=====
Usage
=====

OpenSSH is a free version of the SSH connectivity tools that technical users
of the Internet rely on. The passwords of Telnet, remote login (rlogin), and
File Transfer Protocol (FTP) users are transmitted across the Internet
unencrypted. OpenSSH encrypts all traffic, including passwords, to effectively
eliminate eavesdropping, connection hijacking, and other attacks. Additionally,
OpenSSH provides secure tunneling capabilities and several authentication
methods, and supports all SSH protocol versions.

This file provides the sample pillar configurations for different use cases.

**OpenSSH client**

* The OpenSSH client configuration with a shared private key:

  .. code-block:: yaml

    openssh:
      client:
        enabled: true
        use_dns: False
        user:
          root:
            enabled: true
            private_key:
              type: rsa
              key: ${_param:root_private_key}
            user: ${linux:system:user:root}

* The OpenSSH client configuration with an individual private key and known
  host:

  .. code-block:: yaml

    openssh:
      client:
        enabled: true
        user:
          root:
            enabled: true
            user: ${linux:system:user:root}
            known_hosts:
            - name: repo.domain.com
              type: rsa
              fingerprint: dd:fa:e8:68:b1:ea:ea:a0:63:f1:5a:55:48:e1:7e:37
              fingerprint_hash_type: sha256|md5

* The OpenSSH client configuration with keep alive settings:

  .. code-block:: yaml

    openssh:
      client:
        alive:
          interval: 600
          count: 3
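
The ``fingerprint`` and ``fingerprint_hash_type`` values in the known host
example above only protect the client if they match the key the server
actually presents, so it is worth checking them against the real host key
before they go into the model. The following Python snippet is an added
example and not part of this formula: it computes a host key's fingerprint in
the two formats the pillar accepts (MD5 as colon-separated hex, the format of
the sample value, and ``SHA256:`` followed by unpadded base64, as printed by
``ssh-keygen -l``) and compares a pillar value against a public key or
``known_hosts`` line. ``SAMPLE_HOSTKEY_LINE`` is constructed from 32 fixed
bytes and is not a real host key.

```python
import base64
import hashlib
import hmac
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: an ssh-ed25519 key blob whose 32 "key" bytes are simply 0..31.
# It has the right shape for fingerprinting but is NOT a real host key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_HOSTKEY_LINE = (
    "repo.example.com ssh-ed25519 "
    + base64.b64encode(SAMPLE_BLOB).decode()
    + " constructed-example"
)

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def key_blob(key_line: str) -> bytes:
    """Extract the decoded key blob from a public key or known_hosts line.

    Accepts both '<type> <base64> [comment]' (ssh-keyscan / *.pub output) and
    '<host> <type> <base64> [comment]' (a known_hosts entry).
    """
    tokens = key_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            return base64.b64decode(tokens[i + 1], validate=True)
    raise ValueError("no '<type> <base64>' pair found in key line")


def fingerprint(blob: bytes, hash_type: str) -> str:
    """Fingerprint a key blob the way ssh-keygen -l does.

    md5    -> 16 colon-separated lowercase hex bytes (format of the pillar sample)
    sha256 -> 'SHA256:' + unpadded base64 of the digest
    """
    if hash_type == "md5":
        return ":".join("%02x" % b for b in hashlib.md5(blob).digest())
    if hash_type == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("unsupported fingerprint_hash_type: %r" % hash_type)


def _normalize(fp: str, hash_type: str) -> str:
    """Strip the optional 'MD5:'/'SHA256:' prefix and base64 padding so that
    values copied from different tools compare equal."""
    fp = fp.strip()
    if hash_type == "md5":
        if fp.upper().startswith("MD5:"):
            fp = fp[4:]
        return fp.lower()
    if fp.startswith("SHA256:"):
        fp = fp[len("SHA256:"):]
    return fp.rstrip("=")


def guess_hash_type(fp: str) -> str:
    """Infer which hash produced a pillar fingerprint value."""
    if re.fullmatch(r"(?:MD5:)?(?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}", fp.strip()):
        return "md5"
    if re.fullmatch(r"(?:SHA256:)?[A-Za-z0-9+/]{43}=?", fp.strip()):
        return "sha256"
    raise ValueError("fingerprint is neither MD5 colon-hex nor SHA256 base64")


def fingerprint_matches(key_line: str, expected: str, hash_type: str) -> bool:
    """True if the key in key_line has the expected fingerprint under hash_type."""
    actual = _normalize(fingerprint(key_blob(key_line), hash_type), hash_type)
    wanted = _normalize(expected, hash_type)
    # Constant-time comparison; not required for a fingerprint check, just a good habit.
    return hmac.compare_digest(actual.encode(), wanted.encode())


if __name__ == "__main__":
    for ht in ("md5", "sha256"):
        print(ht, fingerprint(SAMPLE_BLOB, ht))
    pillar_value = "dd:fa:e8:68:b1:ea:ea:a0:63:f1:5a:55:48:e1:7e:37"  # value from the sample pillar
    print(guess_hash_type(pillar_value),
          fingerprint_matches(SAMPLE_HOSTKEY_LINE, pillar_value, "md5"))
```

Feed ``fingerprint_matches`` the output of ``ssh-keyscan`` for the host named in
``known_hosts`` together with the pillar's ``fingerprint`` and
``fingerprint_hash_type``; a mismatch means either the pillar is stale or the
client would be pinned to a key the server does not hold.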

**OpenSSH server**

* The OpenSSH server simple configuration:

  .. code-block:: yaml

    openssh:
      server:
        enabled: true
        permit_root_login: true
        public_key_auth: true
        password_auth: true
        host_auth: true
        banner: Welcome to server!
        bind:
          address: 0.0.0.0
          port: 22

* The OpenSSH server configuration with auth keys for users:

  .. code-block:: yaml

    openssh:
      server:
        enabled: true
        bind:
          address: 0.0.0.0
          port: 22
        ...
        user:
          newt:
            enabled: true
            user: ${linux:system:user:newt}
            public_keys:
            - ${public_keys:newt}
          root:
            enabled: true
            purge: true
            user: ${linux:system:user:root}
            public_keys:
            - ${public_keys:newt}

  .. note:: Setting the ``purge`` parameter to ``true`` ensures that the exact
     ``authorized_keys`` contents will be filled explicitly from the model and
     undefined keys will be removed.
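
To make the effect of ``purge`` concrete, here is an added Python example
(not the formula's own code, which applies this through its Salt states) that
reconciles an existing ``authorized_keys`` file with the keys defined in the
model. Keys are identified by their type and base64 blob, so an entry with
different options or a different comment still counts as the same key. The
sample file and model keys are constructed, and their base64 blobs are
placeholders of the right shape rather than real keys. Without ``purge``, a
key that was added by hand or left behind by a former administrator survives
every highstate, which is why the function also reports such unmanaged keys
separately.

```python
import re
from typing import List, Optional, Tuple

# One authorized_keys entry: [options] <type> <base64-blob> [comment].
# Options may contain quoted strings with spaces, e.g. from="10.0.0.0/8,192.168.0.0/16".
AUTH_KEY_RE = re.compile(
    r'^(?:(?P<options>(?:[^\s"]|"[^"]*")+)\s+)?'
    r'(?P<type>(?:ssh-|ecdsa-sha2-|sk-)\S+)\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)'
    r'(?:\s+(?P<comment>.*))?$'
)

# Constructed sample data. The blobs are base64-shaped placeholders, not real keys.
EXISTING_AUTHORIZED_KEYS = [
    "# added by hand before this host was put under the formula",
    'from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVYQU1QTEUtREVQTE9ZLUtFWS1OT1QtUkVBTA deploy@ci',
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEVYQU1QTEUtU1RBTEUtS0VZLU5PVC1SRUFM former-admin@laptop",
]
MODEL_PUBLIC_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVYQU1QTEUtREVQTE9ZLUtFWS1OT1QtUkVBTA deploy@ci",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVYQU1QTEUtTkVXVC1LRVktTk9ULVJFQUw newt@workstation",
]


def key_identity(line: str) -> Optional[Tuple[str, str]]:
    """Return (type, blob) for a key line, or None for comment, blank or malformed lines.

    Options and comment are deliberately ignored: they do not change which key is authorized.
    """
    m = AUTH_KEY_RE.match(line.strip())
    if not m:
        return None
    return (m.group("type"), m.group("blob"))


def reconcile_authorized_keys(existing: List[str], model_keys: List[str],
                              purge: bool) -> Tuple[List[str], List[str]]:
    """Return (resulting lines, unmanaged key lines).

    purge=True : the file becomes exactly the model's keys; unmanaged keys are removed,
                 and a model key replaces an existing entry even if options/comment differ.
    purge=False: existing lines stay untouched and only model keys not yet present are
                 appended, so the unmanaged keys remain valid logins.
    """
    model = [k.strip() for k in model_keys if k.strip()]
    model_ids = {key_identity(k) for k in model}
    existing = [l.rstrip("\n") for l in existing]
    existing_ids = {key_identity(l) for l in existing} - {None}

    # Keys present on disk but absent from the model: what purge removes, and what an
    # audit should flag when purge is off.
    unmanaged = [l for l in existing
                 if key_identity(l) is not None and key_identity(l) not in model_ids]

    if purge:
        return list(model), unmanaged
    appended = [k for k in model if key_identity(k) not in existing_ids]
    return existing + appended, unmanaged


if __name__ == "__main__":
    for purge in (True, False):
        lines, unmanaged = reconcile_authorized_keys(EXISTING_AUTHORIZED_KEYS, MODEL_PUBLIC_KEYS, purge)
        print("purge=%s -> %d lines, %d unmanaged key(s)" % (purge, len(lines), len(unmanaged)))
        for l in unmanaged:
            print("  unmanaged:", l)
```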

* The OpenSSH server configuration that binds OpenSSH on multiple addresses
  and ports:

  .. code-block:: yaml

    openssh:
      server:
        enabled: true
        binds:
        - address: 127.0.0.1
          port: 22
        - address: 192.168.1.1
          port: 2222

* The OpenSSH server with FreeIPA configuration:

  .. code-block:: yaml

    openssh:
      server:
        enabled: true
        bind:
          address: 0.0.0.0
          port: 22
        public_key_auth: true
        authorized_keys_command:
          command: /usr/bin/sss_ssh_authorizedkeys
          user: nobody

* The OpenSSH server configuration with keep alive settings:

  .. code-block:: yaml

    openssh:
      server:
        alive:
          keep: yes
          interval: 600
          count: 3
          #
          # will give you a timeout of 30 minutes (600 sec x 3)

* The OpenSSH server configuration with the DSA legacy keys enabled:

  .. code-block:: yaml

    openssh:
      server:
        dss_enabled: true

* The OpenSSH server configuration supports ``AllowUsers``, ``DenyUsers``,
  ``AllowGroups`` and ``DenyGroups`` via the ``allow_users``, ``deny_users``,
  ``allow_groups`` and ``deny_groups`` keys respectively.

  For example, here is how to manage the ``AllowUsers`` configuration item:

  .. code-block:: yaml

    openssh:
      server:
        allow_users:
          <user_name>:
            enabled: true
          <pattern_list_name>:
            enabled: true
            pattern: <pattern>

  Elements of ``allow_users`` are either user names or pattern list names:

  * ``<user_name>`` goes to the configuration file as is.
  * ``<pattern_list_name>`` is not used directly; its main purpose is to
    provide a meaningful name for the pattern specified in the ``pattern``
    key. Another advantage is that the pattern can be overridden.

  ``enabled`` is ``true`` by default.

  See PATTERNS in ssh_config(5) for more information on what ``<pattern>`` is.
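
As an added illustration (not the formula's own template code), the following
Python renders an ``AllowUsers`` line from an ``allow_users`` pillar dict with
the semantics described above (user names as is, pattern list names replaced
by their ``pattern``, ``enabled`` defaulting to ``true``) and then evaluates a
login against it. The matching is a simplified model of the PATTERNS rules as
sshd applies them to ``AllowUsers``: an entry without ``@`` is a single
wildcard pattern for the user name, while a ``USER@HOST`` entry needs the user
pattern to match and the comma-separated host pattern list (with ``!``
negation) to match; sshd additionally matches the host part against the
client IP address, which is left out here. The example assumes that when no
entry is enabled, no ``AllowUsers`` directive is rendered at all, so a pillar
that disables every entry does not restrict logins through this directive.
``SAMPLE_ALLOW_USERS`` is constructed.

```python
import re
from typing import Dict, Optional


def render_allow_users(allow_users: Dict[str, Optional[dict]]) -> Optional[str]:
    """Render the AllowUsers line from an allow_users pillar dict.

    - a plain entry contributes its key (the user name) as is
    - an entry with a 'pattern' contributes the pattern instead of its descriptive key
    - 'enabled' defaults to true; disabled entries are skipped
    Assumption (not taken from the formula): with no enabled entries nothing is rendered.
    """
    items = []
    for name, opts in allow_users.items():
        opts = opts or {}
        if not opts.get("enabled", True):
            continue
        items.append(opts.get("pattern", name))
    if not items:
        return None
    return "AllowUsers " + " ".join(items)


def _glob_match(pattern: str, value: str) -> bool:
    """ssh_config(5) PATTERNS wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def match_pattern_list(pattern_list: str, value: str) -> bool:
    """Comma-separated pattern list with '!' negation: a matching negated pattern rejects
    immediately; otherwise at least one positive pattern must match."""
    matched = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        if _glob_match(pat[1:] if negate else pat, value):
            if negate:
                return False
            matched = True
    return matched


def user_allowed(allow_users: dict, user: str, host: str) -> bool:
    """Simplified sshd evaluation of AllowUsers for a login of `user` from `host`.

    No directive rendered -> no restriction from AllowUsers. Otherwise the login must
    match at least one entry: 'USER' (user pattern only) or 'USER@HOST' (both parts).
    """
    line = render_allow_users(allow_users)
    if line is None:
        return True
    for entry in line.split()[1:]:
        if "@" in entry:
            user_pat, host_pats = entry.split("@", 1)
            if _glob_match(user_pat, user) and match_pattern_list(host_pats, host):
                return True
        elif _glob_match(entry, user):
            return True
    return False


# Constructed sample pillar in the shape documented above.
SAMPLE_ALLOW_USERS = {
    "alice": {"enabled": True},
    "bob": {"enabled": False},                 # disabled: dropped from the directive
    "ops_from_mgmt_net": {                     # descriptive name, replaced by its pattern
        "enabled": True,
        "pattern": "ops-*@10.0.0.*,!10.0.0.1",
    },
    "carol": {},                               # 'enabled' omitted: defaults to true
}

if __name__ == "__main__":
    print(render_allow_users(SAMPLE_ALLOW_USERS))
    for login in (("alice", "192.0.2.5"), ("bob", "192.0.2.5"),
                  ("ops-deploy", "10.0.0.7"), ("ops-deploy", "10.0.0.1")):
        print(login, user_allowed(SAMPLE_ALLOW_USERS, *login))
```

Running the rendered line through ``user_allowed`` for the accounts that are
supposed to get in, and for a few that are not, catches the two usual mistakes
before the state is applied: a pattern that is broader than its descriptive
name suggests, and a pillar in which every entry ends up disabled.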

**CIS Compliance**

There are a number of configuration options that make the OpenSSH service
compliant with the CIS Benchmark. These options can be found under
``metadata/service/server/cis``, and are not enabled by default. For each CIS
item a comprehensive description is provided with the pillar data.

See also https://www.cisecurity.org/cis-benchmarks/ for details about the
CIS Benchmark.

**Read more**

* http://www.openssh.org/manual.html
* https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
* http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
* http://www.zeitoun.net/articles/ssh-through-http-proxy/start

**Documentation and bugs**

* http://salt-formulas.readthedocs.io/
  Learn how to install and update salt-formulas.

* https://github.com/salt-formulas/salt-formula-openssh/issues
  In the unfortunate event that bugs are discovered, report the issue to the
  appropriate issue tracker. Use the GitHub issue tracker for a specific salt
  formula.

* https://launchpad.net/salt-formulas
  For feature requests, bug reports, or blueprints affecting the entire
  ecosystem, use the Launchpad salt-formulas project.

* https://launchpad.net/~salt-formulas-users
  Join the salt-formulas-users team and subscribe to the mailing list if
  required.

* https://github.com/salt-formulas/salt-formula-openssh
  Develop the salt-formulas projects in the master branch and then submit pull
  requests against a specific formula.

* #salt-formulas @ irc.freenode.net
  Use this IRC channel in case of any questions or feedback, which is always
  welcome.
223 welcome