
{# Paths, owners, modes and the service name come from openssh/map.jinja.
   manage_sshd_config is truthy only when a (non-empty) sshd_config pillar
   key exists; it gates the states that must land before sshd_config is
   written (require_in) further down. #}
{% from "openssh/map.jinja" import openssh with context %}
{%- set manage_sshd_config = salt['pillar.get']('sshd_config', False) %}

include:
  - openssh
  5. {% if manage_sshd_config %}
  6. sshd_config:
  7. file.managed:
  8. - name: {{ openssh.sshd_config }}
  9. - source: {{ openssh.sshd_config_src }}
  10. - template: jinja
  11. - user: {{ openssh.sshd_config_user }}
  12. - group: {{ openssh.sshd_config_group }}
  13. - mode: {{ openssh.sshd_config_mode }}
  14. - check_cmd: {{ openssh.sshd_binary }} -t -f
  15. - watch_in:
  16. - service: {{ openssh.service }}
  17. {% endif %}
  18. {% if salt['pillar.get']('ssh_config', False) %}
  19. ssh_config:
  20. file.managed:
  21. - name: {{ openssh.ssh_config }}
  22. - source: {{ openssh.ssh_config_src }}
  23. - template: jinja
  24. - user: {{ openssh.ssh_config_user }}
  25. - group: {{ openssh.ssh_config_group }}
  26. - mode: {{ openssh.ssh_config_mode }}
  27. {% endif %}
  28. {%- for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}
  29. {%- set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
  30. {%- set keySize = salt['pillar.get']('openssh:generate_' ~ keyType ~ '_size', False) %}
  31. {%- if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %}
  32. ssh_host_{{ keyType }}_key:
  33. file.managed:
  34. - name: {{ keyFile }}
  35. - contents_pillar: 'openssh:{{ keyType }}:private_key'
  36. - user: root
  37. - mode: 600
  38. {%- if manage_sshd_config %}
  39. - require_in:
  40. - file: sshd_config
  41. {%- endif %}
  42. - watch_in:
  43. - service: {{ openssh.service }}
  44. ssh_host_{{ keyType }}_key.pub:
  45. file.managed:
  46. - name: {{ keyFile }}.pub
  47. - contents_pillar: 'openssh:{{ keyType }}:public_key'
  48. - user: root
  49. - mode: 600
  50. {%- if manage_sshd_config %}
  51. - require_in:
  52. - file: sshd_config
  53. {%- endif %}
  54. - watch_in:
  55. - service: {{ openssh.service }}
  56. {%- elif salt['pillar.get']('openssh:generate_' ~ keyType ~ '_keys', False) %}
  57. {%- if keySize and salt['pillar.get']('openssh:enforce_' ~ keyType ~ '_size', False) %}
  58. ssh_remove_short_{{ keyType }}_key:
  59. cmd.run:
  60. - name: "rm -f {{ keyFile }} {{ keyFile }}.pub"
  61. - onlyif: "test -f {{ keyFile }}.pub && test `ssh-keygen -l -f {{ keyFile }}.pub 2>/dev/null | awk '{print $1}'` -lt {{ keySize }}"
  62. - require_in:
  63. - cmd: ssh_generate_host_{{ keyType }}_key
  64. {%- endif %}
  65. ssh_generate_host_{{ keyType }}_key:
  66. cmd.run:
  67. {%- set keySizePart = "-b {}".format(keySize) if keySize else "" %}
  68. - name: "rm {{ keyFile }}*; ssh-keygen -t {{ keyType }} {{ keySizePart }} -N '' -f {{ keyFile }}"
  69. - unless: "test -s {{ keyFile }}"
  70. - runas: root
  71. {%- if manage_sshd_config %}
  72. - require_in:
  73. - file: sshd_config
  74. {%- endif %}
  75. - watch_in:
  76. - service: {{ openssh.service }}
  77. ssh_host_{{ keyType }}_key: # set permissions
  78. file.managed:
  79. - name: {{ keyFile }}
  80. - replace: false
  81. - mode: 0600
  82. - require:
  83. - cmd: ssh_generate_host_{{ keyType }}_key
  84. {%- if manage_sshd_config %}
  85. - require_in:
  86. - file: sshd_config
  87. {%- endif %}
  88. {%- elif salt['pillar.get']('openssh:absent_' ~ keyType ~ '_keys', False) %}
  89. ssh_host_{{ keyType }}_key:
  90. file.absent:
  91. - name: {{ keyFile }}
  92. - watch_in:
  93. - service: {{ openssh.service }}
  94. ssh_host_{{ keyType }}_key.pub:
  95. file.absent:
  96. - name: {{ keyFile }}.pub
  97. - watch_in:
  98. - service: {{ openssh.service }}
  99. {%- endif %}
  100. {%- endfor %}
  101. {%- if salt['pillar.get']('sshd_config:UsePrivilegeSeparation', '')|lower == 'yes' %}
  102. /var/run/sshd:
  103. file.directory:
  104. - user: root
  105. - mode: 755
  106. - require_in:
  107. - file: sshd_config
  108. - watch_in:
  109. - service: {{ openssh.service }}
  110. {% endif %}