From f83dfce70aae5aa53b776bdfb3d1cce0ce59febd Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Thu, 22 Jun 2017 19:38:29 -0700
Subject: [PATCH] Add @max_sessions option
---
 NEWS | 4 ++++
 manifests/ssh/config/sshd.pp | 6 ++++++
 templates/ssh/sshd_config.erb | 9 +++++++++
 3 files changed, 19 insertions(+)
diff --git a/NEWS b/NEWS
index 03823f8..c868bb2 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+release/005.008 (unreleased)
+
+ [ssh] Add $max_sessions options. [adamhl]
+
 release/005.007 (2017-06-22)
 [kerberos] Add option to completely override /etc/krb5.conf using
diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index 2c408d0..3c0cbf1 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -26,6 +26,11 @@
 #
 # If $rootloginwithpswd is set to 'no' then we allow root logins using
 # GSSAPI only.
+#
+# $max_sessions: if you want to allow more than the default of 10
+# connections per network connection, set it here. This is particularly
+# useful for bastion hosts.
+# Default: undef
 define base::ssh::config::sshd(
 $ensure = 'present',
@@ -41,6 +46,7 @@ define base::ssh::config::sshd(
 $listen_ports = '22',
 $rootloginwithpswd = 'no',
 $pam_duo = false,
+ $max_sessions = 'NOT DEFINED',
 ) {
 if ($source) {
 $template = undef
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 7d862da..7084e3c 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -121,6 +121,15 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Match User gitolite
 ForceCommand /usr/share/gitolite/gitolite-wrapper
 <% end -%>
+<%- if (@max_sessions != 'NOT DEFINED') then -%>
+
+<%- if (@max_sessions <= 10) then -%>
+# Allow fewer sessions
+<%- else -%>
+# Allow more sessions
+<%- end -%>
+MaxSessions <%= @max_sessions %>
+<%- end -%>
 <% if (@pam_duo) and (@rootloginwithpswd == 'no') then -%>
 # Because we are enabling Duo but root logins cannot use Duo (yet),
--
GitLab
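Review bot: The added doc comment in manifests/ssh/config/sshd.pp (hunk `@@ -26,6 +26,11 @@`) says `# Default: undef`, but the parameter added in the next hunk defaults to the string `'NOT DEFINED'`, so the documented default is not what callers get. It also describes the limit as "connections per network connection", whereas sshd's MaxSessions counts open shell, login or subsystem sessions per network connection. I would reword it to `# $max_sessions: maximum number of open sessions per network connection` and `# Default: 'NOT DEFINED' (no MaxSessions line is written)`. Since the template also handles values at or below 10, a sentence noting that 1 disables session multiplexing and 0 blocks shell, login and subsystem sessions while still permitting forwarding would help operators who lower the limit.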
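Review bot: `$max_sessions` in the second sshd.pp hunk (`@@ -41,6 +46,7 @@`) is accepted without any type or range check, yet the template compares it with `<= 10` and writes it verbatim after `MaxSessions`. A quoted value such as `'20'` (the neighbouring `$listen_ports = '22'` shows string numbers are in use here) would make that Ruby comparison raise and fail template rendering, and any non-numeric string other than the sentinel reaches sshd_config unchecked. A guard in the define body that calls `fail()` unless the value is the sentinel or a non-negative integer would catch both cases before the file is written. The define body continues outside the hunk, so I cannot see whether validation already exists further down.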
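Review bot: The new `MaxSessions` block in templates/ssh/sshd_config.erb is emitted directly after the `Match User gitolite` block, and sshd applies every keyword that follows a `Match` line only to that match until the next `Match` or end of file. When the gitolite section is rendered (its opening conditional is outside the hunk), the limit would therefore apply to the gitolite user alone rather than globally, which is easy to miss when the option is used to tighten a bastion host. Moving the block into the global section above the first `Match` line avoids this. Separately, `<= 10` labels the stock value 10 as "Allow fewer sessions"; `< 10` with a third branch, or a single neutral comment, would be accurate.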