattern[/\A\w+(=".*")?\z/]
Ssh::Key::String
This represents the key itself.
Alias of
Stdlib::Base64
Ssh::Key::Type
I believe there are more key types than this, but I don't know what they are.
Alias of
Enum['ssh-dsa', 'ssh-dss', 'rsa', 'ssh-rsa', 'ssh-ecdsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521']
Ssh::PermitRootLogin
For ssh::server::permit_root_login.
Alias of
Variant[Boolean, Enum['without-password', 'forced-commands-only']]
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
1.1.0 (2023-04-19)
Added
1.0.1 (2023-04-01)
Fixed
1.0.0 (2021-09-18)
Added
0.10.0 (2021-07-06)
Added
Fixed
- Fixed authorized key permissions #22 (yachub)
- Fix duplicate acl properties and file permissions #21 (yachub)
- (INFC-18852) update solaris pkg name #14 (suckatrash)
- (maint) update to use native pdb query #12 (heathseals)
0.9.0 (2019-01-25)
Added
- (INFC-17763) Support Windows #10 (danielparks)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- binford2k/node_encrypt (>= 0.4.0 < 2.0.0)
- mdelaney/cygwin (>= 0.1.0 < 2.0.0)
- puppetlabs/acl (>= 3.2.1 < 5.0.0)
- puppetlabs/chocolatey (>= 5.2.1 < 7.0.0)
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/registry (>= 3.2.0 < 5.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- puppet/windows_env (>= 3.2.0 < 4.0.0)