From 2f28a008c2964205bc1b818429d34ec6b776113a Mon Sep 17 00:00:00 2001 From: matthew-parlette Date: Fri, 25 Apr 2014 16:33:07 -0400 Subject: [PATCH 01/40] Cleared out static parts of config since it was causing issues --- openssh/files/sshd_config | 123 -------------------------------------- pillar.example | 1 + 2 files changed, 1 insertion(+), 123 deletions(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index f26f29d..b722ae2 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -18,126 +18,3 @@ {%- endfor %} {%- endif %} {%- endfor %} - -# What ports, IPs and protocols we listen for -#Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 -#Protocol 2 -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#Privilege Separation is turned on for security -#UsePrivilegeSeparation yes - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 3600 -#ServerKeyBits 768 - -# Logging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: -#LoginGraceTime 120 -#PermitRootLogin yes -#StrictModes yes - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys - -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -#PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -#ChallengeResponseAuthentication no - -# Change to no to disable tunnelled clear text passwords -#PasswordAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -#X11Forwarding yes -#X11DisplayOffset 10 -#PrintMotd no -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net - -# Allow client to pass locale environment variables -#AcceptEnv LANG LC_* - -#Subsystem sftp /usr/lib/openssh/sftp-server - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -X11Forwarding yes -#X11DisplayOffset 10 -#X11UseLocalhost yes -PrintMotd no # pam does that -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -{% if grains['os_family'] == 'RedHat' %} -UsePrivilegeSeparation yes # RedHat/Centos 6.4 and earlier currently ship 5.3 (sandbox introduced in OpenSSH 5.9) -{% else %} -UsePrivilegeSeparation sandbox # Default for new installations. -{% endif %} -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -Banner /etc/ssh/banner - -# override default of no subsystems -Subsystem sftp /usr/lib/ssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server diff --git a/pillar.example b/pillar.example index cd89e7b..58a404c 100644 --- a/pillar.example +++ b/pillar.example @@ -12,6 +12,7 @@ sshd_config: LogLevel: INFO LoginGraceTime: 120 PermitRootLogin: yes + PasswordAuthentication: no StrictModes: yes RSAAuthentication: yes PubkeyAuthentication: yes From 7521398506d96675a0c49b5a57a46003a49030b7 Mon Sep 17 00:00:00 2001 From: Oleg Tsarev Date: Thu, 24 Apr 2014 00:29:47 +0200 Subject: [PATCH 02/40] Removed unneeded whitespace from auth.sls --- openssh/auth.sls | 49 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 25 deletions(-) diff --git a/openssh/auth.sls b/openssh/auth.sls index f7690b3..617b117 100644 --- a/openssh/auth.sls +++ b/openssh/auth.sls @@ -1,43 +1,42 @@ include: - openssh - -{% from "openssh/map.jinja" import openssh with context %} -{% set openssh_pillar = pillar.get('openssh', {}) %} -{% set auth = openssh_pillar.get('auth', {}) %} -{% for user,keys in auth.items() -%} - {% for key in keys -%} +{%- from "openssh/map.jinja" import openssh with context -%} +{%- set openssh_pillar = pillar.get('openssh', {}) -%} +{%- set auth = openssh_pillar.get('auth', {}) -%} +{%- for user,keys in auth.items() -%} + {%- for key in keys -%} {% if 'present' in key and key['present'] %} {{ key['name'] }}: ssh_auth.present: - user: {{ user }} - {% if 'source' in key %} + {%- if 'source' in key %} - source: {{ key['source'] }} - {% else %} - {% if 'enc' in key %} + {%- else %} + {%- if 'enc' in key %} - enc: {{ key['enc'] }} - {% endif %} - {% if 'comment' in key %} + {%- endif -%} + {%- if 'comment' in key %} - comment: {{ key['comment'] }} - {% endif %} - {% if 'options' in key %} + {%- endif -%} + {%- if 'options' in key %} - options: {{ key['options'] }} - {% endif %} - {% endif %} + {%- endif -%} + {%- endif %} - require: - service: {{ openssh.service }} - {% else %} + {%- else %} {{ key['name'] }}: ssh_auth.absent: - user: {{ user }} - {% if 'enc' in key %} + {%- if 'enc' in key %} - enc: {{ key['enc'] }} - {% endif %} - {% if 'comment' in key %} + {%- endif -%} + {%- if 'comment' in key %} - comment: {{ key['comment'] }} - {% endif %} - {% if 'options' in key %} + {%- endif -%} + {%- if 'options' in key %} - options: {{ key['options'] }} - {% endif %} - {% endif %} - {% endfor %} -{% endfor %} + {%- endif -%} + {%- endif -%} + {%- endfor -%} +{%- endfor -%} From cdfab3953d47ab7c3f2bb97f05988a2fd184524d Mon Sep 17 00:00:00 2001 From: matthew-parlette Date: Sat, 26 Apr 2014 18:22:17 -0400 Subject: [PATCH 03/40] Define a line for each option. This provides a default option (according to the package-provided config file) for each option in the config. --- openssh/files/sshd_config | 101 ++++++++++++++++++++++++++++++++------ 1 file changed, 86 insertions(+), 15 deletions(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index b722ae2..e56beac 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -1,20 +1,91 @@ -{% set sshd_config = pillar.get('sshd_config', {}) %} - # This file is managed by salt. Manual changes risk being overwritten. # The contents of the original sshd_config are kept on the bottom for # quick reference. # See the sshd_config(5) manpage for details -{% for keyword, argument in sshd_config.iteritems() %} - {%- if argument is sameas true %} -{{ keyword }} yes - {%- elif argument is sameas false %} -{{ keyword }} no - {%- elif argument is string or argument is number %} -{{ keyword }} {{ argument }} - {%- else %} - {%- for item in argument %} -{{ keyword }} {{ item }} - {%- endfor %} - {%- endif %} -{%- endfor %} +# What ports, IPs and protocols we listen for +Port {{ salt['pillar.get']('sshd_config:Port','22') }} +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +ListenAddress {{ salt['pillar.get']('sshd_config:ListenAddress','0.0.0.0') }} +Protocol {{ salt['pillar.get']('sshd_config:Protocol','2') }} + +# HostKeys for protocol version 2 +{% for host_key in salt['pillar.get']('sshd_config:',['/etc/ssh/ssh_host_rsa_key','/etc/ssh/ssh_host_dsa_key','/etc/ssh/ssh_host_ecdsa_key']) %} +HostKey {{ host_key }} +{% endfor %} + +#Privilege Separation is turned on for security +UsePrivilegeSeparation {{ salt['pillar.get']('sshd_config:UsePrivilegeSeparation','yes') }} + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval {{ salt['pillar.get']('sshd_config:KeyRegenerationInterval','3600') }} +ServerKeyBits {{ salt['pillar.get']('sshd_config:ServerKeyBits','768') }} + +# Logging +SyslogFacility {{ salt['pillar.get']('sshd_config:SyslogFacility','AUTH') }} +LogLevel {{ salt['pillar.get']('sshd_config:LogLevel','INFO') }} + +# Authentication: +LoginGraceTime {{ salt['pillar.get']('sshd_config:LoginGracetime','120') }} +PermitRootLogin {{ salt['pillar.get']('sshd_config:PermitRootLogin','no') }} +StrictModes {{ salt['pillar.get']('sshd_config:StrictModes','yes') }} + +RSAAuthentication {{ salt['pillar.get']('sshd_config:RSAAuthentication','yes') }} +PubkeyAuthentication {{ salt['pillar.get']('sshd_config:PubkeyAuthentication','yes') }} +AuthorizedKeysFile {{ salt['pillar.get']('sshd_config:AuthorizedKeysFile','%h/.ssh/authorized_keys') }} + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts {{ salt['pillar.get']('sshd_config:IgnoreRhosts','yes') }} +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication {{ salt['pillar.get']('sshd_config:RhostsRSAAuthentication','no') }} +# similar for protocol version 2 +HostbasedAuthentication {{ salt['pillar.get']('sshd_config:HostbasedAuthentication','no') }} +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +IgnoreUserKnownHosts {{ salt['pillar.get']('sshd_config:IgnoreUserKnownHosts','yes') }} + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords {{ salt['pillar.get']('sshd_config:PermitEmptyPasswords','no') }} + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication {{ salt['pillar.get']('sshd_config:ChallengeResponseAuthentication','no') }} + +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication {{ salt['pillar.get']('sshd_config:PasswordAuthentication','yes') }} + +# Kerberos options +KerberosAuthentication {{ salt['pillar.get']('sshd_config:KerberosAuthentication','no') }} +KerberosGetAFSToken {{ salt['pillar.get']('sshd_config:KerberosGetAFSToken','no') }} +KerberosOrLocalPasswd {{ salt['pillar.get']('sshd_config:KerberosOrLocalPasswd','yes') }} +KerberosTicketCleanup {{ salt['pillar.get']('sshd_config:KerberosTicketCleanup','yes') }} + +# GSSAPI options +GSSAPIAuthentication {{ salt['pillar.get']('sshd_config:GSSAPIAuthentication','no') }} +GSSAPICleanupCredentials {{ salt['pillar.get']('sshd_config:GSSAPICleanupCredentials','yes') }} + +X11Forwarding {{ salt['pillar.get']('sshd_config:X11Forwarding','yes') }} +X11DisplayOffset {{ salt['pillar.get']('sshd_config:X11DisplayOffset','10') }} +PrintMotd {{ salt['pillar.get']('sshd_config:PrintMotd','no') }} +PrintLastLog {{ salt['pillar.get']('sshd_config:PrintLastLog','yes') }} +TCPKeepAlive {{ salt['pillar.get']('sshd_config:TCPKeepAlive','yes') }} +UseLogin {{ salt['pillar.get']('sshd_config:UseLogin','no') }} + +MaxStartups {{ salt['pillar.get']('sshd_config:MaxStartups','10:30:60') }} +Banner {{ salt['pillar.get']('sshd_config:Banner','/etc/issue.net') }} + +# Allow client to pass locale environment variables +AcceptEnv {{ salt['pillar.get']('sshd_config:AcceptEnv','LANG LC_*') }} + +Subsystem {{ salt['pillar.get']('sshd_config:Subsystem','sftp /usr/lib/openssh/sftp-server') }} + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM {{ salt['pillar.get']('sshd_config:UsePAM','yes') }} From 4b4f4b5d3dc1fd6db7f9a16bbf0a11f09af3269b Mon Sep 17 00:00:00 2001 From: matthew-parlette Date: Sun, 27 Apr 2014 14:52:58 -0400 Subject: [PATCH 04/40] Explicitly defined options as strings. This fixes an issue where PyYAML was converting yes and no into True and False in the generated sshd_config file. --- pillar.example | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/pillar.example b/pillar.example index 58a404c..1e46152 100644 --- a/pillar.example +++ b/pillar.example @@ -5,30 +5,30 @@ sshd_config: - /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_dsa_key - /etc/ssh/ssh_host_ecdsa_key - UsePrivilegeSeparation: yes + UsePrivilegeSeparation: 'yes' KeyRegenerationInterval: 3600 ServerKeyBits: 768 SyslogFacility: AUTH LogLevel: INFO LoginGraceTime: 120 - PermitRootLogin: yes - PasswordAuthentication: no - StrictModes: yes - RSAAuthentication: yes - PubkeyAuthentication: yes - IgnoreRhosts: yes - RhostsRSAAuthentication: no - HostbasedAuthentication: no - PermitEmptyPasswords: no - ChallengeResponseAuthentication: no - X11Forwarding: yes + PermitRootLogin: 'yes' + PasswordAuthentication: 'no' + StrictModes: 'yes' + RSAAuthentication: 'yes' + PubkeyAuthentication: 'yes' + IgnoreRhosts: 'yes' + RhostsRSAAuthentication: 'no' + HostbasedAuthentication: 'no' + PermitEmptyPasswords: 'no' + ChallengeResponseAuthentication: 'no' + X11Forwarding: 'yes' X11DisplayOffset: 10 - PrintMotd: no - PrintLastLog: yes - TCPKeepAlive: yes + PrintMotd: 'no' + PrintLastLog: 'yes' + TCPKeepAlive: 'yes' AcceptEnv: "LANG LC_*" Subsystem: "sftp /usr/lib/openssh/sftp-server" - UsePAM: yes + UsePAM: 'yes' openssh: auth: From 48ebd1b07b6f5acc379e568a6e901cb6945dc91f Mon Sep 17 00:00:00 2001 From: Oleg Tsarev Date: Thu, 24 Apr 2014 00:29:11 +0200 Subject: [PATCH 05/40] Changed sshd_config generation to more readable scheme. Synced file with default from Ubuntu 12.04 latest --- openssh/files/sshd_config | 136 ++++++++++++++++++++++++++------------ 1 file changed, 94 insertions(+), 42 deletions(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index e56beac..2ebe63f 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -1,83 +1,118 @@ +{%- set sshd_config = pillar.get('sshd_config', {}) -%} +{#- present in sshd_config and known in actual file options -#} +{%- set processed_options = [] -%} + +{#- macros for render option according to present -#} +{%- macro option_impl(keyword, default, present) -%} + {%- if present -%} + {%- do processed_options.append(keyword) -%} + {%- set prefix='' -%} + {%- else -%} + {%- set prefix='#' -%} + {%- endif -%} + {%- set value = sshd_config.get(keyword, default) -%} + {%- if value is sameas true -%} +{{ prefix }}{{ keyword }} yes + {%- elif value is sameas false -%} +{{ prefix }}{{ keyword }} no + {%- elif value is string or value is number -%} +{{ prefix }}{{ keyword }} {{ value }} + {%- else -%} +{%- for single_value in value -%} +{{ prefix }}{{ keyword }} {{ single_value }} +{% endfor -%} + {%- endif -%} +{%- endmacro -%} + +{#- macros for render option commented by default -#} +{%- macro option(keyword, default, present) -%} +{{ option_impl(keyword, default, keyword in sshd_config) }} +{%- endmacro -%} + +{#- macros for render option uncommented by default -#} +{%- macro option_default_uncommented(keyword, default, present) -%} +{{ option_impl(keyword, default, True) }} +{%- endmacro -%} + # This file is managed by salt. Manual changes risk being overwritten. # The contents of the original sshd_config are kept on the bottom for # quick reference. # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for -Port {{ salt['pillar.get']('sshd_config:Port','22') }} +{{ option('Port', 22) }} # Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -ListenAddress {{ salt['pillar.get']('sshd_config:ListenAddress','0.0.0.0') }} -Protocol {{ salt['pillar.get']('sshd_config:Protocol','2') }} +{{ option('ListenAddress', ['::', '0.0.0.0']) -}} +{{ option_default_uncommented('Protocol', 2) }} # HostKeys for protocol version 2 -{% for host_key in salt['pillar.get']('sshd_config:',['/etc/ssh/ssh_host_rsa_key','/etc/ssh/ssh_host_dsa_key','/etc/ssh/ssh_host_ecdsa_key']) %} -HostKey {{ host_key }} -{% endfor %} +{{ option_default_uncommented('HostKey', ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']) -}} #Privilege Separation is turned on for security -UsePrivilegeSeparation {{ salt['pillar.get']('sshd_config:UsePrivilegeSeparation','yes') }} +{{ option_default_uncommented('UsePrivilegeSeparation', 'yes') }} # Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval {{ salt['pillar.get']('sshd_config:KeyRegenerationInterval','3600') }} -ServerKeyBits {{ salt['pillar.get']('sshd_config:ServerKeyBits','768') }} +{{ option_default_uncommented('KeyRegenerationInterval', 3600) }} +{{ option_default_uncommented('ServerKeyBits', 768) }} # Logging -SyslogFacility {{ salt['pillar.get']('sshd_config:SyslogFacility','AUTH') }} -LogLevel {{ salt['pillar.get']('sshd_config:LogLevel','INFO') }} +{{ option_default_uncommented('SyslogFacility', 'AUTH') }} +{{ option_default_uncommented('LogLevel', 'INFO') }} # Authentication: -LoginGraceTime {{ salt['pillar.get']('sshd_config:LoginGracetime','120') }} -PermitRootLogin {{ salt['pillar.get']('sshd_config:PermitRootLogin','no') }} -StrictModes {{ salt['pillar.get']('sshd_config:StrictModes','yes') }} +{{ option_default_uncommented('LoginGraceTime', 120) }} +{{ option_default_uncommented('PermitRootLogin', 'no') }} +{{ option_default_uncommented('StrictModes', 'yes') }} -RSAAuthentication {{ salt['pillar.get']('sshd_config:RSAAuthentication','yes') }} -PubkeyAuthentication {{ salt['pillar.get']('sshd_config:PubkeyAuthentication','yes') }} -AuthorizedKeysFile {{ salt['pillar.get']('sshd_config:AuthorizedKeysFile','%h/.ssh/authorized_keys') }} +{{ option('DSAAuthentication', 'yes') }} +{{ option_default_uncommented('RSAAuthentication', 'yes') }} +{{ option_default_uncommented('PubkeyAuthentication', 'yes') }} +{{ option('AuthorizedKeysFile', '%h/.ssh/authorized_keys') }} # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts {{ salt['pillar.get']('sshd_config:IgnoreRhosts','yes') }} +{{ option_default_uncommented('IgnoreRhosts', 'yes') }} # For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication {{ salt['pillar.get']('sshd_config:RhostsRSAAuthentication','no') }} +{{ option_default_uncommented('RhostsRSAAuthentication', 'no') }} # similar for protocol version 2 -HostbasedAuthentication {{ salt['pillar.get']('sshd_config:HostbasedAuthentication','no') }} +{{ option_default_uncommented('HostbasedAuthentication', 'no') }} # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -IgnoreUserKnownHosts {{ salt['pillar.get']('sshd_config:IgnoreUserKnownHosts','yes') }} +{{ option('IgnoreUserKnownHosts', 'yes') }} # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords {{ salt['pillar.get']('sshd_config:PermitEmptyPasswords','no') }} +{{ option_default_uncommented('PermitEmptyPasswords', 'no') }} # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -ChallengeResponseAuthentication {{ salt['pillar.get']('sshd_config:ChallengeResponseAuthentication','no') }} +{{ option_default_uncommented('ChallengeResponseAuthentication', 'no') }} # Change to no to disable tunnelled clear text passwords -PasswordAuthentication {{ salt['pillar.get']('sshd_config:PasswordAuthentication','yes') }} +{{ option('PasswordAuthentication', 'yes') }} # Kerberos options -KerberosAuthentication {{ salt['pillar.get']('sshd_config:KerberosAuthentication','no') }} -KerberosGetAFSToken {{ salt['pillar.get']('sshd_config:KerberosGetAFSToken','no') }} -KerberosOrLocalPasswd {{ salt['pillar.get']('sshd_config:KerberosOrLocalPasswd','yes') }} -KerberosTicketCleanup {{ salt['pillar.get']('sshd_config:KerberosTicketCleanup','yes') }} +{{ option('KerberosAuthentication', 'no') }} +{{ option('KerberosGetAFSToken', 'no') }} +{{ option('KerberosOrLocalPasswd', 'yes') }} +{{ option('KerberosTicketCleanup', 'yes') }} # GSSAPI options -GSSAPIAuthentication {{ salt['pillar.get']('sshd_config:GSSAPIAuthentication','no') }} -GSSAPICleanupCredentials {{ salt['pillar.get']('sshd_config:GSSAPICleanupCredentials','yes') }} +{{ option('GSSAPIAuthentication', 'no') }} +{{ option('GSSAPICleanupCredentials', 'yes') }} -X11Forwarding {{ salt['pillar.get']('sshd_config:X11Forwarding','yes') }} -X11DisplayOffset {{ salt['pillar.get']('sshd_config:X11DisplayOffset','10') }} -PrintMotd {{ salt['pillar.get']('sshd_config:PrintMotd','no') }} -PrintLastLog {{ salt['pillar.get']('sshd_config:PrintLastLog','yes') }} -TCPKeepAlive {{ salt['pillar.get']('sshd_config:TCPKeepAlive','yes') }} -UseLogin {{ salt['pillar.get']('sshd_config:UseLogin','no') }} +{{ option_default_uncommented('X11Forwarding', 'yes') }} +{{ option('AllowTcpForwarding', 'yes') }} +{{ option_default_uncommented('X11DisplayOffset', '10') }} +{{ option_default_uncommented('PrintMotd', 'no') }} +{{ option_default_uncommented('PrintLastLog', 'yes') }} +{{ option_default_uncommented('TCPKeepAlive', 'yes') }} +{{ option('UseLogin', 'no') }} -MaxStartups {{ salt['pillar.get']('sshd_config:MaxStartups','10:30:60') }} -Banner {{ salt['pillar.get']('sshd_config:Banner','/etc/issue.net') }} +{{ option('MaxStartups', '10:30:60') }} +{{ option('Banner', '/etc/issue.net') }} # Allow client to pass locale environment variables -AcceptEnv {{ salt['pillar.get']('sshd_config:AcceptEnv','LANG LC_*') }} +{{ option_default_uncommented('AcceptEnv', 'LANG LC_*') }} -Subsystem {{ salt['pillar.get']('sshd_config:Subsystem','sftp /usr/lib/openssh/sftp-server') }} +{{ option_default_uncommented('Subsystem', 'sftp /usr/lib/openssh/sftp-server') }} # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -88,4 +123,21 @@ Subsystem {{ salt['pillar.get']('sshd_config:Subsystem','sftp /usr/lib/openssh/s # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM {{ salt['pillar.get']('sshd_config:UsePAM','yes') }} +{{ option_default_uncommented('UsePAM', 'yes') }} + +{# Handling unknown in salt template options #} +{%- for keyword, argument in sshd_config.iteritems() %} + {%- if not keyword in processed_options -%} + {%- if argument is sameas true %} +{{ keyword }} yes + {%- elif argument is sameas false %} +{{ keyword }} no + {%- elif argument is string or argument is number %} +{{ keyword }} {{ argument }} + {%- else %} + {%- for item in argument %} +{{ keyword }} {{ item }} + {%- endfor %} + {%- endif %} + {%- endif -%} +{%- endfor %} From 970777b9bb1ce2d43bf8a72b5892cce9d9181e83 Mon Sep 17 00:00:00 2001 From: Wes Turner Date: Tue, 22 Jul 2014 00:35:11 -0500 Subject: [PATCH 06/40] Add a UseDNS option to sshd_config --- openssh/files/sshd_config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index 2ebe63f..a3756bc 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -125,6 +125,9 @@ # and ChallengeResponseAuthentication to 'no'. {{ option_default_uncommented('UsePAM', 'yes') }} +# DNS resolve and map remote IP addresses +{{ option('UseDNS', 'yes') }} + {# Handling unknown in salt template options #} {%- for keyword, argument in sshd_config.iteritems() %} {%- if not keyword in processed_options -%} From 44946b414223105aca412f5349f7c581709c3cc5 Mon Sep 17 00:00:00 2001 From: Wes Turner Date: Tue, 22 Jul 2014 00:37:41 -0500 Subject: [PATCH 07/40] Add a UseDNS option to pillar.example --- pillar.example | 1 + 1 file changed, 1 insertion(+) diff --git a/pillar.example b/pillar.example index 1e46152..4edbbd3 100644 --- a/pillar.example +++ b/pillar.example @@ -29,6 +29,7 @@ sshd_config: AcceptEnv: "LANG LC_*" Subsystem: "sftp /usr/lib/openssh/sftp-server" UsePAM: 'yes' + UseDNS: 'yes' openssh: auth: From b39ea29c0c72319cf9df7a270f25420e12193423 Mon Sep 17 00:00:00 2001 From: Nitin Madhok Date: Mon, 28 Jul 2014 19:03:24 -0400 Subject: [PATCH 08/40] Update README.rst Fixing broken link --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index d41cb55..ee2de6b 100644 --- a/README.rst +++ b/README.rst @@ -5,7 +5,7 @@ Install and configure an openssh server. .. note:: See the full `Salt Formulas installation and usage instructions - `_. + `_. Available states ================ From edc208b79bbce122f580b633c9b7fbfa88af873a Mon Sep 17 00:00:00 2001 From: Alan Pearce Date: Fri, 8 Aug 2014 13:38:27 +0100 Subject: [PATCH 09/40] Add FreeBSD compatibility --- openssh/init.sls | 4 ++++ openssh/map.jinja | 7 +++++++ 2 files changed, 11 insertions(+) diff --git a/openssh/init.sls b/openssh/init.sls index 6d447fe..3cf9be6 100644 --- a/openssh/init.sls +++ b/openssh/init.sls @@ -1,10 +1,14 @@ {% from "openssh/map.jinja" import openssh with context %} openssh: + {% if openssh.server is defined %} pkg.installed: - name: {{ openssh.server }} + {% endif %} service.running: - enable: True - name: {{ openssh.service }} + {% if openssh.server is defined %} - require: - pkg: {{ openssh.server }} + {% endif %} diff --git a/openssh/map.jinja b/openssh/map.jinja index 0ba5b62..4a8c687 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja @@ -17,4 +17,11 @@ 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', }, + 'FreeBSD': { + 'service': 'sshd', + 'sshd_config': '/etc/ssh/sshd_config', + 'sshd_config_src': 'salt://openssh/files/sshd_config', + 'banner': '/etc/ssh/banner', + 'banner_src': 'salt://openssh/files/banner', + } }, merge=salt['pillar.get']('openssh:lookup')) %} From 2876a691b030ad35db34aeddb09d2aa9658089e3 Mon Sep 17 00:00:00 2001 From: Alan Pearce Date: Tue, 19 Aug 2014 20:52:30 +0100 Subject: [PATCH 10/40] Remove reference to root group By not specifying it, root user's group should be used. --- openssh/config.