Browse Source

Added support to manage ssh certificates

tags/v0.41.0
Carlos Perelló Marín 11 years ago
parent
commit
47211d0648
5 changed files with 102 additions and 39 deletions
  1. +1
    -1
      LICENSE
  2. +13
    -7
      README.rst
  3. +43
    -0
      openssh/auth.sls
  4. +2
    -1
      openssh/files/sshd_config
  5. +43
    -30
      pillar.example

+ 1
- 1
LICENSE View File

Copyright (c) 2013 Salt Stack Formulas
Copyright (c) 2013-2014 Salt Stack Formulas


Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.

+ 13
- 7
README.rst View File



Installs the ``openssh`` server package and service. Installs the ``openssh`` server package and service.


``openssh.config``
``openssh.auth``
-----------

Manages SSH certificates for users.

``openssh.banner``
------------------ ------------------


Installs the ssh daemon configuration file included in this formula
(under "openssh/files"). This configuration file is populated
by values from pillar. ``pillar.example`` results in the generation
of the default ``sshd_config`` file on Debian Wheezy.
Installs a banner that users see when SSH-ing in.


``openssh.client`` ``openssh.client``
------------------ ------------------


Installs the openssh client package. Installs the openssh client package.


``openssh.banner``
``openssh.config``
------------------ ------------------


Installs a banner that users see when SSH-ing in.
Installs the ssh daemon configuration file included in this formula
(under "openssh/files"). This configuration file is populated
by values from pillar. ``pillar.example`` results in the generation
of the default ``sshd_config`` file on Debian Wheezy.


+ 43
- 0
openssh/auth.sls View File

include:
- openssh

{% from "openssh/map.jinja" import openssh with context %}
{% set openssh_pillar = pillar.get('openssh', {}) %}
{% set auth = openssh_pillar.get('auth', {}) %}
{% for user,keys in auth.items() -%}
{% for key in keys -%}
{% if 'present' in key and key['present'] %}
{{ key['name'] }}:
ssh_auth.present:
- user: {{ user }}
{% if 'source' in key %}
- source: {{ key['source'] }}
{% else %}
{% if 'enc' in key %}
- enc: {{ key['enc'] }}
{% endif %}
{% if 'comment' in key %}
- comment: {{ key['comment'] }}
{% endif %}
{% if 'options' in key %}
- options: {{ key['options'] }}
{% endif %}
{% endif %}
- require:
- service: {{ openssh.service }}
{% else %}
{{ key['name'] }}:
ssh_auth.absent:
- user: {{ user }}
{% if 'enc' in key %}
- enc: {{ key['enc'] }}
{% endif %}
{% if 'comment' in key %}
- comment: {{ key['comment'] }}
{% endif %}
{% if 'options' in key %}
- options: {{ key['options'] }}
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}

+ 2
- 1
openssh/files/sshd_config View File

{% set sshd_config = pillar.get('sshd_config', {}) %}
{% set openssh_pillar = pillar.get('openssh', {}) %}
{% set sshd_config = openssh_pillar.get('sshd_config', {}) %}


# This file is managed by salt. Manual changes risk being overwritten. # This file is managed by salt. Manual changes risk being overwritten.
# The contents of the original sshd_config are kept on the bottom for # The contents of the original sshd_config are kept on the bottom for

+ 43
- 30
pillar.example View File

sshd_config:
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation: yes
KeyRegenerationInterval: 3600
ServerKeyBits: 768
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: yes
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: yes
openssh:
sshd_config:
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation: yes
KeyRegenerationInterval: 3600
ServerKeyBits: 768
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: yes
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: yes

auth:
joe:
- name: JOE_VALID_SSH_PUBLIC_KEY
present: True
enc: ssh-rsa
comment: main key
- name: JOE_NON_VALID_SSH_PUBLIC_KEY
present: False
enc: ssh-rsa
comment: obsolete key - removed


Loading…
Cancel
Save