=======
OpenSSH
=======

OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.

Sample pillar
=============

OpenSSH client
--------------

OpenSSH client with shared private key

.. code-block:: yaml

    openssh:
      client:
        enabled: true
        user:
          root:
            enabled: true
            private_key:
              type: rsa
              key: ${_param:root_private_key}
            user: ${linux:system:user:root}

OpenSSH client with individual private key and known host

.. code-block:: yaml

    openssh:
      client:
        enabled: true
        user:
          root:
            enabled: true
            user: ${linux:system:user:root}
            known_hosts:
            - name: repo.domain.com
              type: rsa
              fingerprint: dd:fa:e8:68:b1:ea:ea:a0:63:f1:5a:55:48:e1:7e:37
              fingerprint_hash_type: sha256|md5
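
A ``known_hosts`` entry is only as good as the fingerprint pinned in it. The following added example (not part of this formula) shows how the ``md5`` and ``sha256`` forms selected by ``fingerprint_hash_type`` are derived from a host key blob, and how a pillar entry can be checked against the key a host actually presents; the key blob, ``SAMPLE_PUBKEY_LINE`` and the helper names are constructed for illustration, and treating ``md5`` as the default hash type is an assumption.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (a leading zero byte keeps the sign bit clear)."""
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

# Constructed ssh-rsa key blob (type name, exponent e, modulus n) in SSH wire format.
# The modulus is a short dummy value, not a real key: only the encoding matters here.
SAMPLE_KEY_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567890ABCDEF)
# The same key as it would appear in a public key file or in `ssh-keyscan` output.
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_KEY_BLOB).decode() + " repo.domain.com"

def blob_from_pubkey_line(line: str) -> bytes:
    """Extract the raw key blob from a 'type base64 [comment]' public key line."""
    return base64.b64decode(line.split()[1])

def fingerprint(blob: bytes, hash_type: str) -> str:
    """Return the key fingerprint in the form OpenSSH prints for the given hash type."""
    if hash_type == "md5":
        # Colon-separated hex, as in the pillar example above.
        return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    if hash_type == "sha256":
        # Unpadded base64, as printed after the "SHA256:" prefix.
        return base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    raise ValueError(f"unsupported fingerprint_hash_type: {hash_type}")

def matches_known_host(entry: dict, blob: bytes) -> bool:
    """Check a pillar known_hosts entry against the key blob a host actually presents."""
    hash_type = entry.get("fingerprint_hash_type", "md5")  # assumed default: md5
    expected = entry["fingerprint"].strip()
    for prefix in ("SHA256:", "MD5:"):  # tolerate the prefixes ssh-keygen -l prints
        if expected.startswith(prefix):
            expected = expected[len(prefix):]
    expected = expected.rstrip("=") if hash_type == "sha256" else expected.lower()
    return fingerprint(blob, hash_type) == expected
```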

Configure keep alive settings:

.. code-block:: yaml

    openssh:
      client:
        alive:
          interval: 600
          count: 3

OpenSSH server
--------------

OpenSSH server with configuration parameters

.. code-block:: yaml

    openssh:
      server:
        enabled: true
        permit_root_login: true
        public_key_auth: true
        password_auth: true
        host_auth: true
        banner: Welcome to server!
        bind:
          address: 0.0.0.0
          port: 22

OpenSSH server with auth keys for users.
Parameter ``purge`` will ensure exact authorized_keys contents, so undefined
keys will be removed.

.. code-block:: yaml

    openssh:
      server:
        enabled: true
        bind:
          address: 0.0.0.0
          port: 22
        ...
        user:
          newt:
            enabled: true
            user: ${linux:system:user:newt}
            public_keys:
            - ${public_keys:newt}
          root:
            enabled: true
            purge: true
            user: ${linux:system:user:root}
            public_keys:
            - ${public_keys:newt}

You can also bind openssh on multiple addresses and ports:

.. code-block:: yaml

    openssh:
      server:
        enabled: true
        binds:
        - address: 127.0.0.1
          port: 22
        - address: 192.168.1.1
          port: 2222

OpenSSH server for use with FreeIPA

.. code-block:: yaml

    openssh:
      server:
        enabled: true
        bind:
          address: 0.0.0.0
          port: 22
        public_key_auth: true
        authorized_keys_command:
          command: /usr/bin/sss_ssh_authorizedkeys
          user: nobody

Configure keep alive settings:

.. code-block:: yaml

    openssh:
      server:
        alive:
          keep: yes
          interval: 600
          count: 3
          #
          # will give you a timeout of 30 minutes (600 sec x 3)

Enable DSA legacy keys:

.. code-block:: yaml

    openssh:
      server:
        dss_enabled: true

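The server keys shown above (``permit_root_login``, ``password_auth``, ``dss_enabled``, ``purge``, ``authorized_keys_command`` and ``alive``) are the ones worth reviewing before a pillar is applied. As an added example that is not part of this formula, the following Python audits a rendered pillar dict and reports weak settings; ``SAMPLE_PILLAR`` and ``audit_server_pillar`` are constructed here, and the pillar is the dict Salt produces from YAML like the examples above.

```python
# Constructed pillar: the dict Salt produces after rendering YAML like the server
# examples above, merged into one. Values are chosen to trigger several checks.
SAMPLE_PILLAR = {
    "openssh": {
        "server": {
            "enabled": True,
            "permit_root_login": True,
            "public_key_auth": True,
            "password_auth": True,
            "dss_enabled": True,
            "bind": {"address": "0.0.0.0", "port": 22},
            "alive": {"keep": True, "interval": 600, "count": 3},
            "authorized_keys_command": {"command": "/usr/bin/sss_ssh_authorizedkeys", "user": "nobody"},
            "user": {
                "newt": {"enabled": True, "purge": True, "public_keys": ["ssh-rsa PLACEHOLDER newt"]},
                "root": {"enabled": True, "public_keys": ["ssh-rsa PLACEHOLDER root"]},
            },
        }
    }
}

def audit_server_pillar(pillar: dict) -> list:
    """Return (severity, message) findings for the openssh:server part of a pillar."""
    srv = pillar.get("openssh", {}).get("server", {})
    findings = []
    if srv.get("permit_root_login"):
        findings.append(("high", "permit_root_login: root may log in directly; prefer sudo from a named user"))
    if srv.get("password_auth"):
        findings.append(("high", "password_auth: passwords can be guessed online; rely on public_key_auth"))
    if srv.get("dss_enabled"):
        findings.append(("medium", "dss_enabled: DSA keys are 1024-bit legacy keys, off by default since OpenSSH 7.0"))
    cmd = srv.get("authorized_keys_command")
    if cmd and cmd.get("user") in (None, "root"):
        # sshd needs AuthorizedKeysCommandUser; it should never be root.
        findings.append(("medium", "authorized_keys_command: run it as an unprivileged user such as nobody"))
    for name, user in srv.get("user", {}).items():
        if user.get("enabled") and not user.get("purge"):
            findings.append(("low", f"user {name}: purge not set, keys removed from pillar stay in authorized_keys"))
    alive = srv.get("alive", {})
    if alive.get("keep"):
        timeout = alive.get("interval", 0) * alive.get("count", 0)
        findings.append(("info", f"alive: unresponsive sessions are dropped after {timeout} seconds"))
    return findings
```
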
Read more
=========

* http://www.openssh.org/manual.html
* https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
* http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
* http://www.zeitoun.net/articles/ssh-through-http-proxy/start

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
formula:

    https://github.com/salt-formulas/salt-formula-openssh/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-openssh

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net