Merge pull request #151 from alxwr/issue-98

CentOS does not support ed25519; fixes #98

openssh/config.sls

@@ -36,7 +36,7 @@ ssh_config:
     {%- endif %}
 {% endif %}
 
-{%- for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}
+{%- for keyType in openssh['host_key_algos'].split(',') %}
 {%-   set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
 {%-   set keySize = salt['pillar.get']('openssh:generate_' ~ keyType ~ '_size', False) %}
 {%-   if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %}

openssh/defaults.yaml

@@ -1,24 +1,29 @@
-openssh:
-  sshd_enable: True
-  sshd_binary: /usr/sbin/sshd
-  sshd_config: /etc/ssh/sshd_config
-  sshd_config_src: salt://openssh/files/sshd_config
-  sshd_config_user: root
-  sshd_config_group: root
-  sshd_config_mode: '644'
-  sshd_config_backup: True
-  ssh_config: /etc/ssh/ssh_config
-  ssh_config_src: salt://openssh/files/ssh_config
-  ssh_config_user: root
-  ssh_config_group: root
-  ssh_config_mode: '644'
-  ssh_config_backup: True
-  banner: /etc/ssh/banner
-  banner_src: salt://openssh/files/banner
-  ssh_known_hosts: /etc/ssh/ssh_known_hosts
-  dig_pkg: dnsutils
-  ssh_moduli: /etc/ssh/moduli
-  root_group: root
+default:
+  openssh:
+    sshd_enable: True
+    sshd_binary: /usr/sbin/sshd
+    sshd_config: /etc/ssh/sshd_config
+    sshd_config_src: salt://openssh/files/sshd_config
+    sshd_config_user: root
+    sshd_config_group: root
+    sshd_config_mode: '644'
+    sshd_config_backup: True
+    ssh_config: /etc/ssh/ssh_config
+    ssh_config_src: salt://openssh/files/ssh_config
+    ssh_config_user: root
+    ssh_config_group: root
+    ssh_config_mode: '644'
+    ssh_config_backup: True
+    banner: /etc/ssh/banner
+    banner_src: salt://openssh/files/banner
+    ssh_known_hosts: /etc/ssh/ssh_known_hosts
+    dig_pkg: dnsutils
+    ssh_moduli: /etc/ssh/moduli
+    root_group: root
+    # Prevent merge of array; always override values
+    host_key_algos: ecdsa,ed25519,rsa
+    # To manage/remove DSA:
+    #host_key_algos: dsa,ecdsa,ed25519,rsa
 
