.fixtures.yml

@@ -0,0 +1,12 @@
+fixtures:
+  repositories:
+    "stdlib":
+      repo: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+      ref: "3.2.0"
+    "common":
+      repo: "git://github.com/ghoneycutt/puppet-module-common.git"
+      ref: "v1.0.0"
+    "firewall":
+      repo: "git://github.com/puppetlabs/puppetlabs-firewall.git"
+  symlinks:
+    "ssh": "#{source_dir}"

.gitignore

@@ -1,3 +1,4 @@
+# Default .gitignore for Ruby
 *.gem
 *.rbc
 .bundle
@@ -16,3 +17,14 @@ tmp
 .yardoc
 _yardoc
 doc/
+
+# Vim
+*.swp
+
+# OS X
+.DS_Store
+
+# Puppet
+metadata.json
+coverage/
+spec/fixtures/modules/*

.travis.yml

@@ -0,0 +1,16 @@
+---
+env:
+- PUPPET_VERSION=2.7.23
+- PUPPET_VERSION=3.2.4
+notifications:
+email: false
+rvm:
+- 1.9.3
+- 1.8.7
+matrix:
+  allow_failures:
+  - env: PUPPET_VERSION=2.7.23
+language: ruby
+before_script: "gem install --no-ri --no-rdoc bundler"
+script: 'bundle exec rake validate && bundle exec rake lint && SPEC_OPTS="--format documentation" bundle exec rake spec'
+gemfile: Gemfile

CHANGELOG

@@ -0,0 +1,2 @@
+2.0.0 - 2013-05-16 Garrett Honeycutt <code@garretthoneycutt.com>
+* Rebirth

Gemfile

@@ -0,0 +1,7 @@
+source "https://rubygems.org"
+
+puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 2.7']
+gem 'puppet', puppetversion
+gem 'puppetlabs_spec_helper', '>= 0.1.0'
+gem 'puppet-lint', '>= 0.3.2'
+gem 'facter', '>= 1.7.0', "< 1.8.0"

LICENSE

@@ -0,0 +1,13 @@
+Copyright (C) 2010-2013 Garrett Honeycutt <code@garretthoneycutt.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

Modulefile

@@ -0,0 +1,12 @@
+name    'ghoneycutt-ssh'
+version '2.3.0'
+source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
+author 'ghoneycutt'
+license 'Apache License, Version 2.0'
+summary 'Manages SSH'
+description 'Manage SSH'
+project_page 'https://github.com/ghoneycutt/puppet-module-ssh'
+
+dependency 'puppetlabs/stdlib',   '3.2.x'
+dependency 'ghoneycutt/common',   '1.0.0'
+dependency 'puppetlabs/firewall'

