| Filip Pytloun | a6d4a78 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 1 | ======= |
| 2 | OpenSSH |
| 3 | ======= |
| 4 | |
| 5 | OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. |
| 6 | |
| 7 | Sample pillar |
| 8 | ============= |
| 9 | |
| 10 | OpenSSH client |
| 11 | -------------- |
| 12 | |
| 13 | OpenSSH client with shared private key |
| 14 | |
| 15 | .. code-block:: yaml |
| 16 | |
| 17 | openssh: |
| 18 | client: |
| 19 | enabled: true |
| 20 | user: |
| 21 | root: |
| 22 | enabled: true |
| 23 | private_key: ${private_keys:vaio.newt.cz} |
| 24 | user: ${linux:system:user:root} |
| 25 | |
| 26 | OpenSSH client with individual private key and known host |
| 27 | |
| 28 | .. code-block:: yaml |
| 29 | |
| 30 | openssh: |
| 31 | client: |
| 32 | enabled: true |
| 33 | user: |
| 34 | root: |
| 35 | enabled: true |
| 36 | user: ${linux:system:user:root} |
| 37 | known_hosts: |
| 38 | - name: repo.domain.com |
| 39 | type: rsa |
| 40 | fingerprint: dd:fa:e8:68:b1:ea:ea:a0:63:f1:5a:55:48:e1:7e:37 |
| 41 | |
| 42 | OpenSSH server |
| 43 | -------------- |
| 44 | |
| 45 | OpenSSH server with configuration parameters |
| 46 | |
| 47 | .. code-block:: yaml |
| 48 | |
| 49 | openssh: |
| 50 | server: |
| 51 | enabled: true |
| 52 | permit_root_login: true |
| 53 | public_key_auth: true |
| 54 | password_auth: true |
| 55 | host_auth: true |
| 56 | banner: Welcome to server! |
| Jiri Konecny | 2a27423 | 2016-02-16 15:49:35 +0100 | [diff] [blame] | 57 | bind: |
| 58 | address: 0.0.0.0 |
| Jiri Konecny | df55053 | 2016-02-17 11:48:47 +0100 | [diff] [blame] | 59 | port: 22 |
| Filip Pytloun | a6d4a78 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 60 | |
| Filip Pytloun | 2d3c803 | 2016-03-11 16:40:20 +0100 | [diff] [blame] | 61 | OpenSSH server with auth keys for users. |
| 62 | Parameter ``purge`` will ensure exact authorized_keys contents co undefined |
| 63 | keys will be removed. |
| Filip Pytloun | a6d4a78 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 64 | |
| 65 | .. code-block:: yaml |
| 66 | |
| 67 | openssh: |
| 68 | server: |
| 69 | enabled: true |
| Jiri Konecny | 2a27423 | 2016-02-16 15:49:35 +0100 | [diff] [blame] | 70 | bind: |
| 71 | address: 0.0.0.0 |
| Jiri Konecny | df55053 | 2016-02-17 11:48:47 +0100 | [diff] [blame] | 72 | port: 22 |
| Filip Pytloun | a6d4a78 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 73 | ... |
| 74 | user: |
| 75 | newt: |
| 76 | enabled: true |
| 77 | user: ${linux:system:user:newt} |
| 78 | public_keys: |
| 79 | - ${public_keys:newt} |
| 80 | root: |
| 81 | enabled: true |
| Filip Pytloun | 2d3c803 | 2016-03-11 16:40:20 +0100 | [diff] [blame] | 82 | purge: true |
| Filip Pytloun | a6d4a78 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 83 | user: ${linux:system:user:root} |
| 84 | public_keys: |
| 85 | - ${public_keys:newt} |
| 86 | |
| Filip Pytloun | a12db4a | 2016-12-02 13:21:02 +0100 | [diff] [blame] | 87 | You can also bind openssh on multiple addresses and ports: |
| 88 | |
| 89 | .. code-block:: yaml |
| 90 | |
| 91 | openssh: |
| 92 | server: |
| 93 | enabled: true |
| 94 | binds: |
| 95 | - address: 127.0.0.1 |
| 96 | port: 22 |
| 97 | - address: 192.168.1.1 |
| 98 | port: 2222 |
| 99 | |
| Filip Pytloun | daf8f98 | 2015-12-16 11:55:34 +0100 | [diff] [blame] | 100 | OpenSSH server for use with FreeIPA |
| 101 | |
| 102 | .. code-block:: yaml |
| 103 | |
| 104 | openssh: |
| 105 | server: |
| 106 | enabled: true |
| Jiri Konecny | 2a27423 | 2016-02-16 15:49:35 +0100 | [diff] [blame] | 107 | bind: |
| 108 | address: 0.0.0.0 |
| Jiri Konecny | df55053 | 2016-02-17 11:48:47 +0100 | [diff] [blame] | 109 | port: 22 |
| Filip Pytloun | daf8f98 | 2015-12-16 11:55:34 +0100 | [diff] [blame] | 110 | public_key_auth: true |
| 111 | authorized_keys_command: |
| 112 | command: /usr/bin/sss_ssh_authorizedkeys |
| 113 | user: nobody |
| 114 | |
| Filip Pytloun | a6d4a78 | 2015-10-06 16:28:32 +0200 | [diff] [blame] | 115 | Read more |
| 116 | ========= |
| 117 | |
| 118 | * http://www.openssh.org/manual.html |
| 119 | * https://help.ubuntu.com/community/SSH/OpenSSH/Configuring |
| 120 | * http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html |
| 121 | * http://www.zeitoun.net/articles/ssh-through-http-proxy/start |
| Filip Pytloun | 0e13906 | 2017-02-02 13:02:03 +0100 | [diff] [blame^] | 122 | |
| 123 | Documentation and Bugs |
| 124 | ====================== |
| 125 | |
| 126 | To learn how to install and update salt-formulas, consult the documentation |
| 127 | available online at: |
| 128 | |
| 129 | http://salt-formulas.readthedocs.io/ |
| 130 | |
| 131 | In the unfortunate event that bugs are discovered, they should be reported to |
| 132 | the appropriate issue tracker. Use Github issue tracker for specific salt |
| 133 | formula: |
| 134 | |
| 135 | https://github.com/salt-formulas/salt-formula-openssh/issues |
| 136 | |
| 137 | For feature requests, bug reports or blueprints affecting entire ecosystem, |
| 138 | use Launchpad salt-formulas project: |
| 139 | |
| 140 | https://launchpad.net/salt-formulas |
| 141 | |
| 142 | You can also join salt-formulas-users team and subscribe to mailing list: |
| 143 | |
| 144 | https://launchpad.net/~salt-formulas-users |
| 145 | |
| 146 | Developers wishing to work on the salt-formulas projects should always base |
| 147 | their work on master branch and submit pull request against specific formula. |
| 148 | |
| 149 | https://github.com/salt-formulas/salt-formula-openssh |
| 150 | |
| 151 | Any questions or feedback is always welcome so feel free to join our IRC |
| 152 | channel: |
| 153 | |
| 154 | #salt-formulas @ irc.freenode.net |