-sshd_config: {}
-ssh_config: {}
+  sshd_config: {}
+  ssh_config: {}

openssh/map.jinja

@@ -1,120 +1,22 @@
-{## Start with  defaults from defaults.yaml ##}
-{% import_yaml "openssh/defaults.yaml" as default_settings %}
-
-{##
-Setup variable using grains['os_family'] based logic, only add key:values here
-that differ from whats in defaults.yaml
-##}
-{% set os_family_map = salt['grains.filter_by']({
-    'Arch': {
-      'server': 'openssh',
-      'client': 'openssh',
-      'service': 'sshd',
-      'dig_pkg': 'bind-tools',
-    },
-    'Debian': {
-      'server': 'openssh-server',
-      'client': 'openssh-client',
-      'service': 'ssh',
-    },
-    'FreeBSD': {
-      'service': 'sshd',
-      'dig_pkg': 'bind-tools',
-      'sshd_config_group': 'wheel',
-      'ssh_config_group': 'wheel',
-    },
-    'OpenBSD': {
-      'service': 'sshd',
-      'sshd_config_group': 'wheel',
-      'ssh_config_group': 'wheel',
-    },
-    'Gentoo': {
-      'server': 'net-misc/openssh',
-      'client': 'net-misc/openssh',
-      'service': 'sshd',
-      'dig_pkg': 'net-dns/bind-tools',
-    },
-    'RedHat': {
-      'server': 'openssh-server',
-      'client': 'openssh-clients',
-      'service': 'sshd',
-      'dig_pkg': 'bind-utils',
-    },
-    'Suse': {
-      'server': 'openssh',
-      'client': 'openssh',
-      'service': 'sshd',
-      'dig_pkg': 'bind-utils',
-    },
-    'Solaris': {
-      'service': 'network/ssh',
-      'sshd_config_group': 'root',
-      'ssh_config_group': 'root',
-      'dig_pkg': 'bind',
-      'sshd_binary': '/usr/lib/ssh/sshd',
-    },
-  }
-  , grain="os_family"
-  , merge=salt['pillar.get']('openssh:lookup'))
-%}
-
-{## Merge the flavor_map to the default settings ##}
-{% do default_settings.openssh.update(os_family_map) %}
-
-{## Merge in openssh:lookup pillar ##}
-{% set openssh = salt['pillar.get'](
-    'openssh',
-    default=default_settings.openssh,
-    merge=True
-  )
-%}
-
-{% set os_family_map = salt['grains.filter_by']({
-    'FreeBSD': {
-        'Subsystem': 'sftp /usr/libexec/sftp-server',
-    },
-    'OpenBSD': {
-        'Subsystem': 'sftp /usr/libexec/sftp-server',
-    },
-    'Suse': {
-        'Subsystem': 'sftp /usr/lib/ssh/sftp-server',
-    },
-    'Arch': {
-        'Subsystem': 'sftp /usr/lib/ssh/sftp-server',
-    },
-    'Debian': {
-        'Subsystem': 'sftp /usr/lib/openssh/sftp-server',
-    },
-    'RedHat': {
-        'Subsystem': 'sftp /usr/libexec/openssh/sftp-server',
-    },
-    'Solaris': {
-        'Subsystem': 'sftp internal-sftp',
-    },
-    'default': {}
-  }
-  , grain="os_family"
-  , merge=salt['pillar.get']('sshd_config:lookup'))
-%}
-
-{% set os_finger_map = salt['grains.filter_by']({
-    'CentOS-6': {
-    },
-    'default': {}
-  }
-  , grain="osfinger"
-  , merge=salt['pillar.get']('sshd_config:lookup'))
-%}
-
-
-{## Merge the flavor_map to the default settings ##}
-{% do default_settings.sshd_config.update(os_family_map) %}
-{% do default_settings.sshd_config.update(os_finger_map) %}
-
-{## Merge in sshd_config:lookup pillar ##}
-{% set sshd_config = salt['pillar.get'](
-    'sshd_config',
-    default=default_settings.sshd_config,
-    merge=True
-  )
-%}
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
+
+{## Start imports as  ##}
+{% import_yaml 'openssh/defaults.yaml' as default_settings %}
+{% import_yaml 'openssh/osfamilymap.yaml' as osfamilymap %}
+{% import_yaml 'openssh/osmap.yaml' as osmap %}
+{% import_yaml 'openssh/osfingermap.yaml' as osfingermap %}
+
+{% set defaults = salt['grains.filter_by'](default_settings,
+    default='default',
+    merge=salt['grains.filter_by'](osfamilymap, grain='os_family',
+      merge=salt['grains.filter_by'](osmap, grain='os',
+        merge=salt['grains.filter_by'](osfingermap, grain='osfinger')
+      )
+    )
+) %}
+
+{## merge the openssh pillar ##}
+{% set openssh = salt['pillar.get']('openssh', default=defaults['openssh'], merge=True) %}
+{% set ssh_config = salt['pillar.get']('ssh_config', default=defaults['ssh_config'], merge=True) %}
+{% set sshd_config = salt['pillar.get']('sshd_config', default=defaults['sshd_config'], merge=True) %}

openssh/osfamilymap.yaml

@@ -0,0 +1,68 @@
+Arch:
+  openssh:
+    server: openssh
+    client: openssh
+    service: sshd
+    dig_pkg: bind-tools
+  sshd_config:
+    Subsystem: sftp /usr/lib/ssh/sftp-server
+
+Debian:
+  openssh:
+    server: openssh-server
+    client: openssh-client
+    service: ssh
+  sshd_config:
+    Subsystem: sftp /usr/lib/openssh/sftp-server
+
+FreeBSD:
+  openssh:
+    service: sshd
+    dig_pkg: bind-tools
+    sshd_config_group: wheel
+    ssh_config_group: wheel
+  sshd_config:
+    Subsystem: sftp /usr/libexec/sftp-server
+
+Gentoo:
+  openssh:
+    server: net-misc/openssh
+    client: net-misc/openssh
+    service: sshd
+    dig_pkg: net-dns/bind-tools
+
+OpenBSD:
+  openssh:
+    service: sshd
+    sshd_config_group: wheel
+    ssh_config_group: wheel
+  sshd_config:
+    Subsystem: sftp /usr/libexec/sftp-server
+
+RedHat:
+  openssh:
+    server: openssh-server
+    client: openssh-clients
+    service: sshd
+    dig_pkg: bind-utils
+  sshd_config:
+    Subsystem: sftp /usr/libexec/openssh/sftp-server
+
+Solaris:
+  openssh:
+    service: network/ssh
+    sshd_config_group: root
+    ssh_config_group: root
+    dig_pkg: bind
+    sshd_binary: /usr/lib/ssh/sshd
+  sshd_config:
+    Subsystem: sftp internal-sftp
+
+Suse:
+  openssh:
+    server: openssh
+    client: openssh
+    service: sshd
+    dig_pkg: bind-utils
+  sshd_config:
+    Subsystem: sftp /usr/lib/ssh/sftp-server

openssh/osfingermap.yaml

@@ -0,0 +1,4 @@
+Ubuntu-18.04: {}
+CentOS-6:
+  openssh:
+    host_key_algos: ecdsa,rsa

openssh/osmap.yaml

@@ -0,0 +1 @@
+FreeBSD: {}