-
Karl Kornel authoredKarl Kornel authored
ssh.pp 3.25 KiB
# Sets up an OpenSSH server with an appropriate configuration. We need to
# support a few configuration variations depending on the vintage of the
# system, we lock connections down to campus with iptables by default, and we
# have a few subclasses that allow things like host keys.
# If you are using AFS, then you can have pam_afs_session placed into the
# PAM authentication chain. You should disable this on systems that aren't
# using OpenAFS.
# Default: true
# If you want to require Duo on login, set pam_duo to true. This flag will
# load the appropriate Duo code (via base::duo) and change the sshd_config
# file so that Duo is required for non-root logins. If you want Duo for
# sudo, see the base::sudo class.
# Default: false
class base::ssh(
$pam_afs = true,
$pam_duo = false,
$pam_slurm = false
){
# Install the openssh server package.
class {'base::ssh::package':
pam_duo => $pam_duo,
}
# If we are using Duo, then bring in our Duo config. We want GECOS off.
# This also brings in Duo packages.
if $pam_duo {
base::duo::config { '/etc/security/pam_duo_ssh.conf':
ensure => present,
use_gecos => false,
}
}
# If we are using SLURM, install the module.
if $pam_slurm {
package { 'libpam-slurm':
ensure => installed,
}
}
# Setup /etc/pam.d/sshd to require Duo on regular logins.
class { 'base::ssh::pam':
pam_afs => $pam_afs,
pam_duo => $pam_duo,
pam_slurm => $pam_slurm,
}
# Our default ssh rules allow connections from all of campus. This is
# mostly for legacy reasons, since it historically had always done this and
# we weren't sure what would break.
#
# Individual groups should provide their own local override class that
# restricts remctl to their bastion host and/or subnets from which their
# administrators do work and use that class on most of their systems.
base::iptables::rule { 'ssh':
protocol => 'tcp',
port => '22',
source => [ '10.32.0.0/15',
'10.34.0.0/15',
'10.36.0.0/15',
'10.39.0.0/16',
'10.48.0.0/17',
'171.64.0.0/14',
'172.16.0.0/12',
'192.168.0.0/16',
'204.63.224.0/21' ],
}
# Ensure the daemon is running.
service { 'ssh':
ensure => running,
name => $::osfamily ? {
Debian => 'ssh',
RedHat => 'sshd',
},
require => Package['openssh-server'],
}
# Install ssh (client) configuration file.
base::ssh::config::ssh { '/etc/ssh/ssh_config':
ensure => present,
notify => Service['ssh'],
}
# Install sshd (server) configuration file.
base::ssh::config::sshd { '/etc/ssh/sshd_config':
ensure => present,
pam_duo => $pam_duo,
notify => Service['ssh'],
}
# Make sure public key authentication to root does not work and clean up
# after the authorized_keys file generated during the build process. Some
# clients (HPC) will need to override this (for GPFS, for example).
file {
'/root/.ssh/authorized_keys': ensure => absent;
'/root/.ssh/authorized_keys2': ensure => absent;
}
# Ignore routine ssh messages.
file { '/etc/filter-syslog/ssh':
source => 'puppet:///modules/base/ssh/etc/filter-syslog/ssh',
}
}