Introducing confdroid_ssh: Reliable and Hardened SSH Access for Your Rocky 9 Servers
SSH is the primary way we access and manage Linux servers. When SSH stops working, everything else grinds to a halt — troubleshooting becomes painful, and automation pipelines can fail.
To solve this, I created confdroid_ssh, a new Puppet 8 module that ensures the SSH daemon (sshd) is always installed, properly configured, running, and reachable.
The module provides a hardened, consistent SSH setup across your entire infrastructure while making it easy to apply custom security policies.
Why This Module Matters
- Guarantees SSH access is always available
- Applies secure defaults for ciphers, MAC algorithms, and other important settings
- Manages the main sshd_config safely through drop-in files in /etc/ssh/sshd_config.d/
- Handles SELinux contexts automatically (works great together with confdroid_selinux)
- Optionally manages firewall rules to keep the SSH port open
- Prevents configuration drift and manual overrides that often cause problems
It fits perfectly into the Confdroid collection alongside confdroid_selinux (for global SELinux enforcement) and confdroid_fail2ban (for brute-force protection on SSH).
Key Features
- Installs the SSH server packages and required binaries
- Manages the sshd service (ensures it is enabled and running)
- Supports custom configuration snippets via the confdroid_ssh::custom::custom_config define
- Automatically applies correct SELinux contexts
- Optionally opens the SSH port in the firewall (iptables/nftables)
- Designed for Rocky 9 (and other RHEL 9-based systems)
Example: Adding Custom Configuration
You can easily add your own secure settings without touching the main config file:
confdroid_ssh::custom::custom_config { '30-my-hardening':
  config_name    => '30-my-hardening',
  config_content => [
    'PasswordAuthentication no',
    'PermitRootLogin no',
    'MaxAuthTries 3',
  ],
}
This creates a cleanly managed file /etc/ssh/sshd_config.d/30-my-hardening.conf, overriding default settings from the main configuration file.
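To see why a drop-in file overrides the main config, and why its numeric prefix matters, here is an added Python model (not code from the confdroid_ssh module) of sshd's rule that the first value obtained for a keyword wins. It assumes Rocky 9's /etc/ssh/sshd_config begins with the Include line for sshd_config.d/*.conf and that globbed drop-ins are read in sorted name order; the file tree is constructed in memory.

```python
"""Model sshd keyword resolution: the FIRST value obtained for a keyword wins.
Rocky 9's main file starts with `Include /etc/ssh/sshd_config.d/*.conf`, so a
drop-in beats any later line in the main file; globbed drop-ins are assumed to
be read in sorted filename order. Match blocks are out of scope. Constructed tree."""
import fnmatch

FILES = {
    "/etc/ssh/sshd_config": [
        "Include /etc/ssh/sshd_config.d/*.conf",
        "PermitRootLogin yes",
        "PasswordAuthentication yes",
        "MaxAuthTries 6",
    ],
    "/etc/ssh/sshd_config.d/30-my-hardening.conf": [
        "PasswordAuthentication no",
        "PermitRootLogin no",
        "MaxAuthTries 3",
    ],
    "/etc/ssh/sshd_config.d/50-vendor.conf": [
        "PermitRootLogin yes",  # sorts after 30-*, so it loses
    ],
}

def expand(pattern):
    """Files of the constructed tree matching a glob, in sorted name order."""
    return sorted(p for p in FILES if fnmatch.fnmatch(p, pattern))

def effective_config(path="/etc/ssh/sshd_config", seen=None):
    """Return {keyword_lower: value} using first-obtained-value semantics."""
    seen = {} if seen is None else seen
    for raw in FILES.get(path, []):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank or comment line
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "include":
            for pattern in value.split():           # one or more globs
                for included in expand(pattern):
                    effective_config(included, seen)
        else:
            seen.setdefault(key, value)             # later values are ignored
    return seen

def hardening_gaps(required):
    """Required settings whose effective value differs (e.g. a lower-numbered
    drop-in silently winning over 30-my-hardening)."""
    cfg = effective_config()
    return {k.lower(): cfg.get(k.lower()) for k, v in required.items()
            if cfg.get(k.lower()) != v}
```

Running hardening_gaps against the three settings from the example returns an empty dict; adding a drop-in that sorts before 30-my-hardening (say 10-legacy.conf with PermitRootLogin yes) makes it report the regression.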
How It Fits in the Confdroid Ecosystem
confdroid_ssh works hand-in-hand with the rest of the collection:
- confdroid_selinux ensures the global SELinux mode is set correctly
- confdroid_fail2ban protects SSH against brute-force attacks
All other modules benefit from reliable SSH access for management and deployment.
Important Notes
Warning: This module overwrites the SSH configuration. Do not apply it directly to systems that carry heavy manual SSH customizations. Always test it first in a non-production environment, and move your manual configuration into the module via the provided define (see the example above). It is likely best practice to keep snippets small and to apply each one only under the conditions where it is needed, since not every Linux system follows the same pattern; it depends on the applications it hosts.
The module follows the Confdroid “ENC-first” philosophy — configure everything comfortably through Foreman smart class parameters.
You can find the full module, source code, parameter reference, and documentation here: https://sourcecode.confdroid.com/confdroid/confdroid_ssh
Final Thoughts
With confdroid_ssh, you no longer have to worry about SSH breaking after updates or configuration changes. It provides a solid, hardened, and fully automated foundation for secure remote access across your Rocky 9 fleet.
Combined with confdroid_selinux and confdroid_fail2ban, it forms a strong security layer that keeps your servers accessible to you — but not to attackers.
Have you ever lost SSH access due to a misconfiguration or update? How do you currently manage SSH hardening across your servers? Share your experiences or questions in the comments — I’d love to hear them!