diff --git a/REFERENCE.md b/REFERENCE.md
index b51c3544..77c59382 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -10,9 +10,8 @@
* [`ssh`](#ssh): This class manages ssh client and server
* [`ssh::client`](#ssh--client): This class add ssh client management
-* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys
-* [`ssh::knownhosts`](#ssh--knownhosts): This class manages knownhosts if collection is enabled.
-* [`ssh::server`](#ssh--server): This class managed ssh server
+* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys. It is intended to be called from `ssh::server`.
+* [`ssh::server`](#ssh--server): This class manages the ssh server and related resources, including host keys.
#### Private Classes
@@ -337,6 +336,7 @@ The following parameters are available in the `ssh::client` class:
* [`options_absent`](#-ssh--client--options_absent)
* [`default_options`](#-ssh--client--default_options)
* [`match_block`](#-ssh--client--match_block)
+* [`storeconfigs_group`](#-ssh--client--storeconfigs_group)
##### `ssh_config`
@@ -406,9 +406,17 @@ Add ssh match_block (with concat)
Default value: `{}`
+##### `storeconfigs_group`
+
+Data type: `Optional[String[1]]`
+
+Define the hostkeys tag to filter with
+
+Default value: `undef`
+
### `ssh::hostkeys`
-This class manages hostkeys
+This class manages hostkeys. It is intended to be called from `ssh::server`.
#### Parameters
@@ -429,7 +437,7 @@ Data type: `Boolean`
Whether ip addresses should be added as aliases
-Default value: `true`
+Default value: `$ssh::server::export_ipaddresses`
##### `storeconfigs_group`
@@ -437,7 +445,7 @@ Data type: `Optional[String[1]]`
Tag hostkeys with this group to allow segregation
-Default value: `undef`
+Default value: `$ssh::server::storeconfigs_group`
##### `extra_aliases`
@@ -445,7 +453,7 @@ Data type: `Array`
Additional aliases to set for host keys
-Default value: `[]`
+Default value: `$ssh::server::extra_aliases`
##### `exclude_interfaces`
@@ -453,7 +461,7 @@ Data type: `Array`
List of interfaces to exclude
-Default value: `[]`
+Default value: `$ssh::server::exclude_interfaces`
##### `exclude_interfaces_re`
@@ -461,7 +469,7 @@ Data type: `Array`
List of regular expressions to exclude interfaces
-Default value: `[]`
+Default value: `$ssh::server::exclude_interfaces_re`
##### `exclude_ipaddresses`
@@ -469,7 +477,7 @@ Data type: `Array`
List of ip addresses to exclude
-Default value: `[]`
+Default value: `$ssh::server::exclude_ipaddresses`
##### `use_trusted_facts`
@@ -477,7 +485,7 @@ Data type: `Boolean`
Whether to use trusted or normal facts
-Default value: `false`
+Default value: `$ssh::server::use_trusted_facts`
##### `tags`
@@ -485,38 +493,11 @@ Data type: `Optional[Array[String[1]]]`
Array of custom tags
-Default value: `undef`
-
-### `ssh::knownhosts`
-
-This class manages knownhosts if collection is enabled.
-
-#### Parameters
-
-The following parameters are available in the `ssh::knownhosts` class:
-
-* [`collect_enabled`](#-ssh--knownhosts--collect_enabled)
-* [`storeconfigs_group`](#-ssh--knownhosts--storeconfigs_group)
-
-##### `collect_enabled`
-
-Data type: `Boolean`
-
-Enable collection
-
-Default value: `$ssh::knownhosts::collect_enabled`
-
-##### `storeconfigs_group`
-
-Data type: `Optional[String[1]]`
-
-Define the hostkeys group storage
-
-Default value: `undef`
+Default value: `$ssh::server::tags`
### `ssh::server`
-This class managed ssh server
+This class manages the ssh server and related resources, including host keys.
#### Examples
@@ -555,6 +536,14 @@ The following parameters are available in the `ssh::server` class:
* [`use_issue_net`](#-ssh--server--use_issue_net)
* [`sshd_environments_file`](#-ssh--server--sshd_environments_file)
* [`server_package_name`](#-ssh--server--server_package_name)
+* [`export_ipaddresses`](#-ssh--server--export_ipaddresses)
+* [`storeconfigs_group`](#-ssh--server--storeconfigs_group)
+* [`extra_aliases`](#-ssh--server--extra_aliases)
+* [`exclude_interfaces`](#-ssh--server--exclude_interfaces)
+* [`exclude_interfaces_re`](#-ssh--server--exclude_interfaces_re)
+* [`exclude_ipaddresses`](#-ssh--server--exclude_ipaddresses)
+* [`use_trusted_facts`](#-ssh--server--use_trusted_facts)
+* [`tags`](#-ssh--server--tags)
##### `service_name`
@@ -710,6 +699,70 @@ Name of the server package to install
Default value: `undef`
+##### `export_ipaddresses`
+
+Data type: `Boolean`
+
+Whether IP addresses should be added as aliases for host keys
+
+Default value: `true`
+
+##### `storeconfigs_group`
+
+Data type: `Optional[String[1]]`
+
+Tag host keys with this group to allow segregation
+
+Default value: `undef`
+
+##### `extra_aliases`
+
+Data type: `Array`
+
+Additional aliases to set for host keys
+
+Default value: `[]`
+
+##### `exclude_interfaces`
+
+Data type: `Array`
+
+List of interfaces to exclude when collecting IPs for host keys
+
+Default value: `[]`
+
+##### `exclude_interfaces_re`
+
+Data type: `Array`
+
+List of regular expressions to exclude interfaces
+
+Default value: `[]`
+
+##### `exclude_ipaddresses`
+
+Data type: `Array`
+
+List of IP addresses to exclude from host key aliases
+
+Default value: `[]`
+
+##### `use_trusted_facts`
+
+Data type: `Boolean`
+
+Whether to use trusted facts instead of legacy facts
+
+Default value: `false`
+
+##### `tags`
+
+Data type: `Optional[Array[String[1]]]`
+
+Array of custom tags to apply to exported host keys
+
+Default value: `undef`
+
## Defined types
### `ssh::client::config::user`
diff --git a/data/common.yaml b/data/common.yaml
index 2c9556a4..fb168c64 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -23,9 +23,7 @@ ssh::server::service_name: 'svc:/network/ssh:default'
ssh::sftp_server_path: 'internal-sftp'
ssh::server::host_priv_key_group: 0
ssh::validate_sshd_file : false
-ssh::collect_enabled : true # Collect sshkey resources
ssh::server::issue_net : '/etc/issue.net'
-ssh::knownhosts::collect_enabled : true
ssh::server::default_options:
ChallengeResponseAuthentication: 'no'
diff --git a/manifests/client.pp b/manifests/client.pp
index dd450646..e29f9ce9 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -35,6 +35,9 @@
# @param match_block
# Add ssh match_block (with concat)
#
+# @param storeconfigs_group
+# Define the hostkeys tag to filter with
+#
class ssh::client (
Stdlib::Absolutepath $ssh_config,
Hash $default_options,
@@ -45,6 +48,7 @@
Boolean $use_augeas = false,
Array $options_absent = [],
Hash $match_block = {},
+ Optional[String[1]] $storeconfigs_group = undef,
) {
if $use_augeas {
$merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })
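Review bot: The parameter added on the `Optional[String[1]] $storeconfigs_group = undef,` line is used in the next hunk to build a tag name (`"hostkey_${storeconfigs_group}"`), yet its type admits any non-empty string. Puppet tag names are, as far as I remember, limited to alphanumerics plus `_`, `:`, `.` and `-`, so a group containing a space or a slash would presumably be rejected where the exported resources are tagged and could never match in the collector here; a narrower type such as `Optional[Pattern[/\A[a-z0-9_][a-z0-9_:.-]*\z/]]` surfaces that at compile time instead. The same parameter is declared in `ssh::server` in this commit and should carry the same type so both ends agree. The class body continues past the hunk.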
@@ -55,14 +59,16 @@
contain ssh::client::install
contain ssh::client::config
- # Provide option to *not* use storeconfigs/puppetdb, which means not managing
- # hostkeys and knownhosts
+ # Provide option to *not* use storeconfigs/puppetdb, which means not collecting host keys into knownhosts
if ($storeconfigs_enabled) {
- contain ssh::knownhosts
-
Class['ssh::client::install']
-> Class['ssh::client::config']
- -> Class['ssh::knownhosts']
+
+ if $storeconfigs_group {
+ Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>>
+ } else {
+ Sshkey <<| |>>
+ }
} else {
Class['ssh::client::install']
-> Class['ssh::client::config']
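Review bot: Moving the collector into `ssh::client` drops the ordering that the removed `-> Class['ssh::knownhosts']` line used to provide: the collected `Sshkey` resources now have no relationship to `Class['ssh::client::config']`, so known-hosts entries may be applied before the client configuration is in place. If that ordering is still wanted, the collector can take the chain directly in each branch, e.g. `Class['ssh::client::config'] -> Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>>` and `Class['ssh::client::config'] -> Sshkey <<| |>>`. The if/else that begins at `if ($storeconfigs_enabled) {` closes outside the hunk.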
diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp
index 5839c1b8..cedef4c4 100644
--- a/manifests/hostkeys.pp
+++ b/manifests/hostkeys.pp
@@ -1,5 +1,5 @@
# @summary
-# This class manages hostkeys
+# This class manages hostkeys. It is intended to be called from `ssh::server`.
#
# @param export_ipaddresses
# Whether ip addresses should be added as aliases
@@ -26,25 +26,25 @@
# Array of custom tags
#
class ssh::hostkeys (
- Boolean $export_ipaddresses = true,
- Optional[String[1]] $storeconfigs_group = undef,
- Array $extra_aliases = [],
- Array $exclude_interfaces = [],
- Array $exclude_interfaces_re = [],
- Array $exclude_ipaddresses = [],
- Boolean $use_trusted_facts = false,
- Optional[Array[String[1]]] $tags = undef,
+ Boolean $export_ipaddresses = $ssh::server::export_ipaddresses,
+ Optional[String[1]] $storeconfigs_group = $ssh::server::storeconfigs_group,
+ Array $extra_aliases = $ssh::server::extra_aliases,
+ Array $exclude_interfaces = $ssh::server::exclude_interfaces,
+ Array $exclude_interfaces_re = $ssh::server::exclude_interfaces_re,
+ Array $exclude_ipaddresses = $ssh::server::exclude_ipaddresses,
+ Boolean $use_trusted_facts = $ssh::server::use_trusted_facts,
+ Optional[Array[String[1]]] $tags = $ssh::server::tags,
) {
if $use_trusted_facts {
$fqdn_real = $trusted['certname']
$hostname_real = $trusted['hostname']
} else {
- # stick to legacy facts for older versions of facter
+ # stick to normal facts
$fqdn_real = $facts['networking']['fqdn']
$hostname_real = $facts['networking']['hostname']
}
- if $export_ipaddresses == true {
+ if $export_ipaddresses {
$ipaddresses = ssh::ipaddresses($exclude_interfaces, $exclude_interfaces_re)
$ipaddresses_real = $ipaddresses - $exclude_ipaddresses
$host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases, $ipaddresses_real])))
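Review bot: The new defaults on the `Boolean $export_ipaddresses = $ssh::server::export_ipaddresses,` line and the seven that follow resolve to undef when `ssh::hostkeys` is declared without `ssh::server` having been evaluated first, so such a declaration now fails with a type mismatch ("expects a Boolean value, got Undef") or, under strict_variables, probably an unknown-variable error, neither of which names the missing prerequisite. Since the summary says the class is intended to be called from `ssh::server` while REFERENCE.md still lists it under the public classes, consider adding `# @api private` to the header comment so the generated docs move it under "Private Classes", and stating in the summary that `ssh::server` must be declared first. The class body continues past the hunk.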
@@ -63,12 +63,10 @@
}
['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| {
- # can be removed as soon as we drop support for puppet 4
- # see https://tickets.puppetlabs.com/browse/FACT-1377?jql=project%20%3D%20FACT%20AND%20fixVersion%20%3D%20%22FACT%203.12.0%22
- if $key_type == 'ecdsa' {
- $key_type_real = 'ecdsa-sha2-nistp256'
- } else {
- $key_type_real = $key_type
+ # adjustment for ecdsa using a diff file name from key type
+ $key_type_real = $key_type ? {
+ 'ecdsa' => 'ecdsa-sha2-nistp256',
+ default => $key_type,
}
if $key_type in $facts['ssh'] {
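Review bot: The comment `# adjustment for ecdsa using a diff file name from key type` is ambiguous, since `diff` reads as the tool and "from key type" hides what actually differs. Something like `# the ecdsa host key file is named after the full algorithm (ecdsa-sha2-nistp256), not the short key type` says the same thing unambiguously; the selector itself is a welcome simplification over the removed if/else. The `each` body continues past the hunk.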
diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp
deleted file mode 100644
index 3cd113e1..00000000
--- a/manifests/knownhosts.pp
+++ /dev/null
@@ -1,21 +0,0 @@
-# @summary
-# This class manages knownhosts if collection is enabled.
-#
-# @param collect_enabled
-# Enable collection
-#
-# @param storeconfigs_group
-# Define the hostkeys group storage
-#
-class ssh::knownhosts (
- Boolean $collect_enabled = $ssh::knownhosts::collect_enabled,
- Optional[String[1]] $storeconfigs_group = undef,
-) {
- if ($collect_enabled) {
- if $storeconfigs_group {
- Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>>
- } else {
- Sshkey <<| |>>
- }
- }
-}
diff --git a/manifests/server.pp b/manifests/server.pp
index d598c1c1..afbf0c94 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,5 +1,5 @@
# @summary
-# This class managed ssh server
+# This class manages the ssh server and related resources, including host keys.
#
# @example Puppet usage
# class { 'ssh::server':
@@ -71,6 +71,30 @@
# @param server_package_name
# Name of the server package to install
#
+# @param export_ipaddresses
+# Whether IP addresses should be added as aliases for host keys
+#
+# @param storeconfigs_group
+# Tag host keys with this group to allow segregation
+#
+# @param extra_aliases
+# Additional aliases to set for host keys
+#
+# @param exclude_interfaces
+# List of interfaces to exclude when collecting IPs for host keys
+#
+# @param exclude_interfaces_re
+# List of regular expressions to exclude interfaces
+#
+# @param exclude_ipaddresses
+# List of IP addresses to exclude from host key aliases
+#
+# @param use_trusted_facts
+# Whether to use trusted facts instead of legacy facts
+#
+# @param tags
+# Array of custom tags to apply to exported host keys
+#
class ssh::server (
String[1] $service_name,
Stdlib::Absolutepath $sshd_config,
@@ -93,6 +117,15 @@
Boolean $use_issue_net = false,
Optional[Stdlib::Absolutepath] $sshd_environments_file = undef,
Optional[String[1]] $server_package_name = undef,
+ # Host key management (used by ssh::hostkeys)
+ Boolean $export_ipaddresses = true,
+ Optional[String[1]] $storeconfigs_group = undef,
+ Array $extra_aliases = [],
+ Array $exclude_interfaces = [],
+ Array $exclude_interfaces_re = [],
+ Array $exclude_ipaddresses = [],
+ Boolean $use_trusted_facts = false,
+ Optional[Array[String[1]]] $tags = undef,
) {
if $use_augeas {
$merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::server::sshd_config })
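Review bot: The four list parameters added with the bare `Array` type (`$extra_aliases`, `$exclude_interfaces`, `$exclude_interfaces_re`, `$exclude_ipaddresses`) accept any element, so a Hiera mistake such as a nested list or a null element only fails later inside `ssh::hostkeys` with an error that does not name the parameter. Since the file already uses Stdlib types (`Stdlib::Absolutepath` a few lines above), `Array[String[1]]` for the first three and `Array[Stdlib::IP::Address]` for `$exclude_ipaddresses` would catch this at the class boundary, assuming `ssh::ipaddresses` takes the interface names and patterns as strings. The `# Host key management (used by ssh::hostkeys)` comment is helpful; consider extending it with `# these values are the defaults ssh::hostkeys picks up`. The class body continues past the hunk.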
@@ -104,17 +137,14 @@
contain ssh::server::config
contain ssh::server::service
- # Provide option to *not* use storeconfigs/puppetdb, which means not managing
- # hostkeys and knownhosts
- if ($storeconfigs_enabled) {
+ # Provide option to *not* use storeconfigs/puppetdb, which means not exporting hostkeys
+ if $storeconfigs_enabled {
contain ssh::hostkeys
- contain ssh::knownhosts
Class['ssh::server::install']
-> Class['ssh::server::config']
~> Class['ssh::server::service']
-> Class['ssh::hostkeys']
- -> Class['ssh::knownhosts']
} else {
Class['ssh::server::install']
-> Class['ssh::server::config']