From 47211d06487d58e85a6aff5117bc68fbc7d13de4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Perell=C3=B3=20Mar=C3=ADn?= Date: Sun, 9 Feb 2014 23:38:30 +0100 Subject: [PATCH] Added support to manage ssh certificates --- LICENSE | 2 +- README.rst | 24 ++++++++----- openssh/auth.sls | 43 +++++++++++++++++++++++ openssh/files/sshd_config | 3 +- pillar.example | 73 +++++++++++++++++++++++---------------- 5 files changed, 104 insertions(+), 41 deletions(-) create mode 100644 openssh/auth.sls diff --git a/LICENSE b/LICENSE index 52ec1c1..47d69b9 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ - Copyright (c) 2013 Salt Stack Formulas + Copyright (c) 2013-2014 Salt Stack Formulas Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/README.rst b/README.rst index e16ba66..d41cb55 100644 --- a/README.rst +++ b/README.rst @@ -18,6 +18,21 @@ Available states Installs the ``openssh`` server package and service. +``openssh.auth`` +----------- + +Manages SSH certificates for users. + +``openssh.banner`` +------------------ + +Installs a banner that users see when SSH-ing in. + +``openssh.client`` +------------------ + +Installs the openssh client package. + ``openssh.config`` ------------------ @@ -26,12 +41,3 @@ Installs the ssh daemon configuration file included in this formula by values from pillar. ``pillar.example`` results in the generation of the default ``sshd_config`` file on Debian Wheezy. -``openssh.client`` ------------------- - -Installs the openssh client package. - -``openssh.banner`` ------------------- - -Installs a banner that users see when SSH-ing in. diff --git a/openssh/auth.sls b/openssh/auth.sls new file mode 100644 index 0000000..f7690b3 --- /dev/null +++ b/openssh/auth.sls @@ -0,0 +1,43 @@ +include: + - openssh + +{% from "openssh/map.jinja" import openssh with context %} +{% set openssh_pillar = pillar.get('openssh', {}) %} +{% set auth = openssh_pillar.get('auth', {}) %} +{% for user,keys in auth.items() -%} + {% for key in keys -%} + {% if 'present' in key and key['present'] %} +{{ key['name'] }}: + ssh_auth.present: + - user: {{ user }} + {% if 'source' in key %} + - source: {{ key['source'] }} + {% else %} + {% if 'enc' in key %} + - enc: {{ key['enc'] }} + {% endif %} + {% if 'comment' in key %} + - comment: {{ key['comment'] }} + {% endif %} + {% if 'options' in key %} + - options: {{ key['options'] }} + {% endif %} + {% endif %} + - require: + - service: {{ openssh.service }} + {% else %} +{{ key['name'] }}: + ssh_auth.absent: + - user: {{ user }} + {% if 'enc' in key %} + - enc: {{ key['enc'] }} + {% endif %} + {% if 'comment' in key %} + - comment: {{ key['comment'] }} + {% endif %} + {% if 'options' in key %} + - options: {{ key['options'] }} + {% endif %} + {% endif %} + {% endfor %} +{% endfor %} diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index 43e2566..496f1e0 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config @@ -1,4 +1,5 @@ -{% set sshd_config = pillar.get('sshd_config', {}) %} +{% set openssh_pillar = pillar.get('openssh', {}) %} +{% set sshd_config = openssh_pillar.get('sshd_config', {}) %} # This file is managed by salt. Manual changes risk being overwritten. # The contents of the original sshd_config are kept on the bottom for diff --git a/pillar.example b/pillar.example index 53db7c0..c8e4067 100644 --- a/pillar.example +++ b/pillar.example @@ -1,30 +1,43 @@ -sshd_config: - Port: 22 - Protocol: 2 - HostKey: - - /etc/ssh/ssh_host_rsa_key - - /etc/ssh/ssh_host_dsa_key - - /etc/ssh/ssh_host_ecdsa_key - UsePrivilegeSeparation: yes - KeyRegenerationInterval: 3600 - ServerKeyBits: 768 - SyslogFacility: AUTH - LogLevel: INFO - LoginGraceTime: 120 - PermitRootLogin: yes - StrictModes: yes - RSAAuthentication: yes - PubkeyAuthentication: yes - IgnoreRhosts: yes - RhostsRSAAuthentication: no - HostbasedAuthentication: no - PermitEmptyPasswords: no - ChallengeResponseAuthentication: no - X11Forwarding: yes - X11DisplayOffset: 10 - PrintMotd: no - PrintLastLog: yes - TCPKeepAlive: yes - AcceptEnv: "LANG LC_*" - Subsystem: "sftp /usr/lib/openssh/sftp-server" - UsePAM: yes +openssh: + sshd_config: + Port: 22 + Protocol: 2 + HostKey: + - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_dsa_key + - /etc/ssh/ssh_host_ecdsa_key + UsePrivilegeSeparation: yes + KeyRegenerationInterval: 3600 + ServerKeyBits: 768 + SyslogFacility: AUTH + LogLevel: INFO + LoginGraceTime: 120 + PermitRootLogin: yes + StrictModes: yes + RSAAuthentication: yes + PubkeyAuthentication: yes + IgnoreRhosts: yes + RhostsRSAAuthentication: no + HostbasedAuthentication: no + PermitEmptyPasswords: no + ChallengeResponseAuthentication: no + X11Forwarding: yes + X11DisplayOffset: 10 + PrintMotd: no + PrintLastLog: yes + TCPKeepAlive: yes + AcceptEnv: "LANG LC_*" + Subsystem: "sftp /usr/lib/openssh/sftp-server" + UsePAM: yes + + auth: + joe: + - name: JOE_VALID_SSH_PUBLIC_KEY + present: True + enc: ssh-rsa + comment: main key + - name: JOE_NON_VALID_SSH_PUBLIC_KEY + present: False + enc: ssh-rsa + comment: obsolete key - removed +