Saltstack Official OpenSSH Formula


{#- Formula root (the first path component of this state's location), used to
    locate the formula's own Jinja helpers below. #}
{%- set tplroot = tpldir.split('/')[0] %}
{#- openssh: formula settings (paths, owners, modes, service name, key switches);
    ssh_config / sshd_config: the rendered client / daemon option maps. #}
{%- from tplroot ~ "/map.jinja" import openssh, ssh_config, sshd_config with context %}
{#- files_switch: template-override lookup (TOFS) used for the config sources. #}
{%- from tplroot ~ "/libtofs.jinja" import files_switch %}

{#- The formula's base openssh state is always applied alongside this one. #}
include:
  - openssh
{#- Daemon configuration is only managed when the map provides sshd_config
    settings; an empty map leaves the existing file untouched. #}
{%- if sshd_config %}
sshd_config:
  file.managed:
    - name: {{ openssh.sshd_config }}
    {#- Preserve backward compatibility using the `if` below #}
    {#- A source given as a URL is used verbatim; a bare filename goes through
        the TOFS lookup so it can be overridden per minion/role. #}
    - source: {{ openssh.sshd_config_src if '://' in openssh.sshd_config_src
                 else files_switch( [openssh.sshd_config_src],
                                    'sshd_config'
                 ) }}
    - template: jinja
    - context:
        sshd_config: {{ sshd_config | json }}
    - user: {{ openssh.sshd_config_user }}
    - group: {{ openssh.sshd_config_group }}
    - mode: {{ openssh.sshd_config_mode }}
    # Salt runs this against the rendered temporary file before it replaces
    # the live one, so a configuration that sshd rejects is never installed
    # (and the service restart below is never triggered by a broken file).
    - check_cmd: {{ openssh.sshd_binary }} -t -f
{%- if openssh.sshd_config_backup %}
    # keep a copy of the previous file in the minion's file backup store
    - backup: minion
{%- endif %}
    - watch_in:
      - service: {{ openssh.service }}
{%- endif %}
{#- Client configuration, managed the same way as sshd_config above but
    without a check_cmd: a malformed client config is written as rendered,
    and no service is restarted for it. #}
{%- if ssh_config %}
ssh_config:
  file.managed:
    - name: {{ openssh.ssh_config }}
    {#- Preserve backward compatibility using the `if` below #}
    {#- URL sources are used verbatim; bare filenames go through TOFS. #}
    - source: {{ openssh.ssh_config_src if '://' in openssh.ssh_config_src
                 else files_switch( [openssh.ssh_config_src],
                                    'ssh_config'
                 ) }}
    - template: jinja
    - context:
        ssh_config: {{ ssh_config | json }}
    - user: {{ openssh.ssh_config_user }}
    - group: {{ openssh.ssh_config_group }}
    - mode: {{ openssh.ssh_config_mode }}
{%- if openssh.ssh_config_backup %}
    # keep a copy of the previous file in the minion's file backup store
    - backup: minion
{%- endif %}
{%- endif %}
  47. {%- for keyType in openssh['host_key_algos'].split(',') %}
  48. {%- set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
  49. {%- set keySize = openssh.get('generate_' ~ keyType ~ '_size', False) %}
  50. {%- if openssh.get('provide_' ~ keyType ~ '_keys', False) %}
  51. ssh_host_{{ keyType }}_key:
  52. file.managed:
  53. - name: {{ keyFile }}
  54. - contents_pillar: 'openssh:{{ keyType }}:private_key'
  55. - user: root
  56. - mode: 600
  57. {%- if sshd_config %}
  58. - require_in:
  59. - file: sshd_config
  60. {%- endif %}
  61. - watch_in:
  62. - service: {{ openssh.service }}
  63. ssh_host_{{ keyType }}_key.pub:
  64. file.managed:
  65. - name: {{ keyFile }}.pub
  66. - contents_pillar: 'openssh:{{ keyType }}:public_key'
  67. - user: root
  68. - mode: 600
  69. {%- if sshd_config %}
  70. - require_in:
  71. - file: sshd_config
  72. {%- endif %}
  73. - watch_in:
  74. - service: {{ openssh.service }}
  75. {%- elif openssh.get('generate_' ~ keyType ~ '_keys', False) %}
  76. {%- if keySize and openssh.get('enforce_' ~ keyType ~ '_size', False) %}
  77. ssh_remove_short_{{ keyType }}_key:
  78. cmd.run:
  79. - name: "rm -f {{ keyFile }} {{ keyFile }}.pub"
  80. - onlyif: "test -f {{ keyFile }}.pub && test `ssh-keygen -l -f {{ keyFile }}.pub 2>/dev/null | awk '{print $1}'` -lt {{ keySize }}"
  81. - require_in:
  82. - cmd: ssh_generate_host_{{ keyType }}_key
  83. {%- endif %}
  84. ssh_generate_host_{{ keyType }}_key:
  85. cmd.run:
  86. {%- set keySizePart = "-b {}".format(keySize) if keySize else "" %}
  87. - name: "rm {{ keyFile }}*; ssh-keygen -t {{ keyType }} {{ keySizePart }} -N '' -f {{ keyFile }}"
  88. - unless: "test -s {{ keyFile }}"
  89. - runas: root
  90. {%- if sshd_config %}
  91. - require_in:
  92. - file: sshd_config
  93. {%- endif %}
  94. - watch_in:
  95. - service: {{ openssh.service }}
  96. ssh_host_{{ keyType }}_key: # set permissions
  97. file.managed:
  98. - name: {{ keyFile }}
  99. - replace: false
  100. - mode: '0600'
  101. - require:
  102. - cmd: ssh_generate_host_{{ keyType }}_key
  103. {%- if sshd_config %}
  104. - require_in:
  105. - file: sshd_config
  106. {%- endif %}
  107. {%- elif openssh.get('absent_' ~ keyType ~ '_keys', False) %}
  108. ssh_host_{{ keyType }}_key:
  109. file.absent:
  110. - name: {{ keyFile }}
  111. - watch_in:
  112. - service: {{ openssh.service }}
  113. ssh_host_{{ keyType }}_key.pub:
  114. file.absent:
  115. - name: {{ keyFile }}.pub
  116. - watch_in:
  117. - service: {{ openssh.service }}
  118. {%- endif %}
  119. {%- endfor %}
  120. {%- if sshd_config.get('UsePrivilegeSeparation', '')|lower == 'yes' %}
  121. /var/run/sshd:
  122. file.directory:
  123. - user: root
  124. - mode: 755
  125. - require_in:
  126. - file: sshd_config
  127. - watch_in:
  128. - service: {{ openssh.service }}
  129. {%- endif %}