puppet-ssh
SFTP fails for non-root users on AIX.
On AIX, setting sshd_config to 0600 causes non-root users to not be able to use sftp. On AIX, the sshd_config file should use 0644.
https://www.ibm.com/support/pages/ibm-aix-regular-users-can-ssh-aix-sftp-fails
@ccombs-trustamerica Mind creating a PR for that issue?
@saz My fork contains changes to revert to the older stdlib and wouldn't be good to merge. This is the change needed to fix AIX: puppet-ssh/manifests/server/config.pp:
# @summary
#   Managed ssh server configuration
#
# @api private
#
class ssh::server::config {
  assert_private()

  $options = $ssh::server::merged_options

  case $ssh::server::validate_sshd_file {
    true: {
      $sshd_validate_cmd = '/usr/sbin/sshd -tf %'
    }
    default: {
      $sshd_validate_cmd = undef
    }
  }

  case $facts['os']['family'] {
    'AIX': {
      $sshd_config_mode = '0644'
    }
    default: {
      $sshd_config_mode = '0600'
    }
  }

  if $ssh::server::use_augeas {
    $options.each |String $k, Hash $v| {
      sshd_config { $k:
        * => $v,
      }
    }
  } else {
    concat { $ssh::server::sshd_config:
      ensure       => present,
      owner        => 0,
      group        => 0,
      mode         => $sshd_config_mode,
      validate_cmd => $sshd_validate_cmd,
      notify       => Service[$ssh::server::service_name],
    }

    concat::fragment { 'global config':
      target  => $ssh::server::sshd_config,
      content => template("${module_name}/sshd_config.erb"),
      order   => '00',
    }
  }

  if $ssh::server::use_issue_net {
    file { $ssh::server::issue_net:
      ensure  => file,
      owner   => 0,
      group   => 0,
      mode    => $sshd_config_mode,
      content => template("${module_name}/issue.net.erb"),
      notify  => Service[$ssh::server::service_name],
    }

    concat::fragment { 'banner file':
      target  => $ssh::server::sshd_config,
      content => "Banner ${ssh::server::issue_net}\n",
      order   => '01',
    }
  }
}
@ccombs-trustamerica I've created https://github.com/saz/puppet-ssh/pull/383 which should resolve this issue. Can you give it a try?