Merge pull request redhat-openstack#19 from saz/devel

Mergel current development branch
xbezdick · Feb 25, 2014 · 121e5c4 · 121e5c4
2 parents 10426ab + a249e85
commit 121e5c4
Show file tree

Hide file tree

Showing 11 changed files with 247 additions and 117 deletions.
diff --git a/Modulefile b/Modulefile
@@ -1,5 +1,5 @@
 name    'saz-ssh'
-version '1.4.0'
+version '2.0.0'
 source 'git://github.com/saz/puppet-ssh.git'
 author 'saz'
 license 'Apache License, Version 2.0'

diff --git a/README.markdown b/README.markdown
@@ -2,27 +2,156 @@
 
 Manage SSH client and server via Puppet
 
-## Client only
+### Gittip
+[![Support via Gittip](https://rawgithub.com/twolfson/gittip-badge/0.2.0/dist/gittip.png)](https://www.gittip.com/saz/)
+
+## Requirements
+* Exported resources for host keys management
+* puppetlabs/stdlib
+
+## Usage
+
+Since version 2.0.0 only non-default values are written to both,
+client and server, configuration files.
+
+Multiple occurances of one config key (e.g. sshd should be listening on
+port 22 and 2222) should be passed as an array.
+
+```
+    options => {
+      Port => [22, 2222],
+    }
+```
+
+This is working for both, client and server
+
+### Both client and server
+Host keys will be collected and distributed
+
+```
+    include ssh
+```
+
+or
+
+```
+    class { 'ssh':
+      server_options => {
+        'Match User www-data' => {
+          'ChrootDirectory' => '%h',
+          'ForceCommand' => 'internal-sftp',
+          'PasswordAuthentication' => 'yes',
+          'AllowTcpForwarding' => 'no',
+          'X11Forwarding' => 'no',
+        },
+        Port => [22, 2222, 2288],
+      },
+      client_options => {
+        'Host *.amazonaws.com' => {
+          'User' => 'ec2-user',
+        },
+      },
+    }
+```
+
+### Client only
 Collected host keys from servers will be written to known_hosts
 
 ```
     include ssh::client
 ```
 
-## Server only
+or
+
+```
+    class { 'ssh::client':
+      options => {
+        'Host short' => {
+          'User' => 'my-user',
+          'HostName' => 'extreme.long.and.complicated.hostname.domain.tld',
+        },
+        'Host *' => {
+          'User' => 'andromeda',
+          'UserKnownHostsFile' => '/dev/null',
+        },
+      },
+    }
+```
+
+### Server only
 Host keys will be collected for client distribution
 
 ```
     include ssh::server
 ```
 
-## Both client and server
-Host keys will be collected and distributed
+or
 
 ```
-    include ssh
+    class { 'ssh::server':
+      options => {
+        'Match User www-data' => {
+          'ChrootDirectory' => '%h',
+          'ForceCommand' => 'internal-sftp',
+          'PasswordAuthentication' => 'yes',
+          'AllowTcpForwarding' => 'no',
+          'X11Forwarding' => 'no',
+        },
+        'PasswordAuthentication' => 'no',
+        'PermitRootLogin'        => 'no',
+        'Port'                   => [22, 2222],
+      },
+    }
 ```
 
-# Requirements
-Requires Exported resources and augeas in order to work
+## Default options
+
+### Client
 
