add howto for sshd config - removed some old files

2024-07-24 12:15:20 +02:00
parent c6c79dd996
commit cd0072ebec
4 changed files with 46 additions and 100 deletions
--- a/_toc.yml
+++ b/_toc.yml
@@ -64,6 +64,7 @@ chapters:
          - file: admin-guide/configuration/metrics_telegraf
          - file: admin-guide/configuration/ntp_server
          - file: admin-guide/configuration/nfs_server
+          - file: admin-guide/configuration/sshd_configuration
          - file: admin-guide/configuration/sftp_server
          - file: admin-guide/configuration/ssh_host_hopping
          - file: admin-guide/configuration/citrix_vda
--- a/admin-guide/configuration/sshd_configuration.md
+++ b/admin-guide/configuration/sshd_configuration.md
@@ -0,0 +1,45 @@
+# SSH Server Configuration (sshd)
+
+
+## Extra Configuration
+Custom configration to the sshd config file can be added via the `ssh_server::extra_config` key. The config will be added at the end of the `/etc/ssh/sshd_config` file.
+
+### Force Command
+
+To configure a force command use:
+```yaml
+# add force command
+ssh_server::extra_config:
+  'Force command for non root users': |
+    Match User *,!root
+        ForceCommand /usr/bin/kpasswd
+
+```
+
+## Login Banner
+A login banner can be configured as follows:
+
+```yaml
+# custom banner message on ssh login-prompt
+
+ssh_server::banner_file: '/etc/sshgw/sshd_message'
+
+files::files:
+  /etc/sshgw/sshd_message:
+    mode: '0644'
+    owner: 'root'
+    content: | 
+      ----
+
+                                  PAUL SCHERRER INSTITUTE
+                                      ________________
+                                    |  __  |  ____|  |
+                                    |  ____|____  |  |
+                                    |_|    |______|__|
+
+      ----
+
+```
+
+## SFTP Server
+How to enable/disable and configure a sftp server please refer to [sftp_server](sftp_server).
--- a/admin-guide/puppet/profiles/ssh_client.rst
+++ b/admin-guide/puppet/profiles/ssh_client.rst
@@ -1,37 +0,0 @@
-``profile::ssh_client``
-=======================
-
-This profile configures '/etc/ssh/ssh_known_hosts' :manpage:`sshd(8)`.
-PSI CA key is added to the 'ssh_known_hosts', in this manner we allow
-PSI servers to SSH to this host.
-
-
-Parameters
----------
-
-======================  ========  =============================================
-**Name**                **Type**  **Default**
----------------------  --------  ---------------------------------------------
-canonicalize_hostname   bool      hiera('ssh_client::canonicalize_hostname')
-forward_x11             bool      hiera('ssh_client::forward_x11')
-try_host_trust          bool      hiera('ssh_client::try_host_trust', false)
-======================  ========  =============================================
-
-
-``canonicalize_hostname``
-~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Determines whether or not hostnames are canonicalized for ``psi.ch``. See
-:manpage:`ssh_config(5)` for details.
-
-
-``foward_x11``
-~~~~~~~~~~~~~~
-
-Determines whether ``ForwardX11`` and ``ForwardX11Trusted`` should be enabled.
-
-
-``try_host_trust``
-~~~~~~~~~~~~~~~~~~
-
-Determines whether the ssh client attemps to authenticate using `HostbasedAuthentication``
--- a/admin-guide/puppet/profiles/ssh_server.rst
+++ b/admin-guide/puppet/profiles/ssh_server.rst
@@ -1,63 +0,0 @@
-``profile::ssh_server``
-=======================
-
-This profile configures :manpage:`sshd(8)`.
-
-
-Parameters
----------
-
-====================  ========  =============================================
-**Name**              **Type**  **Default**
--------------------  --------  ---------------------------------------------
-enable_public_key     bool      hiera('ssh_server::enable_public_key', true)
-enable_gssapi         bool      hiera('ssh_server::enable_gssapi')
-permit_root_login     string    hiera('ssh_server::permit_root_login')
-trusted_user_ca_keys  list      hiera('ssh_server::trusted_user_ca_keys', [])
-user_ca_keys          hash      hiera('ssh_server::user_ca_keys', {})
-banner_file           string    hiera('ssh_server::banner_file', undef),
-aliases               list      hiera_array('ssh_server::aliases', []),
-====================  ========  =============================================
-
-``enable_public_key``
-~~~~~~~~~~~~~~~~~~~~~
-
-A boolean determining whether public key authentication is enabled or not for normal users.
-
-Note that ``root`` is still allowed to connect using public key authentication. Here you may block root login with ``ssh_server::permit_root_login`` or restrict from where to allow root login (see bastion hosts ``aaa::bastions`` and ``aaa::use_bastions``).
-
-
-``enable_gssapi``
-~~~~~~~~~~~~~~~~~
-
-A boolean determining whether GSSAPI authentication is enabled or not.
-
-
-``permit_root_login``
-~~~~~~~~~~~~~~~~~~~~~
-
-Sets ``PermitRootLogin`` in the sshd configuration file.
-
-
-``trusted_user_ca_keys``
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-An array containing the user CA keys that will be accepted (as understood by the
-``TrustedUserCAKeys`` directive in :manpage:`sshd_config(5)`).
-
-
-``user_ca_keys``
-~~~~~~~~~~~~~~~~
-
-A hash containing the actual keys to be referenced by `trusted_user_ca_keys`_.
-
-``banner_file``
-~~~~~~~~~~~~~~~
-
-Where to find a custom banner file on the system.
-
-``aliases``
-~~~~~~~~~~~
-
-Adds alternative names/aliases under which this system can be reached too to the principal list of the SSH server host key certificate.
-