ssh-puppet

[root@server ~]# puppet module search ssh
Notice: Searching https://forgeapi.puppetlabs.com
NAME DESCRIPTION AUTHOR KEYWORDS
aptituz-ssh puppet module to manage ssh @aptituz hostkey openssh ssh
systemsathomesdotcom-ssh puppet module to manage ssh @systemsathomesdotcom hostkey openssh ssh
attachmentgenie-ssh Puppet ssh Module @attachmentgenie ssh-server ssh-client ssh
thias-ssh SSH module @thias openssh ssh sshd
spiette-ssh openssh server and client configuration @spiette ssh debian ubuntu rhel
dhoppe-ssh This module installs, configures and manages the SSH s… @dhoppe ssh
thbe-ssh SSH management module @thbe rhel redhat scientific ssh
mtulio-ssh Module to manage SSH server and their config file. @mtulio openssh sshd ssh linux
ghoneycutt-ssh Manages SSH @ghoneycutt ssh sshd openssh sshkey
halyard-ssh Configure ssh via Boxen @halyard
saz-ssh Manage SSH client and server via Puppet. @saz ssh hosts server fedora sshd

———————————————————————————–
[root@server ~]# puppet module install saz-ssh
Notice: Preparing to install into /etc/puppet/modules …
Notice: Downloading from https://forgeapi.puppetlabs.com
Notice: Installing — do not interrupt …
/etc/puppet/modules
└─┬ saz-ssh (v2.8.1)
├── puppetlabs-concat (v2.1.0)
└── puppetlabs-stdlib (v4.12.0)
———————————————————————————–
[root@server ~]# ln /etc/puppet/hieradata/common.yaml /var/lib/hiera/common.yaml

[root@server ~]# cat /etc/puppet/hieradata/common.yaml

classes:
  - 'ssh'
sshd::storeconfigs_enabled: false
sshd::server_options:
  PrintMotd: 'yes'
  Protocol: '2'
  PasswordAuthentication: 'yes'
  PermitRootLogin: 'yes'
  SyslogFacility: 'AUTHPRIV'
———————————————————————————–
[root@client ~]# cat /etc/ssh/sshd_config | grep -i root
#PermitRootLogin yes

[root@client ~]# cat /etc/ssh/sshd_config | grep -i PrintMotd
#PrintMotd yes

[root@client ~]# cat /etc/ssh/sshd_config | grep -i SyslogFacility
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
———————————————————————————–
[root@client ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for client.puppet.com
Info: Applying configuration version '1465746254'
Notice: /Stage[main]/Ssh::Client::Config/File[/etc/ssh/ssh_config]/content:
— /etc/ssh/ssh_config 2015-07-24 02:01:22.000000000 -0400
+++ /tmp/puppet-file20160612-6308-1l0ayfs-0 2016-06-12 11:44:17.983854912 -0400
@@ -1,59 +1,5 @@
-# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
+# File managed by Puppet

-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.

-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.

-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.

-# Host *
-# ForwardAgent no
-# ForwardX11 no
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
-# PasswordAuthentication yes
-# HostbasedAuthentication no
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# GSSAPIKeyExchange no
-# GSSAPITrustDNS no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/identity
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# Port 22
-# Protocol 2,1
-# Cipher 3des
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
-# EscapeChar ~
-# Tunnel no
-# TunnelDevice any:any
-# PermitLocalCommand no
-# VisualHostKey no
Host *
– GSSAPIAuthentication yes
-# If this option is set to yes then remote X11 clients will have full access
-# to the original X11 display. As virtually no X11 client supports the untrusted
-# mode correctly we set this to yes.
– ForwardX11Trusted yes
-# Send locale-related environment variables
– SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
– SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
– SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
– SendEnv XMODIFIERS
+ HashKnownHosts yes
+ SendEnv LANG LC_*

Info: Computing checksum on file /etc/ssh/ssh_config
Info: /Stage[main]/Ssh::Client::Config/File[/etc/ssh/ssh_config]: Filebucketed /etc/ssh/ssh_config to puppet with sum 69908a2d0c5ca21a2b1685defbf4cf8b
Notice: /Stage[main]/Ssh::Client::Config/File[/etc/ssh/ssh_config]/content: content changed '{md5}69908a2d0c5ca21a2b1685defbf4cf8b' to '{md5}6b6e968bce40150262b7ab85822e7c07'
Notice: /Stage[main]/Ssh::Client::Config/File[/etc/ssh/ssh_known_hosts]/ensure: created
Notice: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/etc/ssh/sshd_config]/content:
— /etc/ssh/sshd_config 2015-07-24 02:01:22.000000000 -0400
+++ /tmp/puppet-file20160612-6308-mjiana-0 2016-06-12 11:44:18.134857985 -0400
@@ -1,138 +1,8 @@
-# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+# File is managed by Puppet

-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.

-# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.

-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::

-# Disable legacy (protocol version 1) support in the server for new
-# installations. In future the default will change to require explicit
-# activation of protocol 1
-Protocol 2

-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key

-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024

-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-SyslogFacility AUTHPRIV
-#LogLevel INFO

-# Authentication:

-#LoginGraceTime 2m
-#PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10

-#RSAAuthentication yes
-#PubkeyAuthentication yes
-#AuthorizedKeysFile .ssh/authorized_keys
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandRunAs nobody

-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don’t trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don’t read the user’s ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes

-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-PasswordAuthentication yes

-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+AcceptEnv LANG LC_*
ChallengeResponseAuthentication no

-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-#KerberosUseKuserok yes

-# GSSAPI options
-#GSSAPIAuthentication no
-GSSAPIAuthentication yes
-#GSSAPICleanupCredentials yes
-GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no

-# Set this to ‘yes’ to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of “PermitRootLogin without-password”.
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to ‘no’.
-#UsePAM no
+PrintMotd no
+Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes

-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-AcceptEnv XMODIFIERS

-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#ShowPatchLevel no
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none

-# no default banner path
-#Banner none

-# override default of no subsystems
-Subsystem sftp /usr/libexec/openssh/sftp-server

-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# ForceCommand cvs server

Info: Computing checksum on file /etc/ssh/sshd_config
Info: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/etc/ssh/sshd_config]: Filebucketed /etc/ssh/sshd_config to puppet with sum 53ad75eb1f2269d23f6e4228353cbca3
Notice: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/etc/ssh/sshd_config]/content: content changed '{md5}53ad75eb1f2269d23f6e4228353cbca3' to '{md5}027db6f7533ecb6b1753277f2bbbb372'
Info: Concat[/etc/ssh/sshd_config]: Scheduling refresh of Service[sshd]
Info: Class[Ssh::Server::Config]: Scheduling refresh of Class[Ssh::Server::Service]
Info: Class[Ssh::Server::Service]: Scheduling refresh of Service[sshd]
Notice: /Stage[main]/Ssh::Server::Service/Service[sshd]: Triggered 'refresh' from 2 events
Notice: Finished catalog run in 1.29 seconds
———————————————————————————–
[root@client ~]# cat /etc/ssh/sshd_config | grep -i PrintMotd
PrintMotd no

 
