From 5c8f7e29608d0cd42f05994743bd3839a2b78d6b Mon Sep 17 00:00:00 2001
From: Adam Lewenberg <adamhl@stanford.edu>
Date: Tue, 13 Aug 2013 14:25:10 -0700
Subject: [PATCH] ssh: add parameter to specify ListenAddress directives in
 sshd config

If no ListenAddress directives are specified, then sshd will listen for
incoming connections at all addresses.
the listen_addresses parameter. For example:
listen_addresses => '192.168.1.1,192.168.2.1'
---
 manifests/ssh/config/sshd.pp  | 28 ++++++++++++++++++++++------
 templates/ssh/sshd_config.erb | 11 +++++++++++
 2 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index dc72443..e6724be 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -1,12 +1,28 @@
 # Create the sshd configuration.
 
+# listen_addresses: If you want to restrict the ssh service to listen only at
+# certain addresses, specify with this parameter. Enter them as a
+# comma-delimited list.
+#
+# Examples:
+# listen_addresses => '192.168.1.1,192.168.2.1'
+# listen_addresses => '192.168.1.1:22,192.168.2.1'
+#
+# See the sshd_config man page for what constitutes valid entries.
+#
+# If list_addresses is omitted, then the ListenAddress directive will be
+# omitted from the sshd configuration file (which is equivalent to having
+# sshd listen at _all_ addresses).
+
+
 define base::ssh::config::sshd(
-  $ensure    = 'present',
-  $gitolite  = false,
-  $hostbased = false,
-  $pubkey    = false,
-  $source    = undef,
-  $max_tries = 5,
+  $ensure           = 'present',
+  $gitolite         = false,
+  $hostbased        = false,
+  $pubkey           = false,
+  $source           = undef,
+  $max_tries        = 5,
+  $listen_addresses = 'all',
 ) {
   if $source {
     $template = undef
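Review bot: The new parameter comment says "If list_addresses is omitted" but the parameter is `$listen_addresses`, and the default is the sentinel `'all'` rather than an omitted value, which the comment does not mention; I would correct the name and add `# The default 'all' emits no ListenAddress directive, i.e. sshd listens on every address.` so the special-cased string is documented where the parameter is declared. The value is also accepted unvalidated: an empty or whitespace-only string is not `'all'`, yet `''.split(',')` in the template yields no entries, so the config silently falls back to listening on all addresses, which is the opposite of what a caller restricting the listener intended. Consider rejecting empty values in the define body (which continues outside this hunk), or at least stating this behaviour in the comment.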
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 27cce33..a1cdde1 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -79,3 +79,14 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Match User gitolite
     ForceCommand /usr/share/gitolite/gitolite-wrapper
 <% end -%>
+<%
+  if (listen_addresses != 'all')
+    # Split the addresses at the commas.
+    addresses = listen_addresses.split(',')
+    addresses.each |address| do
+-%>
+ListenAddress <%= address %>
+<%
+    end
+  end
+-%>
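Review bot: `addresses.each |address| do` is not valid Ruby, since block parameters must follow `do`, so this template will fail to compile as soon as `listen_addresses` is anything other than `'all'`; it should read `addresses.each do |address|`. While here, `split(',')` keeps surrounding whitespace, so a value like `'192.168.1.1, 192.168.2.1'` produces `ListenAddress  192.168.2.1`; `addresses = listen_addresses.split(',').map { |a| a.strip }` keeps the emitted directives tidy and avoids emitting a bare `ListenAddress` for a trailing comma. Depending on the Puppet version in use, bare `listen_addresses` variable access in templates is deprecated in favour of `@listen_addresses`; worth confirming against the rest of this template, whose earlier lines lie outside the hunk.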
-- 
GitLab