add ip_ranges parameter

parent 32accad0
......@@ -25,6 +25,9 @@ release/005.007 (unreleased)
parameter to allow root users to login using ssh key-pairs. Both of
these parameters are set to have no effect by default. [adamhl]
[ssh] Add the parameter $ip_ranges. This is an array of iptable
addresses that are allowed to access port 22 on this server. [adamhl]
release/005.006 (2017-02-16)
[kerberos] Add support for the new kerberos environment 'qa'. [adamhl]
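Review bot: the ChangeLog wording "array of iptable addresses" does not match the parameter's own doc comment in the same change ("iptables-compatible IP addresses"), and the values are CIDR ranges rather than single addresses; suggest "an array of iptables-compatible IP ranges (CIDR) that are allowed to reach port 22" so the release note and the class header describe the parameter the same way.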
......@@ -14,6 +14,22 @@
# sudo, see the base::sudo class.
# Default: false
# $ip_ranges: An array of iptables-compatible IP addresses that are
# allowed to access port 22 on this server.
# Default:
# [
# '10.32.0.0/15',
# '10.34.0.0/15',
# '10.36.0.0/15',
# '10.39.0.0/16',
# '10.48.0.0/17',
# '171.64.0.0/14',
# '172.16.0.0/12',
# '192.168.0.0/16',
# '204.63.224.0/21'
# ]
# (This is historical.)
# $filter_sunetids: ignore "authentication failure" messages for this list
# of sunetids.
# Default: the empty array (so don't filter any such messages)
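Review bot: the new `$ip_ranges` documentation leaves the reader without any hint of what "(This is historical.)" refers to or what an empty array means; since this parameter now controls who can reach port 22, the header should state explicitly whether an empty list closes the port, opens it, or is rejected, and should name the source of the historical default ranges so a future maintainer knows which ones are safe to prune. The default list is also duplicated verbatim in the class parameter below, so the comment and the default will drift unless both are updated together.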
......@@ -37,6 +53,18 @@ class base::ssh(
$pam_afs = true,
$pam_duo = false,
$pam_slurm = false,
$ip_ranges =
[
'10.32.0.0/15',
'10.34.0.0/15',
'10.36.0.0/15',
'10.39.0.0/16',
'10.48.0.0/17',
'171.64.0.0/14',
'172.16.0.0/12',
'192.168.0.0/16',
'204.63.224.0/21'
],
$pubkey = false,
$root_authorized_keys = undef,
$filter_sunetids = [],
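Review bot: `$ip_ranges` is accepted without any validation, while its value flows straight into the firewall rule's `source`. A caller who passes a plain string, `undef`, or `[]` gets no error at compile time; suggest validating the shape here (for example `validate_array($ip_ranges)` from stdlib, or a typed parameter such as `Array[String] $ip_ranges` if the module targets Puppet 4 or later) and failing early when the array is empty, since an unrestricted or missing ssh rule is a security regression rather than a harmless misconfiguration.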
......@@ -80,15 +108,7 @@ class base::ssh(
base::iptables::rule { 'ssh':
protocol => 'tcp',
port => '22',
source => [ '10.32.0.0/15',
'10.34.0.0/15',
'10.36.0.0/15',
'10.39.0.0/16',
'10.48.0.0/17',
'171.64.0.0/14',
'172.16.0.0/12',
'192.168.0.0/16',
'204.63.224.0/21' ],
source => $ip_ranges,
}
# Ensure the daemon is running.
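Review bot: the `source => $ip_ranges` substitution is behaviour-preserving for the default, but the hunk does not show how `base::iptables::rule` treats an empty or undefined `source`; depending on that definition, an empty `$ip_ranges` could either omit the rule (locking operators out of port 22) or emit a rule with no source restriction (exposing sshd to every network). Suggest either guarding this call (`if empty($ip_ranges) { fail(...) }`) or documenting the resulting behaviour in the class header, and leaving the `port => '22'` literal as-is since nothing in the change parameterises it.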