Verified Commit 00d4613e authored by Adam Lewenberg

add parameters to allow ssh key-pair logins

parent 85f4b319
......@@ -20,6 +20,11 @@ release/005.007 (unreleased)
[ssh] Ignore a couple more innocuous sshd log lines. [adamhl]
[ssh] Add the parameter $pubkey to the ssh class to allow ssh key-pair
logins (this way you do not have to do class inheritance). Also add a
parameter to allow root users to login using ssh key-pairs. Both of
these parameters are set to false by default. [adamhl]
release/005.006 (2017-02-16)
[kerberos] Add support for the new kerberos environment 'qa'. [adamhl]
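Review bot: The changelog entry for the two new parameters omits the side effect that `$pubkey = true` also installs `/etc/filter-syslog/ssh-pubkey` (see the change to `base::ssh::config::sshd`), which changes what ssh authentication lines reach syslog; operators reading release notes will want that stated next to the parameter description, e.g. "When $pubkey is true, public key authentications are also filtered from syslog." It would also help to carry the "use with caution" wording from the class docs into the entry for `$allow_pubkey_for_root`.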
......@@ -18,11 +18,23 @@
# of sunetids.
# Default: the empty array (so don't filter any such messages)
# $pubkey: set to true if you want to allow ssh key-pair logins to this
# server.
# Default: false
# $allow_pubkey_for_root: set to true if you want to allow root logins
# using ssh key-pairs. This is especially useful for Kerberos KDCs that
# are not clients of the production KDC. Use with caution.
# If you set this to true you should also set $pubkey to true.
# Default: false
class base::ssh(
$pam_afs = true,
$pam_duo = false,
$pam_slurm = false,
$filter_sunetids = [],
$pam_afs = true,
$pam_duo = false,
$pam_slurm = false,
$pubkey = false,
$allow_pubkey_for_root = false,
$filter_sunetids = [],
){
# Install the openssh server package.
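Review bot: The doc comment says "If you set this to true you should also set $pubkey to true", but nothing in the class enforces the combination, so `$allow_pubkey_for_root = true` with `$pubkey = false` is silently accepted. Consider failing early at the top of the class body, e.g. `if $allow_pubkey_for_root and ! $pubkey { fail('allow_pubkey_for_root requires pubkey => true') }`, so the misconfiguration is caught at catalog compile time rather than discovered when root key logins do not work. Minor style point: the two new parameters are documented after `$filter_sunetids` but declared before it in the signature; keeping the two orders the same makes the list easier to check.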
......@@ -94,15 +106,18 @@ class base::ssh(
base::ssh::config::sshd { '/etc/ssh/sshd_config':
ensure => present,
pam_duo => $pam_duo,
pubkey => $pubkey,
notify => Service['ssh'],
}
# Make sure public key authentication to root does not work and clean up
# after the authorized_keys file generated during the build process. Some
# clients (HPC) will need to override this (for GPFS, for example).
file {
'/root/.ssh/authorized_keys': ensure => absent;
'/root/.ssh/authorized_keys2': ensure => absent;
if (! $allow_pubkey_for_root) {
# Make sure public key authentication to root does not work and clean up
# after the authorized_keys file generated during the build process. Some
# clients (HPC) will need to override this (for GPFS, for example).
file {
'/root/.ssh/authorized_keys': ensure => absent;
'/root/.ssh/authorized_keys2': ensure => absent;
}
}
# Ignore routine ssh messages.
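Review bot: When `$allow_pubkey_for_root` is true the `file` resources are simply skipped, so `/root/.ssh/authorized_keys` and `authorized_keys2` become unmanaged and the authorized_keys file that the comment says is "generated during the build process" survives with whatever keys the build put there. Since the stated purpose of the flag is to permit root key logins on specific hosts such as KDCs, it would be safer to manage the file explicitly in that branch (an `else` with `ensure => present` and `content`/`source` from a parameter holding the approved keys, mode 0600) so root access is limited to known keys rather than inherited from the build image. The comment on the `file` block still says HPC clients "will need to override this"; it should now point at the `$allow_pubkey_for_root` parameter, since that is the supported way to change the behaviour.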
......@@ -57,4 +57,13 @@ define base::ssh::config::sshd(
content => $template,
notify => Service['ssh'],
}
# If we are allowing ssh key-par logins, ignore the public key
# authentications when filtering syslog.
if ($pubkey) {
file { '/etc/filter-syslog/ssh-pubkey':
source => 'puppet:///modules/base/ssh/etc/filter-syslog/ssh-pubkey',
}
}
}
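Review bot: The `file { '/etc/filter-syslog/ssh-pubkey': ... }` resource is only declared when `$pubkey` is true, so a host that is later switched back to `pubkey => false` keeps the filter file and continues to drop public key authentication lines from syslog. Make the resource unconditional and drive `ensure` from the parameter, e.g. `ensure => $pubkey ? { true => 'present', default => 'absent' }`, so the flag is reversible. Two smaller points: the hunk does not show `$pubkey` being added to the `define base::ssh::config::sshd(` parameter list, so please confirm it is declared there with a `false` default since `init.pp` now passes it; and "key-par" in the comment should read "key-pair". Also worth a second thought from an audit perspective: filtering accepted public key logins out of syslog removes the record of which key authenticated, which is exactly the information wanted when investigating root key access on a KDC.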