Adam Lewenberg authored
This is the (old) master branch along with the fixes to the cron file permissions that Russ made.
# Sets up an OpenSSH server with an appropriate configuration. We need to
# support a few configuration variations depending on the vintage of the
# system, we lock connections down to campus with iptables by default, and we
# have a few subclasses that allow things like host keys.
class base::ssh {
  # Networks permitted to reach tcp/22 on this host. Anything outside this
  # list is blocked by the base iptables policy; subclasses adjust it where a
  # host needs wider or narrower access.
  $campus_networks = [
    '10.32.0.0/15',
    '10.34.0.0/15',
    '10.36.0.0/15',
    '10.39.0.0/16',
    '10.48.0.0/17',
    '171.64.0.0/14',
    '172.16.0.0/12',
    '192.168.0.0/16',
    '204.63.224.0/21',
  ]

  # The init service name differs by distribution. The selector has no
  # default branch, so an unrecognised $::operatingsystem fails catalog
  # compilation rather than silently leaving sshd unmanaged.
  $service_name = $::operatingsystem ? {
    debian => 'ssh',
    ubuntu => 'ssh',
    redhat => 'sshd',
  }

  package { 'openssh-server':
    ensure => present,
  }

  base::iptables::rule { 'ssh':
    protocol => 'tcp',
    port     => '22',
    source   => $campus_networks,
  }

  # Keep the daemon running once the package is installed.
  service { 'ssh':
    ensure  => running,
    name    => $service_name,
    require => Package['openssh-server'],
  }

  # Server and client configuration are produced by the defined types under
  # base::ssh::config. Whether a config change restarts Service['ssh'] is
  # decided inside those defined types, not here.
  base::ssh::config::sshd { '/etc/ssh/sshd_config':
    ensure => present,
  }
  base::ssh::config::ssh { '/etc/ssh/ssh_config':
    ensure => present,
  }

  # RHEL 6 (lsbdistcodename 'santiago') needs sshd to use the system PAM stack.
  if ($::lsbdistcodename == 'santiago') {
    file { '/etc/pam.d/sshd':
      ensure => link,
      target => '/etc/pam.d/system-auth',
    }
  }

  # Remove any root authorized_keys left behind by the build process so a
  # build-time key cannot be reused for root login afterwards. This only
  # deletes the key files: whether sshd accepts key-based root logins at all
  # is governed by sshd_config (managed through base::ssh::config::sshd above),
  # not by this resource. Some clients (HPC, for GPFS) override this.
  file { [ '/root/.ssh/authorized_keys', '/root/.ssh/authorized_keys2' ]:
    ensure => absent,
  }

  # Filter list so routine ssh messages are ignored by syslog reporting.
  # Owner, group and mode are left at the file type's defaults here.
  file { '/etc/filter-syslog/ssh':
    source => 'puppet:///modules/base/ssh/etc/filter-syslog/ssh',
  }
}