SSH

Table of Contents

• Module Description
• Setup
  • What ssh affects
  • Setup requirements
  • Beginning with SSH
• Usage
  • SSH client
    • Managing client settings
    • Managing client settings for specific hosts
    • Managing additional client settings using ssh_config
    • Including the client by itself
  • SSH server
    • Managing server settings
    • Managing additional server settings
      • Using Hiera
      • Using sshd_config
    • Including the server by itself
  • Managing SSH ciphers
    • Server ciphers
    • Client ciphers
  • Managing ssh_authorized_keys
• Limitations
• Development
• Acceptance tests
  • Environment variables specific to pupmod-simp-ssh

Module Description

Manages the SSH Client and Server

Setup

What ssh affects

SSH installs the SSH package, runs the sshd service and manages files primarily in /etc/ssh

Setup requirements

The only requirement is including the ssh module in your modulepath

Beginning with SSH

include 'ssh'

Usage

Including ssh will manage both the server and the client with reasonable settings:

include 'ssh'

The ssh class automatically includes both the ssh::client and ssh:server classes. To exclude one or both of these classes, set the appropriate parameter to false as shown:

class{ 'ssh':
  enable_client => false,
  enable_server => false,
}

SSH client

Managing client settings

Including ssh::client with no other options will automatically manage client settings to be used with all hosts (Host *).

If you want to customize any of these settings, you must disable the creation of the default entry with ssh::client::add_default_entry: false and manage Host * manually with the defined type ssh::client::host_config_entry:

class{ 'ssh::client': add_default_entry => false }

ssh::client::host_config_entry{ '*':
  gssapiauthentication      => true,
  gssapikeyexchange         => true,
  gssapidelegatecredentials => true,
}

Managing client settings for specific hosts

Different settings for particular hosts can be managed by using the defined type ssh::client::host_config_entry:

# `ancient.switch.fqdn` only understands old ciphers:
ssh::client::host_config_entry { 'ancient.switch.fqdn':
  ciphers => [ 'aes128-cbc', '3des-cbc' ],
}

Managing additional client settings using ssh_config

If you need to customize a setting in /etc/ssh/ssh_config that ssh::client::host_config_entry doesn't manage, use the ssh_config type, provided by augeasproviders_ssh:

# RequestTTY isn't handled by ssh::client::host_config_entry
# Note: RequestTTY is not a valid ssh_config setting on OpenSSH where version < 5.9
ssh_config { 'Global RequestTTY':
  ensure => present,
  key    => 'RequestTTY',
  value  => 'auto',
}

Including the client by itself

include `ssh::client`

You can prevent all inclusions of ssh from inadvertently managing the SSH server by specifying ssh::enable_server: false:

class{ 'ssh':
  enable_client => true,
  enable_server => false,
}

SSH server

Managing server settings

Including ssh::server with the default options will manage the server with reasonable settings for each host's environment.

include 'ssh::server'

# Alternative:
# if `ssh::enable_server: true`, this will also work
include 'ssh'

If you want to customize any ssh::server settings, you must edit the parameters of ssh::server::conf using Hiera or ENC (Automatic Parameter Lookup). These customizations cannot be made directly using a resource-style class declaration; they must be made via APL:

---
# Note: Hiera only!
ssh::server::conf::port: 2222
ssh::server::conf::ciphers:
- '[email protected]'
- 'aes256-ctr'
- '[email protected]'
ssh::server::conf::ssh_loglevel: "verbose"
ssh::server::conf::gssapiauthentication: true

include 'ssh::server'

# Alternative:
# if `ssh::enable_server: true`, this will also work
include 'ssh'

Managing additional server settings

Using Hiera

Users may specify any undefined global sshd settings using the ssh::server::conf::custom_entries parameter as follows:

---
ssh::server::conf::custom_entries:
  GSSAPIKeyExchange: "yes"
  GSSAPICleanupCredentials: "yes"

NOTE: This is parameter is not validated. Be careful to only specify options that are allowed for your particular SSH daemon. Invalid options may cause the ssh service to fail on restart. Duplicate settings will result in duplicate Puppet resources (i.e., manifest compilation failures).

Using sshd_config

Prior to version 6.7.0 of the simp-ssh module, undefined sshd settings were managed with sshd_config_ type, provided by augeasproviders_ssh. Although this functionality has been incorporated into ssh::server::conf::custom_entries, it is still available, and in some cases such as Match entries, necessary to call directly.

The following examples illustrate Match entries using sshd_config:

Puppet:

include 'ssh::server'

sshd_config { 
  "AllowAgentForwarding":
    ensure    => present,
    condition => "Host *.example.net",
    value     => "yes",
}

# Specify unique names to avoid duplicate declarations and compilation failures
sshd_config { 
  "X11Forwarding foo":
    ensure    => present,
    keys      => "X11Forwarding",
    condition => "Host foo User root",
    value     => "yes",
}

To delete a sshd_config entry, simply set ensure to absent as shown:

sshd_config {
  "X11Forwarding foo":
    ensure => absent,
}

Including the server by itself

You can focus ssh on managing the SSH server by itself by specifying ssh::enable_client: false:

class{ 'ssh':
  enable_client => false,
  enable_server => true,
}

Note: including ssh::client directly would still manage the SSH client

Managing SSH ciphers

Unless instructed otherwise, the ssh:: classes select ciphers based on the OS environment (the OS version, the version of the SSH server, whether FIPS mode is enabled, etc).

Server ciphers

At the time of 6.4.0, the default ciphers for ssh::server on EL7 when FIPS mode is disabled are:

• [email protected]
• [email protected]
• aes256-ctr
• aes192-ctr
• aes128-ctr

There are also 'fallback' ciphers, which are required in order to communicate with systems that are compliant with FIPS-140-2. These are always included by default unless the parameter ssh::server::conf::enable_fallback_ciphers is set to false:

• aes256-ctr
• aes192-ctr
• aes128-ctr

At the time of 6.4.0, the 'fallback' ciphers are the default ciphers for ssh::server on EL7 when FIPS mode is enabled and EL6 in either mode.

Client ciphers

By default, the system client ciphers in /etc/ssh/ssh_config are configured to strong ciphers that are recommended for use.

If you need to connect to a system that does not support these ciphers but uses older or weaker ciphers, you should either:

• Manage an entry for that specific host using an additional ssh::client::host_config_entry, or:
• Connect to the client with custom ciphers specified by the command line option, ssh -c
  • You can see a list of ciphers that your ssh client supports with ssh -Q cipher.
  • See the ssh man pages for further information.

Either of the choices above are preferable to weakening the system-wide client settings unecessarily.

Managing ssh_authorized_keys

You can manage users authorized_keys file using the ssh::authorized_keys class and the ssh::authorized_keys::keys hiera value.

---
ssh::authorized_keys::keys:
  kelly: ssh-rsa skjfhslkdjfs...
  nick:
  - ssh-rsa sajhgfsaihd...
  - ssh-rsa jrklsahsgfs...
  mike:
    key: dlfkjsahh...
    type: ssh-rsa
    user: mlast
    target: /home/gitlab-runner/.ssh/authorized_keys

Limitations

SIMP Puppet modules are generally intended to be used on a Red Hat Enterprise Linux-compatible distribution.

Development

Please read our Contribution Guide.

If you find any issues, they can be submitted to our JIRA.

To see a list of development tasks available for this module, run

  bundle exec rake -T

Acceptance tests

To run the system tests, you need Vagrant installed.

You can then run the following to execute the acceptance tests:

   bundle exec rake beaker:suites

Some environment variables may be useful:

   BEAKER_debug=true
   BEAKER_destroy=onpass
   BEAKER_provision=no
   BEAKER_fips=yes

• BEAKER_debug: show the commands being run on the SUT and their output.
• BEAKER_destroy=onpass prevent the machine destruction if the tests fail.
• BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
• BEAKER_fips=yes: Provision the SUTs in FIPS mode.

