From 92ac8a32aa483d3fed2b358983565b704ceb9269 Mon Sep 17 00:00:00 2001
From: Mark Eggert
Date: Thu, 2 Jan 2014 22:34:48 -0600
Subject: [PATCH 1/3] Modifying OpenSSH formula state to populate public/private DSA and RSA keys based on pillar data

---
 openssh/init.sls | 42 ++++++++++++++++++++++++++++++++++++++++++
 pillar.example | 18 ++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/openssh/init.sls b/openssh/init.sls
index 6ea329b..25266b6 100644
--- a/openssh/init.sls
+++ b/openssh/init.sls
@@ -12,14 +12,56 @@ openssh:
 - file: sshd_banner
 - watch:
 - file: sshd_config
+ {% if salt['pillar.get']('openssh:provide_dsa_keys', False) %}
+ - file: /etc/ssh/ssh_host_dsa_key
+ - file: /etc/ssh/ssh_host_dsa_key.pub
+ {% endif %}
+ {% if salt['pillar.get']('openssh:provide_rsa_keys', False) %}
+ - file: /etc/ssh/ssh_host_rsa_key
+ - file: /etc/ssh/ssh_host_rsa_key.pub
+ {% endif %}
 sshd_config:
 file.managed:
 - name: /etc/ssh/sshd_config
 - source: salt://openssh/files/sshd_config
+ - user: root
+ - mode: 600
 sshd_banner:
 file.managed:
 - name: /etc/ssh/banner
 - source: salt://openssh/files/banner
 - template: jinja
+
+{% if salt['pillar.get']('openssh:provide_dsa_keys', False) %}
+ssh_host_dsa_key:
+ file.managed:
+ - name: /etc/ssh/ssh_host_dsa_key
+ - contents_pillar: 'openssh:dsa:private_key'
+ - user: root
+ - mode: 600
+
+ssh_host_dsa_key.pub:
+ file.managed:
+ - name: /etc/ssh/ssh_host_dsa_key.pub
+ - contents_pillar: 'openssh:dsa:public_key'
+ - user: root
+ - mode: 600
+{% endif %}
+
+{% if salt['pillar.get']('openssh:provide_rsa_keys', False) %}
+ssh_host_rsa_key:
+ file.managed:
+ - name: /etc/ssh/ssh_host_rsa_key
+ - contents_pillar: 'openssh:rsa:private_key'
+ - user: root
+ - mode: 600
+
+ssh_host_rsa_key.pub:
+ file.managed:
+ - name: /etc/ssh/ssh_host_rsa_key.pub
+ - contents_pillar: 'openssh:rsa:public_key'
+ - user: root
+ - mode: 600
+{% endif %}
diff --git a/pillar.example b/pillar.example
index e69de29..cad6153 100644
--- a/pillar.example
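Review bot: The four ssh_host_*_key states write whatever the pillar holds straight into host key files that the openssh service now `watch`es, with no check that the value is key material; since pillar.example ships `NOT_DEFINED` placeholders, turning `provide_rsa_keys` on without replacing the key overwrites a working host key with garbage and restarts sshd into a failed state, cutting off remote administration. Newer Salt releases offer a `check_cmd` argument on file.managed (confirm it exists in the release you target), so something like `- check_cmd: ssh-keygen -l -f` on the private-key states, or at minimum a Jinja test that the pillar value is not the placeholder, would refuse the write before sshd is touched. The `.pub` states use `mode: 600` where sshd installs normally ship 644; harmless, but a one-line comment that it is intentional would stop a later maintainer "fixing" it. None of the four states set `group`, so `- group: root` would pin the remaining ownership field.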
+++ b/pillar.example
@@ -0,0 +1,18 @@
+#``openssh`` formula configuration:
+openssh:
+ dsa:
+ private_key: |
+ -----BEGIN DSA PRIVATE KEY-----
+ NOT_DEFINED
+ -----END DSA PRIVATE KEY-----
+ public_key: |
+ ssh-dss NOT_DEFINED
+ provide_dsa_keys: False
+ provide_rsa_keys: False
+ rsa:
+ private_key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ NOT_DEFINED
+ -----END RSA PRIVATE KEY-----
+ public_key: |
+ ssh-rsa NOT_DEFINED
From d35929876f673979940552b9b8f2a258b8ed7b86 Mon Sep 17 00:00:00 2001
From: Mark Eggert
Date: Thu, 2 Jan 2014 23:50:59 -0600
Subject: [PATCH 2/3] Modifying OpenSSH formula service name on RedHat since it is called 'sshd', not 'ssh'

---
 openssh/init.sls | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/openssh/init.sls b/openssh/init.sls
index 25266b6..2acb85e 100644
--- a/openssh/init.sls
+++ b/openssh/init.sls
@@ -6,7 +6,11 @@ openssh:
 {% endif %}
 service.running:
 - enable: True
+ {% if grains['os_family'] == 'RedHat' %}
+ - name: sshd
+ {% else %}
 - name: ssh
+ {% endif %}
 - require:
 - pkg: openssh
 - file: sshd_banner
From 2e229681c7c63fba0c132ec4572538ba28e4e030 Mon Sep 17 00:00:00 2001
From: Mark Eggert
Date: Fri, 3 Jan 2014 00:11:17 -0600
Subject: [PATCH 3/3] Adding a small variable to the OpenSSH sshd_config file so that the service will work correctly on Centos 6.4 and earlier

---
 openssh/files/sshd_config | 4 ++++
 openssh/init.sls | 1 +
 2 files changed, 5 insertions(+)

diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index b59c59c..1a9ed64 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -102,7 +102,11 @@ PrintMotd no # pam does that
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
+{% if grains['os_family'] == 'RedHat' %}
+UsePrivilegeSeparation yes # RedHat/Centos 6.4 and earlier currently ship 5.3 (sandbox introduced in OpenSSH 5.9)
+{% else %}
 UsePrivilegeSeparation sandbox # Default for new installations.
+{% endif %}
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
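Review bot: The example never says that the key material under `openssh:dsa` and `openssh:rsa` is per-host, so a reader who fills in `private_key` in a pillar file that the top file assigns to several minions hands all of them the same host key, which defeats host identity and turns the loss of one host's key into the loss of every one of them. A comment above `openssh:` along the lines of `# Host keys are secrets unique to one minion: generate them with ssh-keygen and target this pillar at that minion only` would cover it. It is also worth stating that the `NOT_DEFINED` placeholders are valid YAML but not valid keys and must be replaced before either `provide_*` flag is set to True; placing the two flags at the top of the mapping rather than between `dsa` and `rsa` would make that relationship easier to see.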
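Review bot: The new condition selects `sshd` only when `os_family` is `RedHat`, so every other non-Debian family (Arch, SUSE, Gentoo, the BSDs) still falls through to `ssh`, a unit that does not exist there, and the service state fails; Debian and its derivatives are the outlier, so inverting the test is the safer default: `{% if grains['os_family'] == 'Debian' %}` / `- name: ssh` / `{% else %}` / `- name: sshd`. The enclosing `openssh` state starts outside the hunk, and the `{% endif %}` at its top suggests the package name is already varied per OS; moving both names into a single map.jinja lookup would keep the two in step.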
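Review bot: Choosing the weaker `UsePrivilegeSeparation yes` by OS family rather than by OpenSSH version pins every RedHat-family release, including any that ships an OpenSSH new enough for `sandbox`, to the less restrictive setting, while the added comment itself says the real constraint is the 5.3 shipped in 6.4 and earlier. A version-aware test such as `{% if grains['os_family'] == 'RedHat' and grains['osmajorrelease']|int <= 6 %}` (confirm the grain name and its type on the Salt release you target) keeps `sandbox` everywhere it is supported. If the family-only test is kept, a comment noting that `sandbox` should be restored once the baseline moves past OpenSSH 5.9 would at least record the intent for the next maintainer.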
diff --git a/openssh/init.sls b/openssh/init.sls
index 2acb85e..bff357d 100644
--- a/openssh/init.sls
+++ b/openssh/init.sls
@@ -29,6 +29,7 @@ sshd_config:
 file.managed:
 - name: /etc/ssh/sshd_config
 - source: salt://openssh/files/sshd_config
+ - template: jinja
 - user: root
 - mode: 600