
Puppet SSH


Manage SSH client and server via Puppet. Source: https://github.com/saz/puppet-ssh

Requirements

  • Exported resources (storeconfigs) for host key management
  • puppetlabs/stdlib
  • puppetlabs/concat

Usage

Since version 2.0.0, only non-default values are written to the client and server configuration files.

Multiple occurrences of one config key (e.g. sshd listening on ports 22 and 2222) are passed as an array:

options => {
  'Port' => [22, 2222],
}

This works for both client and server.

Both client and server, plus per-user client configuration

Host keys are collected and distributed unless storeconfigs_enabled is false.

include ssh

or

class { 'ssh':
  storeconfigs_enabled => false,
  server_options => {
    'Match User www-data' => {
      'ChrootDirectory' => '%h',
      'ForceCommand' => 'internal-sftp',
      'PasswordAuthentication' => 'yes',
      'AllowTcpForwarding' => 'no',
      'X11Forwarding' => 'no',
    },
    'Port' => [22, 2222, 2288],
  },
  client_options => {
    'Host *.amazonaws.com' => {
      'User' => 'ec2-user',
    },
  },
  users_client_options => {
    'bob' => {
      options => {
        'Host *.alice.fr' => {
          'User' => 'alice',
        },
      },
    },
  },
}

Hiera example

ssh::storeconfigs_enabled: true

ssh::server_options:
    Protocol: '2'
    ListenAddress:
        - '127.0.0.0'
        - '%{::hostname}'
    PasswordAuthentication: 'yes'
    SyslogFacility: 'AUTHPRIV'
    UsePAM: 'yes'
    X11Forwarding: 'yes'

ssh::server::match_block:
  filetransfer:
    type: group
    options:
      ChrootDirectory: /home/sftp
      ForceCommand: internal-sftp

ssh::client_options:
    'Host *':
        SendEnv: 'LANG LC_*'
        ForwardX11Trusted: 'yes'
        ServerAliveInterval: '10'

ssh::users_client_options:
    'bob':
        'options':
            'Host *.alice.fr':
                'User': 'alice'
                'PasswordAuthentication': 'no'

Client only

Collected host keys from servers are written to known_hosts unless storeconfigs_enabled is false. Note that the example below sets UserKnownHostsFile to /dev/null for every host, which means the client never remembers a server key and cannot detect a changed one; use that only where host identity is verified some other way.

include ssh::client

or

class { 'ssh::client':
  storeconfigs_enabled => false,
  options => {
    'Host short' => {
      'User' => 'my-user',
      'HostName' => 'extreme.long.and.complicated.hostname.domain.tld',
    },
    'Host *' => {
      'User' => 'andromeda',
      'UserKnownHostsFile' => '/dev/null',
    },
  },
}

Per user client configuration

The user's home directory is assumed to be /home/bob.

SSH configuration file will be /home/bob/.ssh/config.

::ssh::client::config::user { 'bob':
  ensure => present,
  options => {
    'HashKnownHosts' => 'yes'
  }
}

The user's home directory is passed to the defined type

The SSH configuration file will be /var/lib/bob/.ssh/config and Puppet will manage the directory /var/lib/bob/.ssh.

::ssh::client::config::user { 'bob':
  ensure => present,
  user_home_dir => '/var/lib/bob',
  options => {
    'HashKnownHosts' => 'yes'
  }
}

The user's .ssh directory should not be managed by the defined type

SSH configuration file will be /var/lib/bob/.ssh/config.

::ssh::client::config::user { 'bob':
  ensure => present,
  user_home_dir => '/var/lib/bob',
  manage_user_ssh_dir => false,
  options => {
    'HashKnownHosts' => 'yes'
  }
}

The user's ssh config is given as an absolute path

::ssh::client::config::user { 'bob':
  ensure => present,
  target => '/var/lib/bob/.ssh/ssh_config',
  options => {
    'HashKnownHosts' => 'yes'
  }
}

Server only

Host keys are collected for distribution to clients unless storeconfigs_enabled is false

include ssh::server

or

class { 'ssh::server':
  storeconfigs_enabled => false,
  options => {
    'Match User www-data' => {
      'ChrootDirectory' => '%h',
      'ForceCommand' => 'internal-sftp',
      'PasswordAuthentication' => 'yes',
      'AllowTcpForwarding' => 'no',
      'X11Forwarding' => 'no',
    },
    'PasswordAuthentication' => 'no',
    'PermitRootLogin'        => 'no',
    'Port'                   => [22, 2222],
  },
}

Validate config before replacing it

validate_sshd_file runs /usr/sbin/sshd -tf against the rendered sshd config before it replaces the existing file, and raises an error if the config is invalid, so a broken config is never installed.

class { 'ssh::server':
  validate_sshd_file => true,
}

Default options

Client

'Host *'                 => {
  'SendEnv'              => 'LANG LC_*',
  'HashKnownHosts'       => 'yes',
  'GSSAPIAuthentication' => 'yes',
}

Server

'ChallengeResponseAuthentication' => 'no',
'X11Forwarding'                   => 'yes',
'PrintMotd'                       => 'no',
'AcceptEnv'                       => 'LANG LC_*',
'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
'UsePAM'                          => 'yes',

Overwriting default options

Default options are merged with the options passed in. If an option is set both as a default and via the options parameter, the latter wins.

The following example disables X11Forwarding, which the module enables by default:

class { 'ssh::server':
  options           => {
    'X11Forwarding' => 'no',
  },
}

Which will lead to the following sshd_config file:

# File is managed by Puppet

ChallengeResponseAuthentication no
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PasswordAuthentication no

Values can also be arrays, which results in the option being written once per element:

class { 'ssh::server':
  options           => {
    'HostKey' => ['/etc/ssh/ssh_host_ed25519_key', '/etc/ssh/ssh_host_rsa_key'],
  },
}

Which will lead to the following sshd_config file:

# File is managed by Puppet

ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PasswordAuthentication no

Defining host keys for server

You can define the host keys your server will use:

ssh::server::host_key {'ssh_host_rsa_key':
  private_key_content => '<the private key>',
  public_key_content  => '<the public key>',
}

Alternatively, you can create the host key from files instead of inline content:

ssh::server::host_key {'ssh_host_rsa_key':
  private_key_source => 'puppet:///mymodule/ssh_host_rsa_key',
  public_key_source  => 'puppet:///mymodule/ssh_host_rsa_key.pub',
}

Both of these definitions create /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_rsa_key.pub and restart the sshd daemon. The private key then lives in your Puppet code or data, so protect that source as you would the key file itself.

Adding custom match blocks

class YOURCUSTOMCLASS {

  include ssh

  ssh::server::match_block { 'sftp_only':
    type    => 'User',
    options => {
      'ChrootDirectory'        => "/sftp/%u",
      'ForceCommand'           => 'internal-sftp',
      'PasswordAuthentication' => 'no',
      'AllowTcpForwarding'     => 'no',
      'X11Forwarding'          => 'no',
    }
  }
}

Tag hostkey

Assign tags to exported sshkey resources (when ssh::storeconfigs_enabled is true).

ssh::hostkeys::tags:
  - hostkey_group1
  - hostkey_group2

Host keys can then be collected with:

Sshkey <<| tag == "hostkey_group1" |>>

Excluding network interfaces or IP addresses

Use Hiera to exclude interfaces or IP addresses from the exported host key entries:

ssh::hostkeys::exclude_interfaces:
  - eth0
  - eth3
ssh::hostkeys::exclude_ipaddresses:
  - 192.168.0.1
  - 10.42.24.242

Facts

This module provides facts detailing the available SSH client and server versions.

  • ssh_*_version_full: the full version number, including the portable release suffix.
  • ssh_*_version_major: the first two components of the version number.
  • ssh_*_version_release: the first three components of the version number, without the portable suffix.

Example facter output for OpenSSH 6.6.1p1:

ssh_client_version_full => 6.6.1p1
ssh_client_version_major => 6.6
ssh_client_version_release => 6.6.1
ssh_server_version_full => 6.6.1p1
ssh_server_version_major => 6.6
ssh_server_version_release => 6.6.1
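As an added example (not code from saz/puppet-ssh or its README), the following profile class combines the ssh::server parameters documented above into a hardened server: it overrides the module's permissive defaults (X11Forwarding is yes by default), gates the algorithm lists on the ssh_server_version_release fact, writes one line per array element for HostKey and Port, adds a chrooted SFTP Match block, and validates the rendered file before it is installed. The class name profile::ssh_hardened, the sftponly group, the /srv/sftp path, the 6.5 version threshold and the algorithm lists are this example's own assumptions.

```puppet
# Added example, not part of saz/puppet-ssh: a hardened ssh::server profile
# built only from parameters documented in the README. The class name, the
# sftponly group, /srv/sftp, the 6.5 threshold and the algorithm lists are
# assumptions made for this example.
class profile::ssh_hardened {

  $release = $facts['ssh_server_version_release']

  # Gate algorithm restrictions on the installed server version: sshd refuses
  # to start when Ciphers/KexAlgorithms/MACs names something it does not know,
  # and the fact is undef on a run where openssh-server is not installed yet.
  if $release != undef and versioncmp($release, '6.5') >= 0 {
    $version_options = {
      # Arrays expand to one HostKey line per element, in this order
      'HostKey'       => [
        '/etc/ssh/ssh_host_ed25519_key',
        '/etc/ssh/ssh_host_rsa_key',
      ],
      'KexAlgorithms' => 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256',
      'Ciphers'       => 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com',
      'MACs'          => 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com',
    }
  } else {
    # Older sshd (or unknown version): keep the RSA host key and sshd's own
    # algorithm defaults rather than risk an unrecognised name.
    $version_options = {
      'HostKey' => ['/etc/ssh/ssh_host_rsa_key'],
    }
  }

  $base_options = {
    # Module defaults that are too permissive for a hardened host; an explicit
    # value here wins over the module default ("Overwriting default options").
    'X11Forwarding'                   => 'no',
    'ChallengeResponseAuthentication' => 'no',
    'UsePAM'                          => 'yes',
    # Key-based logins only, no root, fail fast on password guessing
    'PasswordAuthentication'          => 'no',
    'PermitEmptyPasswords'            => 'no',
    'PubkeyAuthentication'            => 'yes',
    'PermitRootLogin'                 => 'no',
    'MaxAuthTries'                    => '3',
    'LoginGraceTime'                  => '30',
    # No tunnelling for ordinary users
    'AllowTcpForwarding'              => 'no',
    'AllowAgentForwarding'            => 'no',
    'PermitTunnel'                    => 'no',
    # VERBOSE logs the fingerprint of the key used for each login
    'LogLevel'                        => 'VERBOSE',
    # One Port line per element
    'Port'                            => [22, 2222],
    # Chrooted SFTP for one group: no shell, no forwarding, keys only
    'Match Group sftponly'            => {
      'ChrootDirectory'        => '/srv/sftp/%u',
      'ForceCommand'           => 'internal-sftp',
      'AllowTcpForwarding'     => 'no',
      'AllowAgentForwarding'   => 'no',
      'X11Forwarding'          => 'no',
      'PasswordAuthentication' => 'no',
    },
  }

  class { 'ssh::server':
    storeconfigs_enabled => false,
    # Run `sshd -tf` on the rendered file before it replaces
    # /etc/ssh/sshd_config, so a typo never takes the service down.
    validate_sshd_file   => true,
    options              => $base_options + $version_options,
  }
}
```

The version check matters because the fact is undef on the first run of a fresh host and because older sshd releases abort on an unknown algorithm name; validate_sshd_file would catch that too, but only after the catalog has already been compiled with the bad value. ChrootDirectory requires every path component of /srv/sftp/%u to be owned by root and not writable by group or others, otherwise sshd rejects the login; creating those directories and the sftponly group is left to another class.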

puppet-ssh's Issues

"ssh_client_version_full" fact uses 'sshd -V 2>&1'

The "ssh_client_version_full" and "ssh_server_version_full" facts are both determined using 'sshd -V 2>&1'. I would think that the client version should be determined using 'ssh -V 2>&1'. Not sure if there's a reason for using 'sshd -V 2>&1' for both facts, but I wanted to report this anyway.

replace => false in server/config.pp

replace => false in server/config.pp obviously causes the agent not to copy the file over after editing.

I know this is probably the safe way to go, BUT it is unexpected behavior and should be documented. Also, maybe the class should be extended to restart the server if "replace => false" is not used.

In theory it would be good enough if the config file was sent on the first run but since it will almost always be in place from the start the file would never get sent over?!

Removal of a node does not result in removal of ssh_known_hosts entry

With storeconfigs enabled and keys in puppetdb, ssh::knownhosts collects them and writes to /etc/ssh/ssh_known_hosts. But if a node is then deactivated, its entry is not removed from ssh_known_hosts. If that file is truncated, it can be remade without the removed node, but it seems like it should be possible to have node deactivation result in the removal of the key from ssh_known_hosts.

sshd_config AllowUsers

Augeas uses a sequence to manage this resource. Adding multiple users with puppet-ssh can be achieved:

ssh::server::configline { 'AllowUsers/1': value => 'user1' }
ssh::server::configline { 'AllowUsers/2': value => 'user2@host' }

However, your rules check each of these for equality individually.
Since 'AllowUsers user1' does not equal 'AllowUsers user1 user2@host', the new value becomes 'AllowUsers user1 user2@host user1'. Every puppet run will add new entries to the AllowUsers line.

Am I misusing puppet-ssh with AllowUsers or is this a bug?

Config fails to handle listenaddress versus ListenAddress

Because Augeas is case sensitive it fails to modify existing config entries such as:

listenaddress 0.0.0.0

When you wanted to use Puppet to replace it with ListenAddress 10.1.1.1.

This is a limitation of Augeas and may require using templates or some other mechanism.

Using match_block causes Error 400 on SERVER: Invalid tag

I'm trying to use match_block as shown in the example. But get an internal server error:
Error 400 on SERVER: Invalid tag '::ssh::server::match_block'

  ::ssh::server::match_block { 'sftpusers':
    type                       => 'Group',
    options                    => {
      'ChrootDirectory'        => "/var/sftp/",
      'ForceCommand'           => 'internal-sftp',
      'AllowTcpForwarding'     => 'no',
      'X11Forwarding'          => 'no',
    }
  }

Am I using it incorrectly? The debug output for puppet agent -t --debug doesn't show any additional info.

enhancement: add hiera example

Can you add an example of recording the data using a yaml-backed hiera setup? I'm having a hard time getting my head around how I'd do that.

Problem with server_options argument when not using hiera

Hi.
We are having problems with the 2.6.0 release:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, Could not find data item ssh::server_options in any Hiera data file and no default supplied at /etc/puppetlabs/puppet/thirdparty_modules/ssh/manifests/init.pp:9:27

We are not supplying server_options through hiera, we are using the server_options argument

Best Regards Olof Hellqvist

Multiple ports results in a single concatenated port numbers

 class { 'ssh::server':
    storeconfigs_enabled => false,
    options => {
      'PasswordAuthentication' => 'no',
      'Port'                   => [22,65432],
    },
  }

Results in:

notice: /Stage[main]/Ssh::Server::Config/File[/etc/ssh/sshd_config]/content: 
--- /etc/ssh/sshd_config    2014-04-17 11:32:16.768188177 +0100
+++ /tmp/puppet-file20140417-9314-kgmf64-0  2014-04-17 11:35:01.376416998 +0100
@@ -1,5 +1,5 @@
 # File is managed by Puppet
-Port 22
+Port 2265432
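Review bot: the `+Port 2265432` line shows the array `[22,65432]` was joined into one string rather than expanded to one `Port` directive per element; the intended output is `Port 22` on one line and `Port 65432` on the next.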

Module broken on 3.7.4

When trying to include this module without any hiera options, I get the following error:

Error: Evaluation Error: Error while evaluating a Function Call, create_resources(): second argument must be a hash at /etc/puppet/modules/ssh/manifests/init.pp:46:3

The reason is that in init.pp, $fin_users_client_options is a string, not a hash. This kind of problem was mentioned in this commit: cb626fd

Strange error when running on PE 3.8

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, uncaught throw :undefined_variable in thread 0x213a2 at /etc/puppetlabs/puppet/modules/ssh/manifests/hostkeys.pp:2:18 on node

Any thoughts on this?

puppetlabs-concat v1.2.1 with file_concat breaks sshd_config ~> Service

When using this module with the latest version of puppetlabs-concat the File/Service relationship fails.

File[$ssh::params::sshd_config] ~> Service[$ssh::params::service_name]

as the File resource doesn't exist. The new concat module doesn't create a File resource by the looks of things anymore. With some very loose testing I've found that

  1. Removing the File ~> Service relationship chains seems fine, as the Class ~> Class relationships between the 'ssh::server::config' and 'ssh::server::service' are defined.
  2. Changing the File ~> Service relationship to Concat ~> Service works fine as the relationship is now with the public module name rather than the internal File resource.

I'm not completely sure which method would be the best.

Map boolean config values to the real pairs

The module does not map booleans from YAML/JSON to the values that ssh/sshd accept. For example, PrintMotd is a boolean config option and can be true or false; however, if you provide true (e.g. Foreman converts all unquoted yes / no to the boolean values true / false), the module generates wrong config (true instead of yes), which sshd does not understand, and it fails to start.

The workaround is easy: in Foreman you should always quote 'yes' / 'no' values to ensure they are written correctly. However, the module should know this mapping, especially because OpenSSH currently does not use any config option where true or false makes sense.

Allow Options like HostKey to be specified multiple times

The HostKey option for sshd_config can be specified multiple times. Currently, it is not possible to add multiple HostKey statements to the config, because additional Options are stored in a Hash.

One possible Solution would be to allow HostKey to be an array which expands to multiple HostKey-Statements. How do you feel about this approach?

Use puppet-ssh without storeconfigs or puppetdb?

I'm using this (successfully) in a vagrant environment without puppetdb, but of course I get

Warning: You cannot collect without storeconfigs being set on line 9 in file /tmp/vagrant-puppet-1/modules-0/ssh/manifests/hostkeys.pp

I understand the purpose of managing the hostkeys, but don't particularly want to use puppetdb or storeconfigs. I don't see an option to turn off this behavior. Am I missing something?

Puppet 4 Errors

Receiving custom fact errors on puppet 4

Error: Facter: error while resolving custom fact "ssh_client_version_full": undefined method `lines' for nil:NilClass
Error: Facter: error while resolving custom fact "ssh_client_version_major": undefined method `gsub' for nil:NilClass
Error: Facter: error while resolving custom fact "ssh_client_version_release": undefined method `gsub' for nil:NilClass
Error: Facter: error while resolving custom fact "ssh_server_version_full": undefined method `lines' for nil:NilClass
Error: Facter: error while resolving custom fact "ssh_server_version_major": undefined method `gsub' for nil:NilClass
Error: Facter: error while resolving custom fact "ssh_server_version_release": undefined method `gsub' for nil:NilClass

Allow for Sshkey's to be only "realized" from the current environment

I have a "multi-tenant" puppet server where each customer has their own puppet environment. I know that I can always set storeconfigs_enabled => false, but I would like the hosts to "send" their host keys, but only retrieve host keys from the same puppet environment. Does this make any sense? I honestly think it would be a fairly easy change, but if there is no desire for it, maybe I will just disable the storeconfigs option.

Failed to parse template ssh/sshd_config.erb (undefined method)

v2.3.1 seems to have a (fatal) problem with sshd_config.erb (or what's being input to it). A casual glance didn't explain it to me.

Error: Failed to parse template ssh/sshd_config.erb:
  Filepath: /tmp/vagrant-puppet-1/modules-0/ssh/templates/sshd_config.erb
  Line: 3
  Detail: undefined method `<=>' for false:FalseClass
 at /tmp/vagrant-puppet-1/modules-0/ssh/manifests/server/config.pp:7 on node xxx

Travis build is failing

The travis build is failing, and it looks like it has been failing for a while. Does that mean this module is dead?

File[$ssh::params::sshd_config] file resource missing?

When you define "File[$ssh::params::sshd_config] ~> Service[$ssh::params::service_name]" .. i am getting error

Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find resource 'File[/etc/ssh/sshd_config]' for relationship on 'Service[sshd]'

This happened after I added the concat module, I guess. I think we need "Concat[$ssh::params::sshd_config]".

sshd_config order wrong

when specifying Port and ListenAddress for sshd_config, options are sorted and ListenAddress will be in the file before Ports.

This is wrong, sshd needs Ports in config first:
"Starting sshd: /etc/ssh/sshd_config line 7: ports must be specified before ListenAddress."

invalid parameter: allow_virtual

Hi there,

I got following errors when applying the module on a Debian Wheezy machine:

Error 400 on SERVER: Invalid parameter allow_virtual at 
/etc/puppet/modules/ssh/manifests/server/install.pp:8
Error 400 on SERVER: Invalid parameter allow_virtual at 
/etc/puppet/modules/ssh/manifests/client/install.pp:7

When I comment both parameters in install.pp it seems to work fine. I can't find these parameters anywhere else in the module. What am I doing wrong here?

Could not find command '/var/lib/puppet/concat/bin/concatfragments.rb'

I'm getting the error Could not find command '/var/lib/puppet/concat/bin/concatfragments.rb' , when using puppet module saz-ssh v2.8.1 and running a noop.

All my modules are:

puppet module list

/etc/puppet/modules
├── puppetlabs-concat (v1.2.3)
├── puppetlabs-ntp (v4.0.0)
├── puppetlabs-stdlib (v4.6.0)
└── saz-ssh (v2.8.1)

Some facts from my fresh installation:

facter os puppetversion

os => {"name"=>"Ubuntu", "release"=>{"major"=>"12.04", "full"=>"12.04"}, "lsb"=>{"distrelease"=>"12.04", "distcodename"=>"precise", "majdistrelease"=>"12.04", "distdescription"=>"Ubuntu 12.04", "distid"=>"Ubuntu"}, "family"=>"Debian"}
puppetversion => 3.8.1

My site.pp:

include ::ssh::server

Error:

puppet agent --test --noop

Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for ema
Info: Applying configuration version '1436379851'
Notice: /Stage[main]/Concat::Setup/File[/var/lib/puppet/concat]/ensure: current_value absent, should be directory (noop)
Notice: /Stage[main]/Concat::Setup/File[/var/lib/puppet/concat/bin]/ensure: current_value absent, should be directory (noop)
Notice: /Stage[main]/Concat::Setup/File[/var/lib/puppet/concat/bin/concatfragments.rb]/ensure: current_value absent, should be file (noop)
Notice: Class[Concat::Setup]: Would have triggered 'refresh' from 3 events
Notice: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/var/lib/puppet/concat/etc_ssh_sshd_config]/ensure: current_value absent, should be directory (noop)
Info: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/var/lib/puppet/concat/etc_ssh_sshd_config]: Scheduling refresh of Exec[concat/etc/ssh/sshd_config]
Notice: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/var/lib/puppet/concat/etc_ssh_sshd_config/fragments.concat.out]/ensure: current_value absent, should be present (noop)
Notice: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/var/lib/puppet/concat/etc_ssh_sshd_config/fragments]/ensure: current_value absent, should be directory (noop)
Info: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/var/lib/puppet/concat/etc_ssh_sshd_config/fragments]: Scheduling refresh of Exec[concat/etc/ssh/sshd_config]
Notice: /Stage[main]/Ssh::Server::Config/Concat::Fragment[global config]/File[/var/lib/puppet/concat/etc_ssh_sshd_config/fragments/00_global config]/ensure: current_value absent, should be file (noop)
Info: /Stage[main]/Ssh::Server::Config/Concat::Fragment[global config]/File[/var/lib/puppet/concat/etc_ssh_sshd_config/fragments/00_global config]: Scheduling refresh of Exec[concat/etc/ssh/sshd_config]
Notice: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/var/lib/puppet/concat/etc_ssh_sshd_config/fragments.concat]/ensure: current_value absent, should be present (noop)
Error: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/Exec[concat/etc/ssh/sshd_config]: Could not evaluate: Could not find command '/var/lib/puppet/concat/bin/concatfragments.rb'
Notice: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/Exec[concat/etc/ssh/sshd_config]: Would have triggered 'refresh' from 3 events
Notice: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/etc/ssh/sshd_config]: Dependency Exec[concat/etc/ssh/sshd_config] has failures: true
Warning: /Stage[main]/Ssh::Server::Config/Concat[/etc/ssh/sshd_config]/File[/etc/ssh/sshd_config]: Skipping because of failed dependencies
Notice: Concat[/etc/ssh/sshd_config]: Would have triggered 'refresh' from 5 events
Info: Concat[/etc/ssh/sshd_config]: Scheduling refresh of Service[ssh]
Notice: Concat::Fragment[global config]: Would have triggered 'refresh' from 1 events
Notice: Class[Ssh::Server::Config]: Would have triggered 'refresh' from 2 events
Info: Class[Ssh::Server::Config]: Scheduling refresh of Class[Ssh::Server::Service]
Notice: Class[Ssh::Server::Service]: Would have triggered 'refresh' from 1 events
Info: Class[Ssh::Server::Service]: Scheduling refresh of Service[ssh]
Notice: /Stage[main]/Ssh::Server::Service/Service[ssh]: Dependency Exec[concat/etc/ssh/sshd_config] has failures: true
Warning: /Stage[main]/Ssh::Server::Service/Service[ssh]: Skipping because of failed dependencies
Notice: /Stage[main]/Ssh::Server::Service/Service[ssh]: Would have triggered 'refresh' from 2 events
Notice: Class[Ssh::Server::Service]: Would have triggered 'refresh' from 1 events
Notice: /Stage[main]/Ssh::Server/Anchor[ssh::server::end]: Dependency Exec[concat/etc/ssh/sshd_config] has failures: true
Warning: /Stage[main]/Ssh::Server/Anchor[ssh::server::end]: Skipping because of failed dependencies
Notice: Stage[main]: Would have triggered 'refresh' from 3 events
Notice: Finished catalog run in 0.34 seconds

metadata.json does not compile

Could not use this module as metadata.json did not compile. The issue is in the dependency clause; I had a look but could not see the problem. Worth adding metadata lint too.

What is <<| |>> ?

This is more of a question, rather than an issue, but what is the <<| |>> and how does it work? I found it in knownhosts.pp whilst debugging an issue I'm having with SSH keys in a new environment I created. I can't seem to find the mystical space ship thing (<<| |>>) documented anywhere. I'm stumped.

Support for merging options hash using multi-level hierarchy in hiera

I generally appreciate the idea behind it, but
I think the merge 3b2b2fb broke my ssh setup.

In my hierarchy, I have ssh::server_options defined, but no ssh::server::options.

In init.pp, these options are taken and passed to server.pp. However, there the selector doesn't work. (It also doesn't work in init.pp, but there it's not recognized ;)

I wrote little test manifest:

class test {
  $blah = hiera_hash('something', undef)

  $blubb = $blah ? {
    undef   => 'yalla',
    default => 'foo bar',
  }

  notify { $blubb: }
}

Which spits out:
Notice: Compiled catalog for galen.l00-bugdead-prods.de in environment production in 1.98 seconds
Info: Applying configuration version '1431328078'
Notice: foo bar
Notice: /Stage[main]/Test/Notify[foo bar]/message: defined 'message' as 'foo bar'
Notice: Finished catalog run in 0.90 seconds

so the selectors used in the ssh module always fall back to the default.
Don't know what's wrong, if it is not possible to define 'undef' as default value?

This happens for me on OpenBSD with puppet-3.7.4p2, and ruby21-hiera-1.3.4

my current workaround is to use ssh::client::options and ssh::server::options in my Hiera hierarchy.

Don't know really how to work around it, i.e. A fallback value should be specified, as hiera_hash would bail out if it cannot find anything. Changing the default value to an empty hash {}, I haven't tried it, but I think the selectors would not like this. Don't know if it would be possible to have a string as default value, i.e. "Nothing Found", that then should work with the selector at least.

Sebastian

Dependency Cycle

When adding your module to my own configuration I appear to get the following error:

Error: Could not apply complete catalog: Found 1 dependency cycle:
(Anchor[ssh::server::end] => Class[Ssh::Server] => Service[sshd] => Class[Ssh::Server::Service] => Anchor[ssh::server::end])
Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz

I have not been able to track down the cause of the problem.
Running Puppet 3.6.2

Using it in this way:

class { 'ssh::server':
  storeconfigs_enabled => false,
  options => {
    'PasswordAuthentication' => 'no',
    'PermitRootLogin'        => 'yes',
    'Port'                   => 1233,
  },
  notify => Service['sshd']
}

If you need more information just let me know

I think puppetlabs-concat might be a requirement also

Being new to Puppet, I could not get the ssh module to deploy to a node without installing puppetlabs-concat on the master.
Both hosts are Ubuntu 14.04.2
Puppet versions are; node 3.7.4, master 3.7.5

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid resource type concat at /etc/puppet/modules/ssh/manifests/server/config.pp:9 on node pn-test.playground.uno
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Be able to edit ssh_config line entries as well

I'd love to be able to mange per-line entries in ssh_config. I started toying with copying over your defined type with augeas for clients and ran into a few issues. I won't have time to get back to it, but I thought I'd open an issue in case you get time.

Dependency error during rake spec

I'm getting this error when I run rake spec from my roles/profiles. Is there a missing fact that I need to include? It looked like $::osfamily drove everything in the params.pp.

    Failure/Error: it { should contain_class('roles') }
     Puppet::Error:
       Could not find resource 'File[/etc/ssh/sshd_config]' for relationship on 'Service[sshd]'

Here is my simple spec. I tried including lsbdistdescription, lsbdistid, interfaces, and ipaddress_eth0 because you had them in your spec.

require 'spec_helper'

describe 'roles' do
  context 'supported operating systems' do
    ['RedHat'].each do |osfamily|
      describe "roles class without any parameters on #{osfamily}" do
        let(:hiera_config) { 'spec/fixtures/hiera/hiera.yaml' }
        let(:params) {{ }}
        let(:facts) {{
          :osfamily => osfamily,
          :operatingsystem => osfamily,
          :operatingsystemmajrelease => '6',
          :operatingsystemrelease     => '6.3',
          :lsbdistdescription => 'Red Hat Enterprise Linux Server release 6.6 (Santiago)',
          :lsbdistid => 'RedHatEnterpriseServer',
          :interfaces => 'eth0',
          :ipaddress_eth0 => '192.168.1.1',
          :concat_basedir => '/tmp'
        }}

        it { should compile.with_all_deps }
        it { should contain_class('roles') }
      end
    end
  end
end

Host ordering for ssh_config matters and the sort kinda breaks that

At https://github.com/saz/puppet-ssh/blob/master/templates/ssh_config.erb#L15 the .sort breaks one of the 'features' of ssh_config. The options are applied on a first come, first served basis. The scenario I'm thinking of works like this:

Host .
ForwardAgent no
Host *
ForwardAgent yes

I'm trying to add these to my ssh_config and in that specific order. But, the sort makes it so I can't keep them in that order. I got around it by changing my config to be "# 0\nHost ." and "# 1\nHost *", but that's kinda cheesy. Is the .sort necessary or just to keep things pretty?

Invalid value "ed25519"

err: Failed to apply catalog: Parameter type failed on Sshkey[graphite.powernet_ed25519]: Invalid value "ed25519". Valid values are ssh-dss, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521.

this error after i update module with r10k

How to disable subsystem?

By default your server class configures a SSH Subsystem (/usr/lib/openssh/sftp-server). How can we not configure a subsystem when the only thing we can do is override the Subsystem value? i.e. an empty 'Subsystem' declaration will result in sshd failing to start.

Can not add multiple parameters like 'Port' or 'ListenAddress'

I modified configline.pp in the following manner:
...
case $ensure {
  present: {
    augeas { "sshd_config_${name}":
      changes => "set ${name} ${value}",
      onlyif  => "get ${name} != ${value}",
    }
  }
  add: {
    augeas { "sshd_config_${name}":
      changes => [
        "ins ${name} after ${name}[last()]",
        "set ${name}[last()] ${value}",
      ],
      onlyif  => "get ${name}[. = '${value}'] != ${value}",
    }
  }
  absent: {
    augeas { "sshd_config_${name}":
      changes => "rm ${name}",
      onlyif  => "get ${name}",
    }
  }
}
...
Now you can add multiple options:
ssh::server::configline { 'Port':
  ensure => 'add',
  value  => '5190',
}

Provide openssh version as a fact

I'd like to enable some specific cipher options but they require OpenSSH >= 6.2, which isn't always available. So I'd like to be able to selectively enable these ciphers if the OpenSSH version supports them and OpenSSH server fails hard if you supply unrecognised cipher options.