Environment variables specific to pupmod-simp-ssh

   SIMP_SSH_report_dir=/PATH/TO/DIRECTORY

• SIMP_SSH_report_dir: If set to a valid directory, will record the Ciphers / MACs / kexalgorithms for each SSH server during the test. This can be used to validate and update the information in the Server ciphers section.

Reference

Table of Contents

Classes

• ssh: Sets up files for ssh.
• ssh::authorized_keys: Add ssh_authorized_keys via hiera in a loop
• ssh::client: Sets up a ssh client and creates /etc/ssh/ssh_config.
• ssh::client::params: Default parameters for the SSH client
• ssh::server: Sets up a ssh server and starts sshd.
• ssh::server::conf: Sets up sshd_config and adds an iptables rule if iptables is being used.
• ssh::server::params: Default parameters for the SSH Server

Defined types

• ssh::client::host_config_entry: Creates a host entry to ssh_config

Resource types

• sshkey_prune: The file that you wish to prune

Functions

• ssh::add_sshd_config: Add a sshd_config entry if it is not in the remove list
• ssh::autokey: Generates a random RSA SSH private and public key pair for a passed
• ssh::config_bool_translate: Translates true|false or 'true'|'false' to 'yes'|'no', respectively
• ssh::format_host_entry_for_sorting: A method to sensibly format sort SSH 'host' entries which contain
• ssh::global_known_hosts: Update the ssh_known_hosts files for all hosts, purging old files,
• ssh::parse_ssh_pubkey: Take an ssh pubkey that looks like: ssh-rsa jdlkfgjsdfo;i... [email protected] and turn it into a hash, usable in the ssh_authorized_key type

Data types

• Ssh::Authentications: Valid SSH Authentication Settings
• Ssh::Loglevel: Valid SSH Loglevels
• Ssh::PermitRootLogin: Valid Settings for PermitRootLogin
• Ssh::Syslogfacility: Valid SSH Syslog Facility Settings

Classes

ssh

Sets up files for ssh.

Parameters

The following parameters are available in the ssh class:

• enable_client
• enable_server

enable_client

Data type: Boolean

If true, set up the SSH client configuration files.

Default value: true

enable_server

Data type: Boolean

If true, set up an SSH server on the system.

Default value: true

ssh::authorized_keys

This class was designed so you can just paste the output of the ssh pubkey into hiera and it will work. See the example below for details.

WARNING

This creates a user for every key and every user in the Hash. If this is large, please consider moving to a central source for these keys, such as LDAP, so that you do not over-burden your Puppet server.

WARNING

• See also
  • https://puppet.com/docs/puppet/5.5/types/ssh_authorized_key.html

Examples

Adding user keys via Hiera

---
ssh::authorized_keys::keys:
  kelly: ssh-rsa skjfhslkdjfs...
  nick:
  - ssh-rsa sajhgfsaihd...
  - ssh-rsa jrklsahsgfs...
  mike:
    key: dlfkjsahh...
    type: ssh-rsa
    user: mlast
    target: /home/gitlab-runner/.ssh/authorized_keys

Parameters

The following parameters are available in the ssh::authorized_keys class:

• keys

keys

Data type: Hash

The hash to generate key resouces from

Default value: {}

ssh::client

Sets up a ssh client and creates /etc/ssh/ssh_config.

Parameters

The following parameters are available in the ssh::client class:

• add_default_entry
• fips
• haveged
• package_ensure

add_default_entry

Data type: Boolean

Set this if you wish to automatically have the '*' Host entry set up with some sane defaults.

Default value: true

fips

Data type: Boolean

If set or FIPS is already enabled, adjust for FIPS mode.

Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })

haveged

Data type: Boolean

If true, include the haveged module to assist with entropy generation.

Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })

package_ensure

Data type: String

The ensure status the openssh-clients package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

ssh::client::params

Default parameters for the SSH client

ssh::server

Sets up a ssh server and starts sshd.

Parameters

The following parameters are available in the ssh::server class:

• server_ensure
• ldap_ensure

server_ensure

Data type: String

The ensure status of the openssh-server package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

ldap_ensure

Data type: String

The ensure status of the openssh-ldap package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

ssh::server::conf

sshd configuration variables can be set using Augeas outside of this class with no adverse effects.

SSH Parameters ####

Custom Parameters ####

SIMP Parameters ####

Parameters

The following parameters are available in the ssh::server::conf class:

• acceptenv
• allowgroups
• allowusers
• manage_authorizedkeysfile
• authorizedkeysfile
• authorizedkeyscommand
• authorizedkeyscommanduser
• banner
• challengeresponseauthentication
• ciphers
• clientalivecountmax
• clientaliveinterval
• compression
• denygroups
• denyusers
• gssapiauthentication
• hostbasedauthentication
• ignorerhosts
• ignoreuserknownhosts
• kerberosauthentication
• kex_algorithms
• listenaddress
• logingracetime
• ssh_loglevel
• macs
• maxauthtries
• passwordauthentication
• permitemptypasswords
• permitrootlogin
• permituserenvironment
• port
• printlastlog
• protocol
• rhostsrsaauthentication
• strictmodes
• subsystem
• syslogfacility
• tcpwrappers
• usepam
• manage_pam_sshd
• oath
• oath_window
• useprivilegeseparation
• x11forwarding
• custom_entries
• remove_entries
• remove_subsystems
• app_pki_external_source
• app_pki_key
• enable_fallback_ciphers
• fallback_ciphers
• fips
• firewall
• haveged
• ldap
• pki
• sssd
• ensure_sssd_packages
• trusted_nets

acceptenv

Data type: Array[String]

Specifies what environment variables sent by the client will be copied into the sessions environment.

Default value: $ssh::server::params::acceptenv

allowgroups

Data type: Optional[Array[String]]

A list of group name patterns. If specified, login is allowed only for users whose primary or supplementary group list matches one of the patterns.

Default value: undef

allowusers

Data type: Optional[Array[String]]

A list of user name patterns. If specified, login is allowed only for users whose name matches one of the patterns.

Default value: undef

manage_authorizedkeysfile

Data type: Boolean

This will allow users to opt out of puppet managing their ssh authorized keys file. If set to false, authorizedkeysfile will be ignored.

Default value: true

authorizedkeysfile

Data type: String

This is set to a non-standard location to provide for increased control over who can log in as a given user.

Default value: '/etc/ssh/local_keys/%u'

authorizedkeyscommand

Data type: Optional[Stdlib::Absolutepath]

Specifies a program to be used for lookup of the user's public keys.

Default value: undef

authorizedkeyscommanduser

Data type: String

Specifies the user under whose account the AuthorizedKeysCommand is run.

Default value: 'nobody'

banner

Data type: Stdlib::Absolutepath

The contents of the specified file are sent to the remote user before authentication is allowed.

Default value: '/etc/issue.net'

challengeresponseauthentication

Data type: Boolean

Specifies whether challenge-response authentication is allowed.

Default value: false

ciphers

Data type: Optional[Array[String]]

Specifies the ciphers allowed for protocol version 2. When unset, a strong set of ciphers is automatically selected by this class, taking into account whether the server is in FIPS mode.

Default value: undef

clientalivecountmax

Data type: Integer

@see man page for sshd_config

Default value: 0

clientaliveinterval

Data type: Integer

@see man page for sshd_config

Default value: 600

compression

Data type: Variant[Boolean,Enum['delayed']]

Specifies whether compression is allowed, or delayed until the user has authenticated successfully.

Default value: 'delayed'

denygroups

Data type: Optional[Array[String]]

A list of group name patterns. If specified, login is disallowed for users whose primary or supplementary group list matches one of the patterns.

Default value: undef

denyusers

Data type: Optional[Array[String]]

A list of user name patterns. If specified, login is disallowed for users whose name matches one of the patterns.

Default value: undef

gssapiauthentication

Data type: Boolean

Specifies whether user authentication based on GSSAPI is allowed. If the system is connected to an IPA domain, this will be default to true, based on the existance of the ipa fact.