+```
+    'Host *'                 => {
+      'SendEnv'              => 'LANG LC_*',
+      'HashKnownHosts'       => 'yes',
+      'GSSAPIAuthentication' => 'yes',
+    }
+```
+
+### Server
+
+```
+    'ChallengeResponseAuthentication' => 'no',
+    'X11Forwarding'                   => 'yes',
+    'PrintMotd'                       => 'no',
+    'AcceptEnv'                       => 'LANG LC_*',
+    'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
+    'UsePAM'                          => 'yes',
+```
+
+## Overwriting default options
+Default options will be merged with options passed in.
+If an option is set both as default and via options parameter, the latter will
+will win.
+
+The following example will disable X11Forwarding, which is enabled by default:
+
+```
+    class { 'ssh::server':
+      options           => {
+        'X11Forwarding' => 'no',
+      },
+    }
+```
+
+Which will lead to the following sshd_config file:
+
+```
+# File is managed by Puppet
+
+ChallengeResponseAuthentication no
+X11Forwarding no
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+PasswordAuthentication no
+```
diff --git a/manifests/client.pp b/manifests/client.pp
@@ -1,6 +1,18 @@
-class ssh::client {
-  include ssh::params
+class ssh::client(
+  $options = {}
+) inherits ssh::params {
+  $merged_options = merge($ssh::params::ssh_default_options, $options)
+
   include ssh::client::install
   include ssh::client::config
   include ssh::knownhosts
+
+  anchor { 'ssh::client::start': }
+  anchor { 'ssh::client::end': }
+
+  Anchor['ssh::client::start'] ->
+  Class['ssh::client::install'] ->
+  Class['ssh::client::config'] ->
+  Class['ssh::knownhosts'] ->
+  Anchor['ssh::client::end']
 }
diff --git a/manifests/client/config.pp b/manifests/client/config.pp
@@ -1,8 +1,8 @@
-class ssh::client::config inherits ssh { 
+class ssh::client::config { 
   file { $ssh::params::ssh_config:
     ensure  => present,
-    owner   => 'root',
-    group   => 'root',
+    owner   => 0,
+    group   => 0,
     content => template("${module_name}/ssh_config.erb"),
     require => Class['ssh::client::install'],
   }

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -1,6 +1,12 @@
 class ssh (
-  $disable_user_known_hosts = true
-) {
-  include ssh::server
-  include ssh::client
+  $server_options = {},
+  $client_options = {}
+) inherits ssh::params {
+  class { 'ssh::server':
+    options => $server_options,
+  }
+
+  class { 'ssh::client':
+    options => $client_options,
+  }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -32,4 +32,21 @@
       }
     }
   }
+
+  $sshd_default_options = {
+    'ChallengeResponseAuthentication' => 'no',
+    'X11Forwarding'                   => 'yes',
+    'PrintMotd'                       => 'no',
+    'AcceptEnv'                       => 'LANG LC_*',
+    'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
+    'UsePAM'                          => 'yes',
+  }
+
+  $ssh_default_options = {
+    'Host *'                 => {
+      'SendEnv'              => 'LANG LC_*',
+      'HashKnownHosts'       => 'yes',
+      'GSSAPIAuthentication' => 'yes',
+    },
+  }
 }
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -1,8 +1,22 @@
-class ssh::server {
-  include ssh::params
+class ssh::server(
+  $options         = {}
+) inherits ssh::params {
+  $merged_options = merge($ssh::params::sshd_default_options, $options)
+
   include ssh::server::install
   include ssh::server::config
   include ssh::server::service
   include ssh::hostkeys
   include ssh::knownhosts
+
+  anchor { 'ssh::server::start': }
+  anchor { 'ssh::server::end': }
+
+  Anchor['ssh::server::start'] ->
+  Class['ssh::server::install'] ->
+  Class['ssh::server::config'] ~>
+  Class['ssh::server::service'] ->
+  Class['ssh::hostkeys'] ->
+  Class['ssh::knownhosts'] ->
+  Anchor['ssh::server::end']
 }
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
@@ -1,11 +1,10 @@
 class ssh::server::config {
   file { $ssh::params::sshd_config:
     ensure  => present,
-    owner   => 'root',
-    group   => 'root',
+    owner   => 0,
+    group   => 0,
     mode    => '0600',
-    replace => false,
-    source  => "puppet:///modules/${module_name}/sshd_config",
+    content => template("${module_name}/sshd_config.erb"),
     require => Class['ssh::server::install'],
     notify  => Class['ssh::server::service'],
   }

diff --git a/manifests/server/configline.pp b/manifests/server/configline.pp