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/openssh/config.sls b/openssh/config.sls index b16ab28..857eecd 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -9,7 +9,6 @@ sshd_config: - source: {{ openssh.sshd_config_src }} - template: jinja - user: root - - group: root - mode: 644 - watch_in: - service: openssh From ce46343562a89ea5b8b1b5bc8ae75d1859507965 Mon Sep 17 00:00:00 2001 From: Alan Pearce Date: Sun, 24 Aug 2014 11:50:36 +0100 Subject: [PATCH 11/40] Config: Refactor host key provisioning into loop --- openssh/config.sls | 36 +++++++++--------------------------- 1 file changed, 9 insertions(+), 27 deletions(-) diff --git a/openssh/config.sls b/openssh/config.sls index 857eecd..a42fcd1 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -13,42 +13,24 @@ sshd_config: - watch_in: - service: openssh -{% if salt['pillar.get']('openssh:provide_dsa_keys', False) %} -ssh_host_dsa_key: +{% for keyType in ['dsa', 'rsa'] %} +{% if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %} +ssh_host_{{ keyType }}_key: file.managed: - - name: /etc/ssh/ssh_host_dsa_key - - contents_pillar: 'openssh:dsa:private_key' + - name: /etc/ssh/ssh_host_{{ keyType }}_key + - contents_pillar: 'openssh:{{ keyType }}:private_key' - user: root - mode: 600 - require_in: - service: {{ openssh.service }} -ssh_host_dsa_key.pub: +ssh_host_{{ keyType }}_key.pub: file.managed: - - name: /etc/ssh/ssh_host_dsa_key.pub - - contents_pillar: 'openssh:dsa:public_key' - - user: root - - mode: 600 - - require_in: - - service: {{ openssh.service }} -{% endif %} - -{% if salt['pillar.get']('openssh:provide_rsa_keys', False) %} -ssh_host_rsa_key: - file.managed: - - name: /etc/ssh/ssh_host_rsa_key - - contents_pillar: 'openssh:rsa:private_key' - - user: root - - mode: 600 - - require_in: - - service: {{ openssh.service }} - -ssh_host_rsa_key.pub: - file.managed: - - name: /etc/ssh/ssh_host_rsa_key.pub - - contents_pillar: 'openssh:rsa:public_key' + - name: /etc/ssh/ssh_host_{{ keyType }}_key.pub + - contents_pillar: 'openssh:{{ keyType }}:public_key' - user: root - mode: 600 - require_in: - service: {{ openssh.service }} {% endif %} +{% endfor %} \ No newline at end of file From 73eaef4ea0811962d1b360837365b439f9612e54 Mon Sep 17 00:00:00 2001 From: Alan Pearce Date: Sun, 24 Aug 2014 11:51:06 +0100 Subject: [PATCH 12/40] Config: Add support for ECDSA host keys --- openssh/config.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/config.sls b/openssh/config.sls index a42fcd1..3cf3376 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -13,7 +13,7 @@ sshd_config: - watch_in: - service: openssh -{% for keyType in ['dsa', 'rsa'] %} +{% for keyType in ['ecdsa', 'dsa', 'rsa'] %} {% if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %} ssh_host_{{ keyType }}_key: file.managed: From 25aa1a6733ea6927e2d14edff20469807c645131 Mon Sep 17 00:00:00 2001 From: Alan Pearce Date: Sun, 24 Aug 2014 12:18:37 +0100 Subject: [PATCH 13/40] Update pillar.example --- pillar.example | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pillar.example b/pillar.example index 4edbbd3..678e2f3 100644 --- a/pillar.example +++ b/pillar.example @@ -49,7 +49,15 @@ openssh: -----END DSA PRIVATE KEY----- public_key: | ssh-dss NOT_DEFINED + ecdsa: + private_key: | + -----BEGIN EC PRIVATE KEY----- + NOT_DEFINED + -----END EC PRIVATE KEY----- + public_key: | + ecdsa-sha2-nistp256 NOT_DEFINED provide_dsa_keys: False + provide_ecdsa_keys: False provide_rsa_keys: False rsa: private_key: | From 6fb57f40bcb65826d6f803f6ff05bdd0eebbd791 Mon Sep 17 00:00:00 2001 From: Alan Pearce Date: Sun, 24 Aug 2014 16:08:41 +0100 Subject: [PATCH 14/40] Config: Add support for generating keys --- openssh/config.sls | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/openssh/config.sls b/openssh/config.sls index 3cf3376..2f3a29e 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -14,7 +14,14 @@ sshd_config: - service: openssh {% for keyType in ['ecdsa', 'dsa', 'rsa'] %} -{% if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %} +{% if salt['pillar.get']('openssh:generate_' ~ keyType ~ '_keys', False) %} +ssh_generate_host_{{ keyType }}_key: + cmd.run: + - name: ssh-keygen -t {{ keyType }} -N '' -f /etc/ssh/ssh_host_{{ keyType }}_key + - creates: /etc/ssh/ssh_host_{{ keyType }}_key + - user: root + +{% elif salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %} ssh_host_{{ keyType }}_key: file.managed: - name: /etc/ssh/ssh_host_{{ keyType }}_key From eb9dec1b9d151a0ed4da667a2d97bb395252a38c Mon Sep 17 00:00:00 2001 From: Alan Pearce Date: Sun, 24 Aug 2014 16:44:33 +0100 Subject: [PATCH 15/40] Update pillar example --- pillar.example | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pillar.example b/pillar.example index 4edbbd3..9f63464 100644 --- a/pillar.example +++ b/pillar.example @@ -51,6 +51,9 @@ openssh: ssh-dss NOT_DEFINED provide_dsa_keys: False provide_rsa_keys: False + generate_dsa_keys: False + generate_ecdsa_keys: False + generate_rsa_keys: False rsa: private_key: | -----BEGIN RSA PRIVATE KEY----- From c100fc88a3fbe001281d0d39a335c092186b5e23 Mon Sep 17 00:00:00 2001 From: Robert Fairburn Date: Fri, 19 Sep 2014 10:47:35 -0500 Subject: [PATCH 16/40] allow for "Match" inside of an sshd_config --- openssh/files/sshd_config | 55 +++++++++++++++++++++++---------------- 1 file changed, 33 insertions(+), 22 deletions(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index a3756bc..91e534e 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -2,15 +2,10 @@ {#- present in sshd_config and known in actual file options -#} {%- set processed_options = [] -%} -{#- macros for render option according to present -#} -{%- macro option_impl(keyword, default, present) -%} - {%- if present -%} - {%- do processed_options.append(keyword) -%} - {%- set prefix='' -%} - {%- else -%} - {%- set prefix='#' -%} - {%- endif -%} - {%- set value = sshd_config.get(keyword, default) -%} +{#- generic renderer used for sshd matches, known options, -#} +{#- and unknown options -#} +{%- macro render_option(keyword, default, config_dict=sshd_config) -%} + {%- set value = config_dict.get(keyword, default) -%} {%- if value is sameas true -%} {{ prefix }}{{ keyword }} yes {%- elif value is sameas false -%} @@ -24,6 +19,20 @@ {%- endif -%} {%- endmacro -%} +{#- macros for render option according to present -#} +{%- macro option_impl(keyword, default, present) -%} + {%- if present -%} + {%- do processed_options.append(keyword) -%} + {%- set prefix='' -%} + {%- else -%} + {%- set prefix='#' -%} + {%- endif -%} + {#- add prefix to keyword and/or default -#} + {%- set keyword = prefix ~ default -%} + {%- set default = prefix ~ default -%} +{{ render_option(keyword, default) }} +{%- endmacro -%} + {#- macros for render option commented by default -#} {%- macro option(keyword, default, present) -%} {{ option_impl(keyword, default, keyword in sshd_config) }} @@ -129,18 +138,20 @@ {{ option('UseDNS', 'yes') }} {# Handling unknown in salt template options #} -{%- for keyword, argument in sshd_config.iteritems() %} - {%- if not keyword in processed_options -%} - {%- if argument is sameas true %} -{{ keyword }} yes - {%- elif argument is sameas false %} -{{ keyword }} no - {%- elif argument is string or argument is number %} -{{ keyword }} {{ argument }} - {%- else %} - {%- for item in argument %} -{{ keyword }} {{ item }} - {%- endfor %} - {%- endif %} +{%- for keyword in sshd_config.keys() %} + {#- Matches have to be at the bottem and should be handled differently -#} + {%- if not keyword in