Default value: $ssh::server::params::gssapiauthentication

hostbasedauthentication

Data type: Boolean

@see man page for sshd_config

Default value: false

ignorerhosts

Data type: Boolean

@see man page for sshd_config

Default value: true

ignoreuserknownhosts

Data type: Boolean

@see man page for sshd_config

Default value: true

kerberosauthentication

Data type: Boolean

@see man page for sshd_config

Default value: false

kex_algorithms

Data type: Optional[Array[String]]

Specifies the key exchange algorithms accepted. When unset, an appropriate set of algorithms is automatically selected by this class, taking into account whether the server is in FIPS mode and whether the version of openssh installed supports this feature.

Default value: undef

listenaddress

Data type: Optional[Variant[Simplib::Host, Array[Simplib::Host]]]

Specifies the local addresses sshd should listen on.

Default value: undef

logingracetime

Data type: Integer[0]

The max number of seconds the server will wait for a successful login before disconnecting. If the value is 0, there is no limit.

Default value: 120

ssh_loglevel

Data type: Optional[Ssh::Loglevel]

Specifies the verbosity level that is used when logging messages from sshd.

Default value: undef

macs

Data type: Optional[Array[String]]

Specifies the available MAC algorithms. When unset, a strong set of ciphers is automatically selected by this class, taking into account whether the server is in FIPS mode.

Default value: undef

maxauthtries

Data type: Integer[1]

Specifies the maximum number of authentication attempts permitted per connection.

Default value: 6

passwordauthentication

Data type: Boolean

Specifies whether password authentication is allowed on the sshd server.

• This setting must be managed by default so that switching to and from OATH does not lock you out of your system.

Default value: true

permitemptypasswords

Data type: Boolean

When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.

Default value: false

permitrootlogin

Data type: Ssh::PermitRootLogin

Specifies whether root can log in using SSH.

Default value: false

permituserenvironment

Data type: Boolean

@see man page for sshd_config

Default value: false

port

Data type: Variant[Array[Simplib::Port],Simplib::Port]

Specifies the port number SSHD listens on.

Default value: 22

printlastlog

Data type: Boolean

Specifies whether SSHD should print the date and time of the last user login when a user logs in interactively.

Default value: false

protocol

Data type: Array[Integer[1,2]]

@see man page for sshd_config

Default value: [2]

rhostsrsaauthentication

Data type: Optional[Boolean]

This sshd option has been completely removed in openssh 7.4 and will cause an error message to be logged, when present. On systems using openssh 7.4 or later, only set this value if you need RhostsRSAAuthentication to be in the sshd configuration file to satisfy an outdated, STIG check.

Default value: $ssh::server::params::rhostsrsaauthentication

strictmodes

Data type: Boolean

@see man page for sshd_config

Default value: true

subsystem

Data type: String

Configures an external subsystem for file transfers.

Default value: 'sftp /usr/libexec/openssh/sftp-server'

syslogfacility

Data type: Ssh::Syslogfacility

Gives the facility code that is used when logging messages.

Default value: 'AUTHPRIV'

tcpwrappers

Data type: Boolean

If true, enable sshd tcpwrappers.

Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })

usepam

Data type: Boolean

Enables the Pluggable Authentication Module interface.

Default value: simplib::lookup('simp_options::pam', { 'default_value' => true })

manage_pam_sshd

Data type: Boolean

Flag indicating whether or not to manage the pam stack for sshd. This is required for the oath option to work properly.

Default value: $oath

oath

Data type: Boolean

EXPERIMENTAL FEATURE Configures ssh to use pam_oath TOTP in the sshd pam stack. Also configures sshd_config to use required settings. Inherits from simp_options::oath, defaults to false if not found.

Default value: simplib::lookup('simp_options::oath', { 'default_value' => false })

oath_window

Data type: Integer[0]

Sets the TOTP window (Defined in RFC 6238 section 5.2)

Default value: 1

useprivilegeseparation

Data type: Variant[Boolean,Enum['sandbox']]

Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic.

This option has no effect on OpenSSH >= 7.5.0 due to being deprecated.

Default value: 'sandbox'

x11forwarding

Data type: Boolean

Specifies whether X11 forwarding is permitted.

Default value: false

custom_entries

Data type: Optional[Hash[String[1],NotUndef]]

A Hash of key/value pairs that will be added as sshd_config resources without any validation.

• NOTE: Due to complexity, Match entries are not supported and will need to be added using sshd_config_match resources as described in augeasproviders_ssh

@example Set AuthorizedPrincipalsCommand

---

ssh::server::conf::custom_entries: AuthorizedPrincipalsCommand: '/usr/local/bin/my_auth_command'

Default value: undef

remove_entries

Data type: Optional[Array[String[1]]]

List of configuration parameters that will be removed.

• NOTE: Due to complexity, Match entries are not supported and will need to be removed using sshd_config_match resources as described in augeasproviders_ssh

Default value: undef

remove_subsystems

Data type: Optional[Array[String[1]]]

List of subsystems that will be removed.

Default value: undef

app_pki_external_source

Data type: String

• If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

• If pki = false, this variable has no effect.

Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })

app_pki_key

Data type: Stdlib::Absolutepath

Path and name of the private SSL key file. This key file is used to generate the system SSH certificates for consistency.

Default value: "/etc/pki/simp_apps/sshd/x509/private/${facts['networking']['fqdn']}.pem"

enable_fallback_ciphers

Data type: Boolean

If true, add the fallback ciphers from ssh::server::params to the cipher list. This is intended to provide compatibility with non-SIMP systems in a way that properly supports FIPS 140-2.

Default value: true

fallback_ciphers

Data type: Array[String]

The set of ciphers that should be used should no other cipher be declared. This is used when $ssh::server::conf::enable_fallback_ciphers is enabled.

Default value: $ssh::server::params::fallback_ciphers

fips

Data type: Boolean

If set or FIPS is already enabled, adjust for FIPS mode.

Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })

firewall

Data type: Boolean

If true, use the SIMP iptables class.

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })

haveged

Data type: Boolean

If true, include the haveged module to assist with entropy generation.

Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })

ldap

Data type: Boolean

If true, enable LDAP support on the system. If authorizedkeyscommand is empty, this will set the authorizedkeyscommand to ssh-ldap-wrapper so that SSH public keys can be stored directly in LDAP.

Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })

pki

Data type: Variant[Enum['simp'],Boolean]

• If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/sshd/x509
• If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/sshd/x509
• If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  • app_pki_dir
  • app_pki_key
  • app_pki_cert
  • app_pki_ca
  • app_pki_ca_dir

Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })

sssd

Data type: Boolean

If true, use sssd

Default value: simplib::lookup('simp_options::sssd', { 'default_value' => false })

ensure_sssd_packages

Data type: Variant[Boolean,Array[String[1]]]

A list of SSSD-related packages to ensure are installed on the system.

• Set to false to prevent package management.

Default value: ['sssd-common']

trusted_nets

Data type: Simplib::Netlist

The networks to allow to connect to SSH.

Default value: ['ALL']

ssh::server::params

• Curve exchange was not fully supported until openssh 6.5
• RhostsRSAAuthentication was removed in openssh 7.4

Defined types

ssh::client::host_config_entry

GSSAPI may be used.

the client's GSSAPI credentials will force the rekeying of the ssh connection.

trusted to securely canonicalize the name of the host being connected to.

Examples

Adding default entry

ssh::client::host_config_entry { '*':
  gssapiauthentication => true,
  forwardx11trusted    => true'
}

Parameters

The following parameters are available in the ssh::client::host_config_entry defined type:

• target
• address_family
• batchmode
• bindaddress
• challengeresponseauthentication
• checkhostip
• cipher
• ciphers
• clearallforwardings
• compression
• compressionlevel
• connectionattempts
• connecttimeout
• controlmaster
• controlpath
• dynamicforward
• enablesshkeysign
• escapechar
• exitonforwardfailure
• forwardagent
• forwardx11
• forwardx11trusted
• gatewayports
• globalknownhostsfile
• gssapiauthentication
• gssapidelegatecredentials
• gssapikeyexchange
• gssapirenewalforcesrekey
• gssapitrustdns
• hashknownhosts
• hostbasedauthentication
• hostkeyalgorithms
• hostkeyalias
• hostname
• identitiesonly
• identityfile
• kbdinteractiveauthentication
• kbdinteractivedevices
• localcommand
• localforward
• ssh_loglevel
• macs
• nohostauthenticationforlocalhost
• numberofpasswordprompts
• passwordauthentication
• permitlocalcommand
• port
• preferredauthentications
• protocol
• proxycommand
• pubkeyauthentication
• rekeylimit
• remoteforward
• rhostsrsaauthentication
• rsaauthentication
• sendenv
• serveralivecountmax
• serveraliveinterval
• smartcarddevice
• stricthostkeychecking
• tcpkeepalive
• tunnel
• tunneldevice
• useprivilegedport
• user
• userknownhostsfile
• verifyhostkeydns
• visualhostkey
• xauthlocation

target

Data type: Stdlib::Absolutepath

Absolute path to the ssh_config file to manage.

