Added support to manage ssh certificates

This commit is contained in:
Carlos Perelló Marín 2014-02-09 23:38:30 +01:00
parent 6e418aa945
commit 47211d0648
5 changed files with 104 additions and 41 deletions

View File

@ -1,4 +1,4 @@
Copyright (c) 2013 Salt Stack Formulas
Copyright (c) 2013-2014 Salt Stack Formulas
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.

View File

@ -18,6 +18,21 @@ Available states
Installs the ``openssh`` server package and service.
``openssh.auth``
-----------
Manages SSH certificates for users.
``openssh.banner``
------------------
Installs a banner that users see when SSH-ing in.
``openssh.client``
------------------
Installs the openssh client package.
``openssh.config``
------------------
@ -26,12 +41,3 @@ Installs the ssh daemon configuration file included in this formula
by values from pillar. ``pillar.example`` results in the generation
of the default ``sshd_config`` file on Debian Wheezy.
``openssh.client``
------------------
Installs the openssh client package.
``openssh.banner``
------------------
Installs a banner that users see when SSH-ing in.

43
openssh/auth.sls Normal file
View File

@ -0,0 +1,43 @@
include:
- openssh
{% from "openssh/map.jinja" import openssh with context %}
{% set openssh_pillar = pillar.get('openssh', {}) %}
{% set auth = openssh_pillar.get('auth', {}) %}
{% for user,keys in auth.items() -%}
{% for key in keys -%}
{% if 'present' in key and key['present'] %}
{{ key['name'] }}:
ssh_auth.present:
- user: {{ user }}
{% if 'source' in key %}
- source: {{ key['source'] }}
{% else %}
{% if 'enc' in key %}
- enc: {{ key['enc'] }}
{% endif %}
{% if 'comment' in key %}
- comment: {{ key['comment'] }}
{% endif %}
{% if 'options' in key %}
- options: {{ key['options'] }}
{% endif %}
{% endif %}
- require:
- service: {{ openssh.service }}
{% else %}
{{ key['name'] }}:
ssh_auth.absent:
- user: {{ user }}
{% if 'enc' in key %}
- enc: {{ key['enc'] }}
{% endif %}
{% if 'comment' in key %}
- comment: {{ key['comment'] }}
{% endif %}
{% if 'options' in key %}
- options: {{ key['options'] }}
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}

View File

@ -1,4 +1,5 @@
{% set sshd_config = pillar.get('sshd_config', {}) %}
{% set openssh_pillar = pillar.get('openssh', {}) %}
{% set sshd_config = openssh_pillar.get('sshd_config', {}) %}
# This file is managed by salt. Manual changes risk being overwritten.
# The contents of the original sshd_config are kept on the bottom for

View File

@ -1,30 +1,43 @@
sshd_config:
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation: yes
KeyRegenerationInterval: 3600
ServerKeyBits: 768
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: yes
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: yes
openssh:
sshd_config:
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation: yes
KeyRegenerationInterval: 3600
ServerKeyBits: 768
SyslogFacility: AUTH
LogLevel: INFO
LoginGraceTime: 120
PermitRootLogin: yes
StrictModes: yes
RSAAuthentication: yes
PubkeyAuthentication: yes
IgnoreRhosts: yes
RhostsRSAAuthentication: no
HostbasedAuthentication: no
PermitEmptyPasswords: no
ChallengeResponseAuthentication: no
X11Forwarding: yes
X11DisplayOffset: 10
PrintMotd: no
PrintLastLog: yes
TCPKeepAlive: yes
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: yes
auth:
joe:
- name: JOE_VALID_SSH_PUBLIC_KEY
present: True
enc: ssh-rsa
comment: main key
- name: JOE_NON_VALID_SSH_PUBLIC_KEY
present: False
enc: ssh-rsa
comment: obsolete key - removed