processed_options and keyword != 'matches' -%} +{#- send a blank default as it doesn't matter -#} +{{ render_option(keyword, '') }} {%- endif -%} {%- endfor %} + +{# Handle matches last as they need to go at the bottom #} +{%- if 'matches' in sshd_config %} + {%- for match in sshd_config['matches'].values() %} +Match {{ match['type'].keys()[0] match['type'].values()[0] }} + {%- for keyword in match['options'].keys() %} + {{ render_option(keyword, '', config_dict=match['type']) }} + {%- endfor %} + {%- endfor %} +{%- endif %} From ba72c1e8b72588732f825256922457ba3315c8dc Mon Sep 17 00:00:00 2001 From: Robert Fairburn Date: Fri, 19 Sep 2014 10:55:19 -0500 Subject: [PATCH 17/40] remove prefix when not needed --- openssh/files/sshd_config | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index 91e534e..642cbb8 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -7,14 +7,14 @@ {%- macro render_option(keyword, default, config_dict=sshd_config) -%} {%- set value = config_dict.get(keyword, default) -%} {%- if value is sameas true -%} -{{ prefix }}{{ keyword }} yes +{{ keyword }} yes {%- elif value is sameas false -%} -{{ prefix }}{{ keyword }} no +{{ keyword }} no {%- elif value is string or value is number -%} -{{ prefix }}{{ keyword }} {{ value }} +{{ keyword }} {{ value }} {%- else -%} {%- for single_value in value -%} -{{ prefix }}{{ keyword }} {{ single_value }} +{{ keyword }} {{ single_value }} {% endfor -%} {%- endif -%} {%- endmacro -%} From abf6e09fbb99e0f24051ac74352814df4b384e7a Mon Sep 17 00:00:00 2001 From: Robert Fairburn Date: Fri, 19 Sep 2014 11:16:58 -0500 Subject: [PATCH 18/40] Fix a typo in the match jinja --- openssh/files/sshd_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index 642cbb8..23ab0e2 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -149,7 +149,7 @@ {# Handle matches last as they need to go at the bottom #} {%- if 'matches' in sshd_config %} {%- for match in sshd_config['matches'].values() %} -Match {{ match['type'].keys()[0] match['type'].values()[0] }} +Match {{ match['type'].keys()[0] }} {{ match['type'].values()[0] }} {%- for keyword in match['options'].keys() %} {{ render_option(keyword, '', config_dict=match['type']) }} {%- endfor %} From 85c97b450abf7a6bcba26a4ebe49213341b2ddd1 Mon Sep 17 00:00:00 2001 From: Robert Fairburn Date: Fri, 19 Sep 2014 11:19:37 -0500 Subject: [PATCH 19/40] fix a typo in keywords being sent improperly --- openssh/files/sshd_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index 23ab0e2..6d931a4 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -28,7 +28,7 @@ {%- set prefix='#' -%} {%- endif -%} {#- add prefix to keyword and/or default -#} - {%- set keyword = prefix ~ default -%} + {%- set keyword = prefix ~ keyword -%} {%- set default = prefix ~ default -%} {{ render_option(keyword, default) }} {%- endmacro -%} From 1a2de43ed74bb0f075afbb731d195cc1f9824621 Mon Sep 17 00:00:00 2001 From: Robert Fairburn Date: Fri, 19 Sep 2014 11:21:31 -0500 Subject: [PATCH 20/40] defaults do not need a prefix --- openssh/files/sshd_config | 1 - 1 file changed, 1 deletion(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index 6d931a4..d289b92 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -29,7 +29,6 @@ {%- endif -%} {#- add prefix to keyword and/or default -#} {%- set keyword = prefix ~ keyword -%} - {%- set default = prefix ~ default -%} {{ render_option(keyword, default) }} {%- endmacro -%} From b24101264f6c13c5d2d907f5fb19be5562ed284d Mon Sep 17 00:00:00 2001 From: Robert Fairburn Date: Fri, 19 Sep 2014 11:26:10 -0500 Subject: [PATCH 21/40] make sure to match options as the options dict! --- openssh/files/sshd_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index d289b92..34ca22f 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -150,7 +150,7 @@ {%- for match in sshd_config['matches'].values() %} Match {{ match['type'].keys()[0] }} {{ match['type'].values()[0] }} {%- for keyword in match['options'].keys() %} - {{ render_option(keyword, '', config_dict=match['type']) }} + {{ render_option(keyword, '', config_dict=match['options']) }} {%- endfor %} {%- endfor %} {%- endif %} From 51277cc2f9d9332946bd96a5b5fbfdee60b42002 Mon Sep 17 00:00:00 2001 From: Robert Fairburn Date: Fri, 19 Sep 2014 11:42:17 -0500 Subject: [PATCH 22/40] add pillar example --- pillar.example | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pillar.example b/pillar.example index 42007da..70ec760 100644 --- a/pillar.example +++ b/pillar.example @@ -30,6 +30,15 @@ sshd_config: Subsystem: "sftp /usr/lib/openssh/sftp-server" UsePAM: 'yes' UseDNS: 'yes' + matches: + sftp_chroot: + type: + Group: sftpusers + options: + ChrootDirectory: /sftp-chroot/%u + X11Forwarding: no + AllowTcpForwarding: no + ForceCommand: internal-sftp openssh: auth: From 8616d3d130fc4943d1b70bb81809a91e0f0a9653 Mon Sep 17 00:00:00 2001 From: Robert Fairburn Date: Fri, 19 Sep 2014 12:01:57 -0500 Subject: [PATCH 23/40] fix comment --- openssh/files/sshd_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index 34ca22f..1299a32 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -27,7 +27,7 @@ {%- else -%} {%- set prefix='#' -%} {%- endif -%} - {#- add prefix to keyword and/or default -#} + {#- add prefix to keyword -#} {%- set keyword = prefix ~ keyword -%} {{ render_option(keyword, default) }} {%- endmacro -%} From 09ca7de060d90ba9cafaa38fd481f3f9753a1976 Mon Sep 17 00:00:00 2001 From: Tim Jones Date: Sun, 26 Oct 2014 20:27:11 +0100 Subject: [PATCH 24/40] Allow newline after ListenAddress --- openssh/files/sshd_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index 1299a32..e936654 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -50,7 +50,7 @@ # What ports, IPs and protocols we listen for {{ option('Port', 22) }} # Use these options to restrict which interfaces/protocols sshd will bind to -{{ option('ListenAddress', ['::', '0.0.0.0']) -}} +{{ option('ListenAddress', ['::', '0.0.0.0']) }} {{ option_default_uncommented('Protocol', 2) }} # HostKeys for protocol version 2 From a83409182f8fe7434488ee73adb728f64b2c4775 Mon Sep 17 00:00:00 2001 From: Skyler Berg Date: Tue, 18 Nov 2014 14:58:57 -0800 Subject: [PATCH 25/40] Fix jinja spacing mistake for unknown options When specifying multiple unknown ssh options, they would all appear on the same line. --- openssh/files/sshd_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index e936654..4f2b3cb 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -140,7 +140,7 @@ {%- for keyword in sshd_config.keys() %} {#- Matches have to be at the bottem and should be handled differently -#} {%- if not keyword in processed_options and keyword != 'matches' -%} -{#- send a blank default as it doesn't matter -#} +{#- send a blank default as it doesn't matter #} {{ render_option(keyword, '') }} {%- endif -%} {%- endfor %} From 1efce43d558f3012b700355b04ad9feaae75d8a7 Mon Sep 17 00:00:00 2001 From: Niels Abspoel Date: Mon, 8 Dec 2014 21:38:23 +0100 Subject: [PATCH 26/40] Added Opensuse support to map.jinja --- openssh/map.jinja | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/openssh/map.jinja b/openssh/map.jinja index 4a8c687..00818f6 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja @@ -17,11 +17,20 @@ 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', }, - 'FreeBSD': { - 'service': 'sshd', - 'sshd_config': '/etc/ssh/sshd_config', - 'sshd_config_src': 'salt://openssh/files/sshd_config', - 'banner': '/etc/ssh/banner', - 'banner_src': 'salt://openssh/files/banner', - } + 'Suse': { + 'server': 'openssh', + 'client': 'openssh', + 'service': 'sshd', + 'sshd_config': '/etc/ssh/sshd_config', + 'sshd_config_src': 'salt://openssh/files/sshd_config', + 'banner': '/etc/ssh/banner', + 'banner_src': 