Default value: '/etc/ssh/ssh_config'

address_family

Data type: Enum['any', 'inet', 'inet6']

The IP Address family to use when connecting. Valid options: 'any', 'inet', 'inet6'.

Default value: 'any'

batchmode

Data type: Boolean

If set to true, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password.

Default value: false

bindaddress

Data type: Optional[Simplib::Host]

Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address. Note that this option does not work if UsePrivilegedPort is set to false.

Default value: undef

challengeresponseauthentication

Data type: Boolean

Specifies whether to use challenge-response authentication.

Default value: true

checkhostip

Data type: Boolean

If this flag is set to true, ssh will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing and will add addresses of destination hosts to ~/.ssh/known_hosts in the process, regardless of the setting of StrictHostKeyChecking.

Default value: true

cipher

Data type: Enum['blowfish', '3des', 'des']

Specifies the cipher to use for encrypting the session in protocol version 1. Valid Options: 'blowfish', '3des', 'des'.

Default value: '3des'

ciphers

Data type: Optional[Array[String]]

Specifies the ciphers allowed for protocol version 2 in order of preference. When unset, a strong set of ciphers is automatically selected by this class, taking into account whether the server is in FIPS mode.

Default value: undef

clearallforwardings

Data type: Boolean

Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared.

Default value: false

compression

Data type: Boolean

Specifies whether to use compression.

Default value: true

compressionlevel

Data type: Integer[1,9]

Specifies the compression level to use if compression is enabled.

Default value: 6

connectionattempts

Data type: Integer[1]

Specifies the number of tries (one per second) to make before exiting.

Default value: 1

connecttimeout

Data type: Integer[0]

Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout.

Default value: 0

controlmaster

Data type: Enum['yes','no','ask']

Enables the sharing of multiple sessions over a single network connection.

Default value: 'no'

controlpath

Data type: Optional[Variant[Stdlib::Absolutepath, Enum['none']]]

Specify the path to the control socket used for connection sharing as set by controlmaster.

Default value: undef

dynamicforward

Data type: Optional[Variant[Simplib::Port, Simplib::Host::Port]]

Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.

Default value: undef

enablesshkeysign

Data type: Boolean

Setting this option to true enables the use of the helper program ssh-keysign during HostbasedAuthentication.

Default value: false

escapechar

Data type: Pattern[/^[[:graph:]]$/, /^\^[[:alpha:]]$/, /^none$/]

Sets the default escape character. Must be a single character.

Default value: '~'

exitonforwardfailure

Data type: Boolean

Specifies whether ssh should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote port forwardings.

Default value: false

forwardagent

Data type: Boolean

Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine.

Default value: false

forwardx11

Data type: Boolean

Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set.

Default value: false

forwardx11trusted

Data type: Boolean

If set to true, remote X11 clients will have full access to the original X11 display.

Default value: false

gatewayports

Data type: Boolean

Specifies whether remote hosts are allowed to connect to local forwarded ports.

Default value: false

globalknownhostsfile

Data type: Optional[Array[Stdlib::Absolutepath]]

Specifies one or more files to use for the global host key database.

Default value: undef

gssapiauthentication

Data type: Boolean

Specifies whether user authentication based on GSSAPI is allowed. If the system is connected to an IPA domain, this will be set to true, regardless of this parameter. It uses the ipa fact to determine domain membership.

Default value: false

gssapidelegatecredentials

Data type: Boolean

Forward credentials to the server.

Default value: false

gssapikeyexchange

Data type: Boolean

Specifies whether key exchange based on

Default value: false

gssapirenewalforcesrekey

Data type: Boolean

If set to true then renewal of

Default value: false

gssapitrustdns

Data type: Boolean

Set to true to indicate that the DNS is

Default value: false

hashknownhosts

Data type: Boolean

Indicates that SSH should hash host names and addresses when they are added to known hosts.

Default value: true

hostbasedauthentication

Data type: Boolean

Specifies whether to try rhosts based authentication with public key authentication.

Default value: false

hostkeyalgorithms

Data type: Optional[Array[String]]

Specifies the host key algorithms that the client wants to use in order of preference.

Default value: undef

hostkeyalias

Data type: Optional[String]

Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files.

Default value: undef

hostname

Data type: Optional[Simplib::Host]

Specifies the real hostname to log into.

Default value: undef

identitiesonly

Data type: Boolean

Specifies that ssh should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh command-line, even if ssh-agent or a PKCS11Provider offers more identities.

Default value: false

identityfile

Data type: Optional[String]

Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication identity is read.

Default value: undef

kbdinteractiveauthentication

Data type: Boolean

Specifies whether to use keyboard-interactive authentication.

Default value: true

kbdinteractivedevices

Data type: Optional[Array[String]]

Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated.

Default value: undef

localcommand

Data type: Optional[String]

Specifies a command to execute on the local machine after successfully connecting to the server.

Default value: undef

localforward

Data type: Optional[String]

Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport.

Default value: undef

ssh_loglevel

Data type: Ssh::Loglevel

Gives the verbosity level that is used when logging messages. Valid options: 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', and 'DEBUG3'.

Default value: 'INFO'

macs

Data type: Optional[Array[String]]

Specifies the MAC (message authentication code) algorithms in order of preference. When unset, a strong set of algorithms is automatically selected by this class, taking into account whether the server is in FIPS mode.

Default value: undef

nohostauthenticationforlocalhost

Data type: Boolean

This option can be used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of the machines and the user will get many warnings about changed host keys. However, this option disables host authentication for localhost.

Default value: false

numberofpasswordprompts

Data type: Integer[1]

Specifies the number of password prompts before giving up.

Default value: 3

passwordauthentication

Data type: Boolean

Specifies whether to use password authentication.

Default value: true

permitlocalcommand

Data type: Boolean

Allow local command execution via the LocalCommand option or using the !command escape sequence.

Default value: false

port

Data type: Simplib::Port

Specifies the port number to connect on the remote host.

Default value: 22

preferredauthentications

Data type: Array[Ssh::Authentications]

Specifies the order in which the client should try authentication methods. The order will be determined from the start of the array to the end of the array. Default: ['publickey','hostbased','keyboard-interactive','password']

Default value:

[ 'publickey',
                                                                                              'hostbased',
                                                                                              'keyboard-interactive',
                                                                                              'password' ]

protocol

Data type: Variant[Integer[1,2], Enum['2,1']]

Specifies the protocol versions SSH should support.

Default value: 2

proxycommand

Data type: Optional[String]

Specifies the command to use to connect to the server.

Default value: undef

pubkeyauthentication

Data type: Boolean

Specifies whether to try public key authentication.

Default value: true

rekeylimit

Data type: Optional[String]

Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed a maximum amount of time that may pass before the session key is renegotiated.

Default value: undef

remoteforward

Data type: Optional[String]

Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine.

Default value: undef

rhostsrsaauthentication

Data type: Boolean

Specifies whether to try rhosts based authentication with RSA host authentication.

Default value: false

rsaauthentication

Data type: Boolean

Specifies whether to try RSA Authentication.

Default value: true

sendenv

Data type: Array[String]

Specifies what variables from the local environ should be sent to the server.

