=======
OpenSSH
=======

OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.

Sample pillar
=============

OpenSSH client
--------------

OpenSSH client with a shared private key:

.. code-block:: yaml

    openssh:
      client:
        enabled: true
        use_dns: False
        user:
          root:
            enabled: true
            private_key:
              type: rsa
              key: ${_param:root_private_key}
            user: ${linux:system:user:root}

OpenSSH client with an individual private key and a known host:

.. code-block:: yaml

    openssh:
      client:
        enabled: true
        user:
          root:
            enabled: true
            user: ${linux:system:user:root}
            known_hosts:
            - name: repo.domain.com
              type: rsa
              fingerprint: dd:fa:e8:68:b1:ea:ea:a0:63:f1:5a:55:48:e1:7e:37
              fingerprint_hash_type: sha256|md5

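The ``fingerprint`` of a ``known_hosts`` entry is what protects the client against a substituted host key on first connection, so it should be derived from a key obtained out of band (for example the output of ``ssh-keyscan`` run on the host itself, or the value its administrator reports) rather than copied from whatever ``ssh`` prints. The following Python script is an added example and is not part of this formula or of Salt: it computes the colon-separated hex form used by the ``fingerprint`` field above for either ``fingerprint_hash_type``, the ``ssh-keygen -l`` notation for cross-checking, and compares a scanned key line against one pillar entry. The sample key line, the function names and the default hash type are constructed for the example; that Salt compares the colon-hex form for ``sha256`` as well as ``md5`` is an assumption to verify against the ssh module of your Salt version.

```python
import base64
import hashlib
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample host key (NOT a real key). An ssh-ed25519 public key blob
# is the string "ssh-ed25519" followed by a 32-byte point, so a fixed 32-byte
# value yields a structurally valid blob that keeps the example offline. In
# practice the line comes from `ssh-keyscan -t ed25519 repo.domain.com`.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " repo.domain.com"


def _key_blob(pubkey_line: str) -> Tuple[str, bytes]:
    """Split '<type> <base64 blob> [comment]' and return (type, decoded blob).
    Both ssh-keygen and Salt hash the decoded blob, never the base64 text."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    return fields[0], base64.b64decode(fields[1], validate=True)


def fingerprint_hex(pubkey_line: str, hash_type: str = "sha256") -> str:
    """Colon-separated hex digest, the form the pillar's ``fingerprint`` field
    uses (dd:fa:e8:...). Assumption: Salt compares this form for sha256 as
    well as md5; check the ssh module of the Salt version you run."""
    if hash_type not in ("md5", "sha256"):
        raise ValueError(f"unsupported fingerprint_hash_type: {hash_type}")
    _, blob = _key_blob(pubkey_line)
    digest = hashlib.new(hash_type, blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_keygen(pubkey_line: str, hash_type: str = "sha256") -> str:
    """The same digest in the notation printed by ``ssh-keygen -l -E <hash_type>``:
    'MD5:dd:fa:...' or 'SHA256:<base64 without padding>', for cross-checking
    against what the host's administrator reports."""
    if hash_type == "md5":
        return "MD5:" + fingerprint_hex(pubkey_line, "md5")
    if hash_type == "sha256":
        _, blob = _key_blob(pubkey_line)
        b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        return "SHA256:" + b64.rstrip("=")
    raise ValueError(f"unsupported fingerprint_hash_type: {hash_type}")


def matches_pillar_entry(pubkey_line: str, entry: dict) -> bool:
    """True if a scanned key line is the host key the pillar's known_hosts
    item pins: the key type must agree with ``type`` (rsa -> ssh-rsa,
    ecdsa -> ecdsa-sha2-*) and the digest named by ``fingerprint_hash_type``
    must equal ``fingerprint``. Defaulting to sha256 is an assumption."""
    key_type, _ = _key_blob(pubkey_line)
    wanted_type = entry["type"]
    if key_type not in (wanted_type, "ssh-" + wanted_type) and not key_type.startswith(wanted_type + "-"):
        return False
    hash_type = entry.get("fingerprint_hash_type", "sha256")
    return fingerprint_hex(pubkey_line, hash_type) == entry["fingerprint"].lower()


if __name__ == "__main__":
    # Print both notations so the value can be pasted into pillar and compared
    # with the ssh-keygen output of the host's administrator.
    print(fingerprint_keygen(SAMPLE_KEY_LINE, "sha256"))
    print("fingerprint:", fingerprint_hex(SAMPLE_KEY_LINE, "sha256"))
```

Run it against a real ``ssh-keyscan`` line to obtain the value for the ``fingerprint`` field; a mismatch from ``matches_pillar_entry`` after the host was re-provisioned is expected, while a mismatch for an unchanged host is the case the pinning exists to catch.
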
Configure keep alive settings:

.. code-block:: yaml

    openssh:
      client:
        alive:
          interval: 600
          count: 3

OpenSSH server
--------------

OpenSSH server with configuration parameters:

.. code-block:: yaml

    openssh:
      server:
        enabled: true
        permit_root_login: true
        public_key_auth: true
        password_auth: true
        host_auth: true
        banner: Welcome to server!
        bind:
          address: 0.0.0.0
          port: 22

OpenSSH server with auth keys for users.
The ``purge`` parameter ensures the authorized_keys file contains exactly the
listed keys, so any keys not defined in the pillar are removed.

.. code-block:: yaml

    openssh:
      server:
        enabled: true
        bind:
          address: 0.0.0.0
          port: 22
        ...
        user:
          newt:
            enabled: true
            user: ${linux:system:user:newt}
            public_keys:
            - ${public_keys:newt}
          root:
            enabled: true
            purge: true
            user: ${linux:system:user:root}
            public_keys:
            - ${public_keys:newt}

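To see what ``purge`` changes, here is an added Python example, not the formula's own implementation: it reconciles an existing ``authorized_keys`` file with the keys declared in pillar both with and without ``purge``, and lists the keys that only ``purge: true`` would remove, which is a useful audit to run before enabling it on a long-lived host. The file contents, key blobs and function names are constructed for the example and the blobs do not decode to real keys.

```python
from typing import Iterable, List, Optional, Tuple

# Constructed sample of what is already in /root/.ssh/authorized_keys. The
# base64 blobs are placeholders, not real keys. The last line is a key that no
# pillar entry declares, e.g. one left behind by a former administrator.
EXISTING_AUTHORIZED_KEYS = """\
# managed keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNEWTKEY newt@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDEROLDADMIN old-admin@laptop
"""

# Constructed stand-in for what the pillar declares for root: the value of
# ${public_keys:newt} plus a second key that is not on disk yet.
DESIRED_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNEWTKEY newt@workstation",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERBASTION root@bastion",
]


def key_identity(line: str) -> Optional[Tuple[str, str]]:
    """(type, base64 blob) of an authorized_keys line, or None for blank
    lines and comments. The trailing comment is deliberately ignored: two
    lines with the same blob grant the same access whatever they are
    labelled, so a renamed comment must not count as a different key."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 2:
        return None
    return fields[0], fields[1]


def undeclared_keys(existing: str, desired: Iterable[str]) -> List[str]:
    """Key lines present on disk that no pillar entry declares: exactly the
    access paths ``purge: true`` removes. Review this list before enabling
    purge so that the removal is a decision rather than a surprise."""
    wanted = {key_identity(k) for k in desired} - {None}
    return [
        line for line in existing.splitlines()
        if key_identity(line) is not None and key_identity(line) not in wanted
    ]


def reconcile_authorized_keys(existing: str, desired: Iterable[str], purge: bool) -> str:
    """Content the file converges to under the semantics described above.
    purge=False: every declared key is present, everything already on disk
    (including undeclared keys and comments) is left untouched.
    purge=True: the file holds exactly the declared keys, in pillar order."""
    desired = list(desired)
    if purge:
        seen = set()
        exact: List[str] = []
        for key in desired:
            ident = key_identity(key)
            if ident is not None and ident not in seen:
                seen.add(ident)
                exact.append(key)
        return "\n".join(exact) + "\n"
    lines = existing.splitlines()
    present = {key_identity(line) for line in lines}
    for key in desired:
        if key_identity(key) not in present:
            lines.append(key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("would be removed by purge:")
    for line in undeclared_keys(EXISTING_AUTHORIZED_KEYS, DESIRED_KEYS):
        print("  ", line)
    print("--- purge: false ---")
    print(reconcile_authorized_keys(EXISTING_AUTHORIZED_KEYS, DESIRED_KEYS, purge=False))
    print("--- purge: true ---")
    print(reconcile_authorized_keys(EXISTING_AUTHORIZED_KEYS, DESIRED_KEYS, purge=True))
```

Without ``purge`` the stray ``old-admin@laptop`` key survives every highstate, because the state only guarantees that declared keys are present; with ``purge`` the file is reduced to the declared set and both runs are idempotent.
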
You can also bind openssh on multiple addresses and ports:

.. code-block:: yaml

    openssh:
      server:
        enabled: true
        binds:
        - address: 127.0.0.1
          port: 22
        - address: 192.168.1.1
          port: 2222

OpenSSH server for use with FreeIPA:

.. code-block:: yaml

    openssh:
      server:
        enabled: true
        bind:
          address: 0.0.0.0
          port: 22
        public_key_auth: true
        authorized_keys_command:
          command: /usr/bin/sss_ssh_authorizedkeys
          user: nobody

Configure keep alive settings:

.. code-block:: yaml

    openssh:
      server:
        alive:
          keep: yes
          interval: 600
          count: 3
          #
          # will give you a timeout of 30 minutes (600 sec x 3)

Enable DSA legacy keys:

.. code-block:: yaml

    openssh:
      server:
        dss_enabled: true

CIS Compliance
==============

A number of configuration options make the openssh service compliant with
the CIS Benchmark. Those options can be found under metadata/service/server/cis
and are not enabled by default. For each CIS item a comprehensive description
is provided with the pillar data.

More about the CIS Benchmark can be found online at:

    https://www.cisecurity.org/cis-benchmarks/

Read more
=========

* http://www.openssh.org/manual.html
* https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
* http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
* http://www.zeitoun.net/articles/ssh-through-http-proxy/start

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-openssh/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula:

    https://github.com/salt-formulas/salt-formula-openssh

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net