ssh: add parameter to specify ListenAddress directives in sshd config

If no ListenAddress directives are specified, then sshd will list for incoming connections at all addresses. You can alter this by specifying the listen_addresses parameter. For example: listen_addresses => '192.168.1.1,192.168.2.1'

ssh: add parameter to specify ListenAddress directives in sshd config
5c8f7e29 · Adam Lewenberg · 714cd735 · 5c8f7e29 · 5c8f7e29
Commit 5c8f7e29 authored 11 years ago by Adam Lewenberg
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
 # Create the sshd configuration.

+# listen_addresses: If you want to restrict the ssh service to listen only at
+# certain addresses, specify with this parameter. Enter them as a
+# comma-delimited list.
+#
+# Examples:
+# listen_addresses => '192.168.1.1,192.168.2.1'
+# listen_addresses => '192.168.1.1:22,192.168.2.1'
+#
+# See the sshd_config man page for what constitutes valid entries.
+#
+# If list_addresses is omitted, then the ListenAddress directive will be
+# omitted from the sshd configuration file (which is equivalent to having
+# sshd listen at _all_ addresses).
+
+
 define base::ssh::config::sshd(
-  $ensure    = 'present',
-  $gitolite  = false,
-  $hostbased = false,
-  $pubkey    = false,
-  $source    = undef,
-  $max_tries = 5,
+  $ensure           = 'present',
+  $gitolite         = false,
+  $hostbased        = false,
+  $pubkey           = false,
+  $source           = undef,
+  $max_tries        = 5,
+  $listen_addresses = 'all',
 ) {
  if $source {
    $template = undef

--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -79,3 +79,14 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Match User gitolite
    ForceCommand /usr/share/gitolite/gitolite-wrapper
 <% end -%>
+<%
+  if (listen_addresses != 'all')
+    # Split the addresses at the commas.
+    addresses = listen_addresses.split(',')
+    addresses.each |address| do
+-%>
+ListenAddress <%= address %>
+<%
+    end
+  end
+-%>