Default value:

[ 'LANG',
                                                                                              'LC_CTYPE',
                                                                                              'LC_NUMERIC',
                                                                                              'LC_TIME',
                                                                                              'LC_COLLATE',
                                                                                              'LC_MONETARY',
                                                                                              'LC_MESSAGES',
                                                                                              'LC_PAPER',
                                                                                              'LC_NAME',
                                                                                              'LC_ADDRESS',
                                                                                              'LC_TELEPHONE',
                                                                                              'LC_MEASUREMENT',
                                                                                              'LC_IDENTIFICATION',
                                                                                              'LC_ALL' ]

serveralivecountmax

Data type: Integer[1]

Sets the number of server alive messages (see below) which may be sent without ssh receiving any messages back from the server.

Default value: 3

serveraliveinterval

Data type: Integer[0]

Sets a timeout interval in seconds after which if no data has been received from the server. The default is 0, indicating that these messages will not be sent to the server.

Default value: 0

smartcarddevice

Data type: Optional[String]

Specifies which smartcard device to use.

Default value: undef

stricthostkeychecking

Data type: Enum['yes','no','ask']

If set to yes, ssh will never automatically add host keys to the known_hosts file, and refuses to connect to hosts whose keys have changed. If this flag is set to "ask", new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. Valid Options: 'yes', 'no', 'ask'

Default value: 'ask'

tcpkeepalive

Data type: Boolean

Specifies whether the system should send TCP keepalive messages to the other side.

Default value: true

tunnel

Data type: Enum['yes','no','point-to-point','ethernet']

If 'yes', request device forwarding between the client and server.

Default value: 'no'

tunneldevice

Data type: Optional[String]

Specifies the devices to open on the client and the server.

Default value: undef

useprivilegedport

Data type: Boolean

Specifies whether to use a privileged port for outgoing connections.

Default value: false

user

Data type: Optional[String]

Specifies the user to log in as.

Default value: undef

userknownhostsfile

Data type: Optional[Array[Stdlib::Absolutepath]]

Specifies one or more files to use for the user host key database, separated by whitespace.

Default value: undef

verifyhostkeydns

Data type: Enum['yes','no','ask']

Specifies whether to verify the remote key using DNS and SSHFP resource records.

Default value: 'no'

visualhostkey

Data type: Boolean

If this flag is set to true, an ASCII art representation of the remote host key fingerprint is printed in addition to the fingerprint string at login and for unknown host keys.

Default value: false

xauthlocation

Data type: Stdlib::Absolutepath

Specifies the full pathname of the xauth program.

Default value: '/usr/bin/xauth'

Resource types

sshkey_prune

The file that you wish to prune

Properties

The following properties are available in the sshkey_prune type.

prune

Valid values: true, false

Whether or not to prune the file in $name

Default value: true

Parameters

The following parameters are available in the sshkey_prune type.

• name
• provider

name

namevar

The file that you wish to prune

provider

The specific backend to use for this sshkey_prune resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

Functions

ssh::add_sshd_config

Type: Puppet Language

Add a sshd_config entry if it is not in the remove list

ssh::add_sshd_config(String[1] $key, Any $value, Variant[Array[String[1]],Undef] $remove_keys, Array[Type[Catalogentry]] $resources_to_notify = [ Service['sshd'] ])

Add a sshd_config entry if it is not in the remove list

Returns: Nil

key

Data type: String[1]

The name of the sshd configuration parameter

value

Data type: Any

The value of the sshd configuration parameter

remove_keys

Data type: Variant[Array[String[1]],Undef]

List of sshd configuration parameters to be removed

resources_to_notify

Data type: Array[Type[Catalogentry]]

Catalog resources to notify when the sshd configuration has changed

ssh::autokey

Type: Ruby 4.x API

user.

Keys are stored in "Puppet[:vardir]/simp/environments//simp_autofiles/ssh_autokeys"

Note: This function if marked as an InternalFunction because it changes the state of the system by writing key files.

ssh::autokey(String $username, Optional[Hash] $options)

The following options are supported:

• 'key_strength': key length, Integer, defaults to 2048
• 'return_private': whether to return the private key, Boolean, defaults to false NOTE: A minimum key strength of 1024 is enforced!

Returns: String The public key of the user

username

Data type: String

username for which SSH key pairs will be generated

options

Data type: Optional[Hash]

Options hash

ssh::autokey(String $username, Optional[Integer] $key_strength, Optional[Boolean] $return_private)

NOTE: A minimum key strength of 1024 is enforced!

Returns: String The public key of the user or the private key if return_private is specified.

username

Data type: String

username for which SSH key pairs will be generated

key_strength

Data type: Optional[Integer]

key length, defaults to 2048

return_private

Data type: Optional[Boolean]

whether to return the private key, defaults to false

ssh::config_bool_translate

Type: Ruby 4.x API

All other values are passed-through unchanged

ssh::config_bool_translate(String $config_item)

The ssh::config_bool_translate function.

Returns: Any transformed config_item

config_item

Data type: String

Configuration item to be translated

ssh::config_bool_translate(Boolean $config_item)

The ssh::config_bool_translate function.

Returns: Any transformed config_item

config_item

Data type: Boolean

Configuration item to be translated

ssh::format_host_entry_for_sorting

Type: Ruby 4.x API

wildcards and question marks.

The output is intended for use with the simpcat_fragment type and is not meant for use as a host entry itself.

The general idea is that it places all items at the bottom of the list using zzzz, then sorts by question marks first per section then wildcards per section.

Example: Input: '*' Output: 'zzzz98_st__'

Input: '*.foo.bar' Output: 'zzzz96_st__.foo.bar'

Input: 'foo.?.bar' Output: 'foo.zzzz95_qu__.bar'

Input: 'foo?.*.bar' Output: 'foozzzz96_qu.zzzz95_st.bar'

ssh::format_host_entry_for_sorting(String $host_entry)

wildcards and question marks.

The output is intended for use with the simpcat_fragment type and is not meant for use as a host entry itself.

The general idea is that it places all items at the bottom of the list using zzzz, then sorts by question marks first per section then wildcards per section.

Example: Input: '*' Output: 'zzzz98_st__'

Input: '*.foo.bar' Output: 'zzzz96_st__.foo.bar'

Input: 'foo.?.bar' Output: 'foo.zzzz95_qu__.bar'

Input: 'foo?.*.bar' Output: 'foozzzz96_qu.zzzz95_st.bar'

Returns: Any transformed host_entry

host_entry

Data type: String

SSH host entry, which may contain wildcards

ssh::global_known_hosts

Type: Ruby 4.x API

removing duplicates, and creating catalog resources that are found

Note: This function if marked as an InternalFunction because it changes the state of the system by adding/removing files and adding catalog resources.

ssh::global_known_hosts(Optional[Integer] $expire_days)

removing duplicates, and creating catalog resources that are found

Note: This function if marked as an InternalFunction because it changes the state of the system by adding/removing files and adding catalog resources.

Returns: None

expire_days

Data type: Optional[Integer]

expire time in days; defaults to 7; value of 0 means never purge

ssh::parse_ssh_pubkey

Type: Puppet Language

Take an ssh pubkey that looks like: ssh-rsa jdlkfgjsdfo;i... [email protected] and turn it into a hash, usable in the ssh_authorized_key type

ssh::parse_ssh_pubkey(String $key)

Take an ssh pubkey that looks like: ssh-rsa jdlkfgjsdfo;i... [email protected] and turn it into a hash, usable in the ssh_authorized_key type

Returns: Hash

key

Data type: String

The ssh key, can be pasted from ~/.ssh/id_rsa.pub or similar

Data types

Ssh::Authentications

Valid SSH Authentication Settings

Alias of Enum['publickey', 'hostbased', 'keyboard-interactive', 'password', 'gssapi-with-mic']

Ssh::Loglevel

Valid SSH Loglevels

Alias of Enum['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3']

Ssh::PermitRootLogin

Valid Settings for PermitRootLogin

Alias of Variant[Boolean, Enum['prohibit-password', 'without-password', 'forced-commands-only']]

