diff --git a/openssh/config.sls b/openssh/config.sls
index 9fbe895e..76a11a10 100644
--- a/openssh/config.sls
+++ b/openssh/config.sls
@@ -36,7 +36,7 @@ ssh_config:
 {%- endif %}
 {% endif %}
-{%- for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}
+{%- for keyType in openssh['host_key_algos'].split(',') %}
 {%- set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
 {%- set keySize = salt['pillar.get']('openssh:generate_' ~ keyType ~ '_size', False) %}
 {%- if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %}
diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml
index f26d7844..4a98490a 100644
--- a/openssh/defaults.yaml
+++ b/openssh/defaults.yaml
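Review bot: The loop variable produced by `openssh['host_key_algos'].split(',')` is used untrimmed and unvalidated to build `keyFile` and the `openssh:generate_<type>_size` / `openssh:provide_<type>_keys` pillar lookups on the next three lines, so a pillar value written as `ecdsa, ed25519` yields the key type ` ed25519`, the path `/etc/ssh/ssh_host_ ed25519_key` and pillar keys that never match — that host key silently goes unmanaged. Trimming and dropping empty entries costs one change: `{%- for keyType in openssh['host_key_algos'].split(',') | map('trim') | select %}`. Since the set of key types is now operator-controlled rather than fixed, a comment above the loop stating the expected format (lower-case OpenSSH key type names, comma-separated, each only acted on when its `provide_<type>_keys` pillar is set) would help pillar authors. The default list also no longer contains `dsa`, so a host that relied on `provide_dsa_keys` now needs `dsa` added to `host_key_algos` to keep that key managed — presumably intended, but worth a changelog line. The loop body continues past the end of the hunk.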
@@ -1,24 +1,29 @@
-openssh:
- sshd_enable: True
- sshd_binary: /usr/sbin/sshd
- sshd_config: /etc/ssh/sshd_config
- sshd_config_src: salt://openssh/files/sshd_config
- sshd_config_user: root
- sshd_config_group: root
- sshd_config_mode: '644'
- sshd_config_backup: True
- ssh_config: /etc/ssh/ssh_config
- ssh_config_src: salt://openssh/files/ssh_config
- ssh_config_user: root
- ssh_config_group: root
- ssh_config_mode: '644'
- ssh_config_backup: True
- banner: /etc/ssh/banner
- banner_src: salt://openssh/files/banner
- ssh_known_hosts: /etc/ssh/ssh_known_hosts
- dig_pkg: dnsutils
- ssh_moduli: /etc/ssh/moduli
- root_group: root
+default:
+ openssh:
+ sshd_enable: True
+ sshd_binary: /usr/sbin/sshd
+ sshd_config: /etc/ssh/sshd_config
+ sshd_config_src: salt://openssh/files/sshd_config
+ sshd_config_user: root
+ sshd_config_group: root
+ sshd_config_mode: '644'
+ sshd_config_backup: True
+ ssh_config: /etc/ssh/ssh_config
+ ssh_config_src: salt://openssh/files/ssh_config
+ ssh_config_user: root
+ ssh_config_group: root
+ ssh_config_mode: '644'
+ ssh_config_backup: True
+ banner: /etc/ssh/banner
+ banner_src: salt://openssh/files/banner
+ ssh_known_hosts: /etc/ssh/ssh_known_hosts
+ dig_pkg: dnsutils
+ ssh_moduli: /etc/ssh/moduli
+ root_group: root
+ # Prevent merge of array; always override values
+ host_key_algos: ecdsa,ed25519,rsa
+ # To manage/remove DSA:
+ #host_key_algos: dsa,ecdsa,ed25519,rsa
-sshd_config: {}
-ssh_config: {}
+ sshd_config: {}
+ ssh_config: {}
diff --git a/openssh/map.jinja b/openssh/map.jinja
index c6a0ae43..a907f5e7 100644
--- a/openssh/map.jinja
+++ b/openssh/map.jinja
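Review bot: The comment `# Prevent merge of array; always override values` above `host_key_algos` gives the mechanism but not the contract a pillar author needs: config.sls consumes the value with `.split(',')`, so it must be a plain comma-separated string rather than a YAML list (a list would most likely fail to render), and whitespace around the names is not stripped. Suggest replacing that comment line with `# Comma-separated string, not a list: a pillar list would be merged with this default instead of replacing it, and config.sls splits it on ','` and keeping the `# To manage/remove DSA:` example beneath it. The hunk also moves `sshd_config: {}` and `ssh_config: {}` under the new `default:` key; a one-line comment on `default:` saying that map.jinja selects this block with `grains.filter_by` and overlays the os*map.yaml files on it would save readers a trip to map.jinja.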
@@ -1,120 +1,22 @@
-{## Start with defaults from defaults.yaml ##}
-{% import_yaml "openssh/defaults.yaml" as default_settings %}
-
-{##
-Setup variable using grains['os_family'] based logic, only add key:values here
-that differ from whats in defaults.yaml
-##}
-{% set os_family_map = salt['grains.filter_by']({
- 'Arch': {
- 'server': 'openssh',
- 'client': 'openssh',
- 'service': 'sshd',
- 'dig_pkg': 'bind-tools',
- },
- 'Debian': {
- 'server': 'openssh-server',
- 'client': 'openssh-client',
- 'service': 'ssh',
- },
- 'FreeBSD': {
- 'service': 'sshd',
- 'dig_pkg': 'bind-tools',
- 'sshd_config_group': 'wheel',
- 'ssh_config_group': 'wheel',
- },
- 'OpenBSD': {
- 'service': 'sshd',
- 'sshd_config_group': 'wheel',
- 'ssh_config_group': 'wheel',
- },
- 'Gentoo': {
- 'server': 'net-misc/openssh',
- 'client': 'net-misc/openssh',
- 'service': 'sshd',
- 'dig_pkg': 'net-dns/bind-tools',
- },
- 'RedHat': {
- 'server': 'openssh-server',
- 'client': 'openssh-clients',
- 'service': 'sshd',
- 'dig_pkg': 'bind-utils',
- },
- 'Suse': {
- 'server': 'openssh',
- 'client': 'openssh',
- 'service': 'sshd',
- 'dig_pkg': 'bind-utils',
- },
- 'Solaris': {
- 'service': 'network/ssh',
- 'sshd_config_group': 'root',
- 'ssh_config_group': 'root',
- 'dig_pkg': 'bind',
- 'sshd_binary': '/usr/lib/ssh/sshd',
- },
- }
- , grain="os_family"
- , merge=salt['pillar.get']('openssh:lookup'))
-%}
-
-{## Merge the flavor_map to the default settings ##}
-{% do default_settings.openssh.update(os_family_map) %}
-
-{## Merge in openssh:lookup pillar ##}
-{% set openssh = salt['pillar.get'](
- 'openssh',
- default=default_settings.openssh,
- merge=True
- )
-%}
-
-{% set os_family_map = salt['grains.filter_by']({
- 'FreeBSD': {
- 'Subsystem': 'sftp /usr/libexec/sftp-server',
- },
- 'OpenBSD': {
- 'Subsystem': 'sftp /usr/libexec/sftp-server',
- },
- 'Suse': {
- 'Subsystem': 'sftp /usr/lib/ssh/sftp-server',
- },
- 'Arch': {
- 'Subsystem': 'sftp /usr/lib/ssh/sftp-server',
- },
- 'Debian': {
- 'Subsystem': 'sftp 
/usr/lib/openssh/sftp-server',
- },
- 'RedHat': {
- 'Subsystem': 'sftp /usr/libexec/openssh/sftp-server',
- },
- 'Solaris': {
- 'Subsystem': 'sftp internal-sftp',
- },
- 'default': {}
- }
- , grain="os_family"
- , merge=salt['pillar.get']('sshd_config:lookup'))
-%}
-
-{% set os_finger_map = salt['grains.filter_by']({
- 'CentOS-6': {
- },
- 'default': {}
- }
- , grain="osfinger"
- , merge=salt['pillar.get']('sshd_config:lookup'))
-%}
-
-
-{## Merge the flavor_map to the default settings ##}
-{% do default_settings.sshd_config.update(os_family_map) %}
-{% do default_settings.sshd_config.update(os_finger_map) %}
-
-{## Merge in sshd_config:lookup pillar ##}
-{% set sshd_config = salt['pillar.get'](
- 'sshd_config',
- default=default_settings.sshd_config,
- merge=True
- )
-%}
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
+
+{## Start imports as ##}
+{% import_yaml 'openssh/defaults.yaml' as default_settings %}
+{% import_yaml 'openssh/osfamilymap.yaml' as osfamilymap %}
+{% import_yaml 'openssh/osmap.yaml' as osmap %}
+{% import_yaml 'openssh/osfingermap.yaml' as osfingermap %}
+
+{% set defaults = salt['grains.filter_by'](default_settings,
+ default='default',
+ merge=salt['grains.filter_by'](osfamilymap, grain='os_family',
+ merge=salt['grains.filter_by'](osmap, grain='os',
+ merge=salt['grains.filter_by'](osfingermap, grain='osfinger')
+ )
+ )
+) %}
+
+{## merge the openssh pillar ##}
+{% set openssh = salt['pillar.get']('openssh', default=defaults['openssh'], merge=True) %}
+{% set ssh_config = salt['pillar.get']('ssh_config', default=defaults['ssh_config'], merge=True) %}
+{% set sshd_config = salt['pillar.get']('sshd_config', default=defaults['sshd_config'], merge=True) %}
diff --git a/openssh/osfamilymap.yaml b/openssh/osfamilymap.yaml
new file mode 100644
index 00000000..15ffacfb
--- /dev/null
+++ b/openssh/osfamilymap.yaml
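Review bot: The rewrite drops the `openssh:lookup` and `sshd_config:lookup` pillar merge points that the removed `grains.filter_by` calls carried (`merge=salt['pillar.get']('openssh:lookup')` and `merge=salt['pillar.get']('sshd_config:lookup')`); with the new `pillar.get('openssh', ..., merge=True)` such pillar data lands nested under `openssh['lookup']` / `sshd_config['lookup']` instead of at the top level, so an existing pillar that overrides e.g. `service` or `Subsystem` through a `lookup:` key silently stops applying, and hardening directives a site had placed under `sshd_config:lookup` would no longer reach the rendered sshd_config. If that compatibility break is intended it should be stated in the commit; otherwise overlay the legacy keys before the three pillar merges with `{% do defaults['openssh'].update(salt['pillar.get']('openssh:lookup', {})) %}` and `{% do defaults['sshd_config'].update(salt['pillar.get']('sshd_config:lookup', {})) %}`, the same `do ... update` idiom the old code used. The nested `filter_by` chain also deserves a comment giving the precedence it implements — osfingermap over osmap over osfamilymap over the `default:` block — and noting that it presumably relies on an inner call yielding an empty merge when its grain matches no key, which is why only the outer call passes `default='default'`; worth confirming against the installed Salt version.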
@@ -0,0 +1,68 @@
+Arch:
+ openssh:
+ server: openssh
+ client: openssh
+ service: sshd
+ dig_pkg: bind-tools
+ sshd_config:
+ Subsystem: sftp /usr/lib/ssh/sftp-server
+
+Debian:
+ openssh:
+ server: openssh-server
+ client: openssh-client
+ service: ssh
+ sshd_config:
+ Subsystem: sftp /usr/lib/openssh/sftp-server
+
+FreeBSD:
+ openssh:
+ service: sshd
+ dig_pkg: bind-tools
+ sshd_config_group: wheel
+ ssh_config_group: wheel
+ sshd_config:
+ Subsystem: sftp /usr/libexec/sftp-server
+
+Gentoo:
+ openssh:
+ server: net-misc/openssh
+ client: net-misc/openssh
+ service: sshd
+ dig_pkg: net-dns/bind-tools
+
+OpenBSD:
+ openssh:
+ service: sshd
+ sshd_config_group: wheel
+ ssh_config_group: wheel
+ sshd_config:
+ Subsystem: sftp /usr/libexec/sftp-server
+
+RedHat:
+ openssh:
+ server: openssh-server
+ client: openssh-clients
+ service: sshd
+ dig_pkg: bind-utils
+ sshd_config:
+ Subsystem: sftp /usr/libexec/openssh/sftp-server
+
+Solaris:
+ openssh:
+ service: network/ssh
+ sshd_config_group: root
+ ssh_config_group: root
+ dig_pkg: bind
+ sshd_binary: /usr/lib/ssh/sshd
+ sshd_config:
+ Subsystem: sftp internal-sftp
+
+Suse:
+ openssh:
+ server: openssh
+ client: openssh
+ service: sshd
+ dig_pkg: bind-utils
+ sshd_config:
+ Subsystem: sftp /usr/lib/ssh/sftp-server
diff --git a/openssh/osfingermap.yaml b/openssh/osfingermap.yaml
new file mode 100644
index 00000000..b14bb953
--- /dev/null
+++ b/openssh/osfingermap.yaml
@@ -0,0 +1,4 @@
+Ubuntu-18.04: {}
+CentOS-6:
+ openssh:
+ host_key_algos: ecdsa,rsa
diff --git a/openssh/osmap.yaml b/openssh/osmap.yaml
new file mode 100644
index 00000000..335f6d3e
--- /dev/null
+++ b/openssh/osmap.yaml
@@ -0,0 +1 @@
+FreeBSD: {}
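Review bot: The new per-family map has no header comment explaining how it is consumed, so a maintainer adding an entry has to reconstruct that from map.jinja: entries are keyed by the `os_family` grain, each family's `openssh:` and `sshd_config:` sub-keys are merged over the `default:` block of defaults.yaml by `grains.filter_by`, and osmap.yaml / osfingermap.yaml take precedence over this file. A short comment at the top stating that, plus a note that an override must sit under the same top-level name as in defaults.yaml (`openssh:` or `sshd_config:`) to be picked up, would prevent misplaced keys that silently do nothing. The `Solaris` entry restates `sshd_config_group: root` and `ssh_config_group: root`, which are already the defaults; dropping them, or commenting why they are repeated, keeps the map to genuine differences.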
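Review bot: `Ubuntu-18.04: {}` here and `FreeBSD: {}` in osmap.yaml are empty entries without a comment, so a reader cannot tell whether they are deliberate placeholders or overrides that were lost; suggest `# placeholder, no osfinger-specific overrides yet` (and the equivalent wording in osmap.yaml) or removing them. The `CentOS-6` entry narrows `host_key_algos` to `ecdsa,rsa`, a security-relevant deviation from the `ecdsa,ed25519,rsa` default; a comment giving the reason — presumably the OpenSSH build shipped with CentOS 6 lacks ed25519 support, which should be confirmed — would stop someone from "correcting" it later. Because the value is a string, this override replaces the default wholesale rather than merging with it, which is exactly the behaviour the comment in defaults.yaml describes; stating that here too keeps the two files in step.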