{"id":17462864,"url":"https://github.com/mralias/ssh","last_synced_at":"2025-07-27T20:43:44.994Z","repository":{"id":80417549,"uuid":"35695681","full_name":"MrAlias/ssh","owner":"MrAlias","description":"Puppet module that manages and configures the OpenSSH service and package.","archived":false,"fork":false,"pushed_at":"2015-06-01T17:18:31.000Z","size":164,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-28T06:41:22.318Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Puppet","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MrAlias.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-05-15T20:41:03.000Z","updated_at":"2015-05-18T19:18:27.000Z","dependencies_parsed_at":"2023-02-24T18:15:19.884Z","dependency_job_id":null,"html_url":"https://github.com/MrAlias/ssh","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/MrAlias/ssh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrAlias%2Fssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrAlias%2Fssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrAlias%2Fssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrAlias%2Fssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MrAlias","download_url":"https://codeload.github.com/MrAlias/ssh/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrAlias%2Fssh/sb
om","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267420652,"owners_count":24084411,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-27T02:00:11.917Z","response_time":82,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-18T09:10:10.458Z","updated_at":"2025-07-27T20:43:44.973Z","avatar_url":"https://github.com/MrAlias.png","language":"Puppet","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ssh\n\n#### Table of Contents\n\n1. [Overview](#overview)\n2. [Module Description](#module-description)\n3. [Setup](#setup)\n    * [What ssh affects](#what-ssh-affects)\n    * [Setup requirements](#setup-requirements)\n    * [Beginning with ssh](#beginning-with-ssh)\n4. [Reference](#reference)\n    * [Private Classes](#private-classes)\n    * [Public Classes](#public-classes)\n5. [Limitations](#limitations)\n\n## Overview\n\nProvides a Hiera-customizable Puppet module to manage the OpenSSH service.\n\n## Module Description\n\nThis module manages the OpenSSH server and clients with the `ssh::server` and `ssh::client` classes.  
This includes the management of needed configuration files and the OpenSSH service itself.\n\n## Setup\n\n### What ssh affects\n\n* OpenSSH packages.\n* The OpenSSH server service.\n* The OpenSSH server configuration files.\n* Via the puppetlabs-firewall module this module can affect the system firewall.\n\n### Setup Requirements\n\nThe module's classes are built with Hiera assumed to be the back end.  This means that Hiera will need to be correctly set up on versions of Puppet \u003c= 2, and should be fine by default for Puppet \u003e= 3.0.\n\n### Beginning with ssh\n\n#### Setting up an SSH server\n\nTo get started with a bare-bones SSH server:\n\n```puppet\nclass { 'ssh::server': }\n```\n\n#### Setting up an SSH client\n\nMaking sure to have a functional SSH client is simply achieved with the following:\n\n```puppet\nclass { 'ssh::client': }\n```\n\n## Reference\n\n### Private Classes\n\n#### ssh\n\nThe main ssh class is not meant to be called directly.  Rather it acts as a basis for the client and server classes.\n\n##### `ssh::base_packages`\n\nArray of all the distribution-specific, universally required packages.\n\n### Public Classes\n\n#### ssh::client\n\n##### `ssh::client::package_name`\n\nIf a package name other than the distribution default needs to be installed, you can specify it here.\n\n##### `ssh::client::manage_firewall`\n\nBy default `ssh::client` will manage the needed firewall rules using the puppetlabs-firewall module.  
Change this to false if this is not the desired behavior.\n\n#### ssh::server\n\n##### `ssh::server::package_name`\n\nIf a package name other than the distribution default needs to be installed, you can specify it here.\n\n##### `ssh::server::sshd_config`\n\nAbsolute file path for the SSH server configuration.\n\nDefaults to */etc/ssh/sshd_config*.\n\n##### `ssh::server::service_name`\n\nName of the OpenSSH server service.\n\n##### `ssh::server::port`\n\nPort the OpenSSH server listens on.\n\nDefaults to `22`.\n\n##### `ssh::server::listen_address`\n\nAddress the OpenSSH server listens on.\n\nDefaults to `'0.0.0.0'`.\n\n##### `ssh::server::protocol`\n\nSSH protocol to use.\n\nDefaults to `2`.\n\n##### `ssh::server::host_keys`\n\nArray of file paths for the host authentication keys.\n\n##### `ssh::server::use_privilege_separation`\n\nSpecifies whether the OpenSSH server separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes.\n\nValid values are: `'yes'`, `'no'`, and `'sandbox'`. 