Ssh::Syslogfacility

Valid SSH Syslog Facility Settings

Alias of Enum['DAEMON', 'USER', 'AUTH', 'AUTHPRIV', 'LOCAL0', 'LOCAL1', 'LOCAL2', 'LOCAL3', 'LOCAL4', 'LOCAL5', 'LOCAL6', 'LOCAL7']

• Tue Oct 01 2024 Steven Pritchard [email protected] - 6.20.0

• Update metadata upper bounds for puppet-augeasproviders_ssh and puppet-selinux

• Fri Sep 13 2024 Steven Pritchard [email protected] - 6.19.0

• [puppetsync] Update module dependencies to support simp-iptables 7.x

• Wed Jul 10 2024 Steven Pritchard [email protected] - 6.18.2

• Fix calls to FileUtils.mkdir_p to work on Ruby 3

• Tue Jun 18 2024 Rick Gardner [email protected] - 6.18.1

• Fixed custom fact on windows bug

• Wed Feb 07 2024 Mike Riddle [email protected] - 6.18.0

• [puppetsync] Update metadata upper bounds for puppet-nsswitch, puppet-gitlab, puppet-snmp, simp-pam, and simp-useradd

• Wed Dec 06 2023 Mike Riddle [email protected] - 6.17.1

• The module will now correctly handle a situation where /etc/localtime doesn't exist

• Mon Oct 23 2023 Steven Pritchard [email protected] - 6.17.0

• [puppetsync] Add EL9 support

• Wed Oct 18 2023 Steven Pritchard [email protected] - 6.16.1

• Replace calls to File.exists? with File.exist? for compatibility with Ruby 3

• Wed Oct 11 2023 Steven Pritchard [email protected] - 6.16.0

• [puppetsync] Updates for Puppet 8
  • These updates may include the following:
    • Update Gemfile
    • Add support for Puppet 8
    • Drop support for Puppet 6
    • Update module dependencies

• Thu Sep 07 2023 Steven Pritchard [email protected] - 6.15.0

• Add AlmaLinux 8 support

• Mon Jun 12 2023 Chris Tessmer [email protected] - 6.14.0

• Add RockyLinux 8 support

• Sat Oct 15 2022 Trevor Vaughan [email protected] - 6.13.1

• Remove unnecessary augeasproviders_core module dependency

• Mon Nov 29 2021 Mike Riddle [email protected] - 6.13.0

• Added an option to turn off managing the AuthorizedKeysFile parameter in /etc/ssh/sshd_config

• Thu Jun 17 2021 Chris Tessmer [email protected] - 6.12.0

• Removed support for Puppet 5
• Ensured support for Puppet 7 in requirements and stdlib

• Tue Apr 20 2021 Liz Nemsick [email protected] - 6.12.0

• Update to augeasproviders_ssh < 5.0.0

• Tue Apr 20 2021 Liz Nemsick [email protected] - 6.11.2

• Fixed a bug where some changes to sshd configuration did not cause the sshd service to restart.
  • sshd_config resources created by ssh::add_sshd_config() did not notify Service[sshd].
• Fixed a bug that caused a compilation error when ssh::conf::ensure_sshd_packages was set to true.
• Removed sshd configuration logic pertaining to OpenSSH versions used in EL6.

• Tue Mar 02 2021 Jeanne Greulich [email protected] - 6.11.2

• Updated server::conf to include the voxpupuli selinux module when calling selinux_port. This will ensure the packages that selinux_port needs are installed.
• Added memory to the testing nodesets for EL8 because running selinux_port was giving an out of memory error.

• Fri Feb 19 2021 Jeanne Greulich [email protected] - 6.11.2

• Openssh dropped support for SSH protocol 1 in version 8.0. EL8 installs openssh v8 by default. This fix checks the version of openssh when creating ssh_config host entries and removes those values that are no longer used.

• Wed Jan 13 2021 Chris Tessmer [email protected] - 6.11.2

• Removed EL6 from supported OSes

• Wed Nov 25 2020 Trevor Vaughan [email protected] - 6.11.2

• No longer set HostKeyAlgorithms on the client configuration by default

• Thu Nov 19 2020 Trevor Vaughan [email protected] - 6.11.1-0

• Migrate to the updated version of simp/selinux that allows for isolated package installation in support of the SELinux native types.
• Allow users to use the 'puppet/selinux' module instead of SIMP components.

• Tue Jul 07 2020 Trevor Vaughan [email protected] - 6.11.0-0

• Fix EL8 support when setting server::conf::manage_pam_sshd to true
• Remove dependency on the simp/sssd module
• Ensure that the sssd-common package is installed if required and allow the user to disable this if necessary
• Remove the Puppet 3 functions that were marked as deprecated in 2017

• Wed Feb 19 2020 Trevor Vaughan [email protected] - 6.10.0-0

• Added EL8 support
• Ensure that UsePrivilegeSeparation is removed from sshd_config on platforms that do not support it

• Thu Oct 24 2019 Liz Nemsick [email protected] - 6.9.0-0

• Added two ssh::server::conf parameters to allow users to ensure specific sshd configuration is removed from sshd_config:
  • ssh::server::conf::remove_entries
  • ssh::server::conf::remove_subsystems
• Allow use of simp-simplib 4.X.

• Fri Oct 18 2019 Kendall Moore [email protected] - 6.9.0-0

• Updated the default Tunnel setting to 'no' in ssh_config to match the man page

• Tue Aug 06 2019 Michael Morrone michael.morrone@@onyxpoint.com - 6.8.1-0

• Removed ensure from policycoreutils-python in server config for multiple port support to elimate duplicate declaration

• Tue Jul 30 2019 Trevor Vaughan [email protected] - 6.8.0-0

• Add multiple port support
  • The ssh::server::conf::port entry can now take an Array of ports
  • selinux_port resources are created for each non-standard entry
• Update the required version of simp-beaker-helpers to work around Highline issues in the compliance acceptance tests.

• Mon Jun 03 2019 Steven Pritchard [email protected] - 6.8.0-0

• Add v2 compliance_markup data
• Add support for puppetlabs-stdlib 6

• Wed May 29 2019 Trevor Vaughan [email protected] - 6.7.1-0

• Replace calls to 'system' with Puppet::Execution.execute in the ssh_autokey and ssh::autokeys functions.

• Mon Apr 29 2019 Trevor Vaughan [email protected] - 6.7.0-0

• Switched to selinux_port type for alternate SSH ports
• Added the ability for users to set custom sshd config entries via a Hash in Hiera.
• Made ListenAddress optional and documented EL6 bug

• Tue Apr 16 2019 Zach [email protected] - 6.7.0-0

• Add OATH support

• Thu Apr 11 2019 Bob Vincent [email protected] - 6.7.0-0

• Added support for the following SSH server configuration parameters:
  • AllowGroups
  • AllowUsers
  • DenyGroups
  • DenyUsers
  • LoginGraceTime
  • LogLevel
  • MaxAuthTries

• Tue Apr 09 2019 Joseph Sharkey [email protected] - 6.7.0-0

• Remove Elasticsearch and Grafana
• Updated tests in support of puppet6, and removed puppet4 support

• Tue Mar 19 2019 Liz Nemsick [email protected] - 6.6.1-0

• Use Puppet String in lieu of simplib's deprecated Puppet 3 to_string
• Use simplib::nets2ddq in lieu of deprecated Puppet 3 nets2ddq

• Mon Mar 04 2019 Liz Nemsick [email protected] - 6.6.0-0

• Expanded the upper limit of the stdlib Puppet module version
• Updated URLs in the README.md

• Tue Dec 04 2018 Jeanne Greulich [email protected] - 6.6.0-0

• Fix bug in which the sshd 'Subsystem' configuration specified by ssh::server::conf::subsystem was erroneously stripped of whitespace

• Thu Nov 15 2018 Nick Miller [email protected] - 6.6.0-0

• Added a new class, ssh::authorized_keys, that consumes a hash of ssh pubkeys
  • Users are meant to be able to paste the output of their pubkey into hiera
  • Arrays and hashes work too, though the hash option is not as smart as the others
  • Update README with a section on it
• Add REFERENCE.md

• Fri Oct 26 2018 Adam Yohrling [email protected] - 6.5.1-0

• Add ssh_host_keys fact to gather configured hostkey values from sshd
• Loop through all hostkeys and manage permissions for security and compliance

• Fri Oct 12 2018 Nick Miller [email protected] - 6.5.0-0

• Added the following package ensure parameters
  • $ssh::client::package_ensure
  • $ssh::server::server_ensure
  • $ssh::server::ldap_ensure
• Changed the defaults for all package ensures from 'latest' to the following:
  • simp_options::package_ensure when that parameter is present
  • 'installed' otherwise

• Thu Oct 11 2018 Zach [email protected] - 6.5.0-0

• Altered 00_default_spec.rb to stop deleting all ssh keys in test
• Replaced puppet_environment with puppet_collection in nodesets

• Tue Sep 11 2018 Nicholas Markowski [email protected] - 6.5.0-0

• Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.

