diff --git a/README.md b/README.md
index aef2f57..f278c7e 100644
--- a/README.md
+++ b/README.md
@@ -453,6 +453,18 @@ network goes down or the client host crashes. This avoids infinitely hanging se
 - *Default*: 'yes'
+sshd_config_permittunnel
+-----------------------
+PermitTunnel in sshd_config.
+Specifies whether tun(4) device forwarding is allowed. The argument must be
+'yes', 'point-to-point' (layer 3), 'ethernet' (layer 2), or 'no'.
+Specifying 'yes' permits both 'point-to-point' and 'ethernet'. The
+default is 'no'.
+Independent of this setting, the permissions of the selected tun(4) device must
+allow access to the user.
+
+- *Default*: 'no'
+
 sshd_config_ciphers
 -------------------
 Array of ciphers for the Ciphers setting in sshd_config.
diff --git a/manifests/init.pp b/manifests/init.pp
index bf3fc6a..1b1210f 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -110,6 +110,7 @@ class ssh (
 $manage_root_ssh_config = false,
 $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
 $sshd_config_tcp_keepalive = 'yes',
+ $sshd_config_permittunnel = 'no',
 ) {
 case $::osfamily {
@@ -781,6 +782,9 @@ class ssh (
 }
 validate_re($sshd_config_tcp_keepalive, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes' or 'no' and is set to <${sshd_config_tcp_keepalive}>.")
+
+ validate_re($sshd_config_permittunnel, '^(yes|no|point-to-point|ethernet)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet' or 'no' and is set to <${sshd_config_permittunnel}>.")
+
 package { $packages_real:
 ensure => installed,
 source => $ssh_package_source_real,
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 5d1a66e..bb28fe4 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -452,6 +452,7 @@ describe 'ssh' do
 '2001:db8::dead:f00d',
 ],
 :sshd_config_tcp_keepalive => 'yes',
+ :sshd_config_permittunnel => 'no',
 }
 end
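Review bot: The new `validate_re` in the second init.pp hunk anchors its pattern with `^` and `$`, and stdlib's validate_re compiles that string as a Ruby Regexp, where those anchors match at line boundaries rather than string boundaries; a value that starts with a permitted word and continues after a newline therefore passes the check and is rendered verbatim into sshd_config by the template, where the remainder becomes an additional directive. Anchoring on the whole string closes this: `validate_re($sshd_config_permittunnel, '\A(yes|no|point-to-point|ethernet)\z', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet' or 'no' and is set to <${sshd_config_permittunnel}>.")`. The neighbouring `sshd_config_tcp_keepalive` check uses the same `^...$` form, so the module's other validate_re calls presumably do too and deserve the same treatment in a follow-up. The `class ssh` body starts and ends outside both hunks.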
@@ -520,6 +521,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) }
 it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) }
 it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }
+ it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) }
 it { should contain_file('sshd_banner').with({
@@ -968,6 +970,26 @@ describe 'ssh' do
 end
 end
+ describe 'sshd_config_permittunnel param' do
+ ['yes','point-to-point','ethernet','no'].each do |value|
+ context "set to #{value}" do
+ let (:params) { { :sshd_config_permittunnel => value } }
+
+ it { should contain_file('sshd_config').with_content(/^PermitTunnel #{value}$/) }
+ end
+ end
+
+ context 'when set to an invalid value' do
+ let (:params) { { :sshd_config_permittunnel => 'invalid' } }
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/ssh::sshd_config_permittunnel may be either \'yes\', \'point-to-point\', \'ethernet\' or \'no\' and is set to \./)
+ end
+ end
+ end
+
 context 'with manage_root_ssh_config set to invalid value on valid osfamily' do
 let(:params) { { :manage_root_ssh_config => 'invalid' } }
diff --git a/spec/fixtures/sshd_config_debian b/spec/fixtures/sshd_config_debian
index b0d9d02..a162e91 100644
--- a/spec/fixtures/sshd_config_debian
+++ b/spec/fixtures/sshd_config_debian
@@ -128,6 +128,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_rhel b/spec/fixtures/sshd_config_rhel
index 7f4e7bd..8b5c3de 100644
--- a/spec/fixtures/sshd_config_rhel
+++ b/spec/fixtures/sshd_config_rhel
@@ -128,6 +128,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
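Review bot: The `raise_error` expectation in the `'when set to an invalid value'` context of the `@@ -968` hunk ends in `and is set to \.`, but the message raised by the validate_re in init.pp interpolates the rejected value as `and is set to <invalid>.`, so the literal `to .` the regex demands never occurs and I would expect this example to fail unless rspec-puppet rewrites the message; the tail should read `and is set to <invalid>\./)`. The `\'` escapes inside that regex literal are unnecessary, since a plain `'` matches itself in a `/.../` literal, and the `let (:params)` spacing in both new contexts differs from the `let(:params)` form used by the existing context directly below the hunk. The enclosing `describe 'ssh'` block starts and ends outside the hunk.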
diff --git a/spec/fixtures/sshd_config_sles_12_x86_64 b/spec/fixtures/sshd_config_sles_12_x86_64
index 2d27b90..f1a3f5a 100644
--- a/spec/fixtures/sshd_config_sles_12_x86_64
+++ b/spec/fixtures/sshd_config_sles_12_x86_64
@@ -128,6 +128,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_solaris b/spec/fixtures/sshd_config_solaris
index c4f0a25..d9c4b60 100644
--- a/spec/fixtures/sshd_config_solaris
+++ b/spec/fixtures/sshd_config_solaris
@@ -115,6 +115,7 @@ ClientAliveCountMax 3
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_suse_i386 b/spec/fixtures/sshd_config_suse_i386
index 2d27b90..f1a3f5a 100644
--- a/spec/fixtures/sshd_config_suse_i386
+++ b/spec/fixtures/sshd_config_suse_i386
@@ -128,6 +128,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_suse_x86_64 b/spec/fixtures/sshd_config_suse_x86_64
index b9092aa..79cef83 100644
--- a/spec/fixtures/sshd_config_suse_x86_64
+++ b/spec/fixtures/sshd_config_suse_x86_64
@@ -128,6 +128,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/spec/fixtures/sshd_config_ubuntu1604 b/spec/fixtures/sshd_config_ubuntu1604
index 7d7ad87..af936a1 100644
--- a/spec/fixtures/sshd_config_ubuntu1604
+++ b/spec/fixtures/sshd_config_ubuntu1604
@@ -131,6 +131,7 @@ UseDNS yes
 #MaxSessions 10
 #PermitTunnel no
+PermitTunnel no
 #ChrootDirectory none
 # no default banner path
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 9481601..89752a1 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -195,6 +195,7 @@ MaxSessions <%= @sshd_config_maxsessions %>
 <% end -%>
 #PermitTunnel no
+PermitTunnel <%= @sshd_config_permittunnel %>
 <% if @sshd_config_chrootdirectory -%>
 ChrootDirectory <%= @sshd_config_chrootdirectory %>
 <% else -%>