
Commit 5a998cc

author
Jenkins CI
committed
Merge branch 'branches/rudder/8.3' into branches/rudder/9.0
2 parents 132f8b6 + 20752f4 commit 5a998cc

File tree

7 files changed

+1106
-0
lines changed


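--- a/maintained-techniques
+++ b/maintained-techniques
@@ -37,6 +37,7 @@ systemSettings/networking/firewall/1.0
 systemSettings/process/servicesManagement/3.0
 systemSettings/process/services/1.1
 systemSettings/remoteAccess/sshConfiguration/5.0
+systemSettings/remoteAccess/sshConfiguration/5.1
 systemSettings/remoteAccess/sshKeyDistribution/4.0
 systemSettings/security/fileAlterationMonitoring/2.2
 systemSettings/systemManagement/cronManagement/3.2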
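--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Normation SAS
+
+#
+# Configure the port numbers/listen addresses in the OpenSSH configuration file
+# The first argument is the name of parameter in the config file, second is the values (either a string or a slist)
+#
+bundle edit_line rudder_openssh_server_parameters_configuration(parameter_name, values)
+{
+vars:
+"entries" slist => maplist("${parameter_name} ${this}", "values");
+
+delete_lines:
+"${parameter_name}.*"
+delete_select => ncf_delete_if_not_in_list("@{this.entries}");
+
+insert_lines:
+"${entries}";
+}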
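Review bot: The `insert_lines` promise for `"${entries}"` carries no `location`, so the generated `Port`/`ListenAddress` lines are appended at the end of the managed file; if that sshd_config already ends with a `Match` block, the appended lines land inside it, and sshd refuses these directives within a `Match` block, which would turn a compliant edit into a service that fails to reload. Anchoring the insert at the top of the file (for example `location => start;` from the standard library) or before the first `Match` line avoids this. Separately, the `delete_lines` pattern `"${parameter_name}.*"` matches any directive whose keyword merely begins with the parameter name, which is harmless for the two parameters the header comment describes but worth stating in a comment for the next caller of this bundle.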
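--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,20 @@
+-- Jonathan CLARKE <jonathan.clarke@normation.com> Wed Feb 22 18:42:29 2012 +0100
+* Version 1.0
+** Initial version
+-- Matthieu CERDA <matthieu.cerda@normation.com> Thu Dec 20 17:46:24 2012 +0100
+* Version 2.0
+** Converted the OpenSSH server Technique to the new reporting format
+-- Nicolas Charles <nicolas.charles@normation.com> Thu Feb 14 16:01:25 2013 +0100
+* Version 3.0
+** Improves the uses of conventions in the ssh technique
+** Remove unused parameters
+-- Matthieu CERDA <matthieu.cerda@normation.com> Wed Sep 10 15:39:37 2014 +0200
+* Version 4.0
+** Support AIX
+** Support systemd
+-- Nicolas CHARLES <nicolas.charles@normation.com> Thu Jul 09 10:01:37 2015 +0200
+* Version 5.0
+** Add possibility to configure Listen Addresses
+-- Michel BOUISSOU <michel.bouissou@rudder.io> Thu Jun 06 17:36:00 2025 +0200
+* Version 5.1
+** Remove deprecated "Use privilege separation" parameter and feature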
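--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,232 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Normation SAS
+
+#####################################################################################
+# This Technique installs and configures OpenSSH. See metadata.xml for more details.
+#####################################################################################
+
+bundle agent rudder_openssh_server
+{
+vars:
+"rudder_openssh_server_service_name"
+string => "OpenSSH server";
+
+# Prefix for all the defined classes
+"rudder_class_prefix"
+string => "rudder_openssh_server";
+
+# This is the file to edit
+"rudder_openssh_server_config[sshd_config_file]"
+string => "&OPENSSH_SERVER_CONFFILE&";
+
+"rudder_openssh_server_config[sshd_config_ports]"
+slist => {&OPENSSH_SERVER_PORTS: { "&it&" };separator=", "&};
+
+"rudder_openssh_server_config[sshd_config_addresses]"
+slist => {&OPENSSH_SERVER_ADDRESSES: { "&it&" };separator=", "&};
+
+# This is the reporting information to be added
+"rudder_openssh_server_config[report]"
+string => "&TRACKINGKEY&";
+
+# Variable that holds if we want to edit ports
+"rudder_openssh_server_config[edit_ports]"
+string => "&OPENSSH_SERVER_PORTSEDIT&";
+
+# Variable that holds if we want to edit listening addresses
+"rudder_openssh_server_config[edit_addresses]"
+string => "&OPENSSH_SERVER_ADDRESSESEDIT&";
+
+# Class specific parameters
+rudder_openssh_server_address_family_edit::
+"rudder_openssh_server_config[config][AddressFamily]"
+string => "&OPENSSH_SERVER_ADDRESSFAMILY&";
+
+rudder_openssh_server_protocol_edit::
+"rudder_openssh_server_config[config][Protocol]"
+string => "&OPENSSH_SERVER_PROTOCOL&";
+
+rudder_openssh_server_max_sessions_edit::
+"rudder_openssh_server_config[config][MaxSessions]"
+string => "&OPENSSH_SERVER_MAXSESSIONS&";
+
+rudder_openssh_server_challenge_response_authentication_edit::
+"rudder_openssh_server_config[config][ChallengeResponseAuthentication]"
+string => "&OPENSSH_SERVER_CHALLENGERESPONSEAUTHENTICATION&";
+
+rudder_openssh_server_password_authentication_edit::
+"rudder_openssh_server_config[config][PasswordAuthentication]"
+string => "&OPENSSH_SERVER_PASSWORDAUTHENTICATION&";
+
+rudder_openssh_server_pubkey_authentication_edit::
+"rudder_openssh_server_config[config][PubkeyAuthentication]"
+string => "&OPENSSH_SERVER_PUBKEYAUTHENTICATION&";
+
+rudder_openssh_server_permit_empty_passwords_edit::
+"rudder_openssh_server_config[config][PermitEmptyPasswords]"
+string => "&OPENSSH_SERVER_PERMITEMPTYPASSWORDS&";
+
+rudder_openssh_server_permit_root_login_edit::
+"rudder_openssh_server_config[config][PermitRootLogin]"
+string => "&OPENSSH_SERVER_PERMITROOTLOGIN&";
+
+rudder_openssh_server_max_auth_tries_edit::
+"rudder_openssh_server_config[config][MaxAuthTries]"
+string => "&OPENSSH_SERVER_MAXAUTHTRIES&";
+
+rudder_openssh_server_login_grace_time_edit::
+"rudder_openssh_server_config[config][LoginGraceTime]"
+string => "&OPENSSH_SERVER_LOGINGRACETIME&";
+
+rudder_openssh_server_strict_modes_edit::
+"rudder_openssh_server_config[config][StrictModes]"
+string => "&OPENSSH_SERVER_STRICTMODES&";
+
+rudder_openssh_server_allow_agent_forwarding_edit::
+"rudder_openssh_server_config[config][AllowAgentForwarding]"
+string => "&OPENSSH_SERVER_ALLOWAGENTFORWARDING&";
+
+rudder_openssh_server_allow_tcp_forwarding_edit::
+"rudder_openssh_server_config[config][AllowTcpForwarding]"
+string => "&OPENSSH_SERVER_ALLOWTCPFORWARDING&";
+
+rudder_openssh_server_permit_tunnel_edit::
+"rudder_openssh_server_config[config][PermitTunnel]"
+string => "&OPENSSH_SERVER_PERMITTUNNEL&";
+
+rudder_openssh_server_permit_user_environment_edit::
+"rudder_openssh_server_config[config][PermitUserEnvironment]"
+string => "&OPENSSH_SERVER_PERMITUSERENVIRONMENT&";
+
+rudder_openssh_server_x11_forwarding_edit::
+"rudder_openssh_server_config[config][X11Forwarding]"
+string => "&OPENSSH_SERVER_X11FORWARDING&";
+
+rudder_openssh_server_print_lastlog_edit::
+"rudder_openssh_server_config[config][PrintLastLog]"
+string => "&OPENSSH_SERVER_PRINTLASTLOG&";
+
+rudder_openssh_server_printmotd_edit::
+"rudder_openssh_server_config[config][PrintMotd]"
+string => "&OPENSSH_SERVER_PRINTMOTD&";
+
+rudder_openssh_server_tcp_keepalive_edit::
+"rudder_openssh_server_config[config][TCPKeepAlive]"
+string => "&OPENSSH_SERVER_TCPKEEPALIVE&";
+
+rudder_openssh_server_log_level_edit::
+"rudder_openssh_server_config[config][LogLevel]"
+string => "&OPENSSH_SERVER_LOGLEVEL&";
+
+rudder_openssh_server_syslog_facility_edit::
+"rudder_openssh_server_config[config][SyslogFacility]"
+string => "&OPENSSH_SERVER_SYSLOGFACILITY&";
+
+classes:
+# AddressFamily edition ?
+"rudder_openssh_server_address_family_edit"
+not => strcmp("&OPENSSH_SERVER_ADDRESSFAMILY&","dontchange");
+
+# Protocol edition ?
+"rudder_openssh_server_protocol_edit"
+not => strcmp("&OPENSSH_SERVER_PROTOCOL&","dontchange");
+
+# MaxSessions edition ?
+"rudder_openssh_server_max_sessions_edit"
+not => strcmp("&OPENSSH_SERVER_MAXSESSIONS&","dontchange");
+
+# ChallengeResponseAuthentication edition ?
+"rudder_openssh_server_challenge_response_authentication_edit"
+not => strcmp("&OPENSSH_SERVER_CHALLENGERESPONSEAUTHENTICATION&","dontchange");
+
+# PasswordAuthentication edition ?
+"rudder_openssh_server_password_authentication_edit"
+not => strcmp("&OPENSSH_SERVER_PASSWORDAUTHENTICATION&","dontchange");
+
+# PubkeyAuthentication edition ?
+"rudder_openssh_server_pubkey_authentication_edit"
+not => strcmp("&OPENSSH_SERVER_PUBKEYAUTHENTICATION&","dontchange");
+
+# PermitEmptyPasswords edition ?
+"rudder_openssh_server_permit_empty_passwords_edit"
+not => strcmp("&OPENSSH_SERVER_PERMITEMPTYPASSWORDS&","dontchange");
+
+# PermitRootLogin edition ?
+"rudder_openssh_server_permit_root_login_edit"
+not => strcmp("&OPENSSH_SERVER_PERMITROOTLOGIN&","dontchange");
+
+# MaxAuthTries edition ?
+"rudder_openssh_server_max_auth_tries_edit"
+not => strcmp("&OPENSSH_SERVER_MAXAUTHTRIES&","dontchange");
+
+# LoginGraceTime edition ?
+"rudder_openssh_server_login_grace_time_edit"
+not => strcmp("&OPENSSH_SERVER_LOGINGRACETIME&","dontchange");
+
+# StrictModes edition ?
+"rudder_openssh_server_strict_modes_edit"
+not => strcmp("&OPENSSH_SERVER_STRICTMODES&","dontchange");
+
+# AllowAgentForwarding edition ?
+"rudder_openssh_server_allow_agent_forwarding_edit"
+not => strcmp("&OPENSSH_SERVER_ALLOWAGENTFORWARDING&","dontchange");
+
+# AllowTcpForwarding edition ?
+"rudder_openssh_server_allow_tcp_forwarding_edit"
+not => strcmp("&OPENSSH_SERVER_ALLOWTCPFORWARDING&","dontchange");
+
+# PermitTunnel edition ?
+"rudder_openssh_server_permit_tunnel_edit"
+not => strcmp("&OPENSSH_SERVER_PERMITTUNNEL&","dontchange");
+
+# PermitUserEnvironment edition ?
+"rudder_openssh_server_permit_user_environment_edit"
+not => strcmp("&OPENSSH_SERVER_PERMITUSERENVIRONMENT&","dontchange");
+
+# X11Forwarding edition ?
+"rudder_openssh_server_x11_forwarding_edit"
+not => strcmp("&OPENSSH_SERVER_X11FORWARDING&","dontchange");
+
+# PrintLastLog edition ?
+"rudder_openssh_server_print_lastlog_edit"
+not => strcmp("&OPENSSH_SERVER_PRINTLASTLOG&","dontchange");
+
+# PrintMotd edition ?
+"rudder_openssh_server_printmotd_edit"
+not => strcmp("&OPENSSH_SERVER_PRINTMOTD&","dontchange");
+
+# TCPKeepAlive edition ?
+"rudder_openssh_server_tcp_keepalive_edit"
+not => strcmp("&OPENSSH_SERVER_TCPKEEPALIVE&","dontchange");
+
+# LogLevel edition ?
+"rudder_openssh_server_log_level_edit"
+not => strcmp("&OPENSSH_SERVER_LOGLEVEL&","dontchange");
+
+# SyslogFacility edition ?
+"rudder_openssh_server_syslog_facility_edit"
+not => strcmp("&OPENSSH_SERVER_SYSLOGFACILITY&","dontchange");
+
+# Defines a class to describe we are at the second iteration
+# When iteration_2 is defined, it means all the variable are defined
+"iteration_2"
+expression => "iteration_1";
+
+"iteration_1"
+expression => "any";
+
+
+methods:
+# Note:
+# The reporting is made on separate bundles to abstract the complexity
+# inherent to the normal ordering.
+"any" usebundle => rudder_openssh_server_installation("${rudder_class_prefix}", "${rudder_openssh_server_service_name}", "rudder_openssh_server.rudder_openssh_server_config");
+"any" usebundle => rudder_openssh_server_installation_reporting("${rudder_class_prefix}", "${rudder_openssh_server_service_name}", "rudder_openssh_server.rudder_openssh_server_config");
+"any" usebundle => rudder_openssh_server_check_ssh_installation();
+"any" usebundle => rudder_openssh_server_check_ssh_installation_reporting("${rudder_class_prefix}", "${rudder_openssh_server_service_name}", "rudder_openssh_server.rudder_openssh_server_config");
+
+
+iteration_2::
+"any" usebundle => rudder_openssh_server_configuration("${rudder_class_prefix}", "${rudder_openssh_server_service_name}", "rudder_openssh_server.rudder_openssh_server_config");
+"any" usebundle => rudder_openssh_server_configuration_reporting("${rudder_class_prefix}", "${rudder_openssh_server_service_name}", "rudder_openssh_server.rudder_openssh_server_config");
+}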
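Review bot: The `Protocol` entry (`rudder_openssh_server_config[config][Protocol]` and its `rudder_openssh_server_protocol_edit` class) manages a directive that OpenSSH removed along with protocol 1 in 7.4; current sshd only accepts `Protocol` as an ignored, deprecated option, so on any recent target the value set here changes nothing while the edit itself will presumably still be reported as applied. `ChallengeResponseAuthentication` is in a similar position, having become an alias of `KbdInteractiveAuthentication` since OpenSSH 8.7, though it still works. Given that 5.1 already drops the deprecated privilege-separation parameter, a comment next to the `Protocol` vars entry such as `# Protocol is ignored by OpenSSH >= 7.4 (sshd only logs a deprecation warning); kept for older targets` would keep the technique's effective coverage honest for whoever reads the compliance reports. The bundle is fully contained in the hunk.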
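--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,56 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2021 Normation SAS
+
+###############################################################
+# Installs SSH, and checks whether it is started on boot or not.
+###############################################################
+
+bundle agent rudder_openssh_server_installation(class_prefix, service_name, params)
+{
+vars:
+linux.!SuSE::
+"rudder_openssh_server_package_name"
+string => "openssh-server";
+SuSE::
+"rudder_openssh_server_package_name"
+string => "openssh";
+
+any::
+"c_rudder_openssh_server_package_name" string => canonify("${rudder_openssh_server_package_name}");
+
+methods:
+linux::
+"any" usebundle => package_present("${rudder_openssh_server_package_name}", "", "", "");
+}
+
+bundle agent rudder_openssh_server_installation_reporting(class_prefix, service_name, params)
+{
+methods:
+"any" usebundle => rudder_common_reports_generic("${service_name}", "package_present_${rudder_openssh_server_installation.c_rudder_openssh_server_package_name}", "${${params}[report]}", "SSH installation", "None", "The ${service_name} package installation");
+
+!linux::
+"any" usebundle => rudder_common_report("${service_name}", "result_success", "${${params}[report]}", "SSH installation", "None", "Support to check if ${service_name} is installed not available on this platform");
+
+}
+
+# This bundle is common because it defines a class that we reuse in the configuration part,
+# when configuring the service, to not configure the service if the binary is not there
+bundle common rudder_openssh_server_check_ssh_installation
+{
+classes:
+# Security : if not there, SSH too, so do not bother anymore
+# I cannot use the class_prefix in the class definition, because it is a bundle common
+# and for some reason, CFEngine complains about it not being canonified
+"rudder_openssh_server_binary_present"
+expression => fileexists("/usr/sbin/sshd");
+}
+
+bundle agent rudder_openssh_server_check_ssh_installation_reporting(class_prefix, service_name, params)
+{
+methods:
+# Make a report about the lack of proper sshd binary
+"any"
+usebundle => rudder_common_report("${service_name}", "result_error", "${${params}[report]}", "SSH installation", "None", "The ${service_name} is not installed, although it should have been"),
+ifvarclass => "!${class_prefix}_binary_present";
+}
+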
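Review bot: `rudder_openssh_server_check_ssh_installation` takes `fileexists("/usr/sbin/sshd")` as the only evidence that the server is installed, while the package names a few lines above already vary by platform and the changelog in this commit advertises AIX support; on a target whose sshd binary lives elsewhere, the `!${class_prefix}_binary_present` guard in the reporting bundle would emit `result_error` even though the package is present, and the configuration part gated on that class would be skipped. A comment stating the assumption, or a promise that checks a short list of candidate paths, would make the behaviour explicit. The comment `# Security : if not there, SSH too, so do not bother anymore` is hard to read; suggest `# If the sshd binary is missing there is nothing to configure, so the configuration bundles are skipped`. Note also that the `!linux::` branch of `rudder_openssh_server_installation_reporting` reports `result_success` for "SSH installation" without having checked anything, which the message text acknowledges but the status does not.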