• Wed Aug 29 2018 Trevor Vaughan [email protected] - 6.4.4-0

• Added a Ssh::PermitRootLogin data type
• Updated tests
• Added a check to fail on EL6 if 'prohibit-password' is set since it is not allowed on that platform.

• Thu Aug 23 2018 Adam Yohrling [email protected] - 6.4.4-0

• Added support for Oracle Linux
• Added support for Puppet 5

• Mon Aug 20 2018 Bryan Howard [email protected] - 6.4.4-0

• PermitRootLogin accepts more values than 'yes' and 'no'. Add support for 'without-password', 'prohibit-password', and 'forced-commands-only'.
• It was not possible to set PasswordAuthentication to 'no' because the conditional treated false the same as undef, which are intended to be different.

• Thu Aug 16 2018 Liz Nemsick [email protected] - 6.4.3-0

• By default, do not specify the obsolete RhostsRSAAuthentication configuration parameter in sshd_config on systems running openssh 7.4 or later. Beginning with openshh 7.4, sshd emits an error message when this parameter is present in sshd_config.

• Thu May 03 2018 Jeanne Greulich [email protected] - 6.4.2-0

• Added some variables for sshd_config to meet STIG requirements. Most are just confirmation of defaults with the exception of ClientAliveInterval and ClientAliveMaxCount which have been set to activate Client Alive checks.
• Added compliance tests to install setting from compliance markup module and then run inspec tests to check for compliance.
• Update version range of auditd dependency in metadata.json

• Wed Mar 14 2018 Chris Tessmer [email protected] - 6.4.1-0

• Removed unused Augeas lens sshd.aug

• Mon Mar 05 2018 Chris Tessmer [email protected] - 6.4.0-0

• Re-implemented ssh::client::host_config_entry using ssh_config:
  • Users can now customize additional SSH client options
  • Customizing ssh_config is consistent with sshd_config
  • Tweaked Augeas lens ssh.aug to handle HostKeyAlgorithms correctly
  • No change to the module's API
  • Removed concat .erb templates from old implementation
• Fixed idempotency bug with /var/empty/sshd/etc/localtime
  • Removed vestigial SIMP-1143 workaround from acceptance tests
• Fixed errors in README.md
  • Ciphers and Usage sections rewritten and verified, with tests
  • Added new environment variable SIMP_SSH_report_dir to acceptance tests to validate ciphers in README
  • Documented solution to SIMP-4440 and added acceptance test
• Removed cruft:
  • Removed grub from metadata.json and .fixtures.yml because nothing uses it
  • Removed NSCD-related cruft (/etc/pam_ldap.conf) from ancient ldap code

• Mon Feb 12 2018 Liz Nemsick [email protected] - 6.3.0-0

• Update upperbound on puppetlabs/concat version to < 5.0.0

• Fri Jan 19 2018 Nick Miller [email protected] - 6.3.0-0

• If the host has joined an IPA domain, set GSSAPIAuthentication to 'yes' in the ssh server and client configuration files.

• Wed Aug 30 2017 Trevor Vaughan [email protected] - 6.2.1-0

• Update to augeasproviders_grub 3

• Fri Aug 18 2017 Liz Nemsick [email protected] - 6.2.1-0

• Update concat version in metadata.json & build/rpm_metadata/requires

• Tue Jun 20 2017 Liz Nemsick [email protected] - 6.2.0-0

• Convert internally-used Puppet 3 functions to Puppet 4
  • ssh_config_bool_translate is now ssh::config_bool_translate
  • ssh_format_host_entry_for_sorting now ssh::format_host_entry_for_sorting
• Create Puppet 4 versions of externally-used Puppet 3 functions and mark the Puppet 3 functions as deprecated. They will be removed in a later release.
  • ssh_autokey should be replaced with ssh::autokey
  • ssh_global_known_hosts should be replaced with ssh::global_known_hosts

• Tue Mar 28 2017 Nicholas Hughes - 6.1.0-0

• Set permissions back to what the RPM sets and security scans expect
  • /etc/ssh/moduli
  • /var/empty/sshd
  • /var/empty/sshd/etc
  • /var/empty/sshd/etc/localtime

• Thu Mar 23 2017 Trevor Vaughan [email protected] - 6.1.0-0

• Reverted 'ssh::server::conf::trusted_nets' to 'ALL' by default to prevent lockouts from cloud systems

• Mon Mar 20 2017 Liz Nemsick [email protected] - 6.0.1-0

• move passgen to Puppet[:vardir]

• Thu Mar 9 2017 Dylan Cochran [email protected] - 6.0.1-0

• Remove some utf-8 smart quotes that were accidentally added to host_config_entry.pp

• Thu Feb 23 2017 Nick Miller [email protected] - 6.0.1-0

• Changed the default UsePrivilegeSeparation setting in sshd_config to use the vendor default of 'sandbox'
• Changed the default value of simp_options::trusted_nets to ['ALL'] to prevent permanent lockouts when a console isn't available.

• Thu Jan 19 2017 Nick Markowski [email protected] - 6.0.0-0

• Updated pki scheme, application certs now managed in /etc/pki/simp_apps/sshd/x509

• Tue Jan 10 2017 Trevor Vaughan [email protected] - 6.0.0-0

• Updated to use CTR ciphers instead of CBC as a fallback

• Tue Dec 20 2016 Liz Nemsick [email protected] - 6.0.0-0

• Use simp_options module for global catalysts
• Use strongly typed parameters
• Rename defined type ssh::client::add_entry to ssh::client::host_config_entry

• Wed Nov 23 2016 Jeanne Greulich [email protected] - 5.0.0-0

• Fix dependencies for simp 6 bump

• Mon Nov 21 2016 Chris Tessmer [email protected] - 5.0.0-0

• Updated to compliance_markup version 2

• Wed Nov 16 2016 Liz Nemsick [email protected] - 5.0.0-0

• Updated iptables dependency version

• Wed Oct 12 2016 Trevor Vaughan [email protected] - 5.0.0-0

• Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.

• Fri Sep 30 2016 Chris Tessmer [email protected] - 4.1.12-0

• Fixed dependencies in metadata.json prior to a Forge push.

• Wed Sep 28 2016 Chris Tessmer [email protected] - 4.1.11-0

• Fix Forge haveged dependency name

• Tue Sep 06 2016 Nick Markowski [email protected] - 4.1.10-0

• Modified AuthorizedKeysCommand to be /usr/bin/sss_ssh_authorizedkeys if sssd is enabled.

• Thu Aug 04 2016 Nick Miller [email protected] - 4.1.9-0

• Updated rpm requires to properly expire old versions

• Mon Jul 11 2016 Trevor Vaughan [email protected] - 4.1.8-0

• Migration to semantic versioning and fix of the build system

• Tue Jul 05 2016 Nick Miller [email protected] - 4.1.7-0

• The defaults for use_iptables and use_ldap will now follow the global catalysts. Updated acceptance tests.

• Thu Jun 30 2016 Nick Markowski [email protected] - 4.1.6-0

• Use_haveged is now a global catalyst.

• Wed Jun 22 2016 Nick Markowski [email protected] - 4.1.5-0

• Pupmod-haveged now included by default to assist with entropy generation.

