puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #94 from ghoneycutt/add_sshd_listen_address

Browse Source 
Add sshd listen address
This commit is contained in:
Garrett Honeycutt 2014-10-27 20:01:32 -04:00
commit 1f3d467aea
4 changed files with 89 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -160,6 +160,12 @@ sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris.
- *Default*: 'USE_DEFAULTS' - *Default*: 'USE_DEFAULTS'
sshd_listen_address
-------------------
String or Array to specify address(es) for which sshd will bind. Corresponds to ListenAddress in sshd_config.
- *Default*: undef
sshd_config_port sshd_config_port
--------------------------- ---------------------------
String to specify listen port for sshd. Port option in sshd_config. String to specify listen port for sshd. Port option in sshd_config.

5
manifests/init.pp
View File

@ -65,6 +65,7 @@ class ssh (
$sshd_gssapicleanupcredentials = 'USE_DEFAULTS', $sshd_gssapicleanupcredentials = 'USE_DEFAULTS',
$sshd_acceptenv = 'USE_DEFAULTS', $sshd_acceptenv = 'USE_DEFAULTS',
$sshd_config_hostkey = 'USE_DEFAULTS', $sshd_config_hostkey = 'USE_DEFAULTS',
$sshd_listen_address = undef,
$service_ensure = 'running', $service_ensure = 'running',
$service_name = 'USE_DEFAULTS', $service_name = 'USE_DEFAULTS',
$service_enable = 'true', $service_enable = 'true',
@ -348,6 +349,10 @@ class ssh (
$sshd_config_hostkey_real = $sshd_config_hostkey $sshd_config_hostkey_real = $sshd_config_hostkey
} }
if $sshd_listen_address {
validate_array($sshd_listen_address)
}
if $service_hasstatus == 'USE_DEFAULTS' { if $service_hasstatus == 'USE_DEFAULTS' {
$service_hasstatus_real = $default_service_hasstatus $service_hasstatus_real = $default_service_hasstatus
} else { } else {

71
spec/classes/init_spec.rb
View File

@ -81,6 +81,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should contain_file('sshd_config').without_content(/^\s*ListenAddress/) }
it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange no$/) } it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange no$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) } it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
@ -211,6 +212,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*ListenAddress/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -312,6 +314,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*ListenAddress/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -412,6 +415,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*ListenAddress/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -519,6 +523,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*ListenAddress/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -626,6 +631,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*ListenAddress/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -733,6 +739,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*ListenAddress/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -882,6 +889,9 @@ describe 'ssh' do
:sshd_config_allowgroups => [ 'ssh', :sshd_config_allowgroups => [ 'ssh',
'security', 'security',
], ],
:sshd_listen_address => [ '192.168.1.1',
'2001:db8::dead:f00d',
],
} }
end end
@ -931,6 +941,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^\s*DenyGroups nossh wheel$/) } it { should contain_file('sshd_config').with_content(/^\s*DenyGroups nossh wheel$/) }
it { should contain_file('sshd_config').with_content(/^\s*AllowUsers foo bar$/) } it { should contain_file('sshd_config').with_content(/^\s*AllowUsers foo bar$/) }
it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) } it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) }
it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) }
it { it {
should contain_file('sshd_banner').with({ should contain_file('sshd_banner').with({
@ -945,6 +956,66 @@ describe 'ssh' do
} }
end end
describe 'sshd_listen_address param' do
context 'when set to an array' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:root_home => '/root',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let (:params) {{'sshd_listen_address' => ['192.168.1.1','2001:db8::dead:f00d'] }}
it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) }
end
context 'when set to a string' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:root_home => '/root',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let (:params) {{'sshd_listen_address' => ['192.168.1.1'] }}
it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1$/) }
end
context 'when not set' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:root_home => '/root',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it { should_not contain_file('sshd_config').with_content(/^\s*ListenAddress/) }
end
context 'when set to an invalid type (not string or array)' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:root_home => '/root',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let (:params) {{'sshd_listen_address' => true }}
it 'should fail' do
expect { subject }.to raise_error(Puppet::Error)
end
end
end
describe 'sshd_loglevel param' do describe 'sshd_loglevel param' do
context 'when set to an invalid value' do context 'when set to an invalid value' do
let :facts do let :facts do

9
templates/sshd_config.erb
View File

@ -18,8 +18,13 @@ Port <%= @sshd_config_port %>
#Protocol 2,1 #Protocol 2,1
Protocol 2 Protocol 2
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 <% if @sshd_listen_address.class == Array -%>
#ListenAddress :: <% @sshd_listen_address.each do |val| -%>
ListenAddress <%= val %>
<% end -%>
<% elsif @sshd_listen_address.class == String -%>
ListenAddress <%= @sshd_listen_address %>
<% end -%>
# HostKey for protocol version 1 # HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key #HostKey /etc/ssh/ssh_host_key