profile_hostbased_ssh::known_hosts: Manage /etc/ssh/ssh_known_hosts for both source and target nodes in a hostbased authentication scenario.
profile_hostbased_ssh::pam_slurm_adopt: Implement use of the pam_slurm_adopt module.
profile_hostbased_ssh::shosts_equiv: Manage the shosts.equiv file on the target nodes.
profile_hostbased_ssh::source: Configure a source/client to use hostbased authentication.
profile_hostbased_ssh::target: Configure a target/server to accept hostbased authentication.
Manage /etc/ssh/ssh_known_hosts for both source and target nodes in a hostbased authentication scenario.
Param data for this class is also used to build shosts.equiv for the target class.
This class is used by the target and source classes, but could also be used in a standalone fashion.
The following parameters are available in the profile_hostbased_ssh::known_hosts class:
Data type: Hash
Hash of the form:

    <name_for_host_set_1>:
      domain: "ncsa.illinois.edu"
      key_type: "ecdsa-sha2-nistp256"  # suitable for ssh_known_hosts
      key: "content of public key that identifies hosts in this set"
      hosts:  # host-IP pairs
        login1: 141.142.X.Y
        login2: 141.142.X.Z
    <name_for_host_set_2>:
      domain: ...
      key_type: ...
      key: "..."
      hosts:
        ...
    ...

Leave set to {} to NOT manage shosts.equiv and ssh_known_hosts.
Data type: String
Location of the ssh_known_hosts file (usually /etc/ssh/ssh_known_hosts).
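The host-set hash described above can be checked before it goes into Hiera. The following is an added example, not code from this module: it verifies that each set's key_type matches the algorithm name embedded in the public key blob and that every host IP parses, then renders candidate lines. The line layout (FQDN, short name and IP in one ssh_known_hosts entry; FQDN and IP in shosts.equiv), the function names and the sample data are assumptions.

```python
import base64, ipaddress, struct

def make_blob(key_type):
    """Constructed stand-in for a public key: real wire framing, fake key bytes."""
    kt = key_type.encode()
    blob = struct.pack(">I", len(kt)) + kt + b"constructed-not-a-real-key"
    return base64.b64encode(blob).decode()

def blob_key_type(b64key):
    """Return the algorithm name embedded at the start of an SSH public key blob."""
    raw = base64.b64decode(b64key, validate=True)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if n == 0 or 4 + n > len(raw):
        raise ValueError("bad length prefix in key blob")
    return raw[4:4 + n].decode("ascii")

def render(host_sets):
    """Validate the hash; return (ssh_known_hosts lines, shosts.equiv lines)."""
    known, equiv = [], []
    for set_name, s in host_sets.items():
        missing = {"domain", "key_type", "key", "hosts"} - s.keys()
        if missing:
            raise ValueError(f"{set_name}: missing {sorted(missing)}")
        if blob_key_type(s["key"]) != s["key_type"]:
            raise ValueError(f"{set_name}: key_type does not match key blob")
        for short, ip in sorted(s["hosts"].items()):
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            fqdn = f"{short}.{s['domain']}"
            # Assumed layout: one entry naming FQDN, short name and IP.
            known.append(f"{fqdn},{short},{ip} {s['key_type']} {s['key']}")
            equiv += [fqdn, ip]
    return known, equiv

# Constructed sample data (documentation-range IPs, example domain).
SAMPLE = {
    "login_nodes": {
        "domain": "example.org",
        "key_type": "ecdsa-sha2-nistp256",
        "key": make_blob("ecdsa-sha2-nistp256"),
        "hosts": {"login1": "192.0.2.10", "login2": "192.0.2.11"},
    },
}

if __name__ == "__main__":
    known, equiv = render(SAMPLE)
    print("\n".join(known), "\n".join(equiv), sep="\n--\n")
```

A key_type that disagrees with the key blob produces a known_hosts entry that never matches the host's real key, so hostbased authentication from that set fails; rejecting the mismatch up front makes the cause visible.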
Implement use of the pam_slurm_adopt module.
This module should be included on 'target' hosts that run slurmd.
Includes masking systemd-logind and removing pam_systemd from the PAM stack:
https://bugs.schedmd.com/show_bug.cgi?id=3912
https://bugs.schedmd.com/show_bug.cgi?id=5920
include profile_hostbased_ssh::pam_slurm_adopt
The following parameters are available in the profile_hostbased_ssh::pam_slurm_adopt class:
Data type: Hash
Hash of data to pass to augeasproviders_pam.
Data type: Array
Array of services to stop and mask.
Manage the shosts.equiv file on the target nodes. Could be used in a standalone fashion (with proper Hiera data) but intended to be used indirectly by including the target class.
include profile_hostbased_ssh::shosts_equiv
The following parameters are available in the profile_hostbased_ssh::shosts_equiv class:
Data type: String
Path to shosts.equiv file.
Configure a source/client to use hostbased authentication.
Borrows from ncsa/puppet-sshd
include profile_hostbased_ssh::source
The following parameters are available in the profile_hostbased_ssh::source class:
Data type: Hash
Additional ssh_conf params (suitable for ssh_config global config... although it will end up in a "Host *" block anyway)
Data type: Hash
Additional ssh_conf params (suitable for ssh_config match block)
Data type: String
Host pattern to match with 'Host' block. Use an empty string if this should be omitted for some reason.
Configure a target/server to accept hostbased authentication.
Heavily based on profile_allow_ssh_from_bastion. Also borrows from LSST: stdcfg::access
include profile_hostbased_ssh::target
The following parameters are available in the profile_hostbased_ssh::target class:
Data type: Array[String]
One or more LDAP / UNIX groups that are allowed to log in from any of the nodes in sshd_match_nodelist.
Note: This is set to [] by default, but one of groups or users must be set.
Data type: Hash
Additional sshd_conf params (suitable for sshd_config match block)
Data type: Array[String, 1]
List of hostnames / IPs / CIDRs from which to accept hostbased authentication.
Note: must contain at least 1 item
Data type: Array[String]
One or more LDAP / UNIX users that are allowed to log in from any of the nodes in sshd_match_nodelist.
Note: This is set to [] by default, but one of groups or users must be set.