• Tue Jun 07 2016 Nick Markowski [email protected] - 4.1.4-0

• The openssh_version fact is now compatible with ruby 1.8.7.

• Sat May 21 2016 Trevor Vaughan [email protected] - 4.1.4-0

• Ensure that we set the proper SELinux port connection options for sshd if using a non-standard port.

• Wed Apr 20 2016 Nick Markowski [email protected] - 4.1.3-0

• Created an openssh_version fact.
• Modified kex algorithm set:
  • No longer set kex prior to openssh v 5.7
  • Curve25519 kex only set in openssh v 6.5

• Tue Mar 22 2016 Nick Markowski [email protected] - 4.1.2-0

• Openssh-ldap is no longer installed when use_sssd is true.

• Sat Mar 19 2016 Trevor Vaughan [email protected] - 4.1.1-0

• Migrated use_simp_pki to a global catalyst.

• Mon Mar 14 2016 Nick Markowski [email protected] - 4.1.0-15

• Ensure that EL6.7 uses SSSD over NSCD

• Thu Feb 25 2016 Ralph Wright [email protected] - 4.1.0-14

• Added compliance function support

• Mon Jan 18 2016 Carl Caum [email protected] - 4.1.0-13

• Removed empty logic block that was causing compilation errors in Puppet 4.

• Wed Dec 09 2015 Nick Markowski [email protected] - 4.1.0-12

• CCE-3660-8 compliance. Do not allow empty ssh passwords.

• Fri Dec 04 2015 Chris Tessmer [email protected] - 4.1.0-12

• Replaced all 'lsb' facts with their (package-independent) 'operatingsystem' counterparts.
• Moved parameter validation to the top of each class.

• Fri Nov 20 2015 Trevor Vaughan [email protected] - 4.1.0-11

• Updated the code to work around a bug in the OpenSSH client where FIPS mode fails if the 'Cipher' parameter is present in /etc/ssh/ssh_config

• Mon Nov 09 2015 Chris Tessmer [email protected] - 4.1.0-11

• migration to simplib and simpcat (lib/ only)

• Fri Sep 18 2015 Nick Markowski [email protected] - 4.1.0-10

• Updated the ssh client ciphers to match the ssh server ciphers.

• Wed Jul 29 2015 Trevor Vaughan [email protected] - 4.1.0-9

• Incorporated the updated SSH Augeas Lenses
• Created a sub-rpm for the lenses to account for the modified license terms
• Added support for default KexAlgorithms
• Added sensible defaults for the SSH server in both FIPS and non-FIPS mode
• Note: I have not yet tested these in FIPS enforcing mode so adjustments may need to be made

• Fri Feb 20 2015 Trevor Vaughan [email protected] - 4.1.0-8

• Added support for the new augeasproviders_ssh module
• Migrated to the new 'simp' environment.

• Fri Feb 06 2015 Trevor Vaughan [email protected] - 4.1.0-7

• Made all of the custom functions environment aware
• Enhanced the ssh_keygen function to return private keys if so instructed since we can use that to eradicate some automatically generated cruft in the module spaces.
• Changed puppet-server requirement to puppet

• Fri Dec 19 2014 Trevor Vaughan [email protected] - 4.1.0-6

• Added a function, ssh_format_host_entry_for_sorting, that is explicitly for use by the concat_fragment part of ssh::client::add_entry. It handles proper sorting order when wildcards and question marks are used.

• Sun Jun 22 2014 Kendall Moore [email protected] - 4.1.0-5

• Removed all non FIPS compliant ciphers from ssh server and client configs.

• Thu Jun 19 2014 Trevor Vaughan [email protected] - 4.1.0-5

• Added support for the 'AuthorizedKeysCommandUser' in sshd_config since this is now required in RHEL >= 7.

• Thu Jun 05 2014 Nick Markowski [email protected] - 4.1.0-4

• Set compression off in sshd_config by default.

• Thu May 22 2014 Trevor Vaughan [email protected] - 4.1.0-3

• Fixed a resource chaining issue with /etc/ssh/ldap.conf. The source had not been declared properly so the dependency chain was not being enforced.

• Fri Apr 11 2014 Kendall Moore [email protected] - 4.1.0-2

• Refactored manifests and removed singleton defines for puppet 3 and hiera compatibility.
• Added spec tests.
• Added function sshd_config_bool_translate to translate booleans into yes/no variables.

• Sun Apr 06 2014 Trevor Vaughan [email protected] - 4.1.0-2

• Added hooks for various top-level variables for increased configuration flexibility.

• Tue Jan 28 2014 Kendall Moore [email protected] 4.1.0-1

• Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.
• Removed the management of most variables by default from ssh::server::conf. The remainder are now managed by an sshd augeas provider.
• ALL supported variables are now settable via extdata as ssh::server::conf::
• This means that you can easily manipulate any variable as well as setting those that are not natively managed using the augeas provider.
• This work was done for supporting OpenShift

• Thu Jan 02 2014 Trevor Vaughan [email protected] - 4.1.0-0

• AVC errors were being generated due to the /etc/ssh/ldap.conf file being a symlink. This is now copied directly from /etc/pam_ldap.conf instead of linked.

• Mon Oct 07 2013 Kendall Moore [email protected] - 4.0.0-2

• Updated all erb templates to properly scope variables.

• Wed Sep 25 2013 Trevor Vaughan [email protected] - 4.0.0-1

• Added the ability to modify the hosts that can connect to sshd via IPTables using a client_nets variable.

• Thu May 02 2013 Trevor Vaughan [email protected] - 4.0.0-0

• Changed all localtime symlinks to file copies since SELinux does not like symlinks in these cases.

• Tue Apr 16 2013 Nick Markowski [email protected] - 2.0.0-9

• All ssh public key authentication now directly uses LDAP.
• Added ldap.conf to /etc/ssh.
• Added openssh-ldap rpm and authorizedkeyscommand wrapper to template.
• SSH fully manages /etc/ssh/local_keys.

• Mon Dec 10 2012 Maintenance 2.0.0-8

• Created a Cucumber test to ensure that the SSH daemon is running.
• Created a Cucumber test which creates a temporary user, and ensures that they can SSH into the puppet server.

• Thu Nov 08 2012 Maintenance 2.0.0-7

• The ssh_global_known_hosts function now automatically deletes any short name key files that conflict with a long name file prior to manipulating the catalog.

• Fri Jul 20 2012 Maintenance 2.0.0-6

• Added a custom type 'sshkey_prune' that, given a target file, prunes all ssh keys that Puppet doesn't know about.
• Updated the ssh_global_known_hosts function to expire old keys after 7 days by default. Users may specify their own number of expire days or set to 0 to never expire any keys.

• Wed Apr 11 2012 Maintenance 2.0.0-5

• Fixed bug with ssh_global_known_hosts such that it uses 'host_aliases' instead of 'alias' since the latter has be deprecated.
• Moved mit-tests to /usr/share/simp...
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Maintenance 2.0.0-4

• Added the CBC ciphers back to the SSH server default config since their absence was causing issues with various scripting languages.
• Reformatted against the Puppet Labs style guide.
• Improved test stubs.

• Mon Dec 26 2011 Maintenance 2.0.0-3

• Updated the spec file to not require a separate file list.

• Tue May 31 2011 Maintenance - 2.0.0-2

• Set PrintLastLog to 'no' by default since this is now handled by PAM.
• Removed CBC ciphers from the client and server.
• No longer enable X11 forwarding on SSH servers by default.
• Reduce the acceptable SSH cipher set to AES without CBC.

• Fri Feb 11 2011 Maintenance - 2.0.0-1

• Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
• Updated to use concat_build and concat_fragment types.

• Tue Jan 11 2011 Maintenance 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Tue Oct 26 2010 Maintenance - 1-2

• Converting all spec files to check for directories prior to copy.

• Wed Jun 30 2010 Maintenance 1.0-1

• /etc/ssh/ssh_known_hosts is now collected from all puppet managed hosts without using stored configs.

• Tue May 25 2010 Maintenance 1.0-0

• Code refactoring.