From 272b3e442d5d03c2e610da57d3a11d943c1243c0 Mon Sep 17 00:00:00 2001 From: Johan Wennerberg Date: Thu, 5 Sep 2013 14:42:41 +0200 Subject: [PATCH] Add parameters to ssh_config and sshd_config --- README.md | 66 +++++++++++++++++++++++++++++++++++++++ manifests/init.pp | 57 +++++++++++++++++++-------------- templates/ssh_config.erb | 9 ++++++ templates/sshd_config.erb | 17 +++++++--- 4 files changed, 121 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index ff5acbd..27a63af 100644 --- a/README.md +++ b/README.md @@ -61,6 +61,24 @@ ssh_config's mode. - *Default*: '0644' +ssh_config_forward_x11 +---------------------- +ForwardX11 option in ssh_config. Not set by default. + +- *Default*: undef + +ssh_config_forward_agent +------------------------ +ForwardAgent option in ssh_config. Not set by default. + +- *Default*: undef + +ssh_config_server_alive_interval +-------------------------------- +ServerAliveInterval option in ssh_config. Not set by default. + +- *Default*: undef + sshd_config_path ---------------- Path to sshd_config. 
@@ -85,6 +103,54 @@ sshd_config's mode. - *Default*: '0600' +sshd_config_syslog_facility +--------------------------- +SyslogFacility option in sshd_config. + +- *Default*: 'AUTH' + +sshd_config_login_grace_time +---------------------------- +LoginGraceTime option in sshd_config. + +- *Default*: '120' + +sshd_config_challenge_resp_auth +------------------------------- +ChallengeResponseAuthentication option in sshd_config. + +- *Default*: 'no' + +sshd_config_print_motd +---------------------- +PrintMotd option in sshd_config. + +- *Default*: 'yes' + +sshd_config_use_dns +------------------- +UseDNS option in sshd_config. + +- *Default*: 'yes' + +sshd_config_banner +------------------ +Banner option in sshd_config. + +- *Default*: 'none' + +sshd_config_xauth_location +-------------------------- +XAuthLocation option in sshd_config. + +- *Default*: '/usr/bin/xauth' + +sshd_config_subsystem_sftp +-------------------------- +Path to sftp file transfer subsystem in sshd_config. + +- *Default*: '/usr/libexec/openssh/sftp-server' + service_ensure -------------- Ensure SSH service is running. Valid values are 'stopped' and 'running'. diff --git a/manifests/init.pp b/manifests/init.pp index bf8f19a..8516d26 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -131,29 +131,40 @@ # - *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n" # class ssh ( - $packages = ['openssh-server', - 'openssh-server', - 'openssh-clients'], - $permit_root_login = 'no', - $purge_keys = 'true', - $manage_firewall = false, - $ssh_config_path = '/etc/ssh/ssh_config', - $ssh_config_owner = 'root', - $ssh_config_group = 'root', - $ssh_config_mode = '0644', - $sshd_config_path = '/etc/ssh/sshd_config', - $sshd_config_owner = 'root', - $sshd_config_group = 'root', - $sshd_config_mode = '0600', - $service_ensure = 'running', - $service_name = 'sshd', - $service_enable = 'true', - $service_hasrestart = 'true', - $service_hasstatus = 'true', - $ssh_key_ensure = 'present', - $ssh_key_type = 'ssh-rsa', - $manage_root_ssh_config = 'false', - $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", + $packages = ['openssh-server', + 'openssh-server', + 'openssh-clients'], + $permit_root_login = 'no', + $purge_keys = 'true', + $manage_firewall = false, + $ssh_config_path = '/etc/ssh/ssh_config', + $ssh_config_owner = 'root', + $ssh_config_group = 'root', + $ssh_config_mode = '0644', + $ssh_config_forward_x11 = undef, + $ssh_config_forward_agent = undef, + $ssh_config_server_alive_interval = undef, + $sshd_config_path = '/etc/ssh/sshd_config', + $sshd_config_owner = 'root', + $sshd_config_group = 'root', + $sshd_config_mode = '0600', + $sshd_config_syslog_facility = 'AUTH', + $sshd_config_login_grace_time = '120', + $sshd_config_challenge_resp_auth = 'no', + $sshd_config_print_motd = 'yes', + $sshd_config_use_dns = 'yes', + $sshd_config_banner = 'none', + $sshd_config_xauth_location = '/usr/bin/xauth', + $sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server', + $service_ensure = 'running', + $service_name = 'sshd', + $service_enable = 'true', + $service_hasrestart = 'true', + $service_hasstatus = 'true', + $ssh_key_ensure = 'present', + $ssh_key_type = 'ssh-rsa', + $manage_root_ssh_config = 
'false', + $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", ) { case $permit_root_login { diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index eada5a5..e5ab70f 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -50,6 +50,15 @@ Host * # to the original X11 display. As virtually no X11 client supports the untrusted # mode correctly we set this to yes. ForwardX11Trusted yes +<% if @ssh_config_forward_agent -%> + ForwardAgent <%= @ssh_config_forward_agent %> +<% end -%> +<% if @ssh_config_forward_x11 -%> + ForwardX11 <%= @ssh_config_forward_x11 %> +<% end -%> +<% if @ssh_config_server_alive_interval -%> + ServerAliveInterval <%= @ssh_config_server_alive_interval %> +<% end -%> # Send locale-related environment variables SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index fc3d2cc..ecad246 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -33,12 +33,13 @@ Protocol 2 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH -SyslogFacility AUTHPRIV +SyslogFacility <%= @sshd_config_syslog_facility %> #LogLevel INFO # Authentication: -#LoginGraceTime 2m +#LoginGraceTime 120 +LoginGraceTime <%= @sshd_config_login_grace_time %> PermitRootLogin <%= @permit_root_login %> #StrictModes yes #MaxAuthTries 6 @@ -64,7 +65,7 @@ PasswordAuthentication yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes -ChallengeResponseAuthentication no +ChallengeResponseAuthentication <%= @sshd_config_challenge_resp_auth %> # Kerberos options #KerberosAuthentication no @@ -100,6 +101,7 @@ X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes +PrintMotd <%= @sshd_config_print_motd %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no 
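Review bot: The eleven new parameters are interpolated into the templates without any validation, while `$permit_root_login` is checked by the `case` statement just below this hunk; a misspelled value such as 'ys' for `$sshd_config_use_dns`, or an empty string for `$sshd_config_xauth_location`, is written verbatim into sshd_config and sshd then refuses to start on its next restart, which on a remote host means a lockout. The yes/no parameters (`sshd_config_challenge_resp_auth`, `sshd_config_print_motd`, `sshd_config_use_dns`, and the two ssh_config forwarding ones when not undef) should be restricted to 'yes'/'no', the interval and grace-time ones to integers, and the three path parameters to absolute paths before the templates are evaluated. The duplicate 'openssh-server' entry in `$packages` is carried over unchanged by the re-indentation; dropping one would be a cheap fix while these lines are being touched. The class body continues past the end of the hunk.
```puppet
) {

  # Validate the new values before the templates see them: an unexpected
  # string is otherwise written verbatim into sshd_config and sshd refuses
  # to start on the next restart. Mirrors the existing check on
  # $permit_root_login further down.
  case $sshd_config_use_dns {
    'yes', 'no': { }
    default: {
      fail("ssh::sshd_config_use_dns must be 'yes' or 'no'. Got '${sshd_config_use_dns}'.")
    }
  }
  # ... same case block for $sshd_config_challenge_resp_auth and
  #     $sshd_config_print_motd, and for $ssh_config_forward_agent /
  #     $ssh_config_forward_x11 inside an `if` so that undef stays allowed ...

  # Paths are written unquoted into sshd_config, so require absolute paths.
  if $sshd_config_xauth_location !~ /^\// {
    fail("ssh::sshd_config_xauth_location must be an absolute path. Got '${sshd_config_xauth_location}'.")
  }
  # ... same check for $sshd_config_subsystem_sftp ...

  # ... unchanged: case $permit_root_login { ... } and the rest of the class body ...
```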
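Review bot: The three new directives are emitted inside the `Host *` stanza, so a value of 'yes' for `ssh_config_forward_agent` or `ssh_config_forward_x11` forwards the agent socket or X11 display to every host the client ever connects to, which the README entries ('Not set by default') do not mention; a sentence in the README and the parameter docs saying that these apply to all hosts and that agent forwarding lets a compromised server use the local agent's keys would be worth adding. The `<% if … -%>` guards also render the directive for any non-nil value, including an empty string (assuming undef reaches the template as nil), which produces a `ForwardAgent` line with no argument that ssh reports as a configuration error; either validate the values to 'yes'/'no' in init.pp or tighten the guard to `<% if @ssh_config_forward_agent and not @ssh_config_forward_agent.to_s.empty? -%>` and likewise for the other two.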
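Review bot: Replacing the hard-coded `SyslogFacility AUTHPRIV` with `<%= @sshd_config_syslog_facility %>` changes the rendered value to AUTH, because init.pp defaults the new parameter to 'AUTH' and the README documents that default; on RHEL-family hosts, which the module's other defaults (openssh-clients, /usr/libexec/openssh/sftp-server) suggest it targets, the stock rsyslog rules as far as I recall send authpriv to /var/log/secure but plain auth to /var/log/messages, so login and failure records silently move out of the file that fail2ban, auditors and log shippers usually watch. Keeping the old behaviour means `$sshd_config_syslog_facility = 'AUTHPRIV',` in init.pp and `- *Default*: 'AUTHPRIV'` in the README, or at least a README note that the default differs from the previous template. The added `#LoginGraceTime 120` comment line replaces the upstream `#LoginGraceTime 2m` example; keeping the upstream form avoids suggesting that the unit changed. The ChallengeResponseAuthentication and PrintMotd hunks on this line render the same values as before.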
@@ -110,13 +112,18 @@ X11Forwarding yes #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes +UseDNS <%= @sshd_config_use_dns %> #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none # no default banner path -##Banner /etc/motd +#Banner none +Banner <%= @sshd_config_banner %> + +#XAuthLocation /usr/bin/xauth +XAuthLocation <%= @sshd_config_xauth_location %> # override default of no subsystems -Subsystem sftp /usr/libexec/openssh/sftp-server +Subsystem sftp <%= @sshd_config_subsystem_sftp %>
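Review bot: `UseDNS <%= @sshd_config_use_dns %>` with the 'yes' default pins a setting the old template left to sshd's built-in default (`#UseDNS yes`), so every incoming connection now performs a reverse lookup plus forward check of the client address before authentication; that adds latency and a dependency on DNS availability, gives no authentication benefit unless `from=` host patterns are in use, and the host names that end up in auth logs come from PTR records the server does not control. Unless the module needs it, defaulting `$sshd_config_use_dns` to 'no' is the safer choice, or to `undef` with an `<% if … -%>` guard as the ssh_config options do so that sshd's own default applies; the same undef-guard pattern would suit the new `PrintMotd` line in the previous hunk. `Banner` and `XAuthLocation` are rendered unquoted, which is correct for sshd_config but means a path containing whitespace cannot be expressed; a one-line comment above them such as `# value must be a single token; sshd does not quote-parse paths` would save a confusing start failure.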