puppet: Ensure a particular sshd_config instead of appending a line to its contents

(imported from commit 4e745e23afe0cf8e6dd117cdeb6d6ec3a14ef24b)
2013-02-07 18:46:49 -05:00 · 2013-02-07 18:46:49 -05:00 · fb5e5519d9
parent da95bb2988
commit fb5e5519d9
2 changed files with 92 additions and 8 deletions
--- a/servers/puppet/modules/humbug/files/sshd_config
+++ b/servers/puppet/modules/humbug/files/sshd_config
@ -0,0 +1,88 @@
 # Package generated configuration file
 # See the sshd_config(5) manpage for details
 # What ports, IPs and protocols we listen for
 Port 22
 # Use these options to restrict which interfaces/protocols sshd will bind to
 #ListenAddress ::
 #ListenAddress 0.0.0.0
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_dsa_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 # Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval 3600
 ServerKeyBits 768
 # Logging
 SyslogFacility AUTH
 LogLevel INFO
 # Authentication:
 LoginGraceTime 120
 PermitRootLogin without-password
 StrictModes yes
 RSAAuthentication yes
 PubkeyAuthentication yes
 #AuthorizedKeysFile	%h/.ssh/authorized_keys
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 RhostsRSAAuthentication no
 # similar for protocol version 2
 HostbasedAuthentication no
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication no
 # Change to no to disable tunnelled clear text passwords
 #PasswordAuthentication yes
 # Kerberos options
 #KerberosAuthentication no
 #KerberosGetAFSToken no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 X11Forwarding yes
 X11DisplayOffset 10
 PrintMotd no
 PrintLastLog yes
 TCPKeepAlive yes
 #UseLogin no
 #MaxStartups 10:30:60
 #Banner /etc/issue.net
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 UseDNS no
 PasswordAuthentication no
--- a/servers/puppet/modules/humbug/manifests/base.pp
+++ b/servers/puppet/modules/humbug/manifests/base.pp
@ -97,14 +97,10 @@ class humbug::base {
  file { '/etc/ssh/sshd_config':
    require    => Package['openssh-server'],
    ensure     => file,
-  }
+    source     => 'puppet:///modules/humbug/sshd_config',
-
+    owner      => 'root',
-  # TODO: we should really just have a known sshd_config file
+    group      => 'root',
-  common::line { 'no_password_auth':
+    mode       => 644,
    file       => '/etc/ssh/sshd_config',
    line       => 'PasswordAuthentication no',
    subscribe  => File['/etc/ssh/sshd_config'],
    notify     => Service['ssh'],
  }
  service { 'ssh':