If set to `'sandbox'` then the pre-authentication unprivileged process is subject to additional restrictions.\n\n##### `ssh::server::key_regeneration_interval`\n\nIn protocol version 1, the server key is automatically regenerated after this many seconds.\n\nDefaults to `3600`.\n\n##### `ssh::server::server_key_bits`\n\nDefines the number of bits in the protocol version 1 server key.\n\nDefaults to `768`.\n\n##### `ssh::server::syslog_facility`\n\nGives the facility code that is used when logging messages.\n\nValid values are: `'DAEMON'`, `'USER'`, `'AUTH'`, `'LOCAL0'`, `'LOCAL1'`, `'LOCAL2'`, `'LOCAL3'`, `'LOCAL4'`, `'LOCAL5'`, `'LOCAL6'`, `'LOCAL7'`.\n\nDefaults to `'AUTH'`.\n\n##### `ssh::server::log_level`\n\nSpecifies the verbosity level that is used when logging messages.\n\nValid values are: `'QUIET'`, `'FATAL'`, `'ERROR'`, `'INFO'`, `'VERBOSE'`, `'DEBUG'`, `'DEBUG1'`, `'DEBUG2'`, `'DEBUG3'`.\n\n##### `ssh::server::login_grace_time`\n\nThe server disconnects after this time if the user has not successfully logged in.\n\nDefaults to `120`.\n\n##### `ssh::server::permit_root_login`\n\nSpecifies whether root can log in.\n\nValid values are: `'yes'`, `'without-password'`, `'forced-commands-only'`, `'no'`.\n\nDefaults to `'no'`.\n\n##### `ssh::server::strict_modes`\n\nSpecifies whether the OpenSSH service should check file modes and ownership of the user's files and home directory before accepting login.\n\nDefaults to `true`.\n\n##### `ssh::server::rsa_authentication`\n\nSpecifies whether pure RSA authentication is allowed.\n\nDefaults to `true`.\n\n##### `ssh::server::pubkey_authentication`\n\nSpecifies whether public key authentication is allowed.\n\nDefaults to `true`.\n\n##### `ssh::server::authorized_keys_file`\n\nSpecifies the file that contains the public keys that can be used for user authentication.\n\nDefaults to `'%h/.ssh/authorized_keys'`.\n\n##### `ssh::server::ignore_rhosts`\n\nSpecifies that .rhosts and .shosts files will not be used in 
RhostsRSAAuthentication or HostbasedAuthentication.\n\nDefaults to `true`.\n\n##### `ssh::server::rhosts_RSA_authentication`\n\nSpecifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed.\n\nDefaults to `false`.\n\n##### `ssh::server::hostbased_authentication`\n\nSpecifies whether rhosts or */etc/hosts.equiv* authentication together with successful public key client host authentication is allowed.\n\nDefaults to `false`.\n\n##### `ssh::server::ignore_user_known_hosts`\n\nSpecifies whether the OpenSSH server should ignore the user's *~/.ssh/known_hosts* during RhostsRSAAuthentication or HostbasedAuthentication.\n\nDefaults to `false`.\n\n##### `ssh::server::permit_empty_passwords`\n\nWhen password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.\n\nDefaults to `false`.\n\n##### `ssh::server::challenge_response_authentication`\n\nSpecifies whether challenge-response authentication is allowed.\n\nDefaults to `false`.\n\n##### `ssh::server::password_authentication`\n\nSpecifies whether password authentication is allowed.\n\nDefaults to `false`.\n\n##### `ssh::server::kerberos_authentication`\n\nSpecifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC. 
\n\nDefaults to `false`.\n\n##### `ssh::server::kerberos_get_AFS_token`\n\nIf AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user's home directory.\n\nDefaults to `false`.\n\n##### `ssh::server::kerberos_or_local_passwd`\n\nIf password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as */etc/passwd*.\n\nDefaults to `true`.\n\n##### `ssh::server::kerberos_ticket_cleanup`\n\nSpecifies whether to automatically destroy the user's ticket cache file on logout.\n\nDefaults to `true`.\n\n##### `ssh::server::gssapi_authentication`\n\nSpecifies whether user authentication based on GSSAPI is allowed.\n\nDefaults to `false`.\n\n##### `ssh::server::gssapi_cleanup_credentials`\n\nSpecifies whether to automatically destroy the user's credentials cache on logout.\n\nDefaults to `true`.\n\n##### `ssh::server::x11_forwarding`\n\nSpecifies whether X11 forwarding is permitted.\n\nDefaults to `false`.\n\n##### `ssh::server::x11_display_offset`\n\nSpecifies the first display number available for OpenSSH server's X11 forwarding.\n\nDefaults to `undef`.\n\n##### `ssh::server::print_motd`\n\nSpecifies whether the OpenSSH server should print */etc/motd* when a user logs in interactively.\n\nDefaults to `false`.\n\n##### `ssh::server::print_last_log`\n\nSpecifies whether the OpenSSH server should print the date and time of the last user login when a user logs in interactively.\n\nDefaults to `true`.\n\n##### `ssh::server::tcp_keep_alive`\n\nSpecifies whether the system should send TCP keepalive messages to the other side.\n\nDefaults to `true`.\n\n##### `ssh::server::use_login`\n\nSpecifies whether the login service is used for interactive login sessions.\n\nDefaults to `false`.\n\n##### `ssh::server::max_startups`\n\nSpecifies the maximum number of concurrent unauthenticated connections to the SSH daemon. 
Random early drop can be enabled by specifying the three colon separated values \"start:rate:full\".\n\nDefaults to `'10:30:60'`.\n\n##### `ssh::server::banner`\n\nThe contents of the specified file are sent to the remote user before authentication is allowed.\n\nDefaults to `'/etc/issue.net'`.\n\n##### `ssh::server::accept_env`\n\nSpecifies what environment variables sent by the client will be copied into the session's environ.\n\nDefaults to `['LANG', 'LC_*']`.\n\n##### `ssh::server::use_PAM`\n\nEnables the Pluggable Authentication Module interface.\n\nDefaults to `true`.\n\n##### `ssh::server::manage_firewall`\n\nSpecifies if OpenSSH server specific firewall rules should be managed.\n\nDefaults to `true`.\n\n## Limitations\n\nThis module requires Puppet \u003e= 3.0\n\nThis module has only been tested on Debian and RedHat based systems.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmralias%2Fssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmralias%2Fssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmralias%2Fssh/lists"}