From 95f2babbeaf9e16db535c7ebee5967dfe9dc75ca Mon Sep 17 00:00:00 2001
From: Klas Arvidsson <klas.arvidsson@liu.se>
Date: Mon, 13 Jan 2020 12:09:31 +0100
Subject: [PATCH] testing draft: sftp for exam files

---
 files/sshd_config | 137 ++++++++++++++++++++++++++++++++++++++++++++++
 manifests/init.pp |   1 +
 manifests/sftp.pp |  58 ++++++++++++++++++++
 3 files changed, 196 insertions(+)
 create mode 100644 files/sshd_config
 create mode 100644 manifests/sftp.pp

diff --git a/files/sshd_config b/files/sshd_config
new file mode 100644
index 0000000..040bfc8
--- /dev/null
+++ b/files/sshd_config
@@ -0,0 +1,137 @@
+#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+
+#Port 22
+#AddressFamily any
+
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile	.ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+PubkeyAuthentication yes
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication yes
+
+# Kerberos options
+KerberosAuthentication no
+KerberosOrLocalPasswd no
+KerberosTicketCleanup no
+
+# GSSAPI options
+GSSAPICleanupCredentials no
+#GSSAPIAuthentication no
+#GSSAPIStrictAcceptorCheck no
+#GSSAPIKeyExchange no
+#GSSAPIStoreCredentialsOnRekey no
+
+
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# Do not use DNS to resolv connections. To be able to log IP for a connection,
+# especially a failed one. Requested by Ulrik 2019-05-27 /Mika
+UseDNS no
+
+# no default banner path
+#Banner none
+
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+
+
+
+
+
+# # Nota bene: Puppet managed file, all local changes will be reverted.
+# Local variables:
+# mode: view
+# End:
diff --git a/manifests/init.pp b/manifests/init.pp
index b3b0b77..615f995 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,4 +1,5 @@
 class aes {
+  include aes::sftp
   include aes::aes_sw
   include aes::opendsa
   include aes::squid_filter
diff --git a/manifests/sftp.pp b/manifests/sftp.pp
new file mode 100644
index 0000000..66f884b
--- /dev/null
+++ b/manifests/sftp.pp
@@ -0,0 +1,58 @@
+class aes::sftp {
+
+  # package {
+  #   [
+  #     'openssh-server-7',
+  #   ]:
+  #     ensure  => installed,
+  # }
+
+  group { "liuitdrs" :
+    ensure => present,
+    allowdupe => false,
+    auth_membership => false,
+  }
+
+  file { '/srv/liuitdrs' :
+    ensure => directory,
+    mode   => '0750',
+    owner  => root,
+    group  => liuitdrs,
+  }
+
+  file { '/srv/liuitdrs/year' :
+    ensure => directory,
+    mode   => '0770',
+    owner  => root,
+    group  => liuitdrs,
+  }
+
+  file { '/srv/liuitdrs/.ssh' :
+    ensure => directory,
+    mode   => '0700',
+    owner  => root,
+    group  => liuitdrs,
+  }
+
+  # useradd -d /srv/liuitdrs -g liuitdrs -s /sbin/nologin USER
+  user { 'jondy94':
+    comment => 'Jon Dybeck',
+    shell   => '/sbin/nologin',
+    home    => '/srv/liuitdrs',
+    groups  => liuitdrs,
+  }
+
+  # but this file is already managed by puppet
+  file { "/etc/ssh/sshd_config":
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode => '0644',
+    source => "puppet:///modules/${module_name}/sshd_config",
+   }
+
+  # service { "sshd" : 
+  #   ensure => "running",
+  # }
+
+}
-- 
GitLab