From 6b18748076be96f19c7afc76a5ce9f9c723a2cd8 Mon Sep 17 00:00:00 2001
From: Ron Aughenbaugh
Date: Mon, 2 Jun 2025 08:19:29 -0400
Subject: [PATCH] parameterize the host_priv_key_mode

---
 REFERENCE.md | 7 +++++++
 data/common.yaml | 1 +
 manifests/server.pp | 4 ++++
 manifests/server/host_key.pp | 4 ++--
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index b51c3544..7b2b2958 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -540,6 +540,7 @@ The following parameters are available in the `ssh::server` class:
 * [`sshd_binary`](#-ssh--server--sshd_binary)
 * [`sshd_config_mode`](#-ssh--server--sshd_config_mode)
 * [`host_priv_key_group`](#-ssh--server--host_priv_key_group)
+* [`host_priv_key_mode`](#-ssh--server--host_priv_key_mode)
 * [`default_options`](#-ssh--server--default_options)
 * [`ensure`](#-ssh--server--ensure)
 * [`include_dir`](#-ssh--server--include_dir)
@@ -592,6 +593,12 @@ Data type: `Integer`

 Name of the group for the private host key

+##### `host_priv_key_mode`
+
+Data type: `Stdlib::Filemode`
+
+Mode of the private host key
+
 ##### `default_options`

 Data type: `Hash`
diff --git a/data/common.yaml b/data/common.yaml
index 2c9556a4..ba7d6d8c 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -22,6 +22,7 @@ ssh::client::ssh_config: '/etc/ssh/ssh_config'
 ssh::server::service_name: 'svc:/network/ssh:default'
 ssh::sftp_server_path: 'internal-sftp'
 ssh::server::host_priv_key_group: 0
+ssh::server::host_priv_key_mode: '0600'
 ssh::validate_sshd_file : false
 ssh::collect_enabled : true # Collect sshkey resources
 ssh::server::issue_net : '/etc/issue.net'
diff --git a/manifests/server.pp b/manifests/server.pp
index d598c1c1..4a09b523 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -26,6 +26,9 @@
 # @param host_priv_key_group
 # Name of the group for the private host key
 #
+# @param host_priv_key_mode
+# Mode of the private host key
+#
 # @param default_options
 # Default options to set, will be merged with options parameter
 #
@@ -78,6 +81,7 @@
 Stdlib::Absolutepath $sshd_binary,
 Stdlib::Filemode $sshd_config_mode,
 Integer $host_priv_key_group,
+ Stdlib::Filemode $host_priv_key_mode,
 Hash $default_options,
 Enum[present,absent,latest] $ensure = present,
 Optional[Stdlib::Absolutepath] $include_dir = undef,
diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp
index ca3e1057..4a881bfa 100644
--- a/manifests/server/host_key.pp
+++ b/manifests/server/host_key.pp
@@ -100,7 +100,7 @@
 ensure => $ensure,
 owner => 0,
 group => $ssh::server::host_priv_key_group,
- mode => '0600',
+ mode => $ssh::server::host_priv_key_mode,
 path => "${ssh::server::sshd_dir}/${name}",
 source => $manage_priv_key_source,
 content => $manage_priv_key_content,
@@ -121,7 +121,7 @@
 ensure => $ensure,
 owner => 0,
 group => $ssh::server::host_priv_key_group,
- mode => '0600',
+ mode => $ssh::server::host_priv_key_mode,
 path => "${ssh::server::sshd_dir}/${name}",
 show_diff => false,
 notify => Class['ssh::server::service'],
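Review bot: The new `@param host_priv_key_mode` description in the first manifests/server.pp hunk says only "Mode of the private host key", which gives an operator no hint about which values are safe for key material. I would expand it to something like `#   Mode of the private host key files (module default '0600'); keep the "other" permission bits at zero, sshd may reject keys that are too open`. REFERENCE.md carries the same one-line text and would pick up the fuller wording when the reference is regenerated.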
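Review bot: `Stdlib::Filemode $host_priv_key_mode` in the second manifests/server.pp hunk accepts any valid file mode, so a Hiera value such as '0644' (constructed example) would compile cleanly and leave every managed host private key world-readable. The hard-coded '0600' that this commit removes made that mistake impossible, and both `mode =>` lines in manifests/server/host_key.pp now pass the value through unchecked. Consider narrowing the type to the modes the use case needs, for example `Enum['0600', '0640', '0400', '0440'] $host_priv_key_mode,`, or failing compilation when the "other" bits are non-zero. The class parameter list starts and ends outside the hunk.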
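Review bot: Neither `mode => $ssh::server::host_priv_key_mode` line in manifests/server/host_key.pp (the hunks at -100 and -121) is covered by a test, because the diffstat lists no spec file. An rspec-puppet example that asserts `.with_mode('0600')` on the private key file by default, plus a second one that sets the parameter, would pin the secure default against a later change to data/common.yaml. Both file resources begin and end outside their hunks, so I am assuming from the `path` and `group` lines that both manage the private key.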