cfauth
Configures system access security (users, public keys, SSH daemon and firewall)
Version information
released Feb 11th 2016
This version is compatible with:
- Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >=4.0.0 <5.0.0
Start using this module
Add this module to your Puppetfile:
mod 'codingfuture-cfauth', '0.9.0'
codingfuture/cfauth — version 0.9.0 Feb 11th 2016
cfauth
Description
Generic configuration of system security:
- Update SSH config and strip unused features
- Enable only SSHv2 public key authentication
- Enable SSH login only for members of the ssh_access group
- Create special user for admin access
- Setup encrypted admin password
- Setup sudoers
- Configure firewall for SSH access only from whitelisted hosts
Setup
If r10k is used, make sure to have the following lines in Puppetfile until RK-3 is solved:
mod 'puppetlabs/stdlib', '4.11.0'
mod 'codingfuture/cfnetwork'
# make sure you check dependencies of dependencies too.
Implicit resources created
cfnetwork::describe_services:
cfssh:
server: prefix(any2array($cfauth::sshd_ports), 'tcp/')
cfnetwork::service_ports:
'any:cfssh:cfauth':
src: $cfauth::admin_hosts
cfauth parameters
- admin_auth_keys - mandatory list of allowed SSH public keys, in a format suitable for `create_resources(ssh_authorized_key, $admin_auth_keys, { user => $admin_user, type => 'ssh-rsa' })`.
- admin_user = 'adminaccess' - setup non-root user for SSH access capable of sudo
- admin_password = undef - encrypted password for root and $admin_user, if set. Note: use the following command for generation: mkpasswd -m sha-512
- admin_hosts = undef - passed as src parameter to cfnetwork::service_port
- sudo_no_password_all = false - allow sudo for $admin_user without password. See below.
- sudo_no_password_commands = undef - optional list of commands which are allowed to run without password
- sshd_ports = '22'
- sshd_config_template = 'cfauth/sshd_config.epp'
sudo_no_password_all purpose
Enabling it is useful for bulk administration of less privileged VMs.
Even if password is required, the following commands can be run without password:
- /opt/puppetlabs/puppet/bin/puppet agent --test - deploy puppet
- /usr/bin/apt-get update - update apt repository metadata
- /usr/bin/apt-get dist-upgrade * - run system upgrade with optional parameter, like -s (for simulation) and -y (for install)
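The following site profile is an added example of declaring cfauth with the parameters listed above, including the sudo_no_password_* settings; it is not code from the module or its author. The class name profile::access, the key material, the host addresses and the password hash are constructed placeholders, and the array form of sudo_no_password_commands is an assumption based on the "list of commands" wording above.

```puppet
# Added example: a site profile that declares the cfauth class with the
# documented parameters. Not part of the cfauth module; all key material,
# addresses and the password hash are constructed placeholders.
class profile::access {
    # Each entry becomes one ssh_authorized_key resource for $admin_user via
    # create_resources(). cfauth supplies user and type (ssh-rsa), so only
    # 'key' is required per entry. 'options' is a standard ssh_authorized_key
    # attribute and is used here to limit what each key may do once logged in.
    $admin_keys = {
        'alice@laptop' => {
            'key'     => 'AAAAB3NzaC1yc2EAAAADAQABAAAB...PLACEHOLDER',
            'options' => ['no-agent-forwarding', 'no-X11-forwarding'],
        },
        'deploy@ci-runner' => {
            'key'     => 'AAAAB3NzaC1yc2EAAAADAQABAAAB...PLACEHOLDER',
            'options' => ['no-pty', 'no-port-forwarding'],
        },
    }

    class { 'cfauth':
        admin_auth_keys => $admin_keys,
        admin_user      => 'adminaccess',
        # Placeholder for the output of: mkpasswd -m sha-512
        # (single quotes keep Puppet from interpolating the $6$ prefix)
        admin_password  => '$6$PLACEHOLDERSALT$PLACEHOLDERHASH',
        # Only these sources may reach the cfssh service; cfauth forwards the
        # list as 'src' to cfnetwork::service_port for 'any:cfssh:cfauth'.
        admin_hosts     => ['192.0.2.0/24', '198.51.100.10'],
        # Keep the password prompt for general sudo. The puppet agent and
        # apt-get commands listed above stay password-free regardless; this
        # adds one extra read-only command (array format is an assumption).
        sudo_no_password_all      => false,
        sudo_no_password_commands => [
            '/usr/bin/systemctl status *',
        ],
        sshd_ports      => '22',
    }
}
```

Keeping sudo_no_password_all at false and listing individual commands means a compromised admin key still has to present the password for anything outside the whitelisted maintenance commands, while the per-key options reduce what a forwarded agent or pty can be used for on the host.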
Change Log
All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
[0.9.0]
Initial release
Dependencies
- puppetlabs-stdlib (>= 4.11.0)
- codingfuture-cfnetwork (>= 0.9.0)