diff --git a/NEWS b/NEWS
index d54ac212c0a7180d8980c55f3714788e61bb8c46..bdbdd8bf013228a19f9bb5f6e561cbd4e38789ae 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,9 @@ release/005.007 (unreleased)
     parameter to allow root users to login using ssh key-pairs. Both of
     these parameters are set to have no effect by default. [adamhl]
 
+    [ssh] Add the parameter $ip_ranges. This is an array of iptable
+    addresses that are allowed to access port 22 on this server. [adamhl]
+
 release/005.006 (2017-02-16)
 
     [kerberos] Add support for the new kerberos environment 'qa'. [adamhl]
diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index 18bfddbf1fa02e0baa92a6778727ed9f3ddb2210..f7da0e1e46736d0c9a69e935b93a2c9a7206b64a 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -14,6 +14,22 @@
 # sudo, see the base::sudo class.
 # Default: false
 
+# $ip_ranges: An array of iptables-compatible IP addresses that are
+# allowed to access port 22 on this server.
+# Default:
+#    [
+#      '10.32.0.0/15',
+#      '10.34.0.0/15',
+#      '10.36.0.0/15',
+#      '10.39.0.0/16',
+#      '10.48.0.0/17',
+#      '171.64.0.0/14',
+#      '172.16.0.0/12',
+#      '192.168.0.0/16',
+#      '204.63.224.0/21'
+#    ]
+# (This is historical.)
+
 # $filter_sunetids: ignore "authentication failure" messages for this list
 # of sunetids.
 # Default: the empty array (so don't filter any such messages)
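Review bot: The new `$ip_ranges` comment ends with "(This is historical.)", which does not tell an operator which of the listed ranges are still required or that the list should be narrowed where possible. I would replace that line with something like `# (Historical default; override with the narrowest set of ranges that need SSH access.)`. The comment also does not say what an empty array means for the port 22 rule, and that is worth one sentence once the behaviour of `base::iptables::rule` is confirmed. The default list is repeated verbatim in the class signature, so the two copies can drift; consider having the comment refer to the signature instead of restating all nine ranges.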
@@ -37,6 +53,18 @@ class base::ssh(
   $pam_afs               = true,
   $pam_duo               = false,
   $pam_slurm             = false,
+  $ip_ranges             =
+    [
+      '10.32.0.0/15',
+      '10.34.0.0/15',
+      '10.36.0.0/15',
+      '10.39.0.0/16',
+      '10.48.0.0/17',
+      '171.64.0.0/14',
+      '172.16.0.0/12',
+      '192.168.0.0/16',
+      '204.63.224.0/21'
+    ],
   $pubkey                = false,
   $root_authorized_keys  = undef,
   $filter_sunetids       = [],
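Review bot: `$ip_ranges` is accepted with no type or content check and is passed unchanged to `source` on the `ssh` iptables rule in the last hunk. How `base::iptables::rule` handles an empty array, `undef` or a bare string is not visible here, so a mistaken Hiera value could presumably either remove the rule or leave port 22 without a source restriction. If the Puppet version in use supports data types, declare the parameter as `Array[String[1], 1] $ip_ranges = [ ... ]`. Otherwise add a guard at the top of the class body, for example `if empty($ip_ranges) { fail('base::ssh: ip_ranges must not be empty') }`, which assumes stdlib is available. The class signature and body both continue outside these hunks.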
@@ -80,15 +108,7 @@ class base::ssh(
   base::iptables::rule { 'ssh':
     protocol => 'tcp',
     port     => '22',
-    source   => [ '10.32.0.0/15',
-                  '10.34.0.0/15',
-                  '10.36.0.0/15',
-                  '10.39.0.0/16',
-                  '10.48.0.0/17',
-                  '171.64.0.0/14',
-                  '172.16.0.0/12',
-                  '192.168.0.0/16',
-                  '204.63.224.0/21' ],
+    source   => $ip_ranges,
   }
 
   # Ensure the daemon is running.