
How to use Augeas to add DenyUsers line to sshd_config

asked 2013-11-22 11:39:02 -0600

Red Cricket


I want to add the line ...


... to my /etc/ssh/sshd_config. So I put these lines in a puppet module:

    augeas { "sshd_config":
                    context => "/files/etc/ssh/sshd_config"
            ,       changes => [ "set DenyUsers" ]
            ,       notify => Service["sshd"]
    }

    service { "sshd":
                    name => "sshd"
            ,       require => Augeas["sshd_config"]
            ,       enable => true
            ,       ensure => running
    }

... but when I run puppet on my agent I get this error:

# puppet agent --test
Error: /Stage[main]/Mymodule/Augeas[sshd_config]: Could not evaluate: Save failed with return code false, see debug
Notice: /Stage[main]/Mymodule/Service[sshd]: Dependency Augeas[sshd_config] has failures: true
Warning: /Stage[main]/Mymodule ...

2 Answers


answered 2013-11-22 12:33:56 -0600

domcleal

updated 2013-11-23 07:17:06 -0600

This probably needs to use a numbered (seq) entry:

augeas { "sshd_config":
  context => "/files/etc/ssh/sshd_config",
  changes => [ "set DenyUsers/1" ],
  notify  => Service["sshd"],
}

However I'd strongly recommend you just use the augeasproviders module as it handles this and a number of edge cases that this snippet won't.

sshd_config { "DenyUsers":
  ensure => present,
  value  => [""],
}

More sshd_config examples on


answered 2015-03-26 05:34:06 -0600

stripybadger

I know this question has an answer, but it didn't do what I needed and Google kept bringing me back here, so I want to post what I did for the benefit of other googlers. I think my alternative is still valid, though the other answer is definitely neater.

domcleal's answer works if you've got the full list of all the users you want to deny access to, because the sshd_config type essentially controls the entire field.

In my case I wanted this snippet as part of a define that would be called multiple times for different users, so I wanted it to 'add' a user, and not remove any that were already there. I ended up with this, hope it helps someone:

augeas { "sshd_config-DenyUsers-${username}":
    context => "/files/etc/ssh/sshd_config",
    # add the username to the end of the DenyUsers list (/01 will always add a new node in augeas)
    changes => [ "set DenyUsers/01 ${username}" ],
    # check if the username already exists in the list - don't want to add a duplicate
    onlyif => "match DenyUsers/*[. = '${username}'] size == 0",
    # restart sshd
    notify  => Service["sshd"],
}
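The guard-then-append logic of the answer above (only add the user when `match DenyUsers/*[. = '${username}'] size == 0`, never drop users already listed), written out as an added example that is not part of the thread. It is a plain-string reimplementation rather than the Augeas sshd lens, so it runs without the augeas bindings installed; the sample configuration, the `SAMPLE_CONFIG`, `deny_users` and `add_deny_user` names, and the username character whitelist are all assumptions of this example.

```python
"""Idempotent DenyUsers editor for sshd_config (added example, not from the thread).

Mirrors the Puppet resource above: append a user to the DenyUsers list only
if it is not already present, and keep every user that is already listed.
Plain string handling is used instead of the Augeas sshd lens (assumption of
this example) so it runs anywhere Python does.
"""
import re

# Constructed sample of an sshd_config fragment, not a real host's file.
SAMPLE_CONFIG = """\
# Authentication:
PermitRootLogin no
DenyUsers alice bob
PasswordAuthentication no
"""

# sshd keywords are case-insensitive; capture keyword, separator and the value list.
DENY_RE = re.compile(r"^(\s*DenyUsers)(\s+)(.*?)\s*$", re.IGNORECASE)

# Conservative whitelist for a single DenyUsers token (assumption of this example):
# it rejects whitespace and newlines so a caller cannot smuggle a second directive
# into the file through the username parameter.
USERNAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.@-]*")


def deny_users(config: str) -> list[str]:
    """Return the users on the first global DenyUsers line, in file order."""
    for line in config.splitlines():
        m = DENY_RE.match(line)
        if m:
            return m.group(3).split()
    return []


def add_deny_user(config: str, username: str) -> str:
    """Append ``username`` to DenyUsers unless it is already listed.

    Equivalent to the resource's ``onlyif`` guard followed by ``set DenyUsers/01``:
    existing entries are preserved, no duplicate is introduced, and a DenyUsers
    line is created when the file has none. The input text is returned unchanged
    when nothing needs to be done, which is what makes repeated runs idempotent.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"refusing to write suspicious username: {username!r}")
    lines = config.splitlines()
    for i, line in enumerate(lines):
        m = DENY_RE.match(line)
        if not m:
            continue
        users = m.group(3).split()
        if username in users:
            return config  # already denied: the onlyif would fail, so no change
        lines[i] = f"{m.group(1)}{m.group(2)}{' '.join(users + [username])}"
        return "\n".join(lines) + ("\n" if config.endswith("\n") else "")
    # No DenyUsers line yet: create one, as Augeas creates the node on first set.
    lines.append(f"DenyUsers {username}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    updated = add_deny_user(SAMPLE_CONFIG, "carol")
    print(updated)
    print("second run unchanged:", add_deny_user(updated, "carol") == updated)
```

Like the Augeas resource it mirrors, this only touches the first global `DenyUsers` line; a `DenyUsers` inside a `Match` block is a different node and is left alone, so check `sshd -T` output after the change rather than trusting the edit. The whitelist on the username is the one piece of hardening the Puppet snippet relies on the caller for, since `${username}` is interpolated straight into the Augeas command.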


Another option would be to add an `array_append` parameter to the `sshd_config` type, like we have for the `shellvar` type already.

Raphink (2015-03-29 07:51:58 -0600)

The 01 trick was helpful for us. Thank you!

Timo (2016-10-10 08:30:21 -0600)

For the record, an `array_append` parameter was added to `sshd_config` recently.

Raphink (2018-10-18 02:43:57 -0600)



Asked: 2013-11-22 11:39:02 -0600

Seen: 4,419 times

Last updated: Mar 26 '15