From edb956ee98c58b0e6f05d83d7c42d96dc28967a2 Mon Sep 17 00:00:00 2001
From: Garrett Honeycutt
Date: Thu, 16 May 2013 16:06:06 +0200
Subject: [PATCH] initial commit
---
 .gitignore | 12 +++
 CHANGELOG | 2 +
 LICENSE | 13 ++++
 Modulefile | 12 +++
 Rakefile | 3 +
 manifests/init.pp | 156 ++++++++++++++++++++++++++++++++++++++
 spec/spec_helper.rb | 2 +
 templates/ssh_config.erb | 56 ++++++++++++++
 templates/sshd_config.erb | 122 +++++++++++++++++++++++++++++
 tests/init.pp | 1 +
 10 files changed, 379 insertions(+)
 create mode 100644 CHANGELOG
 create mode 100644 LICENSE
 create mode 100644 Modulefile
 create mode 100644 Rakefile
 create mode 100644 manifests/init.pp
 create mode 100644 spec/spec_helper.rb
 create mode 100644 templates/ssh_config.erb
 create mode 100644 templates/sshd_config.erb
 create mode 100644 tests/init.pp
diff --git a/.gitignore b/.gitignore
index 560d1a6..ab2d950 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+# Default .gitignore for Ruby
 *.gem
 *.rbc
 .bundle
@@ -16,3 +17,14 @@ tmp
 .yardoc
 _yardoc
 doc/
+
+# Vim
+*.swp
+
+# OS X
+.DS_Store
+
+# Puppet
+metadata.json
+coverage/
+spec/fixtures/modules/*
diff --git a/CHANGELOG b/CHANGELOG
new file mode 100644
index 0000000..1c89f54
--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1,2 @@
+2.0.0 - 2013-05-16 Garrett Honeycutt
+* Rebirth
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..b1b251c
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,13 @@
+Copyright (C) 2010-2013 Garrett Honeycutt
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/Modulefile b/Modulefile
new file mode 100644
index 0000000..9c46840
--- /dev/null
+++ b/Modulefile
@@ -0,0 +1,12 @@
+name 'ghoneycutt-ssh'
+version '2.0.0'
+source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
+author 'ghoneycutt'
+license 'Apache License, Version 2.0'
+summary 'Manages SSH'
+description 'Manage SSH'
+project_page 'https://github.com/ghoneycutt/puppet-module-ssh'
+
+dependency 'puppetlabs/stdlib', '3.2.x'
+dependency 'ghoneycutt/common', '0.0.1'
+dependency 'puppetlabs/firewall', '>= 0.2.1'
diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000..22eae90
--- /dev/null
+++ b/Rakefile
@@ -0,0 +1,3 @@
+require 'rubygems'
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..ac21aac
--- /dev/null
+++ b/manifests/init.pp
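Review bot: `dependency 'puppetlabs/firewall', '>= 0.2.1'` is declared as a hard dependency, while the only firewall resource in manifests/init.pp is created when `$manage_firewall` is true, which it is not by default, so every consumer of the module has to install the firewall module for an opt-in feature. If that is deliberate it should be stated next to the `description 'Manage SSH'` line or in the class header; otherwise the requirement belongs in documentation as optional. `dependency 'ghoneycutt/common', '0.0.1'` is an exact pin while stdlib is given the range `'3.2.x'`; a range such as `'0.0.x'` is consistent with the other lines and does not block patch releases of common.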
@@ -0,0 +1,156 @@
+# == Class: ssh
+#
+# Manage ssh client and server
+#
+# == Parameters:
+#
+# $permit_root_login: defaults to 'no',
+# valid values = yes/without-password/forced-commands-only/no
+#
+class ssh (
+ $packages = ['openssh-server',
+ 'openssh-server',
+ 'openssh-clients'],
+ $permit_root_login = 'no',
+ $purge_keys = 'true',
+ $manage_firewall = false,
+ $ssh_config_path = '/etc/ssh/ssh_config',
+ $ssh_config_owner = 'root',
+ $ssh_config_group = 'root',
+ $ssh_config_mode = '0644',
+ $sshd_config_path = '/etc/ssh/sshd_config',
+ $sshd_config_owner = 'root',
+ $sshd_config_group = 'root',
+ $sshd_config_mode = '0600',
+ $service_ensure = 'running',
+ $service_name = 'sshd',
+ $service_enable = 'true',
+ $service_hasrestart = 'true',
+ $service_hasstatus = 'true',
+ $ssh_key_ensure = 'present',
+ $ssh_key_type = 'ssh-rsa',
+ $manage_root_ssh_config = 'false',
+ $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
+) {
+
+ case $permit_root_login {
+ 'no', 'yes', 'without-password', 'forced-commands-only': {
+ # noop
+ }
+ default: {
+ fail("permit_root_login may be either 'yes', 'without-password', 'forced-commands-only' or 'no' and is set to ${permit_root_login}")
+ }
+ }
+
+ case $ssh_key_type {
+ 'ssh-rsa','rsa': {
+ $key = $::sshrsakey
+ }
+ 'ssh-dsa','dsa': {
+ $key = $::sshdsakey
+ }
+ default: {
+ fail("ssh_key_type must be 'ssh-rsa', 'rsa', 'ssh-dsa', or 'dsa' and is ${ssh_key_type}")
+ }
+ }
+
+ case $purge_keys {
+ 'true','false': {
+ # noop
+ }
+ default: {
+ fail("purge_keys must be 'true' or 'false' and is ${purge_keys}")
+ }
+ }
+
+ package { 'ssh_packages':
+ ensure => installed,
+ name => $packages,
+ }
+
+ file { 'ssh_config' :
+ ensure => file,
+ path => $ssh_config_path,
+ owner => $ssh_config_owner,
+ group => $ssh_config_group,
+ mode => $ssh_config_mode,
+ content => template('ssh/ssh_config.erb'),
+ require => Package['ssh_packages'],
+ }
+
+ file { 'sshd_config' :
+ ensure => file,
+ path => $sshd_config_path,
+ mode => $sshd_config_mode,
+ owner => $sshd_config_owner,
+ group => $sshd_config_group,
+ content => template('ssh/sshd_config.erb'),
+ require => Package['ssh_packages'],
+ }
+
+ case $manage_root_ssh_config {
+ 'true': {
+
+ include common
+
+ common::mkdir_p { "${::root_home}/.ssh": }
+
+ file { 'root_ssh_dir':
+ ensure => directory,
+ path => "${::root_home}/.ssh",
+ owner => 'root',
+ group => 'root',
+ mode => '0700',
+ require => Common::Mkdir_p["${::root_home}/.ssh"],
+ }
+
+ file { 'root_ssh_config':
+ ensure => file,
+ path => "${::root_home}/.ssh/config",
+ content => $root_ssh_config_content,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ }
+ }
+ 'false': {
+ # noop
+ }
+ default: {
+ fail("manage_root_ssh_config is <${manage_root_ssh_config}> and must be \'true\' or \'false\'.")
+ }
+ }
+
+ service { 'sshd_service' :
+ ensure => $service_ensure,
+ name => $service_name,
+ enable => $service_enable,
+ hasrestart => $service_hasrestart,
+ hasstatus => $service_hasstatus,
+ subscribe => File['sshd_config'],
+ }
+
+ if $manage_firewall == true {
+ firewall { '22 open port 22 for SSH':
+ action => 'accept',
+ dport => 22,
+ proto => 'tcp',
+ }
+ }
+
+ # export each node's ssh key
+ @@sshkey { $::fqdn :
+ ensure => $ssh_key_ensure,
+ type => $ssh_key_type,
+ key => $key,
+ require => Package['ssh_packages'],
+ }
+
+ # import all nodes' ssh keys
+ Sshkey <<||>>
+
+ # remove ssh key's not managed by puppet
+ resources { 'sshkey':
+ purge => $purge_keys,
+ }
+}
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
new file mode 100644
index 0000000..dc7e9f4
--- /dev/null
+++ b/spec/spec_helper.rb
@@ -0,0 +1,2 @@
+require 'rubygems'
+require 'puppetlabs_spec_helper/module_spec_helper'
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
new file mode 100644
index 0000000..41ca8a8
--- /dev/null
+++ b/templates/ssh_config.erb
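Review bot: The default for `$packages` is `['openssh-server', 'openssh-server', 'openssh-clients']`, with `'openssh-server'` listed twice, so one entry is presumably a typo for another package (on the Red Hat family, where `openssh-clients` exists, the base package is `openssh`); the duplicate should be dropped or corrected. The array is also passed as `name` of a single `package { 'ssh_packages': }` resource instead of as titles; `package { $packages: ensure => installed }` with `Package[$packages]` in the `require` lines is the conventional form and yields one resource per package in reports. In `case $ssh_key_type`, `'ssh-dsa'` and `'dsa'` are accepted and then handed unchanged to the exported `@@sshkey` as `type`; as far as I recall Puppet's sshkey type spells the DSA algorithm `ssh-dss` (with `dsa` as an alias), so the `'ssh-dsa'` branch may be rejected at apply time and deserves a spec test. Boolean-ish parameters are inconsistent — `$manage_firewall` is a bare `false` compared with `== true`, while `$purge_keys`, `$service_enable`, `$service_hasrestart`, `$service_hasstatus` and `$manage_root_ssh_config` are the strings `'true'`/`'false'` — and the header comment documents only `$permit_root_login`, so the accepted forms of the others should be listed there as well.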
@@ -0,0 +1,56 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+
+# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
+
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+# Host *
+# ForwardAgent no
+# ForwardX11 no
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+ PasswordAuthentication yes
+ PubkeyAuthentication yes
+# HostbasedAuthentication no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+ IdentityFile ~/.ssh/id_rsa
+ IdentityFile ~/.ssh/id_dsa
+# Port 22
+ Protocol 2
+# Cipher 3des
+# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+# Send locale-related environment variables
+ SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL
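Review bot: This template contains no ERB expressions, so none of the `ssh` class parameters can change the client configuration it installs; `ForwardX11Trusted yes` and `GSSAPIAuthentication yes` under `Host *` are fixed, and the file's own comment notes that trusted forwarding gives remote X11 clients full access to the local display. The same pattern is in templates/sshd_config.erb, where only `PermitRootLogin` is interpolated while `PasswordAuthentication yes`, `X11Forwarding yes` and `UsePAM yes` are fixed, so a site cannot tighten either side without replacing the templates. If the current values are intended as defaults, exposing them as class parameters that default to those values and writing e.g. `  ForwardX11Trusted <%= @forward_x11_trusted %>` preserves today's behaviour while letting a host opt out; the global `PasswordAuthentication yes` and `Protocol 2` lines above `Host *` would be handled the same way. The `# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $` line is a revision marker copied from the distribution file and is misleading in a template that says it is maintained by Puppet; dropping it, together with the commented-out defaults, would make the settings the module actually asserts easier to audit.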
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
new file mode 100644
index 0000000..fc3d2cc
--- /dev/null
+++ b/templates/sshd_config.erb
@@ -0,0 +1,122 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+#Port 22
+#Protocol 2,1
+Protocol 2
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 768
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin <%= @permit_root_login %>
+#StrictModes yes
+#MaxAuthTries 6
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile .ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication yes
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication yes
+#GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication mechanism.
+# Depending on your PAM configuration, this may bypass the setting of
+# PasswordAuthentication, PermitEmptyPasswords, and
+# "PermitRootLogin without-password". If you just want the PAM account and
+# session checks to run without PAM authentication, then enable this but set
+# ChallengeResponseAuthentication=no
+#UsePAM no
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+##Banner /etc/motd
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
diff --git a/tests/init.pp b/tests/init.pp
new file mode 100644
index 0000000..13a4638
--- /dev/null
+++ b/tests/init.pp
@@ -0,0 +1 @@
+include ssh
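Review bot: The header says `# This file is being maintained by Puppet.` / `# DO NOT EDIT`, yet the prose copied from the distribution file still instructs the reader to edit it — `# To disable tunneled clear text passwords, change to no here!` sits directly above `PasswordAuthentication yes`, and the `UsePAM` comment block gives similar hand-editing advice — which contradicts the Puppet-managed claim and, as the template stands, cannot be followed without forking it. Those comments should be rewritten to point at the class parameter (once one exists) or removed, and `# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin` and the `# $OpenBSD: sshd_config,v 1.73 ...` marker are build-specific lines from that distribution copy that are not true of a template shipped by a module. `Subsystem sftp /usr/libexec/openssh/sftp-server` is the Red Hat family path (Debian-derived systems ship the helper under `/usr/lib/openssh/`), which together with the `openssh-clients` package default in manifests/init.pp makes the module platform-specific; either parameterise the path or state the supported platforms in the class header so the limitation is documented rather than discovered at apply time.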