add parameters to allow ssh key-pair logins

00d4613e · Adam Lewenberg · 85f4b319 · 00d4613e · 00d4613e · 00d4613e
Verified Commit 00d4613e authored Jun 16, 2017 by Adam Lewenberg
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 10 deletions

NEWS NEWS +5 -0

manifests/ssh.pp manifests/ssh.pp +25 -10

manifests/ssh/config/sshd.pp manifests/ssh/config/sshd.pp +9 -0

No files found.
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,11 @@ release/005.007 (unreleased)

    [ssh] Ignore a couple more innocuous sshd log lines. [adamhl]

+    [ssh] Add the parameter $pubkey to the ssh class to allow ssh key-pair
+    logins (this way you do not have to do class inheritance). Also add a
+    parameter to allow root users to login using ssh key-pairs. Both of
+    these parameters are set to false by default. [adamhl]
+
 release/005.006 (2017-02-16)

    [kerberos] Add support for the new kerberos environment 'qa'. [adamhl]

--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -18,11 +18,23 @@
 # of sunetids.
 # Default: the empty array (so don't filter any such messages)

+# $pubkey: set to true if you want to allow ssh key-pair logins to this
+# server.
+# Default: false
+
+# $allow_pubkey_for_root: set to true if you want to allow root logins
+# using ssh key-pairs. This is especially useful for Kerberos KDCs that
+# are not clients of the production KDC. Use with caution.
+# If you set this to true you should also set $pubkey to true.
+# Default: false
+
 class base::ssh(
-  $pam_afs         = true,
-  $pam_duo         = false,
-  $pam_slurm       = false,
-  $filter_sunetids = [],
+  $pam_afs               = true,
+  $pam_duo               = false,
+  $pam_slurm             = false,
+  $pubkey                = false,
+  $allow_pubkey_for_root = false,
+  $filter_sunetids       = [],
 ){

  # Install the openssh server package.
@@ -94,15 +106,18 @@ class base::ssh(
  base::ssh::config::sshd { '/etc/ssh/sshd_config':
    ensure  => present,
    pam_duo => $pam_duo,
+    pubkey  => $pubkey,
    notify  => Service['ssh'],
  }

-  # Make sure public key authentication to root does not work and clean up
-  # after the authorized_keys file generated during the build process.  Some
-  # clients (HPC) will need to override this (for GPFS, for example).
-  file {
-    '/root/.ssh/authorized_keys':  ensure => absent;
-    '/root/.ssh/authorized_keys2': ensure => absent;
+  if (! $allow_pubkey_for_root) {
+    # Make sure public key authentication to root does not work and clean up
+    # after the authorized_keys file generated during the build process.  Some
+    # clients (HPC) will need to override this (for GPFS, for example).
+    file {
+      '/root/.ssh/authorized_keys':  ensure => absent;
+      '/root/.ssh/authorized_keys2': ensure => absent;
+    }
  }

  # Ignore routine ssh messages.

--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -57,4 +57,13 @@ define base::ssh::config::sshd(
    content => $template,
    notify  => Service['ssh'],
  }
+
+  # If we are allowing ssh key-par logins, ignore the public key
+  # authentications when filtering syslog.
+  if ($pubkey) {
+    file { '/etc/filter-syslog/ssh-pubkey':
+      source => 'puppet:///modules/base/ssh/etc/filter-syslog/ssh-pubkey',
+    }
+  }
+
 }