Parcourir la source

Added support to manage ssh certificates

master
Carlos Perelló Marín il y a 11 ans
Parent
révision
47211d0648
5 fichiers modifiés avec 102 ajouts et 39 suppressions
  1. +1
    -1
      LICENSE
  2. +13
    -7
      README.rst
  3. +43
    -0
      openssh/auth.sls
  4. +2
    -1
      openssh/files/sshd_config
  5. +43
    -30
      pillar.example

+ 1
- 1
LICENSE Voir le fichier

@@ -1,4 +1,4 @@
Copyright (c) 2013 Salt Stack Formulas
Copyright (c) 2013-2014 Salt Stack Formulas

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.

+ 13
- 7
README.rst Voir le fichier

@@ -18,20 +18,26 @@ Available states

Installs the ``openssh`` server package and service.

``openssh.config``
``openssh.auth``
-----------

Manages SSH certificates for users.

``openssh.banner``
------------------

Installs the ssh daemon configuration file included in this formula
(under "openssh/files"). This configuration file is populated
by values from pillar. ``pillar.example`` results in the generation
of the default ``sshd_config`` file on Debian Wheezy.
Installs a banner that users see when SSH-ing in.

``openssh.client``
------------------

Installs the openssh client package.

``openssh.banner``
``openssh.config``
------------------

Installs a banner that users see when SSH-ing in.
Installs the ssh daemon configuration file included in this formula
(under "openssh/files"). This configuration file is populated
by values from pillar. ``pillar.example`` results in the generation
of the default ``sshd_config`` file on Debian Wheezy.


+ 43
- 0
openssh/auth.sls Voir le fichier

@@ -0,0 +1,43 @@
include:
- openssh

{% from "openssh/map.jinja" import openssh with context %}
{% set openssh_pillar = pillar.get('openssh', {}) %}
{% set auth = openssh_pillar.get('auth', {}) %}
{% for user,keys in auth.items() -%}
{% for key in keys -%}
{% if 'present' in key and key['present'] %}
{{ key['name'] }}:
ssh_auth.present:
- user: {{ user }}
{% if 'source' in key %}
- source: {{ key['source'] }}
{% else %}
{% if 'enc' in key %}
- enc: {{ key['enc'] }}
{% endif %}
{% if 'comment' in key %}
- comment: {{ key['comment'] }}
{% endif %}
{% if 'options' in key %}
- options: {{ key['options'] }}
{% endif %}
{% endif %}
- require:
- service: {{ openssh.service }}
{% else %}
{{ key['name'] }}:
ssh_auth.absent:
- user: {{ user }}
{% if 'enc' in key %}
- enc: {{ key['enc'] }}
{% endif %}
{% if 'comment' in key %}
- comment: {{ key['comment'] }}
{% endif %}
{% if 'options' in key %}
- options: {{ key['options'] }}
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}

+ 2
- 1
openssh/files/sshd_config Voir le fichier

@@ -1,4 +1,5 @@
{% set sshd_config = pillar.get('sshd_config', {}) %}
{% set openssh_pillar = pillar.get('openssh', {}) %}
{% set sshd_config = openssh_pillar.get('sshd_config', {}) %}

# This file is managed by salt. Manual changes risk being overwritten.
# The contents of the original sshd_config are kept on the bottom for

+ 43
- 30
pillar.example Voir le fichier

@@ -1,30 +1,43 @@
sshd_config:
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation: yes
KeyRegenerationInterval: 3600
ServerKeyBits: 768
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: yes
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: yes
openssh:
sshd_config:
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation: yes
KeyRegenerationInterval: 3600
ServerKeyBits: 768
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: yes
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: yes

auth:
joe:
- name: JOE_VALID_SSH_PUBLIC_KEY
present: True
enc: ssh-rsa
comment: main key
- name: JOE_NON_VALID_SSH_PUBLIC_KEY
present: False
enc: ssh-rsa
comment: obsolete key - removed


Chargement…
Annuler
Enregistrer