saz-ssh, hiera and options


Laci D

May 1, 2023, 5:08:16 PM
to Puppet Users
Hi,

I'm using saz-ssh to configure sshd_config; the options are stored in Hiera. I couldn't find how to implement "Match user/group", for example:

Match group *, !not_that_group
'ForceCommand' => 'internal-sftp',

I did see the example, but when I add that to my manifests/profiles/ssh.pp then Puppet complains, and I'm not seeing how to configure it using Hiera.

Any ideas?

Martin Alfke

May 2, 2023, 3:51:20 AM
to puppet...@googlegroups.com
Hi,

The ssh::server class has a parameter called "match_block" which calls a defined type:


Laci D

May 2, 2023, 11:29:45 AM
to Puppet Users
Thank you Martin, adding the following example to my nodes/myserversfqdn.yaml did it for me.

ssh::server::match_block:
  '*,!that_other_group':
    type: group
    options:
      ForceCommand: '/usr/bin/kpasswd'


I have another question, how can I specify different values in Hiera for different operating systems?

For example, AuthorizedKeysCommand needs a different value on Linux and FreeBSD.

Martin Alfke

May 2, 2023, 2:04:16 PM
to puppet...@googlegroups.com
The main ssh class has the parameter server_options:
# @param options
# Dynamic hash for openssh server option

ssh::server_options:
  AuthorizedKeysCommand: '/path/to/command'

If you are using ssh::server class, the parameter ssh::server::options must be used.


Laci D

May 7, 2023, 7:33:38 PM
to Puppet Users
This works if I configure it for each individual server. Thank you!

I was wondering if there is a way to have a different path for AuthorizedKeysCommand based on the operating system rather than every single server?

I think an alternative could be in the manifest file something like:

 # select the path per OS (os.name is the modern equivalent of the legacy operatingsystem fact)
 case $facts['os']['name'] {
   'FreeBSD': { $authorized_keys_command = '/path/to/freebsd-command' }
   'Ubuntu':  { $authorized_keys_command = '/path/to/ubuntu-command' }
   default:   { fail("No AuthorizedKeysCommand defined for ${facts['os']['name']}") }
 }

 # hand the chosen path to the module as a server option
 class { 'ssh::server':
   options => { 'AuthorizedKeysCommand' => $authorized_keys_command },
 }

A Manzer

May 8, 2023, 7:48:20 AM
to Puppet Users
You can easily do that with an Operating System-specific layer to your hiera.  Add something like `os/$facts['osfamily'].yaml` to your hiera.yaml. Then, you can have a FreeBSD.yaml, and a Debian.yaml in your hiera data. (Ubuntu is part of the Debian OS Family.)

Put the proper parameter block in each yaml file and the module will automatically pull them in on the right hosts.

(Make sure you double check my hiera string there. I'm on mobile and don't have access to my Puppet environment at the moment.)
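As an added example (not code from this thread or from the saz-ssh module), a Hiera 5 layout that ties the answers above together: a node layer, an OS-family layer and a common layer, with the match block in common data and the per-OS AuthorizedKeysCommand path in the OS layer. It assumes a control repo with hiera.yaml at its root and data under data/; the command paths are placeholders. Hiera interpolates facts as %{facts.os.family}, and the lookup_options deep merge is what lets the OS layer add one key without replacing the whole ssh::server::options hash from common.yaml.

```yaml
# hiera.yaml (control repo root): an OS-family layer between the node and common layers
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"
  - name: "Per-OS-family data"     # resolves to os/FreeBSD.yaml, os/Debian.yaml (Ubuntu is Debian family), ...
    path: "os/%{facts.os.family}.yaml"
  - name: "Common data"
    path: "common.yaml"

# data/common.yaml
---
# Without a deep merge, the first layer that defines ssh::server::options wins
# and the OS layer below would silently replace this whole hash.
lookup_options:
  ssh::server::options:
    merge: deep
  ssh::server::match_block:
    merge: deep

ssh::server::options:
  # sshd refuses to start when AuthorizedKeysCommand is set without a command user
  AuthorizedKeysCommandUser: nobody

ssh::server::match_block:
  '*,!that_other_group':
    type: group
    options:
      ForceCommand: '/usr/bin/kpasswd'

# data/os/FreeBSD.yaml
---
ssh::server::options:
  AuthorizedKeysCommand: '/path/to/freebsd-command'   # placeholder path

# data/os/Debian.yaml (also applied on Ubuntu hosts)
---
ssh::server::options:
  AuthorizedKeysCommand: '/path/to/ubuntu-command'    # placeholder path
```

Run `puppet lookup ssh::server::options --node <fqdn> --merge deep` against the control repo to confirm which layer each key comes from before pushing the change.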