'salt://openssh/files/banner', + }, + 'FreeBSD': { + 'service': 'sshd', + 'sshd_config': '/etc/ssh/sshd_config', + 'sshd_config_src': 'salt://openssh/files/sshd_config', + 'banner': '/etc/ssh/banner', + 'banner_src': 'salt://openssh/files/banner', + } }, merge=salt['pillar.get']('openssh:lookup')) %} From 9263857193cadd5d116c19d86c12913d1be5dc36 Mon Sep 17 00:00:00 2001 From: Nitin Madhok Date: Mon, 8 Dec 2014 15:43:40 -0500 Subject: [PATCH 27/40] Update map.jinja Correct indentation --- openssh/map.jinja | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/openssh/map.jinja b/openssh/map.jinja index 00818f6..0bee842 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja @@ -26,11 +26,11 @@ 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', }, - 'FreeBSD': { - 'service': 'sshd', - 'sshd_config': '/etc/ssh/sshd_config', - 'sshd_config_src': 'salt://openssh/files/sshd_config', - 'banner': '/etc/ssh/banner', - 'banner_src': 'salt://openssh/files/banner', - } + 'FreeBSD': { + 'service': 'sshd', + 'sshd_config': '/etc/ssh/sshd_config', + 'sshd_config_src': 'salt://openssh/files/sshd_config', + 'banner': '/etc/ssh/banner', + 'banner_src': 'salt://openssh/files/banner', + } }, merge=salt['pillar.get']('openssh:lookup')) %} From 131a5cafcbc1315606fab9669c10e34c2c10d7ef Mon Sep 17 00:00:00 2001 From: Nitin Madhok Date: Mon, 8 Dec 2014 15:46:30 -0500 Subject: [PATCH 28/40] Update map.jinja --- openssh/map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/map.jinja b/openssh/map.jinja index 0bee842..6be1017 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja @@ -17,7 +17,7 @@ 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', }, - 'Suse': { + 'openSUSE': { 'server': 'openssh', 'client': 'openssh', 'service': 'sshd', From 620cc0f199807618d9049fa3a0b7e0c51fbdfdd0 Mon Sep 17 00:00:00 2001 From: Nitin Madhok Date: Mon, 8 Dec 2014 16:01:00 -0500 Subject: [PATCH 29/40] Update map.jinja --- openssh/map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/map.jinja b/openssh/map.jinja index 6be1017..0bee842 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja @@ -17,7 +17,7 @@ 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', }, - 'openSUSE': { + 'Suse': { 'server': 'openssh', 'client': 'openssh', 'service': 'sshd', From 33f21a097637f9b1d84e8ad694ebc882240870a1 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 15 Dec 2014 07:00:17 +0100 Subject: [PATCH 30/40] Add support for ED25519 host keys --- openssh/config.sls | 2 +- pillar.example | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/openssh/config.sls b/openssh/config.sls index 2f3a29e..66c3625 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -13,7 +13,7 @@ sshd_config: - watch_in: - service: openssh -{% for keyType in ['ecdsa', 'dsa', 'rsa'] %} +{% for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %} {% if salt['pillar.get']('openssh:generate_' ~ keyType ~ '_keys', False) %} ssh_generate_host_{{ keyType }}_key: cmd.run: diff --git a/pillar.example b/pillar.example index 70ec760..bf82fe9 100644 --- a/pillar.example +++ b/pillar.example @@ -78,3 +78,13 @@ openssh: -----END RSA PRIVATE KEY----- public_key: | ssh-rsa NOT_DEFINED + + generate_ed25519_keys: False + provide_ed25519_keys: False + ed25519: + private_key: | + -----BEGIN OPENSSH PRIVATE KEY----- + NOT_DEFINED + -----END OPENSSH PRIVATE KEY----- + public_key: | + ssh-ed25519 NOT_DEFINED From 5d0f69ad2c461ab0068535dbd56f14d0103e3016 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 15 Dec 2014 07:00:45 +0100 Subject: [PATCH 31/40] Cleanups for host key pillar example --- openssh/config.sls | 2 +- pillar.example | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/openssh/config.sls b/openssh/config.sls index 66c3625..13c3e96 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -40,4 +40,4 @@ ssh_host_{{ keyType }}_key.pub: - require_in: - service: {{ openssh.service }} {% endif %} -{% endfor %} \ No newline at end of file +{% endfor %} diff --git a/pillar.example b/pillar.example index bf82fe9..c6c6694 100644 --- a/pillar.example +++ b/pillar.example @@ -51,6 +51,9 @@ openssh: present: False enc: ssh-rsa comment: obsolete key - removed + + generate_dsa_keys: False + provide_dsa_keys: False dsa: private_key: | -----BEGIN DSA PRIVATE KEY----- @@ -58,6 +61,9 @@ openssh: -----END DSA PRIVATE KEY----- public_key: | ssh-dss NOT_DEFINED + + generate_ecdsa_keys: False + provide_ecdsa_keys: False ecdsa: private_key: | -----BEGIN EC PRIVATE KEY----- @@ -65,12 +71,9 @@ openssh: -----END EC PRIVATE KEY----- public_key: | ecdsa-sha2-nistp256 NOT_DEFINED - provide_dsa_keys: False - provide_ecdsa_keys: False - provide_rsa_keys: False - generate_dsa_keys: False - generate_ecdsa_keys: False + generate_rsa_keys: False + provide_rsa_keys: False rsa: private_key: | -----BEGIN RSA PRIVATE KEY----- From 5871efb5bded2cd0837b9bf78d6cc460fb9c8089 Mon Sep 17 00:00:00 2001 From: Niels Abspoel Date: Thu, 1 Jan 2015 00:44:17 +0100 Subject: [PATCH 32/40] added archlinux support to openssh map.jinja --- openssh/map.jinja | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/openssh/map.jinja b/openssh/map.jinja index 0bee842..566b265 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja @@ -32,5 +32,14 @@ 'sshd_config_src': 'salt://openssh/files/sshd_config', 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', - } + }, + 'Arch': { + 'server': 'openssh', + 'client': 'openssh', + 'service': 'sshd.socket', + 'sshd_config': '/etc/ssh/sshd_config', + 'sshd_config_src': 'salt://openssh/files/sshd_config', + 'banner': '/etc/ssh/banner', + 'banner_src': 'salt://openssh/files/banner', + }, }, merge=salt['pillar.get']('openssh:lookup')) %} From b843d8168b9d17a51e293e3f3c7b8e3ddc6a6fa8 Mon Sep 17 00:00:00 2001 From: Bohdan Kmit Date: Fri, 16 Jan 2015 17:21:10 +0000 Subject: [PATCH 33/40] add ed25519 host key type; add AuthenticationMethods option --- openssh/files/sshd_config | 3 ++- pillar.example | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index 4f2b3cb..2985fb3 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -54,7 +54,7 @@ {{ option_default_uncommented('Protocol', 2) }} # HostKeys for protocol version 2 -{{ option_default_uncommented('HostKey', ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']) -}} +{{ option_default_uncommented('HostKey', ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']) -}} #Privilege Separation is turned on for security {{ option_default_uncommented('UsePrivilegeSeparation', 'yes') }} @@ -92,6 +92,7 @@ # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) {{ option_default_uncommented('ChallengeResponseAuthentication', 'no') }} +{{ option('AuthenticationMethods', 'publickey,keyboard-interactive') }} # Change to no to disable tunnelled clear text passwords {{ option('PasswordAuthentication', 'yes') }} diff --git a/pillar.example b/pillar.example index c6c6694..264d112 100644 --- a/pillar.example +++ b/pillar.example @@ -5,6 +5,7 @@ sshd_config: - /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_dsa_key - /etc/ssh/ssh_host_ecdsa_key + - /etc/ssh/ssh_host_ed25519_key UsePrivilegeSeparation: 'yes' KeyRegenerationInterval: 3600 ServerKeyBits: 768 @@ -21,6 +22,7 @@ sshd_config: HostbasedAuthentication: 'no' PermitEmptyPasswords: 'no' ChallengeResponseAuthentication: 'no' + AuthenticationMethods 'publickey,keyboard-interactive' X11Forwarding: 'yes' X11DisplayOffset: 10 PrintMotd: 'no' From 33ee94555711434bde32371af6e745c413466ad2 Mon Sep 17 00:00:00 2001 From: Niels Abspoel Date: Fri, 16 Jan 2015 22:56:59 +0100 Subject: [PATCH 34/40] Added AllowUsers,AllowGroups,DenyUsers,DenyGroups This will add more options to set to secure openssh - AllowUsers - AllowGroups - DenyUsers - DenyGroups --- openssh/files/sshd_config | 19 +++++++++++++++++++ pillar.example | 2 ++ 2 files changed, 21 insertions(+) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index 2985fb3..f0be13a 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -137,6 +137,25 @@ # DNS resolve and map remote IP addresses {{ option('UseDNS', 'yes') }} +# Restricting Users and Hosts +# example: +# AllowUsers vader@10.0.0.1 maul@sproing.evil.com luke +# AllowGroups wheel staff +# +# Keep in mind that using AllowUsers or AllowGroups means that anyone +# not Matching one of the supplied patterns will be denied access by default. +# Also, in order for sshd to allow access based on full or partial hostnames it +# needs to to a DNS lookup +# +# DenyUsers +{{ option('DenyUsers', '') }} +# AllowUsers +{{ option('AllowUsers', '') }} +# DenyGroups +{{ option('DenyGroups', '') }} +# AllowGroups +{{ option('AllowGroups', '') }} + {# Handling unknown in salt template options #} {%- for keyword in sshd_config.keys() %} {#- Matches have to be at the bottem and should be handled differently -#} diff --git a/pillar.example b/pillar.example index 264d112..9f32fce 100644 --- a/pillar.example +++ b/pillar.example @@ -32,6 +32,8 @@ sshd_config: Subsystem: "sftp /usr/lib/openssh/sftp-server" UsePAM: 'yes' UseDNS: 'yes' + AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke' + AllowGroups: 'wheel staff' matches: sftp_chroot: type: From 6e65cdad03d4e858de4c7cab7751ad5d8117c9b1 Mon Sep 17 00:00:00 2001 From: Niels Abspoel Date: Sat, 17 Jan 2015 20:04:03 +0100 Subject: [PATCH 35/40] add DenyUsers and DenyGroups example --- pillar.example | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pillar.example b/pillar.example index 9f32fce..e3f7a27 100644 --- a/pillar.example +++ b/pillar.example @@ -33,7 +33,10 @@ sshd_config: UsePAM: 'yes' UseDNS: 'yes' AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke' - AllowGroups: 'wheel staff' + DenyUsers: 'yoda chewbaca@112.10.21.1' + AllowGroups: 'wheel staff imperial' + DenyGroups: 'rebel' + Deny matches: sftp_chroot: type: From 6efc9818857459bb07fcfaf908c3374374a0dca8 Mon Sep 17 00:00:00 2001 From: Bernd Schlapsi Date: Tue, 30 Dec 2014 23:27:52 +0100 Subject: [PATCH 36/40] Refactor auth.sls to allow more keys for one user --- openssh/auth.sls | 51 +++++++++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/openssh/auth.sls b/openssh/auth.sls index 617b117..8825991 100644 --- a/openssh/auth.sls +++ b/openssh/auth.sls @@ -1,15 +1,18 @@ -include: - - openssh -{%- from "openssh/map.jinja" import openssh with context -%} -{%- set openssh_pillar = pillar.get('openssh', {}) -%} -{%- set auth = openssh_pillar.get('auth', {}) -%} -{%- for user,keys in auth.items() -%} - {%- for key in keys -%} - {% if 'present' in key and key['present'] %} +{%- macro print_name(identifier, key) -%} +{%- if 'name' in key %} {{ key['name'] }}: - ssh_auth.present: - - user: {{ user }} - {%- if 'source' in key %} +{%- else %} +{{ identifier }}: +{%- endif %} +{%- endmacro -%} + +{%- macro print_ssh_auth(identifier, key) -%} + {%- if 'user' in key %} + - user: {{ key['user'] }} + {%- else %} + - user: {{ identifier }} + {%- endif %} + {%- if 'present' in key and key['present'] and 'source' in key %} - source: {{ key['source'] }} {%- else %} {%- if 'enc' in key %} @@ -22,21 +25,25 @@ include: - options: {{ key['options'] }} {%- endif -%} {%- endif %} +{%- endmacro -%} + +include: + - openssh +{%- from "openssh/map.jinja" import openssh with context -%} +{%- set openssh_pillar = pillar.get('openssh', {}) -%} +{%- set auth = openssh_pillar.get('auth', {}) -%} +{%- for identifier,keys in auth.items() -%} + {%- for key in keys -%} + {% if 'present' in key and key['present'] %} +{{ print_name(identifier, key) }}: + ssh_auth.present: + {{ print_ssh_auth(identifier, key) }} - require: - service: {{ openssh.service }} {%- else %} -{{ key['name'] }}: +{{ print_name(identifier, key) }}: ssh_auth.absent: - - user: {{ user }} - {%- if 'enc' in key %} - - enc: {{ key['enc'] }} - {%- endif -%} - {%- if 'comment' in key %} - - comment: {{ key['comment'] }} - {%- endif -%} - {%- if 'options' in key %} - - options: {{ key['options'] }} - {%- endif -%} + {{ print_ssh_auth(identifier, key) }} {%- endif -%} {%- endfor -%} {%- endfor -%} From 128d4acfa2db38328ad8e5b71ba28be637431dc7 Mon Sep 17 00:00:00 2001 From: Bernd Schlapsi Date: Wed, 28 Jan 2015 23:00:47 +0100 Subject: [PATCH 37/40] Update pillar.example with two valid ssh-keys --- pillar.example | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/pillar.example b/pillar.example index e3f7a27..ab7f662 100644 --- a/pillar.example +++ b/pillar.example @@ -49,12 +49,18 @@ sshd_config: openssh: auth: - joe: - - name: JOE_VALID_SSH_PUBLIC_KEY + joe-valid-ssh-key-desktop: + - user: joe present: True enc: ssh-rsa - comment: main key - - name: JOE_NON_VALID_SSH_PUBLIC_KEY + comment: main key - desktop + joe-valid-ssh-key-notebook: + - user: joe + present: True + enc: ssh-rsa + comment: main key - notebook + joe-non-valid-ssh-key: + - user: joe present: False enc: ssh-rsa comment: obsolete key - removed From 28e0916840084ee51d314f0cc0e19f257bf249c3 Mon Sep 17 00:00:00 2001 From: Marc Schiffbauer Date: Mon, 23 Mar 2015 14:55:40 +0100 Subject: [PATCH 38/40] sort distros alphabetically --- openssh/map.jinja | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/openssh/map.jinja b/openssh/map.jinja index 566b265..0ebd307 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja @@ -1,4 +1,13 @@ {% set openssh = salt['grains.filter_by']({ + 'Arch': { + 'server': 'openssh', + 'client': 'openssh', + 'service': 'sshd.socket', + 'sshd_config': '/etc/ssh/sshd_config', + 'sshd_config_src': 'salt://openssh/files/sshd_config', + 'banner': '/etc/ssh/banner', + 'banner_src': 'salt://openssh/files/banner', + }, 'Debian': { 'server': 'openssh-server', 'client': 'openssh-client', @@ -8,6 +17,13 @@ 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', }, + 'FreeBSD': { + 'service': 'sshd', + 'sshd_config': '/etc/ssh/sshd_config', + 'sshd_config_src': 'salt://openssh/files/sshd_config', + 'banner': '/etc/ssh/banner', + 'banner_src': 'salt://openssh/files/banner', + }, 'RedHat': { 'server': 'openssh-server', 'client': 'openssh', @@ -26,20 +42,4 @@ 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', }, - 'FreeBSD': { - 'service': 'sshd', - 'sshd_config': '/etc/ssh/sshd_config', - 'sshd_config_src': 'salt://openssh/files/sshd_config', - 'banner': '/etc/ssh/banner', - 'banner_src': 'salt://openssh/files/banner', - }, - 'Arch': { - 'server': 'openssh', - 'client': 'openssh', - 'service': 'sshd.socket', - 'sshd_config': '/etc/ssh/sshd_config', - 'sshd_config_src': 'salt://openssh/files/sshd_config', - 'banner': '/etc/ssh/banner', - 'banner_src': 'salt://openssh/files/banner', - }, }, merge=salt['pillar.get']('openssh:lookup')) %} From c6aeaf4dc5a651b2590d52f8f5ce463c4958bb68 Mon Sep 17 00:00:00 2001 From: Marc Schiffbauer Date: Mon, 23 Mar 2015 14:56:12 +0100 Subject: [PATCH 39/40] add gentoo support --- openssh/map.jinja | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/openssh/map.jinja b/openssh/map.jinja index 0ebd307..883c96d 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja @@ -24,6 +24,15 @@ 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', }, + 'Gentoo': { + 'server': 'net-misc/openssh', + 'client': 'net-misc/openssh', + 'service': 'sshd', + 'sshd_config': '/etc/ssh/sshd_config', + 'sshd_config_src': 'salt://openssh/files/sshd_config', + 'banner': '/etc/ssh/banner', + 'banner_src': 'salt://openssh/files/banner', + }, 'RedHat': { 'server': 'openssh-server', 'client': 'openssh', From 1b74efd2d08aff7f24d272120cc7fbb035faae43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= Date: Thu, 