From cd0072ebeca90aba8c3e3c9ad5246febb0a0f254 Mon Sep 17 00:00:00 2001
From: ebner
Date: Wed, 24 Jul 2024 12:15:20 +0200
Subject: [PATCH] add howto for sshd config - removed some old files
---
_toc.yml | 1 +
.../configuration/sshd_configuration.md | 45 +++++++++++++
admin-guide/puppet/profiles/ssh_client.rst | 37 -----------
admin-guide/puppet/profiles/ssh_server.rst | 63 -------------------
4 files changed, 46 insertions(+), 100 deletions(-)
create mode 100644 admin-guide/configuration/sshd_configuration.md
delete mode 100644 admin-guide/puppet/profiles/ssh_client.rst
delete mode 100644 admin-guide/puppet/profiles/ssh_server.rst
diff --git a/_toc.yml b/_toc.yml
index 94c26231..0eaf9026 100644
--- a/_toc.yml
+++ b/_toc.yml
@@ -64,6 +64,7 @@ chapters:
 - file: admin-guide/configuration/metrics_telegraf
 - file: admin-guide/configuration/ntp_server
 - file: admin-guide/configuration/nfs_server
+ - file: admin-guide/configuration/sshd_configuration
 - file: admin-guide/configuration/sftp_server
 - file: admin-guide/configuration/ssh_host_hopping
 - file: admin-guide/configuration/citrix_vda
diff --git a/admin-guide/configuration/sshd_configuration.md b/admin-guide/configuration/sshd_configuration.md
new file mode 100644
index 00000000..12ae3c8e
--- /dev/null
+++ b/admin-guide/configuration/sshd_configuration.md
@@ -0,0 +1,45 @@
+# SSH Server Configuration (sshd)
+
+
+## Extra Configuration
+Custom configration to the sshd config file can be added via the `ssh_server::extra_config` key. The config will be added at the end of the `/etc/ssh/sshd_config` file.
+
+### Force Command
+
+To configure a force command use:
+```yaml
+# add force command
+ssh_server::extra_config:
+ 'Force command for non root users': |
+ Match User *,!root
+ ForceCommand /usr/bin/kpasswd
+
+```
+
+## Login Banner
+A login banner can be configured as follows:
+
+```yaml
+# custom banner message on ssh login-prompt
+
+ssh_server::banner_file: '/etc/sshgw/sshd_message'
+
+files::files:
+ /etc/sshgw/sshd_message:
+ mode: '0644'
+ owner: 'root'
+ content: |
+ ----
+
+ PAUL SCHERRER INSTITUTE
+ ________________
+ | __ | ____| |
+ | ____|____ | |
+ |_| |______|__|
+
+ ----
+
+```
+
+## SFTP Server
+How to enable/disable and configure a sftp server please refer to [sftp_server](sftp_server).
\ No newline at end of file
diff --git a/admin-guide/puppet/profiles/ssh_client.rst b/admin-guide/puppet/profiles/ssh_client.rst
deleted file mode 100644
index 9586e913..00000000
--- a/admin-guide/puppet/profiles/ssh_client.rst
+++ /dev/null
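Review bot: The Force Command example renders a `Match User *,!root` block through `ssh_server::extra_config`, and sshd_config(5) applies every directive that follows a `Match` line to that block until the next `Match` or the end of the file, so any other `extra_config` entry that lands after this one in `/etc/ssh/sshd_config` would silently be restricted to non-root users instead of applying globally. The page says the key's content is appended at the end of the file but not how several entries are ordered relative to each other, so the caveat belongs directly under the example, e.g. `A Match block applies to every line after it; keep global directives in an entry that is rendered before any Match entry, and check the effective result with sshd -T -C user=<user>.` In the same section `configration` should read `configuration`.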
@@ -1,37 +0,0 @@
-``profile::ssh_client``
-=======================
-
-This profile configures '/etc/ssh/ssh_known_hosts' :manpage:`sshd(8)`.
-PSI CA key is added to the 'ssh_known_hosts', in this manner we allow
-PSI servers to SSH to this host.
-
-
-Parameters
-----------
-
-====================== ======== =============================================
-**Name** **Type** **Default**
----------------------- -------- ---------------------------------------------
-canonicalize_hostname bool hiera('ssh_client::canonicalize_hostname')
-forward_x11 bool hiera('ssh_client::forward_x11')
-try_host_trust bool hiera('ssh_client::try_host_trust', false)
-====================== ======== =============================================
-
-
-``canonicalize_hostname``
-~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Determines whether or not hostnames are canonicalized for ``psi.ch``. See
-:manpage:`ssh_config(5)` for details.
-
-
-``foward_x11``
-~~~~~~~~~~~~~~
-
-Determines whether ``ForwardX11`` and ``ForwardX11Trusted`` should be enabled.
-
-
-``try_host_trust``
-~~~~~~~~~~~~~~~~~~
-
-Determines whether the ssh client attemps to authenticate using `HostbasedAuthentication``
diff --git a/admin-guide/puppet/profiles/ssh_server.rst b/admin-guide/puppet/profiles/ssh_server.rst
deleted file mode 100644
index f1291b15..00000000
--- a/admin-guide/puppet/profiles/ssh_server.rst
+++ /dev/null
@@ -1,63 +0,0 @@
-``profile::ssh_server``
-=======================
-
-This profile configures :manpage:`sshd(8)`.
-
-
-Parameters
-----------
-
-==================== ======== =============================================
-**Name** **Type** **Default**
--------------------- -------- ---------------------------------------------
-enable_public_key bool hiera('ssh_server::enable_public_key', true)
-enable_gssapi bool hiera('ssh_server::enable_gssapi')
-permit_root_login string hiera('ssh_server::permit_root_login')
-trusted_user_ca_keys list hiera('ssh_server::trusted_user_ca_keys', [])
-user_ca_keys hash hiera('ssh_server::user_ca_keys', {})
-banner_file string hiera('ssh_server::banner_file', undef),
-aliases list hiera_array('ssh_server::aliases', []),
-==================== ======== =============================================
-
-``enable_public_key``
-~~~~~~~~~~~~~~~~~~~~~
-
-A boolean determining whether public key authentication is enabled or not for normal users.
-
-Note that ``root`` is still allowed to connect using public key authentication. Here you may block root login with ``ssh_server::permit_root_login`` or restrict from where to allow root login (see bastion hosts ``aaa::bastions`` and ``aaa::use_bastions``).
-
-
-``enable_gssapi``
-~~~~~~~~~~~~~~~~~
-
-A boolean determining whether GSSAPI authentication is enabled or not.
-
-
-``permit_root_login``
-~~~~~~~~~~~~~~~~~~~~~
-
-Sets ``PermitRootLogin`` in the sshd configuration file.
-
-
-``trusted_user_ca_keys``
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-An array containing the user CA keys that will be accepted (as understood by the
-``TrustedUserCAKeys`` directive in :manpage:`sshd_config(5)`).
-
-
-``user_ca_keys``
-~~~~~~~~~~~~~~~~
-
-A hash containing the actual keys to be referenced by `trusted_user_ca_keys`_.
-
-``banner_file``
-~~~~~~~~~~~~~~~
-
-Where to find a custom banner file on the system.
-
-``aliases``
-~~~~~~~~~~~
-
-Adds alternative names/aliases under which this system can be reached too to the principal list of the SSH server host key certificate.
-