puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add ability to specify MACs option in ssh_config and sshd_config

Browse Source
This commit is contained in:
Garrett Honeycutt 2014-05-28 14:53:39 -04:00
parent dbf2d6c138
commit 230023ef5a
5 changed files with 90 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@ -101,6 +101,12 @@ Array of ciphers to be used with the Ciphers option in ssh_config.
- *Default*: undef
ssh_config_macs
---------------
Array of ciphers to be used with the MACs option in ssh_config.
- *Default*: undef
ssh_sendenv
-------------
Boolean to enable SendEnv options for specifying environment variables. Default is set to true on Linux.
@ -288,6 +294,12 @@ Array of ciphers for the Ciphers setting in sshd_config.
- *Default*: undef
sshd_config_macs
----------------
Array of macs for the MACs setting in sshd_config.
- *Default*: undef
keys
----
Hash of keys for user's ~/.ssh/authorized_keys

10
manifests/init.pp
View File

@ -21,6 +21,7 @@ class ssh (
$ssh_config_server_alive_interval = undef,
$ssh_config_sendenv_xmodifiers = false,
$ssh_config_ciphers = undef,
$ssh_config_macs = undef,
$ssh_sendenv = 'USE_DEFAULTS',
$sshd_config_path = '/etc/ssh/sshd_config',
$sshd_config_owner = 'root',
@ -37,6 +38,7 @@ class ssh (
$sshd_config_serverkeybits = 'USE_DEFAULTS',
$sshd_config_banner = 'none',
$sshd_config_ciphers = undef,
$sshd_config_macs = undef,
$sshd_banner_content = undef,
$sshd_banner_owner = 'root',
$sshd_banner_group = 'root',
@ -337,6 +339,14 @@ class ssh (
validate_array($sshd_config_ciphers)
}
if $ssh_config_macs != undef {
validate_array($ssh_config_macs)
}
if $sshd_config_macs != undef {
validate_array($sshd_config_macs)
}
if $ssh_config_hash_known_hosts_real != undef {
validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
}

62
spec/classes/init_spec.rb
View File

@ -40,6 +40,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -82,6 +83,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it {
should contain_service('sshd_service').with({
@ -164,6 +166,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it {
should contain_file('sshd_config').with({
@ -194,6 +197,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it {
should contain_service('sshd_service').with({
@ -258,6 +262,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it {
should contain_file('sshd_config').with({
@ -288,6 +293,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it {
should contain_service('sshd_service').with({
@ -351,6 +357,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it {
should contain_file('sshd_config').with({
@ -381,6 +388,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it {
should contain_service('sshd_service').with({
@ -443,6 +451,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it {
should contain_file('sshd_config').with({
@ -481,6 +490,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it {
should contain_service('sshd_service').with({
@ -543,6 +553,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it {
should contain_file('sshd_config').with({
@ -581,6 +592,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it {
should contain_service('sshd_service').with({
@ -643,6 +655,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it {
should contain_file('sshd_config').with({
@ -681,6 +694,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it {
should contain_service('sshd_service').with({
@ -743,6 +757,9 @@ describe 'ssh' do
'aes192-cbc',
'aes256-cbc',
],
:ssh_config_macs => [ 'hmac-md5-etm@openssh.com',
'hmac-sha1-etm@openssh.com',
],
}
end
@ -768,6 +785,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) }
it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
end
context 'with params used in sshd_config set on valid osfamily' do
@ -808,6 +826,9 @@ describe 'ssh' do
'aes192-cbc',
'aes256-cbc',
],
:sshd_config_macs => [ 'hmac-md5-etm@openssh.com',
'hmac-sha1-etm@openssh.com',
],
}
end
@ -850,6 +871,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysFile .ssh\/authorized_keys/) }
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
it {
should contain_file('sshd_banner').with({
@ -925,6 +947,26 @@ describe 'ssh' do
end
end
[true,'invalid'].each do |macs|
context "with ssh_config_macs set to invalid value #{macs}" do
let(:params) { { :ssh_config_macs => macs } }
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error)
end
end
end
context 'with ssh_config_hash_known_hosts set to invalid value on valid osfamily' do
let :facts do
{
@ -964,6 +1006,26 @@ describe 'ssh' do
end
end
[true,'invalid'].each do |macs|
context "with sshd_config_macs set to invalid value #{macs}" do
let(:params) { { :sshd_config_macs => macs } }
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error)
end
end
end
context 'with sshd_config_port not being a valid number' do
let :facts do
{

3
templates/ssh_config.erb
View File

@ -77,3 +77,6 @@ Host *
SendEnv XMODIFIERS
<% end -%>
<% end -%>
<% if @ssh_config_macs -%>
MACs <%= @ssh_config_macs.join(',') %>
<% end -%>

3
templates/sshd_config.erb
View File

@ -162,3 +162,6 @@ Subsystem sftp <%= @sshd_config_subsystem_sftp_real %>
<% if @sshd_config_ciphers -%>
Ciphers <%= @sshd_config_ciphers.join(',') %>
<% end -%>
<% if @sshd_config_macs -%>
MACs <%= @sshd_config_macs.join(',') %>
<% end -%>