26 Mar 2015 17:50:32 +0100 Subject: [PATCH 40/40] Add a new openssh.known_hosts state This state manages /etc/ssh/ssh_known_hosts and fills it with public SSH host keys of other minions. --- README.rst | 39 +++++++++++++++++++++++++++++++++++ openssh/files/ssh_known_hosts | 34 ++++++++++++++++++++++++++++++ openssh/known_hosts.sls | 16 ++++++++++++++ openssh/map.jinja | 12 +++++++++++ pillar.example | 24 +++++++++++++++++++++ 5 files changed, 125 insertions(+) create mode 100644 openssh/files/ssh_known_hosts create mode 100644 openssh/known_hosts.sls diff --git a/README.rst b/README.rst index ee2de6b..d33b9ab 100644 --- a/README.rst +++ b/README.rst @@ -41,3 +41,42 @@ Installs the ssh daemon configuration file included in this formula by values from pillar. ``pillar.example`` results in the generation of the default ``sshd_config`` file on Debian Wheezy. +``openssh.known_hosts`` +----------------------- + +Manages the site-wide ssh_known_hosts file and fills it with the +public SSH host keys of all minions. You can restrict the set of minions +whose keys are listed by using the pillar data ``openssh:known_hosts:target`` +and ``openssh:known_hosts:expr_form`` (those fields map directly to the +corresponding attributes of the ``mine.get`` function). + +The Salt mine is used to share the public SSH host keys, you must thus +configure it accordingly on all hosts that must export their keys. Two +mine functions are required, one that exports the keys (one key per line, +as they are stored in ``/etc/ssh/ssh_host_*_key.pub``) and one that defines +the public hostname that the keys are associated to. Here's the way to +setup those functions through pillar:: + + # Required for openssh.known_hosts + mine_functions: + public_ssh_host_keys: + mine_function: cmd.run + cmd: cat /etc/ssh/ssh_host_*_key.pub + public_ssh_hostname: + mine_function: grains.get + key: id + +The above example assumes that the minion identifier is a valid DNS name +that can be used to connect to the host. If that's not the case, you might +want to use the ``fqdn`` grain instead of the ``id`` one. The above example +also uses the default mine function names used by this formula. If you have to +use other names, then you should indicate the names to use in pillar keys +``openssh:known_hosts:mine_keys_function`` and +``openssh:known_hosts:mine_hostname_function``. + +You can also integrate alternate DNS names of the various hosts in the +ssh_known_hosts files. You just have to list all the alternate DNS names as a +list in the ``openssh:known_hosts:aliases`` pillar key. Whenever the IPv4 or +IPv6 behind one of those DNS entries matches an IPv4 or IPv6 behind the +official hostname of a minion, the alternate DNS name will be associated to the +minion's public SSH host key. diff --git a/openssh/files/ssh_known_hosts b/openssh/files/ssh_known_hosts new file mode 100644 index 0000000..62849d4 --- /dev/null +++ b/openssh/files/ssh_known_hosts @@ -0,0 +1,34 @@ +{%- set target = salt['pillar.get']('openssh:known_hosts:target', '*') -%} +{%- set expr_form = salt['pillar.get']('openssh:known_hosts:expr_form', 'glob') -%} +{%- set keys_function = salt['pillar.get']('openssh:known_hosts:mine_keys_function', 'public_ssh_host_keys') -%} +{%- set hostname_function = salt['pillar.get']('openssh:known_hosts:mine_hostname_function', 'public_ssh_hostname') -%} +{#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name + in the SSH known_hosts entry -#} +{%- set aliases = salt['pillar.get']('openssh:known_hosts:aliases', []) -%} +{%- set aliases_ips = {} -%} +{%- for alias in aliases -%} + {%- for ip in salt['dig.A'](alias) + salt['dig.AAAA'](alias) -%} + {%- do aliases_ips.setdefault(ip, []).append(alias) -%} + {%- endfor -%} +{%- endfor -%} +{#- Loop over targetted minions -#} +{%- set host_keys = salt['mine.get'](target, keys_function, expr_form=expr_form) -%} +{%- set host_names = salt['mine.get'](target, hostname_function, expr_form=expr_form) -%} +{%- for host, keys in host_keys|dictsort -%} + {%- set ip4 = salt['dig.A'](host) -%} + {%- set ip6 = salt['dig.AAAA'](host) -%} + {%- set names = [host_names.get(host, host)] -%} + {%- for ip in ip4 + ip6 -%} + {%- do names.append(ip) -%} + {%- for alias in aliases_ips.get(ip, []) -%} + {%- if alias not in names -%} + {%- do names.append(alias) -%} + {%- endif -%} + {%- endfor -%} + {%- endfor -%} + {%- for line in keys.split('\n') -%} + {%- if line -%} +{{ ','.join(names) }} {{ line }} +{% endif -%} + {%- endfor -%} +{%- endfor -%} diff --git a/openssh/known_hosts.sls b/openssh/known_hosts.sls new file mode 100644 index 0000000..8f8d2a8 --- /dev/null +++ b/openssh/known_hosts.sls @@ -0,0 +1,16 @@ +{% from "openssh/map.jinja" import openssh with context %} + +ensure dig is available: + pkg.installed: + - name: {{ openssh.dig_pkg }} + +manage ssh_known_hosts file: + file.managed: + - name: {{ openssh.ssh_known_hosts }} + - source: salt://openssh/files/ssh_known_hosts + - template: jinja + - user: root + - group: root + - mode: 644 + - require: + - pkg: ensure dig is available diff --git a/openssh/map.jinja b/openssh/map.jinja index 883c96d..17e9f8d 100644 --- a/openssh/map.jinja +++ b/openssh/map.jinja @@ -7,6 +7,8 @@ 'sshd_config_src': 'salt://openssh/files/sshd_config', 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', + 'dig_pkg': 'dnsutils', + 'ssh_known_hosts': '/etc/ssh/ssh_known_hosts', }, 'Debian': { 'server': 'openssh-server', @@ -16,6 +18,8 @@ 'sshd_config_src': 'salt://openssh/files/sshd_config', 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', + 'dig_pkg': 'dnsutils', + 'ssh_known_hosts': '/etc/ssh/ssh_known_hosts', }, 'FreeBSD': { 'service': 'sshd', @@ -23,6 +27,8 @@ 'sshd_config_src': 'salt://openssh/files/sshd_config', 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', + 'dig_pkg': 'bind-tools', + 'ssh_known_hosts': '/etc/ssh/ssh_known_hosts', }, 'Gentoo': { 'server': 'net-misc/openssh', @@ -32,6 +38,8 @@ 'sshd_config_src': 'salt://openssh/files/sshd_config', 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', + 'dig_pkg': 'net-dns/bind-tools', + 'ssh_known_hosts': '/etc/ssh/ssh_known_hosts', }, 'RedHat': { 'server': 'openssh-server', @@ -41,6 +49,8 @@ 'sshd_config_src': 'salt://openssh/files/sshd_config', 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', + 'dig_pkg': 'bind-utils', + 'ssh_known_hosts': '/etc/ssh/ssh_known_hosts', }, 'Suse': { 'server': 'openssh', @@ -50,5 +60,7 @@ 'sshd_config_src': 'salt://openssh/files/sshd_config', 'banner': '/etc/ssh/banner', 'banner_src': 'salt://openssh/files/banner', + 'dig_pkg': 'bind-utils', + 'ssh_known_hosts': '/etc/ssh/ssh_known_hosts', }, }, merge=salt['pillar.get']('openssh:lookup')) %} diff --git a/pillar.example b/pillar.example index ab7f662..720b8c4 100644 --- a/pillar.example +++ b/pillar.example @@ -104,3 +104,27 @@ openssh: -----END OPENSSH PRIVATE KEY----- public_key: | ssh-ed25519 NOT_DEFINED + + known_hosts: + # The next 2 settings restrict the set of minions that will be added in + # the generated ssh_known_hosts files (the default is to match all minions) + target: '*' + expr_form: 'glob' + # Name of mining functions used to gather public keys and hostnames + # (the default values are shown here) + mine_keys_function: public_ssh_host_keys + mine_hostname_function: public_ssh_hostname + # List of DNS entries also pointing to our managed machines and that we want + # to inject in our generated ssh_known_hosts file + aliases: + - cname-to-minion.example.org + - alias.example.org + +# Required for openssh.known_hosts +mine_functions: + public_ssh_host_keys: + mine_function: cmd.run + cmd: cat /etc/ssh/ssh_host_*_key.pub + public_ssh_hostname: + mine_function: grains.get + key: id