testing draft: sftp for exam files

95f2babb · Klas Arvidsson · 0c80c98c · 95f2babb · 95f2babb · 95f2babb
Commit 95f2babb authored 5 years ago by Klas Arvidsson
--- a/files/sshd_config
+++ b/files/sshd_config
+#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+# Authentication:
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile	.ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+PubkeyAuthentication yes
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication yes
+# Kerberos options
+KerberosAuthentication no
+KerberosOrLocalPasswd no
+KerberosTicketCleanup no
+# GSSAPI options
+GSSAPICleanupCredentials no
+#GSSAPIAuthentication no
+#GSSAPIStrictAcceptorCheck no
+#GSSAPIKeyExchange no
+#GSSAPIStoreCredentialsOnRekey no
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+# Do not use DNS to resolv connections. To be able to log IP for a connection,
+# especially a failed one. Requested by Ulrik 2019-05-27 /Mika
+UseDNS no
+# no default banner path
+#Banner none
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+# # Nota bene: Puppet managed file, all local changes will be reverted.
+# Local variables:
+# mode: view
+# End:
--- a/manifests/init.pp
+++ b/manifests/init.pp
 class aes {
+  include aes::sftp
  include aes::aes_sw
  include aes::opendsa
  include aes::squid_filter

--- a/manifests/sftp.pp
+++ b/manifests/sftp.pp
+class aes::sftp {
+  # package {
+  #   [
+  #     'openssh-server-7',
+  #   ]:
+  #     ensure  => installed,
+  # }
+  group { "liuitdrs" :
+    ensure => present,
+    allowdupe => false,
+    auth_membership => false,
+  }
+  file { '/srv/liuitdrs' :
+    ensure => directory,
+    mode   => '0750',
+    owner  => root,
+    group  => liuitdrs,
+  }
+  file { '/srv/liuitdrs/year' :
+    ensure => directory,
+    mode   => '0770',
+    owner  => root,
+    group  => liuitdrs,
+  }
+  file { '/srv/liuitdrs/.ssh' :
+    ensure => directory,
+    mode   => '0700',
+    owner  => root,
+    group  => liuitdrs,
+  }
+  # useradd -d /srv/liuitdrs -g liuitdrs -s /sbin/nologin USER
+  user { 'jondy94':
+    comment => 'Jon Dybeck',
+    shell   => '/sbin/nologin',
+    home    => '/srv/liuitdrs',
+    groups  => liuitdrs,
+  }
+  # but this file is already managed by puppet
+  file { "/etc/ssh/sshd_config":
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode => '0644',
+    source => "puppet:///modules/${module_name}/sshd_config",
+   }
+  # service { "sshd" : 
+  #   ensure => "running",
+  # }
+}