puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #56 from mlehner616/develop

Browse Source 
Added ClientAliveCountMax config parameter
This commit is contained in:
Garrett Honeycutt 2014-04-02 11:08:23 +02:00
commit 09b2e7723e
4 changed files with 44 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
README.md
View File

@ -242,6 +242,22 @@ This option applies to protocol version 2 only.
- *Default*: '0' - *Default*: '0'
sshd_client_alive_count_max
--------------------------
ClientAliveCountMax in sshd_config.
Sets the number of client alive messages (see below) which may be sent without sshd(8)
receiving any messages back from the client. If this threshold is reached while client alive
messages are being sent, sshd will disconnect the client, terminating the session. It is
important to note that the use of client alive messages is very different from TCPKeepAlive
(below). The client alive messages are sent through the encrypted channel and therefore will
not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client
alive mechanism is valuable when the client or server depend on knowing when a connection has
become inactive. The default value is 3. If ClientAliveInterval (see below) is set to 15,
and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected
after approximately 45 seconds. This option applies to protocol version 2 only.
- *Default*: '3'
keys keys
---- ----
Hash of keys for user's ~/.ssh/authorized_keys Hash of keys for user's ~/.ssh/authorized_keys

2
manifests/init.pp
View File

@ -42,6 +42,7 @@ class ssh (
$sshd_allow_tcp_forwarding = 'yes', $sshd_allow_tcp_forwarding = 'yes',
$sshd_x11_forwarding = 'yes', $sshd_x11_forwarding = 'yes',
$sshd_use_pam = 'USE_DEFAULTS', $sshd_use_pam = 'USE_DEFAULTS',
$sshd_client_alive_count_max = '3',
$sshd_client_alive_interval = '0', $sshd_client_alive_interval = '0',
$sshd_gssapiauthentication = 'yes', $sshd_gssapiauthentication = 'yes',
$sshd_gssapikeyexchange = 'USE_DEFAULTS', $sshd_gssapikeyexchange = 'USE_DEFAULTS',
@ -323,6 +324,7 @@ class ssh (
validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
} }
if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") } if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
if is_integer($sshd_client_alive_count_max) == false { fail("ssh::sshd_client_alive_count_max must be an integer and is set to <${sshd_client_alive_count_max}>.") }
if $sshd_config_banner != 'none' { if $sshd_config_banner != 'none' {
validate_absolute_path($sshd_config_banner) validate_absolute_path($sshd_config_banner)

25
spec/classes/init_spec.rb
View File

@ -70,6 +70,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
@ -448,6 +449,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
@ -542,6 +544,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
@ -636,6 +639,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
@ -748,6 +752,7 @@ describe 'ssh' do
:sshd_x11_forwarding => 'no', :sshd_x11_forwarding => 'no',
:sshd_use_pam => 'no', :sshd_use_pam => 'no',
:sshd_client_alive_interval => '242', :sshd_client_alive_interval => '242',
:sshd_client_alive_count_max => '0',
} }
end end
@ -779,6 +784,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM no$/) } it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
@ -993,6 +999,25 @@ describe 'ssh' do
end end
end end
context 'with sshd_client_alive_count_max set to invalid value on valid osfamily' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{ :sshd_client_alive_count_max => 'invalid' }
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/^ssh::sshd_client_alive_count_max must be an integer and is set to <invalid>\./)
end
end
context 'with sshd_config_banner set to invalid value on valid osfamily' do context 'with sshd_config_banner set to invalid value on valid osfamily' do
let(:params) { { :sshd_config_banner => 'invalid/path' } } let(:params) { { :sshd_config_banner => 'invalid/path' } }
let(:facts) do let(:facts) do

2
templates/sshd_config.erb
View File

@ -130,7 +130,7 @@ PrintMotd <%= @sshd_config_print_motd %>
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
ClientAliveInterval <%= @sshd_client_alive_interval %> ClientAliveInterval <%= @sshd_client_alive_interval %>
#ClientAliveCountMax 3 ClientAliveCountMax <%= @sshd_client_alive_count_max %>
#ShowPatchLevel no #ShowPatchLevel no
<% if @sshd_config_use_dns_real != nil -%> <% if @sshd_config_use_dns_real != nil -%>
#UseDNS yes #UseDNS yes