Merge pull request #258 from ghoneycutt/allow_agent_forwarding

Add support for AllowAgentForwarding option in sshd_config
2017-12-10 20:58:10 -05:00 · 2017-12-10 20:58:10 -05:00 · 113a86f4bf
commit 113a86f4bf
parent 7b8adfb451 2ca1bdfcca
4 changed files with 38 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -621,6 +621,13 @@ See `sshd_config(5)` for more details

 - *Default*: undefined

+sshd_config_allowagentforwarding
+--------------------------------
+AllowAgentForwarding option in sshd_config. Specifies if ssh-agent(1)
+forwarding is permitted. Valid values are 'yes' and 'no'.
+
+- *Default*: undef
+
 config_entries
 --------------
 Hash of config entries for a specific user's ~/.ssh/config. Please check the docs for ssd::config_entry for a list and details of the parameters usable here.
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -119,6 +119,7 @@ class ssh (
  $sshd_config_hostcertificate            = undef,
  $sshd_config_trustedusercakeys          = undef,
  $sshd_config_authorized_principals_file = undef,
+  $sshd_config_allowagentforwarding       = undef,
 ) {

  case $::osfamily {
@ -866,6 +867,10 @@ class ssh (
    validate_string($sshd_config_authorized_principals_file_real)
  }

+  if $sshd_config_allowagentforwarding != undef {
+    validate_re($sshd_config_allowagentforwarding, '^(yes|no)$', "ssh::sshd_config_allowagentforwarding may be either 'yes' or 'no' and is set to <${sshd_config_allowagentforwarding}>.")
+  }
+
  package { $packages_real:
    ensure    => installed,
    source    => $ssh_package_source_real,
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@ -470,6 +470,7 @@ describe 'ssh' do
        :sshd_config_tcp_keepalive            => 'yes',
  :sshd_config_use_privilege_separation => 'no',
        :sshd_config_permittunnel             => 'no',
+        :sshd_config_allowagentforwarding     => 'no',
      }
    end

@ -1269,6 +1270,26 @@ describe 'sshd_config_print_last_log param' do
    end
  end

+  describe 'with sshd_config_allowagentforwarding' do
+    ['yes','no'].each do |value|
+      context "set to #{value}" do
+        let(:params) { { 'sshd_config_allowagentforwarding' => value } }
+
+        it { should contain_file('sshd_config').with_content(/^AllowAgentForwarding #{value}$/) }
+      end
+    end
+
+    context 'set to invalid value on valid osfamily' do
+      let(:params) { { :sshd_config_allowagentforwarding => 'invalid' } }
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/ssh::sshd_config_allowagentforwarding may be either \'yes\' or \'no\' and is set to <invalid>\./)
+      end
+    end
+  end
+

  context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do
    let(:params) { { :sshd_config_strictmodes => 'invalid' } }
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@ -220,6 +220,10 @@ ChrootDirectory <%= @sshd_config_chrootdirectory %>
 <% if @sshd_config_forcecommand -%>
 ForceCommand <%= @sshd_config_forcecommand %>
 <% end -%>
+<% if @sshd_config_allowagentforwarding != nil -%>
+#AllowAgentForwarding yes
+AllowAgentForwarding <%= @sshd_config_allowagentforwarding %>
+<% end -%>

 # no default banner path
 #Banner none