Lonlone Lee / base / Commits / 00d4613e
Commit 00d4613e (Verified), authored Jun 16, 2017 by Adam Lewenberg
add parameters to allow ssh key-pair logins
parent 85f4b319
Showing 3 changed files with 39 additions and 10 deletions (+39 -10)

NEWS (+5 -0)
manifests/ssh.pp (+25 -10)
manifests/ssh/config/sshd.pp (+9 -0)
NEWS
@@ -20,6 +20,11 @@ release/005.007 (unreleased)
[
ssh
]
Ignore
a
couple
more
innocuous
sshd
log
lines
.
[
adamhl
]
[
ssh
]
Add
the
parameter
$
pubkey
to
the
ssh
class
to
allow
ssh
key
-
pair
logins
(
this
way
you
do
not
have
to
do
class
inheritance
).
Also
add
a
parameter
to
allow
root
users
to
login
using
ssh
key
-
pairs
.
Both
of
these
parameters
are
set
to
false
by
default
.
[
adamhl
]
release
/
005.006
(
2017
-
02
-
16
)
[
kerberos
]
Add
support
for
the
new
kerberos
environment
'qa'
.
[
adamhl
]
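Review bot: the entry names $pubkey but only describes the second knob as "a parameter to allow root users to login using ssh key-pairs"; name it ($allow_pubkey_for_root, as added to the base::ssh parameter list in manifests/ssh.pp) so an operator grepping NEWS can find it, and state its effect on the root authorized_keys files, which this change stops removing when the parameter is true. Saying "Both of these parameters are set to false by default" is good; keep that.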
manifests/ssh.pp
@@ -18,11 +18,23 @@
# of sunetids.
# Default: the empty array (so don't filter any such messages)
# $pubkey: set to true if you want to allow ssh key-pair logins to this
# server.
# Default: false
# $allow_pubkey_for_root: set to true if you want to allow root logins
# using ssh key-pairs. This is especially useful for Kerberos KDCs that
# are not clients of the production KDC. Use with caution.
# If you set this to true you should also set $pubkey to true.
# Default: false
class
base::ssh
(
$pam_afs
=
true
,
$pam_duo
=
false
,
$pam_slurm
=
false
,
$filter_sunetids
=
[],
$pam_afs
=
true
,
$pam_duo
=
false
,
$pam_slurm
=
false
,
$pubkey
=
false
,
$allow_pubkey_for_root
=
false
,
$filter_sunetids
=
[],
){
# Install the openssh server package.
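Review bot: the header comment says "If you set this to true you should also set $pubkey to true", but nothing in the class enforces the dependency; add a guard right after the parameter list, for example `if $allow_pubkey_for_root and !$pubkey { fail('base::ssh: allow_pubkey_for_root requires pubkey => true') }` (or at least a warning()), so an inconsistent pair of settings is caught at catalog compile time rather than documented and forgotten. Defaulting both new parameters to false is the right choice.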
@@ -94,15 +106,18 @@ class base::ssh(
base::ssh::config::sshd
{
'/etc/ssh/sshd_config'
:
ensure
=>
present
,
pam_duo
=>
$pam_duo
,
pubkey
=>
$pubkey
,
notify
=>
Service
[
'ssh'
],
}
# Make sure public key authentication to root does not work and clean up
# after the authorized_keys file generated during the build process. Some
# clients (HPC) will need to override this (for GPFS, for example).
file
{
'/root/.ssh/authorized_keys'
:
ensure
=>
absent
;
'/root/.ssh/authorized_keys2'
:
ensure
=>
absent
;
if
(
!
$allow_pubkey_for_root
)
{
# Make sure public key authentication to root does not work and clean up
# after the authorized_keys file generated during the build process. Some
# clients (HPC) will need to override this (for GPFS, for example).
file
{
'/root/.ssh/authorized_keys'
:
ensure
=>
absent
;
'/root/.ssh/authorized_keys2'
:
ensure
=>
absent
;
}
}
# Ignore routine ssh messages.
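Review bot: wrapping the two `file` resources in `if (!$allow_pubkey_for_root)` means that when the parameter is true Puppet stops managing /root/.ssh/authorized_keys and authorized_keys2 entirely: the authorized_keys file "generated during the build process" that the comment warns about is left as-is, and any key added by hand later persists unnoticed. Consider managing the file explicitly in that case (content or source from a parameter, owner root, mode 0600) so the set of root keys is declared rather than merely tolerated. Note also that only `pubkey => $pubkey` is passed to base::ssh::config::sshd here; if the sshd_config template controls PermitRootLogin, it will need $allow_pubkey_for_root as well.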
manifests/ssh/config/sshd.pp
@@ -57,4 +57,13 @@ define base::ssh::config::sshd(
content
=>
$template
,
notify
=>
Service
[
'ssh'
],
}
# If we are allowing ssh key-par logins, ignore the public key
# authentications when filtering syslog.
if
(
$pubkey
)
{
file
{
'/etc/filter-syslog/ssh-pubkey'
:
source
=>
'puppet:///modules/base/ssh/etc/filter-syslog/ssh-pubkey'
,
}
}
}
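Review bot: the `if ($pubkey)` block has no else branch, so once $pubkey is switched back to false the /etc/filter-syslog/ssh-pubkey file stays in place and public-key authentications keep being dropped from the filtered syslog on a host that no longer expects them; add `else { file { '/etc/filter-syslog/ssh-pubkey': ensure => absent } }` (or a single resource with `ensure => $pubkey ? { true => file, default => absent }`) so the filter follows the parameter in both directions. The comment also misspells "key-par"; it should read "key-pair".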