README.md

@@ -1,4 +1,237 @@
-puppet-module-ssh
-=================
+# puppet-module-ssh #
 
-Puppet module to manage SSH
+Manage ssh client and server.
+
+The module uses exported resources to manage ssh keys and removes ssh keys that are not managed by puppet. This behavior is managed by the parameters ssh_key_ensure and purge_keys.
+
+===
+
+# Compatability #
+
+This module has been tested to work on the following systems.
+
+ * EL 5
+ * EL 6
+ * SLES 11
+
+===
+
+# Parameters #
+
+keys
+----
+Hash of keys for user's ~/.ssh/authorized_keys
+
+- *Default*: undefined
+
+packages
+--------
+Array of package names used for installation.
+
+- *Default*: 'openssh-server', 'openssh-server', 'openssh-clients'
+
+permit_root_login
+-----------------
+Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', 'no'.
+
+- *Default*: no
+
+purge_keys
+----------
+Remove keys not managed by puppet.
+
+- *Default*: 'true'
+
+manage_firewall
+---------------
+Open firewall for SSH service.
+
+- *Default*: false
+
+ssh_config_path
+---------------
+Path to ssh_config.
+
+- *Default*: '/etc/ssh/ssh_config'
+
+ssh_config_owner
+----------------
+ssh_config's owner.
+
+- *Default*: 'root'
+
+ssh_config_group
+----------------
+ssh_config's group.
+
+- *Default*: 'root'
+
+ssh_config_mode
+---------------
+ssh_config's mode.
+
+- *Default*: '0644'
+
+ssh_config_forward_x11
+----------------------
+ForwardX11 option in ssh_config. Not set by default.
+
+- *Default*: undef
+
+ssh_config_forward_agent
+------------------------
+ForwardAgent option in ssh_config. Not set by default.
+
+- *Default*: undef
+
+ssh_config_server_alive_interval
+--------------------------------
+ServerAliveInterval option in ssh_config. Not set by default.
+
+- *Default*: undef
+
+sshd_config_path
+----------------
+Path to sshd_config.
+
+- *Default*: '/etc/ssh/sshd_config
+
+sshd_config_owner
+-----------------
+sshd_config's owner.
+
+- *Default*: 'root'
+
+sshd_config_group
+----------------
+sshd_config's group.
+
+- *Default*: 'root'
+
+sshd_config_mode
+---------------
+sshd_config's mode.
+
+- *Default*: '0600'
+
+sshd_config_syslog_facility
+---------------------------
+SyslogFacility option in sshd_config.
+
+- *Default*: 'AUTH'
+
+sshd_config_login_grace_time
+----------------------------
+LoginGraceTime option in sshd_config.
+
+- *Default*: '120'
+
+sshd_config_challenge_resp_auth
+-------------------------------
+ChallengeResponseAuthentication option in sshd_config.
+
+- *Default*: 'no'
+
+sshd_config_print_motd
+----------------------
+PrintMotd option in sshd_config.
+
+- *Default*: 'yes'
+
+sshd_config_use_dns
+-------------------
+UseDNS option in sshd_config.
+
+- *Default*: 'yes'
+
+sshd_config_banner
+------------------
+Banner option in sshd_config.
+
+- *Default*: 'none'
+
+sshd_config_xauth_location
+--------------------------
+XAuthLocation option in sshd_config.
+
+- *Default*: '/usr/bin/xauth'
+
+sshd_config_subsystem_sftp
+--------------------------
+Path to sftp file transfer subsystem in sshd_config.
+
+- *Default*: '/usr/libexec/openssh/sftp-server'
+
+service_ensure
+--------------
+Ensure SSH service is running. Valid values are 'stopped' and 'running'.
+
+- *Default*: 'running'
+
+service_name
+------------
+Name of the SSH service.
+
+- *Default*: 'sshd'
+
+service_enable
+--------------
+Start SSH at boot. Valid values are 'true', 'false' and 'manual'.
+
+- *Default*: 'true'
+
+service_hasrestart
+------------------
+Specify that the init script has a restart command. Valid values are 'true' and 'false'.
+
+- *Default*: 'true'
+
+service_hasstatus
+-----------------
+Declare whether the service's init script has a functional status command. Valid values are 'true' and 'false'
+
+- *Default*: 'true'
+
+ssh_key_ensure
+--------------
+Export node SSH key. Valid values are 'present' and 'absent'.
+
+- *Default*: 'present'
+
+ssh_key_type
+------------
+Encryption type for SSH key. Valid values are 'rsa', 'dsa', 'ssh-dss' and 'ssh-rsa'
+
+- *Default*: 'ssh-rsa'
+
+manage_root_ssh_config
+----------------------
+Manage SSH config of root. Valid values are 'true' and 'false'.
+
+- *Default*: 'false'
+
+root_ssh_config_content
+-----------------------
+Content of root's ~/.ssh/config.
+
+- *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n"
+
+===
+
+# Manage user's ssh_authorized_keys
+This works by passing the ssh::keys hash to the ssh_authorized_keys type with create_resources(). Because of this, you may specify any valid parameter for ssh_authorized_key. See the [Type Reference](http://docs.puppetlabs.com/references/stable/type.html#ssh_authorized_key) for a complete list.
+
+## Sample usage:
+Push authorized key "root_for_userX" and remove key "root_for_userY" through Hiera.
+
+<pre>
+ssh::keys:
+  root_for_userX:
+    ensure: present
+    user: root
+    type: dsa
+    key: AAAA...==
+  root_for_userY:
+    ensure: absent
+    user: root
+</pre>

Rakefile

@@ -0,0 +1,12 @@
+require 'rubygems'
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.ignore_paths = ["spec/**/*.pp"]
+
+desc "Run puppet in noop mode and check for syntax errors."
+task :validate do
+   Dir['manifests/**/*.pp'].each do |path|
+     sh "puppet parser validate --noop #{path}"
+   end
+end