# Sets up an OpenSSH server with an appropriate configuration. We need to
# support a few configuration variations depending on the vintage of the
# system, we lock connections down to campus with iptables by default, and we
# have a few subclasses that allow things like host keys.
#
# Concretely this class installs openssh-server, opens TCP/22 only to the
# listed campus networks, keeps the daemon running, drops in sshd_config and
# ssh_config through the base::ssh::config defined types, fixes up PAM on
# RHEL 6, removes any root authorized_keys left behind by the build, and
# quiets routine ssh messages in syslog.
class base::ssh {
  package { 'openssh-server': ensure => present }

  # Inbound SSH is restricted to campus address space.  Hosts that must be
  # reachable from elsewhere have to widen this in a subclass or override.
  base::iptables::rule { 'ssh':
    protocol => 'tcp',
    port     => '22',
    source   => [
      '10.32.0.0/15',
      '10.34.0.0/15',
      '10.36.0.0/15',
      '10.39.0.0/16',
      '10.48.0.0/17',
      '171.64.0.0/14',
      '172.16.0.0/12',
      '192.168.0.0/16',
      '204.63.224.0/21',
    ],
  }

  # The init service is called 'ssh' on the Debian family and 'sshd' on
  # RHEL.  The selector deliberately has no default: an unrecognised OS fails
  # at catalog compile time instead of guessing a service name.
  $sshd_service = $::operatingsystem ? {
    debian => 'ssh',
    ubuntu => 'ssh',
    redhat => 'sshd',
  }

  # Keep the daemon running; it cannot be managed before the package exists.
  Package['openssh-server'] -> Service['ssh']
  service { 'ssh':
    name   => $sshd_service,
    ensure => running,
  }

  # Drop in the server and client configuration files.
  base::ssh::config::sshd { '/etc/ssh/sshd_config': ensure => present }
  base::ssh::config::ssh  { '/etc/ssh/ssh_config':  ensure => present }

  # On RHEL 6 (lsb codename 'santiago') sshd's PAM stack is a link to the
  # shared system-auth stack.
  if $::lsbdistcodename == 'santiago' {
    file { '/etc/pam.d/sshd':
      ensure => link,
      target => '/etc/pam.d/system-auth',
    }
  }

  # Remove the authorized_keys files generated during the build process so
  # that no build-time key keeps working against root.  Note that this only
  # clears the key material; whether root may log in with a key at all is
  # decided by sshd_config (PermitRootLogin), presumably set by the sshd
  # config type above -- confirm there.  Some clients (HPC) will need to
  # override this (for GPFS, for example).
  file { ['/root/.ssh/authorized_keys', '/root/.ssh/authorized_keys2']:
    ensure => absent,
  }

  # Ignore routine ssh messages in syslog.
  file { '/etc/filter-syslog/ssh':
    source => 'puppet:///modules/base/ssh/etc/filter-syslog/ssh',
  }
}