This module manages OpenSSH server with a specific focus on managing security-related configurations in the sshd_config file. The default values should satisfy the following security controls:
- linux06.2001: Set SSH protocol to 2
- linux06.2002: Set LogLevel to VERBOSE
- linux06.2003: Set permissions on /etc/sshd_config
- linux06.2004: Disable SSH X11 Forwarding
- linux06.2005: Set SSH MaxAuthTries to 4 or less
- linux06.2006: Set IgnoreRhosts to Yes
- linux06.2007: Set HostbasedAuthentication to No
- linux06.2008: Disable SSH root login
- linux06.2009: Set SSH PermitEmptyPasswords to No
- linux06.2010: Do not allow users to set environment options
- linux06.2011: Use only approved ciphers in counter mode
- linux06.2012: Set idle timeout interval for user login
- linux06.2013: Limit access via SSH
- linux06.2014: Set SSH banner
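The controls above as an executable check. This is an added example and is not part of the ssh module or its tests; it audits an sshd_config file the way sshd reads it (keywords are case-insensitive, the first occurrence of a directive wins, and directives under a Match block are conditional, so they are not considered), prints one line per failing control, and returns the number of failures. The two sample configurations it writes are constructed for the demonstration; the weak one carries a CBC cipher, no idle timeout, no AllowUsers/AllowGroups restriction, and PermitRootLogin yes with a later PermitRootLogin no that sshd ignores.

```shell
#!/bin/sh
# Added example, not part of the ssh module: audit an sshd_config against the
# controls listed above.  Usage: sh sshd_audit.sh /etc/ssh/sshd_config

# Effective value of a directive, following sshd's own rules: keywords are
# case-insensitive, the FIRST occurrence wins, and lines after a Match block
# starts are conditional and so ignored.  The "Keyword=value" form is not handled.
sshd_get() { # $1 = file, $2 = keyword
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; exit }
    ' "$1"
}

fail() { echo "FAIL $1: $2"; fails=$((fails + 1)); }

# expect CONTROL KEYWORD WANT: directive present and equal to WANT (case-insensitive).
# An absent directive fails: sshd's compiled-in defaults differ between releases,
# which is why the module writes every value out explicitly.
expect() {
    v=$(sshd_get "$f" "$2")
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "$3" ] || fail "$1" "$2=${v:-<unset>} (want $3)"
}

# Audit the file named in $1: prints one FAIL line per control, returns the count.
sshd_audit() {
    f=$1; fails=0
    expect linux06.2001 Protocol 2
    expect linux06.2002 LogLevel verbose
    [ -z "$(find "$f" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \))" ] \
        || fail linux06.2003 "$f is group- or world-accessible"
    expect linux06.2004 X11Forwarding no
    v=$(sshd_get "$f" MaxAuthTries)
    { [ -n "$v" ] && [ "$v" -le 4 ]; } 2>/dev/null || fail linux06.2005 "MaxAuthTries=${v:-<unset>}"
    expect linux06.2006 IgnoreRhosts yes
    expect linux06.2007 HostbasedAuthentication no
    expect linux06.2008 PermitRootLogin no
    expect linux06.2009 PermitEmptyPasswords no
    expect linux06.2010 PermitUserEnvironment no
    v=$(sshd_get "$f" Ciphers)   # every listed cipher must be a counter-mode one
    bad=$(printf '%s' "$v" | tr ',' '\n' | grep -v -- '-ctr$' || true)
    { [ -n "$v" ] && [ -z "$bad" ]; } || fail linux06.2011 "Ciphers=${v:-<unset>}"
    v=$(sshd_get "$f" ClientAliveInterval)   # idle timeout set, at most 15 minutes
    { [ -n "$v" ] && [ "$v" -ge 1 ] && [ "$v" -le 900 ]; } 2>/dev/null \
        || fail linux06.2012 "ClientAliveInterval=${v:-<unset>}"
    [ -n "$(sshd_get "$f" AllowUsers)$(sshd_get "$f" AllowGroups)" ] \
        || fail linux06.2013 "neither AllowUsers nor AllowGroups is set"
    [ -n "$(sshd_get "$f" Banner)" ] || fail linux06.2014 "Banner is unset"
    return $fails
}

# Constructed sample configs for the demonstration (not taken from any host).
write_good_config() {
    cat > "$1" <<'EOF'
Protocol 2
LogLevel VERBOSE
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 300
ClientAliveCountMax 0
AllowGroups sshusers
Banner /etc/issue.net
EOF
}

# The weak sample: a naive grep for "PermitRootLogin no" would accept it, but sshd
# honours the lower-case first occurrence, which says yes.
write_weak_config() {
    cat > "$1" <<'EOF'
Protocol 2
LogLevel INFO
X11Forwarding yes
MaxAuthTries 6
IgnoreRhosts yes
HostbasedAuthentication no
permitrootlogin yes
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes256-ctr,aes256-cbc
ClientAliveInterval 0
ClientAliveCountMax 0
Banner /etc/issue.net
PermitRootLogin no
EOF
}

if [ $# -gt 0 ]; then
    sshd_audit "$1"
else
    tmp=$(mktemp); write_weak_config "$tmp"; chmod 644 "$tmp"
    sshd_audit "$tmp" || echo "$? control(s) failed"
    rm -f "$tmp"
fi
```

Run it with no argument to see the eight failures the weak sample produces (the file mode check fails too, because the sample is written with mode 644), or point it at a real sshd_config after a Puppet run to confirm the module's defaults landed. Ownership by root is not checked here, and the script does not evaluate Match blocks, so a host that relaxes settings under Match still needs a manual look.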
To use this module, simply include the ssh class (include ssh). It will run with the default
parameter values (see Parameters below) or with whatever parameter
values have been specified in Hiera.
You can also declare the class with your own values:

    class { 'ssh':
      client_alive_interval => '900',
      permit_root_login     => 'yes',
      port                  => '9009',
      x11_forwarding        => 'yes',
    }

Note that this particular declaration weakens the defaults: permit_root_login => 'yes' and x11_forwarding => 'yes' no longer satisfy linux06.2008 and linux06.2004. Override a default only where that control's risk has been accepted.

The module supports a number of parameters. Most of these are applied to the
sshd_config file via the sshd_config.erb
template, so values should be passed in as you would expect them to appear in
sshd_config. For information on how OpenSSH uses these values, refer to the
sshd_config manpage (man sshd_config).
Defaults to an empty string, resulting in no entry being added to sshd_config.
Valid values are 'yes', 'no'. Defaults to 'no'.
Defaults to an empty string, resulting in no entry being added to sshd_config.
A comma-separated list of ciphers to support. Defaults to 'aes128-ctr,aes192-ctr,aes256-ctr'. Only the three counter-mode entries satisfy linux06.2011; the CBC and arcfour entries are accepted by the module for legacy clients but should not be enabled on a hardened host. Note also that arcfour, arcfour128, arcfour256, blowfish-cbc and cast128-cbc were removed from OpenSSH in release 7.6, and sshd will refuse a Ciphers line that names a cipher it does not support, so check the installed version before listing them. Valid entries are:
- 3des-cbc
- aes128-cbc
- aes192-cbc
- aes256-cbc
- aes128-ctr
- aes192-ctr
- aes256-ctr
- arcfour128
- arcfour256
- arcfour
- blowfish-cbc
- cast128-cbc
Defaults to '0'.
Defaults to '300'.
Defaults to an empty string, resulting in no entry being added to sshd_config.
Defaults to an empty string, resulting in no entry being added to sshd_config.
Valid values are 'yes', 'no'. Defaults to 'no'.
Valid values are 'yes', 'no'. Defaults to 'yes'.
The local address(es) that sshd should listen on. Defaults to '0.0.0.0' (all local IPv4 addresses). This default does not bind IPv6; add '::' if the host should also accept IPv6 connections.
Sets the logging level for sshd. Valid values are 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3'. Defaults to 'VERBOSE'.
Defaults to 'hmac-sha1'. OpenSSH 5.9 and later also support hmac-sha2-256 and hmac-sha2-512, which are preferable where every client supports them.
Defaults to '4'.
Sets the desired package state of the (SSH) package specified by the
package_name parameter. Valid values are the same as those
for the Puppet package resource.
Note that specifying a package version number here will pin that version and
ensure it is installed (if available from a package repository). Defaults to
'present'.
The name of the package to install. Defaults to 'openssh-server'.
Valid values are 'yes', 'no'. Defaults to 'no'.
Valid values are 'yes', 'no'. Defaults to 'no'.
Valid values are 'yes', 'no'. Defaults to 'no'.
The port on which sshd should listen. Defaults to '22'.
Defaults to '2'.
Valid values are 'yes', 'no'. Defaults to 'no'.
Whether the sshd service should be started on boot. Valid values
are the same as those for the Puppet service resource.
Defaults to true.
The desired state of the sshd service. Valid values are the same as those for the Puppet service resource.
Defaults to 'running'.
The banner to apply for SSH logins. Defaults to '/etc/motd'. Note that sshd sends the Banner file to the remote client before authentication, so it should contain only text that is safe to show to anonymous connections (a legal notice, not system details).
Valid values are 'yes', 'no'. Defaults to 'no'.