diff --git a/REFERENCE.md b/REFERENCE.md
index 4644646e..53c7fef3 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -337,6 +337,8 @@ The following parameters are available in the `ssh::client` class:
* [`options_absent`](#-ssh--client--options_absent)
* [`default_options`](#-ssh--client--default_options)
* [`match_block`](#-ssh--client--match_block)
+* [`config_user`](#-ssh--client--config_user)
+* [`config_group`](#-ssh--client--config_group)
##### `ssh_config`
@@ -406,6 +408,18 @@ Add ssh match_block (with concat)
Default value: `{}`
+##### `config_user`
+
+Data type: `Variant[Integer, String[1]]`
+
+Numeric id or name of the user for the config file
+
+##### `config_group`
+
+Data type: `Variant[Integer, String[1]]`
+
+Numeric id or name of the group for the config file
+
### `ssh::hostkeys`
This class manages hostkeys
@@ -548,8 +562,11 @@ The following parameters are available in the `ssh::server` class:
* [`sshd_dir`](#-ssh--server--sshd_dir)
* [`sshd_binary`](#-ssh--server--sshd_binary)
* [`sshd_config_mode`](#-ssh--server--sshd_config_mode)
+* [`host_priv_key_user`](#-ssh--server--host_priv_key_user)
* [`host_priv_key_group`](#-ssh--server--host_priv_key_group)
* [`host_priv_key_mode`](#-ssh--server--host_priv_key_mode)
+* [`config_user`](#-ssh--server--config_user)
+* [`config_group`](#-ssh--server--config_group)
* [`default_options`](#-ssh--server--default_options)
* [`ensure`](#-ssh--server--ensure)
* [`include_dir`](#-ssh--server--include_dir)
@@ -596,11 +613,17 @@ Data type: `Stdlib::Filemode`
Mode to set on the sshd config file
+##### `host_priv_key_user`
+
+Data type: `Variant[Integer, String[1]]`
+
+Numeric id or name of the user for the private host key
+
##### `host_priv_key_group`
-Data type: `Integer`
+Data type: `Variant[Integer, String[1]]`
-Name of the group for the private host key
+Numeric id or name of the group for the private host key
##### `host_priv_key_mode`
@@ -608,6 +631,18 @@ Data type: `Stdlib::Filemode`
Mode of the private host key
+##### `config_user`
+
+Data type: `Variant[Integer, String[1]]`
+
+Numeric id or name of the user for the sshd config file
+
+##### `config_group`
+
+Data type: `Variant[Integer, String[1]]`
+
+Numeric id or name of the group for the sshd config file
+
##### `default_options`
Data type: `Hash`
diff --git a/data/common.yaml b/data/common.yaml
index 16223f07..cfc822e6 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -21,6 +21,11 @@ ssh::server::sshd_config_mode: '0600'
ssh::client::ssh_config: '/etc/ssh/ssh_config'
ssh::server::service_name: 'svc:/network/ssh:default'
ssh::sftp_server_path: 'internal-sftp'
+ssh::client::config_user: 0
+ssh::client::config_group: 0
+ssh::server::config_user: 0
+ssh::server::config_group: 0
+ssh::server::host_priv_key_user: 0
ssh::server::host_priv_key_group: 0
ssh::server::host_priv_key_mode: '0600'
ssh::validate_sshd_file : false
diff --git a/manifests/client.pp b/manifests/client.pp
index dd450646..73e4fc2c 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -35,16 +35,23 @@
# @param match_block
# Add ssh match_block (with concat)
#
+# @param config_user
+# Numeric id or name of the user for the config file
+# @param config_group
+# Numeric id or name of the group for the config file
+#
class ssh::client (
- Stdlib::Absolutepath $ssh_config,
- Hash $default_options,
- Optional[String[1]] $client_package_name = undef,
- String $ensure = present,
- Boolean $storeconfigs_enabled = true,
- Hash $options = {},
- Boolean $use_augeas = false,
- Array $options_absent = [],
- Hash $match_block = {},
+ Stdlib::Absolutepath $ssh_config,
+ Hash $default_options,
+ Variant[Integer, String[1]] $config_user,
+ Variant[Integer, String[1]] $config_group,
+ Optional[String[1]] $client_package_name = undef,
+ String $ensure = present,
+ Boolean $storeconfigs_enabled = true,
+ Hash $options = {},
+ Boolean $use_augeas = false,
+ Array $options_absent = [],
+ Hash $match_block = {},
) {
if $use_augeas {
$merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })
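Review bot: The new `@param config_user` / `@param config_group` text at the top of the hunk says nothing about the trust it confers: the account owning `$ssh_config` can change the system-wide client configuration that every user's ssh reads, so anything other than the Hiera default of 0 (root) should be an equally trusted account. A wording such as `# Numeric id or name of the user owning the client config file; this account can alter ssh behaviour for every user, so it must be fully trusted` would make that explicit. As a point of style, the two new entries are run together without the `#` separator line that server.pp places between `@param` blocks, and the description here could name the file (`ssh_config`) the way the server.pp docs name `sshd config file`. The class body continues outside the hunk.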
diff --git a/manifests/client/config.pp b/manifests/client/config.pp
index 40c3ca2e..2547add7 100644
--- a/manifests/client/config.pp
+++ b/manifests/client/config.pp
@@ -18,8 +18,8 @@
} else {
concat { $ssh::client::ssh_config:
ensure => present,
- owner => 0,
- group => 0,
+ owner => $ssh::client::config_user,
+ group => $ssh::client::config_group,
mode => '0644',
}
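Review bot: `mode => '0644'` on the line after the changed pair stays hard-coded while owner and group became parameters, which diverges from the server side where the equivalent resource uses `mode => $ssh::server::sshd_config_mode` (server/config.pp hunk). If ownership is meant to be tunable, a `config_mode` parameter is the natural companion; if 0644 is deliberate because every user's ssh must be able to read this file, a comment saying so, e.g. `# world-readable on purpose: ssh reads this file as each user`, would save the next reader the question. The enclosing class starts outside the hunk.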
diff --git a/manifests/server.pp b/manifests/server.pp
index 123cf3da..3e040a80 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -23,12 +23,21 @@
# @param sshd_config_mode
# Mode to set on the sshd config file
#
+# @param host_priv_key_user
+# Numeric id or name of the user for the private host key
+#
# @param host_priv_key_group
-# Name of the group for the private host key
+# Numeric id or name of the group for the private host key
#
# @param host_priv_key_mode
# Mode of the private host key
#
+# @param config_user
+# Numeric id or name of the user for the sshd config file
+#
+# @param config_group
+# Numeric id or name of the group for the sshd config file
+#
# @param default_options
# Default options to set, will be merged with options parameter
#
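Review bot: The `@param config_user` / `@param config_group` text "for the sshd config file" understates what the parameters govern: in the accompanying hunks they also become owner and group of the include directory and issue.net (server/config.pp), the per-instance configs (instances.pp), the additional config files (config_file.pp) and the public host keys and certificates (host_key.pp). The docs should also state the trust boundary, since the account owning sshd_config and its include directory can alter sshd's behaviour and the `host_priv_key_user` account can read the private host key, so both are root-equivalent choices; the Hiera default of 0 keeps the previous behaviour. Suggested wording for the first: `# Numeric id or name of the user owning the sshd config file, its include directory, issue.net and the public host keys/certificates; this account can alter the sshd configuration, so it must be fully trusted`, and for `host_priv_key_user`: `# Numeric id or name of the user owning the private host key; this account can read the host's private identity, so it must be fully trusted`. The documented `host_priv_key_group` and `config_group` entries deserve the same sentence.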
@@ -80,8 +89,11 @@
Stdlib::Absolutepath $sshd_dir,
Stdlib::Absolutepath $sshd_binary,
Stdlib::Filemode $sshd_config_mode,
- Integer $host_priv_key_group,
+ Variant[Integer, String[1]] $host_priv_key_user,
+ Variant[Integer, String[1]] $host_priv_key_group,
Stdlib::Filemode $host_priv_key_mode,
+ Variant[Integer, String[1]] $config_user,
+ Variant[Integer, String[1]] $config_group,
Hash $default_options,
String $ensure = present,
Optional[Stdlib::Absolutepath] $include_dir = undef,
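Review bot: `Variant[Integer, String[1]]` on the five new or widened parameters accepts negative integers, which cannot denote a uid or gid; `Variant[Integer[0], String[1]]` would reject such values at catalog compile time instead of presumably failing later in the file provider on the agent. The same narrowing applies to the two parameters added in the client.pp hunk. The class's parameter list continues outside the hunk.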
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 2c78b5eb..ee6c0e9c 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -34,8 +34,8 @@
} else {
concat { $ssh::server::sshd_config:
ensure => present,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
mode => $ssh::server::sshd_config_mode,
validate_cmd => $sshd_validate_cmd,
notify => Service[$ssh::server::service_name],
@@ -51,8 +51,8 @@
if $ssh::server::include_dir {
file { $ssh::server::include_dir:
ensure => directory,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
mode => $ssh::server::include_dir_mode,
purge => $ssh::server::include_dir_purge,
recurse => $ssh::server::include_dir_purge,
@@ -68,8 +68,8 @@
if $ssh::server::use_issue_net {
file { $ssh::server::issue_net:
ensure => file,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
mode => $ssh::server::sshd_config_mode,
content => template("${module_name}/issue.net.erb"),
notify => Service[$ssh::server::service_name],
diff --git a/manifests/server/config_file.pp b/manifests/server/config_file.pp
index c122e2f4..69970c24 100644
--- a/manifests/server/config_file.pp
+++ b/manifests/server/config_file.pp
@@ -31,8 +31,8 @@
concat { $path:
ensure => present,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
mode => $mode,
validate_cmd => $sshd_validate_cmd,
notify => Service[$ssh::server::service_name],
diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp
index 4a881bfa..309bc6ed 100644
--- a/manifests/server/host_key.pp
+++ b/manifests/server/host_key.pp
@@ -87,8 +87,8 @@
if $ensure == 'present' {
file { "${name}_pub":
ensure => $ensure,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
mode => '0644',
path => "${ssh::server::sshd_dir}/${name}.pub",
source => $manage_pub_key_source,
@@ -98,7 +98,7 @@
file { "${name}_priv":
ensure => $ensure,
- owner => 0,
+ owner => $ssh::server::host_priv_key_user,
group => $ssh::server::host_priv_key_group,
mode => $ssh::server::host_priv_key_mode,
path => "${ssh::server::sshd_dir}/${name}",
@@ -110,8 +110,8 @@
} else {
file { "${name}_pub":
ensure => $ensure,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
mode => '0644',
path => "${ssh::server::sshd_dir}/${name}.pub",
notify => Class['ssh::server::service'],
@@ -119,7 +119,7 @@
file { "${name}_priv":
ensure => $ensure,
- owner => 0,
+ owner => $ssh::server::host_priv_key_user,
group => $ssh::server::host_priv_key_group,
mode => $ssh::server::host_priv_key_mode,
path => "${ssh::server::sshd_dir}/${name}",
@@ -132,8 +132,8 @@
if $ensure == 'present' {
file { "${name}_cert":
ensure => $ensure,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
mode => '0644',
path => "${ssh::server::sshd_dir}/${name}-cert.pub",
source => $manage_cert_source,
@@ -143,8 +143,8 @@
} else {
file { "${name}_cert":
ensure => $ensure,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
mode => '0644',
path => "${ssh::server::sshd_dir}/${name}-cert.pub",
notify => Class['ssh::server::service'],
diff --git a/manifests/server/instances.pp b/manifests/server/instances.pp
index f366aab1..51dced39 100644
--- a/manifests/server/instances.pp
+++ b/manifests/server/instances.pp
@@ -55,8 +55,8 @@
concat { $sshd_instance_config_file:
ensure => $ensure,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
mode => '0600',
validate_cmd => $validate_cmd,
notify => Service["${title}.service"],