# Sets up an OpenSSH server with an appropriate configuration. We need to
# support a few configuration variations depending on the vintage of the
# system, we restrict inbound SSH to campus address ranges with iptables by
# default, and a few subclasses extend this one with things like managed
# host keys.
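class base::ssh {
  # Installs and runs OpenSSH, restricts inbound SSH at the packet filter,
  # installs our sshd/ssh configuration, and cleans up root's authorized_keys.
  # Takes no parameters; subclasses add host-specific pieces on top.
  package { 'openssh-server': ensure => present }

  # Network-level restriction on port 22.  Note that 172.16.0.0/12 and
  # 192.168.0.0/16 are the complete RFC 1918 ranges, so anything able to
  # source traffic from those prefixes (VPN pools, other private networks
  # routed to us) is admitted too: this is "not the open Internet" rather
  # than strictly "campus".  It is the only network restriction declared
  # here, so keep it in step with whatever sshd_config itself enforces.
  base::iptables::rule { 'ssh':
    protocol => 'tcp',
    port     => '22',
    source   => [ '10.32.0.0/15',
                  '10.34.0.0/15',
                  '10.36.0.0/15',
                  '10.39.0.0/16',
                  '10.48.0.0/17',
                  '171.64.0.0/14',
                  '172.16.0.0/12',
                  '192.168.0.0/16',
                  '204.63.224.0/21' ],
  }

  # The init script is named differently across distributions.  Matching is
  # case-insensitive so it behaves the same whether the fact is reported as
  # 'Debian' or 'debian'.  Any other OS fails catalog compilation, exactly as
  # the original selector did, but with a message that names the cause
  # instead of the generic "no matching value for selector" error.
  case $::operatingsystem {
    /^(?i:debian|ubuntu)$/: { $sshd_service = 'ssh' }
    /^(?i:redhat)$/:        { $sshd_service = 'sshd' }
    default: {
      fail("base::ssh: unsupported operatingsystem '${::operatingsystem}'")
    }
  }

  # Ensure the daemon is running.
  service { 'ssh':
    name    => $sshd_service,
    ensure  => running,
    require => Package['openssh-server'],
  }

  # Install our configuration files.  Both are ordered after the package so
  # /etc/ssh exists, and sshd_config notifies the service so that a changed
  # daemon configuration is actually loaded instead of sitting on disk until
  # the next restart; notify also guarantees our config is in place before
  # the daemon is first started rather than the packaged default.
  # NOTE(review): if base::ssh::config::sshd already notifies Service['ssh']
  # internally the relationship is redundant but harmless.
  base::ssh::config::sshd { '/etc/ssh/sshd_config':
    ensure  => present,
    require => Package['openssh-server'],
    notify  => Service['ssh'],
  }
  base::ssh::config::ssh { '/etc/ssh/ssh_config':
    ensure  => present,
    require => Package['openssh-server'],
  }

  # Configure PAM for sshd on RHEL 6 by pointing the sshd stack at
  # system-auth.  Ordered after the package so the packaged file cannot land
  # on top of the link.  NOTE(review): $::lsbdistcodename is only populated
  # when the LSB tooling is installed — confirm it is on RHEL 6 hosts,
  # otherwise this block silently does nothing.
  if $::lsbdistcodename == 'santiago' {
    file { '/etc/pam.d/sshd':
      ensure  => link,
      target  => '/etc/pam.d/system-auth',
      require => Package['openssh-server'],
    }
  }

  # Remove the authorized_keys files the build process leaves behind so that
  # no key baked into the image can log in as root.  This only deletes
  # existing keys; whether root may authenticate with a key at all is
  # governed by sshd_config (PermitRootLogin), presumably in the file
  # installed above — confirm there.  Some clients (HPC) will need to
  # override this (for GPFS, for example).
  file {
    '/root/.ssh/authorized_keys':  ensure => absent;
    '/root/.ssh/authorized_keys2': ensure => absent;
  }

  # Ignore routine ssh messages in the syslog filter.
  # NOTE(review): confirm the filter still passes failed-authentication and
  # "Invalid user" lines; otherwise brute-force attempts vanish from the logs.
  file { '/etc/filter-syslog/ssh':
    ensure => file,
    source => 'puppet:///modules/base/ssh/etc/filter-syslog/ssh',
  }
}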