From 05704d72804b5d70266f49494baac4bf1ff6257a Mon Sep 17 00:00:00 2001
From: nbentoumi
Date: Tue, 20 May 2014 21:24:09 -0400
Subject: [PATCH] Add ServerKeyBits parameter

---
 README.md | 6 ++++++
 manifests/init.pp | 14 ++++++++++++++
 spec/classes/init_spec.rb | 28 ++++++++++++++++++++++++++++
 templates/sshd_config.erb | 4 +++-
 4 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index bdd9cc7..e07d1ec 100644
--- a/README.md
+++ b/README.md
@@ -173,6 +173,12 @@ Specifies whether sshd should check file modes and ownership of the user's files
 - *Default*: undef
+sshd_config_serverkeybits
+----------------------------
+Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024 except for Solaris default value is 768.
+
+- *Default*: '1024' except for Solaris which is '768'
+
 sshd_config_banner
 ------------------
 Banner option in sshd_config.
diff --git a/manifests/init.pp b/manifests/init.pp
index 194b4a4..174740a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -33,6 +33,7 @@ class ssh (
 $sshd_config_use_dns = 'USE_DEFAULTS',
 $sshd_config_authkey_location = undef,
 $sshd_config_strictmodes = undef,
+ $sshd_config_serverkeybits = 'USE_DEFAULTS',
 $sshd_config_banner = 'none',
 $sshd_banner_content = undef,
 $sshd_banner_owner = 'root',
@@ -84,6 +85,7 @@ class ssh (
 $default_sshd_gssapicleanupcredentials = 'yes'
 $default_sshd_acceptenv = true
 $default_service_hasstatus = true
+ $default_sshd_config_serverkeybits = '1024'
 }
 'Suse': {
 $default_packages = 'openssh'
@@ -102,6 +104,7 @@ class ssh (
 $default_sshd_gssapicleanupcredentials = 'yes'
 $default_sshd_acceptenv = true
 $default_service_hasstatus = true
+ $default_sshd_config_serverkeybits = '1024'
 case $::architecture {
 'x86_64': {
 $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
@@ -133,6 +136,7 @@ class ssh (
 $default_sshd_gssapicleanupcredentials = 'yes'
 $default_sshd_acceptenv = true
 $default_service_hasstatus = true
+ $default_sshd_config_serverkeybits = '1024'
 }
 'Solaris': {
 $default_packages = ['SUNWsshcu',
@@ -154,6 +158,7 @@ class ssh (
 $default_sshd_pamauthenticationviakbdint = 'yes'
 $default_sshd_gssapicleanupcredentials = undef
 $default_sshd_acceptenv = false
+ $default_sshd_config_serverkeybits = '768'
 case $::kernelrelease {
 '5.10','5.11': {
 $default_service_name = 'ssh'
@@ -237,6 +242,12 @@ class ssh (
 $sshd_use_pam_real = $sshd_use_pam
 }
+ if $sshd_config_serverkeybits == 'USE_DEFAULTS' {
+ $sshd_config_serverkeybits_real = $default_sshd_config_serverkeybits
+ } else {
+ $sshd_config_serverkeybits_real = $sshd_config_serverkeybits
+ }
+
 if $ssh_config_forward_x11_trusted == 'USE_DEFAULTS' {
 $ssh_config_forward_x11_trusted_real = $default_ssh_config_forward_x11_trusted
 } else {
@@ -326,6 +337,9 @@ class ssh (
 if $sshd_use_pam_real != undef {
 validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
 }
+ if $sshd_config_serverkeybits_real != undef {
+ if is_integer($sshd_config_serverkeybits_real) == false { fail("ssh::sshd_config_serverkeybits must be an integer and is set to <${sshd_config_serverkeybits}>.") }
+ }
 if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
 if is_integer($sshd_client_alive_count_max) == false { fail("ssh::sshd_client_alive_count_max must be an integer and is set to <${sshd_client_alive_count_max}>.") }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 2dd1fea..0a9dcb4 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
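Review bot: The validation added in the `@@ -326` hunk only checks that `$sshd_config_serverkeybits_real` is an integer, so a value below the 512-bit minimum that this patch's own README documents (sshd_config(5) states the same floor) passes validation and is rendered into sshd_config, where sshd will refuse it at start-up rather than at catalog compile time. Consider a second guard after the integer check, e.g. `if $sshd_config_serverkeybits_real < 512 { fail("ssh::sshd_config_serverkeybits must be at least 512 and is set to <${sshd_config_serverkeybits_real}>.") }` (the Puppet 3 language this module appears to target compares numeric strings numerically — confirm against the minimum Puppet version the module declares). The new `fail` message also interpolates the raw `$sshd_config_serverkeybits` rather than the `_real` value that was actually tested, so when the default path is taken the message would read `USE_DEFAULTS`; `<${sshd_config_serverkeybits_real}>` keeps it consistent with the neighbouring `sshd_use_pam` check. The enclosing `class ssh` body begins and ends outside the hunk.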
@@ -70,6 +70,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
 it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
+ it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
 it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
 it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@@ -188,6 +189,7 @@ describe 'ssh' do
 it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
 it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
 it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
+ it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
 it { should contain_service('sshd_service').with({
@@ -279,6 +281,7 @@ describe 'ssh' do
 it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
 it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
 it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
+ it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
 it { should contain_service('sshd_service').with({
@@ -369,6 +372,7 @@ describe 'ssh' do
 it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
 it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
 it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
+ it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
 it { should contain_service('sshd_service').with({
@@ -457,6 +461,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
 it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
+ it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
 it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
 it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@@ -554,6 +559,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
 it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
+ it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
 it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
 it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@@ -651,6 +657,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
 it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
+ it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
 it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
 it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@@ -766,6 +773,7 @@ describe 'ssh' do
 :sshd_x11_forwarding => 'no',
 :sshd_use_pam => 'no',
 :sshd_client_alive_interval => '242',
+ :sshd_config_serverkeybits => '1024',
 :sshd_client_alive_count_max => '0',
 :sshd_config_authkey_location => '.ssh/authorized_keys',
 :sshd_config_strictmodes => 'yes',
@@ -800,6 +808,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
 it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
+ it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) }
 it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
 it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@@ -997,7 +1006,26 @@ describe 'ssh' do
 }.to raise_error(Puppet::Error,/^ssh::sshd_use_pam may be either \'yes\' or \'no\' and is set to \./)
 end
 end
+
+ context 'with sshd_config_serverkeybits set to invalid value on valid osfamily' do
+ let :facts do
+ {
+ :fqdn => 'monkey.example.com',
+ :osfamily => 'RedHat',
+ :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+ }
+ end
+ let :params do
+ { :sshd_config_serverkeybits => 'invalid' }
+ end
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/^ssh::sshd_config_serverkeybits must be an integer and is set to \./)
+ end
+ end
+
 context 'with sshd_client_alive_interval set to invalid value on valid osfamily' do
 let :facts do
 {
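Review bot: The new negative context in the `@@ -997` hunk exercises only a non-numeric value (`'invalid'`); a numeric value below the 512-bit floor documented in this patch's README is accepted by the manifest's `is_integer` check and rendered into sshd_config unchallenged, so a second case with e.g. `{ :sshd_config_serverkeybits => '256' }` would pin whether the module is meant to reject it or pass it through. The override test in the `@@ -766` hunk sets `:sshd_config_serverkeybits => '1024'`, which is the module default for that osfamily, so its `/^ServerKeyBits 1024$/` assertion in `@@ -800` cannot distinguish the explicit parameter from the `USE_DEFAULTS` path; a non-default value such as `'2048'` asserted as `/^ServerKeyBits 2048$/` would. The expected-error regex ends in `is set to \./`, which only matches if the page rendering dropped the angle-bracketed value from it — verify the pattern against the actual `fail` message in the source file. The enclosing `describe 'ssh'` block begins and ends outside these hunks.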
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 0bc1817..a643840 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -30,7 +30,9 @@ HostKey /etc/ssh/ssh_host_rsa_key
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024
-
+<% if @sshd_config_serverkeybits_real != nil -%>
+ServerKeyBits <%= @sshd_config_serverkeybits_real %>
+<% end -%>
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
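Review bot: `<% if @sshd_config_serverkeybits_real != nil -%>` is the explicit-nil comparison the Ruby style guide discourages; `<% unless @sshd_config_serverkeybits_real.nil? -%>` reads the same and matches how ERB conditionals are usually written. Since `ServerKeyBits` governs only the ephemeral SSH protocol 1 host key, the directive is inert on hosts restricted to protocol 2 and OpenSSH releases that removed protocol 1 support report it as deprecated at start-up, which is worth recording for the next maintainer with an ERB comment such as `<%# ServerKeyBits is a protocol 1 setting; inert on protocol-2-only hosts and deprecated in newer OpenSSH -%>` above the `if`. The hunk also deletes the blank line that separated this block from `# Logging` without restoring one after `<% end -%>`, so the rendered sshd_config loses its section spacing.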