From 8408d599bab1d2c94c7746e3a83a6aed6179b741 Mon Sep 17 00:00:00 2001
From: mergwyn
Date: Thu, 11 Jun 2020 18:33:20 +0100
Subject: [PATCH 01/12] Add Ubuntu 20.04 support

---
 README.md | 1 +
 manifests/init.pp | 27 +++++
 metadata.json | 3 +-
 spec/classes/init_spec.rb | 13 +++
 spec/fixtures/ssh_config_ubuntu2004 | 61 ++++++++++++
 spec/fixtures/sshd_config_ubuntu2004 | 143 +++++++++++++++++++++++++++
 6 files changed, 247 insertions(+), 1 deletion(-)
 create mode 100644 spec/fixtures/ssh_config_ubuntu2004
 create mode 100644 spec/fixtures/sshd_config_ubuntu2004

diff --git a/README.md b/README.md
index d2b934d..bf4c30d 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,7 @@ for the exact matrix of supported Puppet and ruby versions.
 * Ubuntu 14.04 LTS
 * Ubuntu 16.04 LTS
 * Ubuntu 18.04 LTS
+ * Ubuntu 20.04 LTS
 * Solaris 9
 * Solaris 10
 * Solaris 11
diff --git a/manifests/init.pp b/manifests/init.pp
index 66788b9..8ab2bbd 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -253,6 +253,33 @@ class ssh (
 $default_sshd_config_tcp_keepalive = 'yes'
 $default_sshd_config_permittunnel = 'no'
 }
+ '20.04': {
+ $default_sshd_config_hostkey = [
+ '/etc/ssh/ssh_host_rsa_key',
+ '/etc/ssh/ssh_host_dsa_key',
+ '/etc/ssh/ssh_host_ecdsa_key',
+ '/etc/ssh/ssh_host_ed25519_key',
+ ]
+ $default_ssh_config_hash_known_hosts = 'yes'
+ $default_sshd_config_xauth_location = undef
+ $default_ssh_config_forward_x11_trusted = 'yes'
+ $default_ssh_package_source = undef
+ $default_ssh_package_adminfile = undef
+ $default_ssh_sendenv = true
+ $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
+ $default_sshd_config_mode = '0600'
+ $default_sshd_config_use_dns = 'yes'
+ $default_sshd_use_pam = 'yes'
+ $default_sshd_gssapikeyexchange = undef
+ $default_sshd_pamauthenticationviakbdint = undef
+ $default_sshd_gssapicleanupcredentials = 'yes'
+ $default_sshd_acceptenv = true
+ $default_service_hasstatus = true
+ $default_sshd_config_serverkeybits = '1024'
+ $default_sshd_addressfamily = 'any'
+ $default_sshd_config_tcp_keepalive = 'yes'
+ $default_sshd_config_permittunnel = 'no'
+ }
 /^9.*/: {
 $default_sshd_config_hostkey = [
 '/etc/ssh/ssh_host_rsa_key',
diff --git a/metadata.json b/metadata.json
index 407ce43..979b754 100644
--- a/metadata.json
+++ b/metadata.json
@@ -84,7 +84,8 @@
 "12.04",
 "14.04",
 "16.04",
- "18.04"
+ "18.04",
+ "20.04"
 ]
 }
 ],
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 3b1ebf1..d6c2c1c 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
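Review bot: The new '20.04' branch lists `/etc/ssh/ssh_host_dsa_key` in `$default_sshd_config_hostkey` and sets `$default_sshd_config_serverkeybits = '1024'`, both carried over from the 18.04 block above it. Ubuntu 20.04 ships OpenSSH 8.2, which no longer generates a DSA host key and has ssh-dss disabled by default, so sshd will log a "Could not load host key" error for that path on every start; ServerKeyBits is a protocol-1 option that OpenSSH 7.4 and later only accept as a deprecated directive. Suggest dropping the dsa entry so the list reads rsa, ecdsa, ed25519 and setting `$default_sshd_config_serverkeybits = undef`. The enclosing case statement starts and ends outside the hunk.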
@@ -259,6 +259,19 @@ describe 'ssh' do
 :sshd_config_fixture => 'sshd_config_ubuntu1804',
 :ssh_config_fixture => 'ssh_config_ubuntu1804',
 },
+ 'Ubuntu-2004' => {
+ :architecture => 'x86_64',
+ :osfamily => 'Debian',
+ :operatingsystemrelease => '20.04',
+ :ssh_version => 'OpenSSH_7.6p1',
+ :ssh_version_numeric => '7.6',
+ :ssh_packages => ['openssh-server', 'openssh-client'],
+ :sshd_config_mode => '0600',
+ :sshd_service_name => 'ssh',
+ :sshd_service_hasstatus => true,
+ :sshd_config_fixture => 'sshd_config_ubuntu2004',
+ :ssh_config_fixture => 'ssh_config_ubuntu2004',
+ },
 }
 
 osfamily_matrix.each do |os, facts|
diff --git a/spec/fixtures/ssh_config_ubuntu2004 b/spec/fixtures/ssh_config_ubuntu2004
new file mode 100644
index 0000000..d13cc55
--- /dev/null
+++ b/spec/fixtures/ssh_config_ubuntu2004
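Review bot: The 'Ubuntu-2004' facts are a copy of the 18.04 entry and keep `:ssh_version => 'OpenSSH_7.6p1'` / `:ssh_version_numeric => '7.6'`, but Ubuntu 20.04 ships OpenSSH 8.2p1. Any version-gated logic in the templates is therefore exercised with 7.6 for this platform, so the matching fixtures (for example the `UseRoaming no` line in ssh_config_ubuntu2004) may not reflect what the module renders on a real 20.04 host. Suggest `:ssh_version => 'OpenSSH_8.2p1'` and `:ssh_version_numeric => '8.2'`, then regenerating the two fixture files against those facts. The `osfamily_matrix` hash begins before the hunk.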
@@ -0,0 +1,61 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT + +# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes + PasswordAuthentication yes + PubkeyAuthentication yes +# HostbasedAuthentication no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity + IdentityFile ~/.ssh/id_rsa + IdentityFile ~/.ssh/id_dsa +# Port 22 + Protocol 2 +# Cipher 3des +# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# HashKnownHosts no + HashKnownHosts yes + GlobalKnownHostsFile /etc/ssh/ssh_known_hosts +Host * +# GSSAPIAuthentication yes + GSSAPIAuthentication yes +# If this option is set to yes then remote X11 clients will have full access +# to the original X11 display. As virtually no X11 client supports the untrusted +# mode correctly we set this to yes. 
+ ForwardX11Trusted yes + UseRoaming no +# Send locale-related environment variables + SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL diff --git a/spec/fixtures/sshd_config_ubuntu2004 b/spec/fixtures/sshd_config_ubuntu2004 new file mode 100644 index 0000000..af936a1 --- /dev/null +++ b/spec/fixtures/sshd_config_ubuntu2004 
@@ -0,0 +1,143 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT + +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +#Port 22 +Port 22 +#Protocol 2,1 +Protocol 2 +#AddressFamily any +AddressFamily any + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 +ServerKeyBits 1024 +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTH +#LogLevel INFO +LogLevel INFO + +# Authentication: + +#LoginGraceTime 120 +LoginGraceTime 120 +#PermitRootLogin yes +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 + +#RSAAuthentication yes +#PubkeyAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes +IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! 
+#PasswordAuthentication yes +PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +GSSAPIAuthentication yes +#GSSAPICleanupCredentials yes +GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication mechanism. +# Depending on your PAM configuration, this may bypass the setting of +# PasswordAuthentication, PermitEmptyPasswords, and +# "PermitRootLogin without-password". If you just want the PAM account and +# session checks to run without PAM authentication, then enable this but set +# ChallengeResponseAuthentication=no +#UsePAM no +UsePAM yes + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL +#AllowTcpForwarding yes +AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +X11UseLocalhost yes +#PrintMotd yes +PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +ClientAliveInterval 0 +ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#MaxSessions 10 + +#PermitTunnel no +PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none +Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + 
From 2c12faac070c6afa47aa7111d7b8e31f7f614882 Mon Sep 17 00:00:00 2001
From: mergwyn
Date: Thu, 11 Jun 2020 20:49:23 +0100
Subject: [PATCH 02/12] fix typo

---
 manifests/init.pp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/manifests/init.pp b/manifests/init.pp
index f26009c..faaa838 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -278,6 +278,7 @@ class ssh (
 $default_sshd_config_serverkeybits = '1024'
 $default_sshd_addressfamily = 'any'
 $default_sshd_config_tcp_keepalive = 'yes'
+ }
 /^10.*/: {
 $default_sshd_config_hostkey = [
 '/etc/ssh/ssh_host_rsa_key',

From 7aa838a51ddb1a0c9c8ba33899c0b93af96d9765 Mon Sep 17 00:00:00 2001
From: mergwyn
Date: Mon, 6 Jul 2020 20:08:07 +0100
Subject: [PATCH 03/12] Align fixtures with defaults

---
 manifests/init.pp | 309 +++++++++++++++------------
 spec/fixtures/ssh_config_ubuntu2004 | 2 +
 spec/fixtures/sshd_config_ubuntu2004 | 9 +-
 templates/ssh_config.erb | 10 +-
 templates/sshd_config.erb | 10 +-
 types/include.pp | 5 +
 6 files changed, 199 insertions(+), 146 deletions(-)
 create mode 100644 types/include.pp

diff --git a/manifests/init.pp b/manifests/init.pp
index faaa838..9909b45 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,125 +3,127 @@ # Manage ssh client and server # class ssh ( - $hiera_merge = false, - $packages = 'USE_DEFAULTS', - $permit_root_login = 'yes', - $purge_keys = true, - $manage_firewall = false, - $ssh_package_source = 'USE_DEFAULTS', - $ssh_package_adminfile = 'USE_DEFAULTS', - $ssh_config_hash_known_hosts = 'USE_DEFAULTS', - $ssh_config_path = '/etc/ssh/ssh_config', - $ssh_config_owner = 'root', - $ssh_config_group = 'root', - $ssh_config_mode = '0644', - $ssh_config_forward_x11 = undef, - $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', - $ssh_config_forward_agent = undef, - $ssh_config_server_alive_interval = undef, - $ssh_config_sendenv_xmodifiers = false, - $ssh_hostbasedauthentication = undef, - $ssh_config_proxy_command = undef, - $ssh_strict_host_key_checking = undef, - $ssh_config_ciphers = undef, - $ssh_config_kexalgorithms = undef, - $ssh_config_macs = undef, - $ssh_config_use_roaming = 'USE_DEFAULTS', - $ssh_config_template = 'ssh/ssh_config.erb', - $ssh_sendenv = 'USE_DEFAULTS', - $ssh_gssapiauthentication = 'yes', - $ssh_gssapidelegatecredentials = undef, - $sshd_config_path = '/etc/ssh/sshd_config', - $sshd_config_owner = 'root', - $sshd_config_group = 'root', - $sshd_config_loglevel = 'INFO', - $sshd_config_mode = 'USE_DEFAULTS', - $sshd_config_permitemptypasswords = undef, - $sshd_config_permituserenvironment = undef, - $sshd_config_compression = undef, - $sshd_config_port = '22', - $sshd_config_syslog_facility = 'AUTH', - $sshd_config_template = 'ssh/sshd_config.erb', - $sshd_config_login_grace_time = '120', - $sshd_config_challenge_resp_auth = 'yes', - $sshd_config_print_motd = 'yes', - $sshd_config_print_last_log = undef, - $sshd_config_use_dns = 'USE_DEFAULTS', - $sshd_config_authkey_location = undef, - $sshd_config_strictmodes = undef, - $sshd_config_serverkeybits = 'USE_DEFAULTS', - $sshd_config_banner = 'none', - $sshd_config_ciphers = undef, - $sshd_config_kexalgorithms = undef, - $sshd_config_macs = undef, - $ssh_enable_ssh_keysign = 
undef, - $sshd_config_allowgroups = [], - $sshd_config_allowusers = [], - $sshd_config_denygroups = [], - $sshd_config_denyusers = [], - $sshd_config_maxauthtries = undef, - $sshd_config_maxstartups = undef, - $sshd_config_maxsessions = undef, - $sshd_config_chrootdirectory = undef, - $sshd_config_forcecommand = undef, - $sshd_config_match = undef, - $sshd_authorized_keys_command = undef, - $sshd_authorized_keys_command_user = undef, - $sshd_banner_content = undef, - $sshd_banner_owner = 'root', - $sshd_banner_group = 'root', - $sshd_banner_mode = '0644', - $sshd_config_xauth_location = 'USE_DEFAULTS', - $sshd_config_subsystem_sftp = 'USE_DEFAULTS', - $sshd_kerberos_authentication = undef, - $sshd_password_authentication = 'yes', - $sshd_allow_tcp_forwarding = 'yes', - $sshd_x11_forwarding = 'yes', - $sshd_x11_use_localhost = 'yes', - $sshd_use_pam = 'USE_DEFAULTS', - $sshd_client_alive_count_max = '3', - $sshd_client_alive_interval = '0', - $sshd_gssapiauthentication = 'yes', - $sshd_gssapikeyexchange = 'USE_DEFAULTS', - $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', - $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', - $sshd_acceptenv = 'USE_DEFAULTS', - $sshd_config_hostkey = 'USE_DEFAULTS', - $sshd_listen_address = undef, - $sshd_hostbasedauthentication = 'no', - $sshd_pubkeyacceptedkeytypes = undef, - $sshd_pubkeyauthentication = 'yes', - $sshd_ignoreuserknownhosts = 'no', - $sshd_ignorerhosts = 'yes', - $sshd_config_authenticationmethods = undef, - $manage_service = true, - $sshd_addressfamily = 'USE_DEFAULTS', - $service_ensure = 'running', - $service_name = 'USE_DEFAULTS', - $service_enable = true, - $service_hasrestart = true, - $service_hasstatus = 'USE_DEFAULTS', - $ssh_key_ensure = 'present', - $ssh_key_import = true, - $ssh_key_type = 'ssh-rsa', - $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', - $ssh_config_global_known_hosts_list = undef, - $ssh_config_global_known_hosts_owner = 'root', - $ssh_config_global_known_hosts_group = 
'root', - $ssh_config_global_known_hosts_mode = '0644', - $ssh_config_user_known_hosts_file = undef, - $config_entries = {}, - $keys = undef, - $manage_root_ssh_config = false, - $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", - $sshd_config_tcp_keepalive = undef, - $sshd_config_use_privilege_separation = undef, - $sshd_config_permittunnel = undef, - $sshd_config_hostcertificate = undef, - $sshd_config_trustedusercakeys = undef, - $sshd_config_key_revocation_list = undef, - $sshd_config_authorized_principals_file = undef, - $sshd_config_allowagentforwarding = undef, + $hiera_merge = false, + $packages = 'USE_DEFAULTS', + $permit_root_login = 'yes', + $purge_keys = true, + $manage_firewall = false, + $ssh_package_source = 'USE_DEFAULTS', + $ssh_package_adminfile = 'USE_DEFAULTS', + $ssh_config_hash_known_hosts = 'USE_DEFAULTS', + $ssh_config_path = '/etc/ssh/ssh_config', + $ssh_config_owner = 'root', + $ssh_config_group = 'root', + $ssh_config_mode = '0644', + $ssh_config_forward_x11 = undef, + $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', + $ssh_config_forward_agent = undef, + $ssh_config_server_alive_interval = undef, + $ssh_config_sendenv_xmodifiers = false, + $ssh_hostbasedauthentication = undef, + $ssh_config_proxy_command = undef, + $ssh_strict_host_key_checking = undef, + $ssh_config_ciphers = undef, + $ssh_config_kexalgorithms = undef, + $ssh_config_macs = undef, + $ssh_config_use_roaming = 'USE_DEFAULTS', + $ssh_config_template = 'ssh/ssh_config.erb', + $ssh_sendenv = 'USE_DEFAULTS', + $ssh_gssapiauthentication = 'yes', + $ssh_gssapidelegatecredentials = undef, + $sshd_config_path = '/etc/ssh/sshd_config', + $sshd_config_owner = 'root', + $sshd_config_group = 'root', + $sshd_config_loglevel = 'INFO', + $sshd_config_mode = 'USE_DEFAULTS', + $sshd_config_permitemptypasswords = undef, + $sshd_config_permituserenvironment = undef, + $sshd_config_compression = undef, + $sshd_config_port = '22', + 
$sshd_config_syslog_facility = 'AUTH', + $sshd_config_template = 'ssh/sshd_config.erb', + $sshd_config_login_grace_time = '120', + $sshd_config_challenge_resp_auth = 'yes', + $sshd_config_print_motd = 'yes', + $sshd_config_print_last_log = undef, + $sshd_config_use_dns = 'USE_DEFAULTS', + $sshd_config_authkey_location = undef, + $sshd_config_strictmodes = undef, + $sshd_config_serverkeybits = 'USE_DEFAULTS', + $sshd_config_banner = 'none', + $sshd_config_ciphers = undef, + $sshd_config_kexalgorithms = undef, + $sshd_config_macs = undef, + $ssh_enable_ssh_keysign = undef, + $sshd_config_allowgroups = [], + $sshd_config_allowusers = [], + $sshd_config_denygroups = [], + $sshd_config_denyusers = [], + $sshd_config_maxauthtries = undef, + $sshd_config_maxstartups = undef, + $sshd_config_maxsessions = undef, + $sshd_config_chrootdirectory = undef, + $sshd_config_forcecommand = undef, + $sshd_config_match = undef, + $sshd_authorized_keys_command = undef, + $sshd_authorized_keys_command_user = undef, + $sshd_banner_content = undef, + $sshd_banner_owner = 'root', + $sshd_banner_group = 'root', + $sshd_banner_mode = '0644', + $sshd_config_xauth_location = 'USE_DEFAULTS', + $sshd_config_subsystem_sftp = 'USE_DEFAULTS', + $sshd_kerberos_authentication = undef, + $sshd_password_authentication = 'yes', + $sshd_allow_tcp_forwarding = 'yes', + $sshd_x11_forwarding = 'yes', + $sshd_x11_use_localhost = 'yes', + $sshd_use_pam = 'USE_DEFAULTS', + $sshd_client_alive_count_max = '3', + $sshd_client_alive_interval = '0', + $sshd_gssapiauthentication = 'yes', + $sshd_gssapikeyexchange = 'USE_DEFAULTS', + $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', + $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', + $sshd_acceptenv = 'USE_DEFAULTS', + $sshd_config_hostkey = 'USE_DEFAULTS', + $sshd_listen_address = undef, + $sshd_hostbasedauthentication = 'no', + $sshd_pubkeyacceptedkeytypes = undef, + $sshd_pubkeyauthentication = 'yes', + $sshd_ignoreuserknownhosts = 'no', + $sshd_ignorerhosts = 
'yes', + $sshd_config_authenticationmethods = undef, + $manage_service = true, + $sshd_addressfamily = 'USE_DEFAULTS', + $service_ensure = 'running', + $service_name = 'USE_DEFAULTS', + $service_enable = true, + $service_hasrestart = true, + $service_hasstatus = 'USE_DEFAULTS', + $ssh_key_ensure = 'present', + $ssh_key_import = true, + $ssh_key_type = 'ssh-rsa', + $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', + $ssh_config_global_known_hosts_list = undef, + $ssh_config_global_known_hosts_owner = 'root', + $ssh_config_global_known_hosts_group = 'root', + $ssh_config_global_known_hosts_mode = '0644', + $ssh_config_user_known_hosts_file = undef, + Optional[Ssh::Include] $ssh_config_include = 'USE_DEFAULTS', + $config_entries = {}, + $keys = undef, + $manage_root_ssh_config = false, + $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", + $sshd_config_tcp_keepalive = undef, + $sshd_config_use_privilege_separation = undef, + $sshd_config_permittunnel = undef, + $sshd_config_hostcertificate = undef, + $sshd_config_trustedusercakeys = undef, + $sshd_config_key_revocation_list = undef, + $sshd_config_authorized_principals_file = undef, + $sshd_config_allowagentforwarding = undef, + Optional[Ssh::Include] $sshd_config_include = 'USE_DEFAULTS', ) { case $::osfamily { @@ -134,6 +136,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -153,6 +156,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } 'Suse': { $default_packages = 'openssh' 
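Review bot: The two new parameters `Optional[Ssh::Include] $ssh_config_include` and `Optional[Ssh::Include] $sshd_config_include` are undocumented: the visible class header is just `# Manage ssh client and server`, and neither a `@param` tag nor the README is updated in this commit. The hunk also re-indents roughly 120 untouched parameter lines, which buries the two functional additions in a 250-line diff; a whitespace-only commit first would make the change reviewable. Suggest a header comment such as `# @param sshd_config_include Path(s) or glob(s) emitted as an Include directive at the top of sshd_config; 'USE_DEFAULTS' selects the per-OS value, undef omits the directive`, with the same wording for ssh_config_include. The `class ssh (` parameter list closes inside the hunk but the class body continues beyond it.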
@@ -162,6 +166,7 @@ class ssh (
 $default_ssh_package_adminfile = undef
 $default_ssh_sendenv = true
 $default_ssh_config_forward_x11_trusted = 'yes'
+ $default_ssh_config_include = undef
 $default_sshd_config_mode = '0600'
 $default_sshd_config_use_dns = 'yes'
 $default_sshd_config_xauth_location = '/usr/bin/xauth'
@@ -176,6 +181,7 @@ class ssh (
 $default_sshd_addressfamily = 'any'
 $default_sshd_config_tcp_keepalive = 'yes'
 $default_sshd_config_permittunnel = 'no'
+ $default_sshd_config_include = undef
 case $::architecture {
 'x86_64': {
 if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) {
@@ -212,6 +218,7 @@ class ssh (
 $default_ssh_package_source = undef
 $default_ssh_package_adminfile = undef
 $default_ssh_sendenv = true
+ $default_ssh_config_include = undef
 $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
 $default_sshd_config_mode = '0600'
 $default_sshd_config_use_dns = 'yes'
@@ -225,6 +232,7 @@ class ssh (
 $default_sshd_addressfamily = 'any'
 $default_sshd_config_tcp_keepalive = 'yes'
 $default_sshd_config_permittunnel = 'no'
+ $default_sshd_config_include = undef
 }
 '18.04': {
 $default_sshd_config_hostkey = [
@@ -239,6 +247,7 @@ class ssh (
 $default_ssh_package_source = undef
 $default_ssh_package_adminfile = undef
 $default_ssh_sendenv = true
+ $default_ssh_config_include = undef
 $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
 $default_sshd_config_mode = '0600'
 $default_sshd_config_use_dns = 'yes'
@@ -252,32 +261,36 @@ class ssh (
 $default_sshd_addressfamily = 'any'
 $default_sshd_config_tcp_keepalive = 'yes'
 $default_sshd_config_permittunnel = 'no'
+ $default_sshd_config_include = undef
 }
 '20.04': {
- $default_sshd_config_hostkey = [
- '/etc/ssh/ssh_host_rsa_key',
- '/etc/ssh/ssh_host_dsa_key',
- '/etc/ssh/ssh_host_ecdsa_key',
- '/etc/ssh/ssh_host_ed25519_key',
- ]
- $default_ssh_config_hash_known_hosts = 'yes'
- $default_sshd_config_xauth_location = undef
- $default_ssh_config_forward_x11_trusted = 'yes'
- $default_ssh_package_source = undef
+ $default_service_hasstatus = true
 $default_ssh_package_adminfile = undef
+ $default_ssh_package_source = undef
+ $default_ssh_config_hash_known_hosts = 'yes'
+ $default_ssh_gssapiauthentication = 'yes'
 $default_ssh_sendenv = true
- $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
+ $default_ssh_config_forward_x11_trusted = 'yes'
+ $default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf'
+ $default_sshd_acceptenv = true
+ $default_sshd_addressfamily = 'any'
+ #$default_sshd_config_challenge_resp_auth = 'no'
+ $default_sshd_config_hostkey = []
 $default_sshd_config_mode = '0600'
+ $default_sshd_config_permittunnel = undef
+ $default_sshd_config_print_motd = 'no'
+ $default_sshd_config_serverkeybits = undef
+ $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
+ $default_sshd_config_tcp_keepalive = undef
 $default_sshd_config_use_dns = 'yes'
- $default_sshd_use_pam = 'yes'
+ $default_sshd_config_xauth_location = undef
+ $default_sshd_gssapiauthentication = 'yes'
+ $default_sshd_gssapicleanupcredentials = 'yes'
 $default_sshd_gssapikeyexchange = undef
 $default_sshd_pamauthenticationviakbdint = undef
- $default_sshd_gssapicleanupcredentials = 'yes'
- $default_sshd_acceptenv = true
- $default_service_hasstatus = true
- $default_sshd_config_serverkeybits = '1024'
- $default_sshd_addressfamily = 'any'
- $default_sshd_config_tcp_keepalive = 'yes'
+ $default_sshd_use_pam = 'yes'
+ $default_sshd_x11_forwarding = 'yes'
+ $default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf'
 }
 /^10.*/: {
 $default_sshd_config_hostkey = [
@@ -288,6 +301,7 @@ class ssh (
 $default_sshd_config_mode = '0600'
 $default_sshd_use_pam = 'yes'
 $default_ssh_config_forward_x11_trusted = 'yes'
+ $default_ssh_config_include = undef
 $default_sshd_acceptenv = true
 $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
 $default_ssh_config_hash_known_hosts = 'yes'
@@ -304,6 +318,7 @@ class ssh (
 $default_sshd_gssapikeyexchange = undef
 $default_sshd_pamauthenticationviakbdint = undef
 $default_service_hasstatus = true
+ $default_sshd_config_include = undef
 }
 /^9.*/: {
 $default_sshd_config_hostkey = [
@@ -318,6 +333,7 @@ class ssh (
 $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
 $default_ssh_config_hash_known_hosts = 'yes'
 $default_ssh_sendenv = true
+ $default_ssh_config_include = undef
 $default_sshd_addressfamily = undef
 $default_sshd_config_serverkeybits = undef
 $default_sshd_gssapicleanupcredentials = undef
@@ -329,6 +345,7 @@ class ssh (
 $default_ssh_package_adminfile = undef
 $default_sshd_gssapikeyexchange = undef
 $default_sshd_pamauthenticationviakbdint = undef
+ $default_sshd_config_include = undef
 $default_service_hasstatus = true
 }
 /^7.*/: {
@@ -339,6 +356,7 @@ class ssh (
 $default_ssh_package_source = undef
 $default_ssh_package_adminfile = undef
 $default_ssh_sendenv = true
+ $default_ssh_config_include = undef
 $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
 $default_sshd_config_mode = '0600'
 $default_sshd_config_use_dns = 'yes'
@@ -352,6 +370,7 @@ class ssh (
 $default_sshd_addressfamily = 'any'
 $default_sshd_config_tcp_keepalive = 'yes'
 $default_sshd_config_permittunnel = 'no'
+ $default_sshd_config_include = undef
 }
 /^8.*/: {
@@ -360,6 +379,7 @@ class ssh (
 $default_ssh_package_source = undef
 $default_ssh_package_adminfile = undef
 $default_ssh_sendenv = true
+ $default_ssh_config_include = undef
 $default_sshd_config_hostkey = [
 '/etc/ssh/ssh_host_rsa_key',
 '/etc/ssh/ssh_host_dsa_key',
@@ -380,6 +400,7 @@ class ssh (
 $default_sshd_config_tcp_keepalive = 'yes'
 $default_sshd_config_permittunnel = 'no'
 $default_service_hasstatus = true
+ $default_sshd_config_include = undef
 }
 default: { fail ("Operating System : ${::operatingsystemrelease} not supported") }
 }
@@ -388,6 +409,7 @@ class ssh (
 $default_ssh_config_hash_known_hosts = undef
 $default_ssh_sendenv = false
 $default_ssh_config_forward_x11_trusted = undef
+ $default_ssh_config_include = undef
 $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
 $default_sshd_config_mode = '0644'
 $default_sshd_config_use_dns = undef
@@ -403,6 +425,7 @@ class ssh (
 $default_sshd_addressfamily = undef
 $default_sshd_config_tcp_keepalive = undef
 $default_sshd_config_permittunnel = undef
+ $default_sshd_config_include = undef
 case $::kernelrelease {
 '5.11': {
 $default_packages = ['network/ssh',
@@ -568,6 +591,12 @@ class ssh (
 $ssh_config_use_roaming_real = $ssh_config_use_roaming
 }
 
+ if $ssh_config_include == 'USE_DEFAULTS' {
+ $ssh_config_include_real = $default_ssh_config_include
+ } else {
+ $ssh_config_include_real = $ssh_config_include
+ }
+
 if $ssh_sendenv == 'USE_DEFAULTS' {
 $ssh_sendenv_real = $default_ssh_sendenv
 } else {
@@ -637,6 +666,12 @@ class ssh (
 $sshd_addressfamily_real = $sshd_addressfamily
 }
 
+ if $sshd_config_include == 'USE_DEFAULTS' {
+ $sshd_config_include_real = $default_sshd_config_include
+ } else {
+ $sshd_config_include_real = $sshd_config_include
+ }
+
 case $sshd_config_maxsessions {
 'unset', undef: { $sshd_config_maxsessions_integer = undef }
 default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) }
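Review bot: Several defaults added to the '20.04' branch look unreachable: `$default_sshd_config_print_motd = 'no'`, `$default_sshd_x11_forwarding = 'yes'`, `$default_ssh_gssapiauthentication = 'yes'` and `$default_sshd_gssapiauthentication = 'yes'` have no `USE_DEFAULTS` sentinel on their class parameters (the parameter list in this same commit still declares `$sshd_config_print_motd = 'yes'`, `$sshd_x11_forwarding = 'yes'`, `$ssh_gssapiauthentication = 'yes'` and `$sshd_gssapiauthentication = 'yes'`), so nothing selects them, which is consistent with the updated sshd_config_ubuntu2004 fixture still containing `PrintMotd yes`. The commented-out `#$default_sshd_config_challenge_resp_auth = 'no'` is dead code in the same spirit. Either wire these through the `== 'USE_DEFAULTS'` pattern this commit adds for `$ssh_config_include`, or remove the assignments so the branch only carries defaults that take effect. The enclosing case block starts before the hunk.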
diff --git a/spec/fixtures/ssh_config_ubuntu2004 b/spec/fixtures/ssh_config_ubuntu2004
index d13cc55..9b7f5d5 100644
--- a/spec/fixtures/ssh_config_ubuntu2004
+++ b/spec/fixtures/ssh_config_ubuntu2004
@@ -20,6 +20,8 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
+Include /etc/ssh/ssh_config.d/*.conf
+
 # Host *
 # ForwardAgent no
 # ForwardX11 no
diff --git a/spec/fixtures/sshd_config_ubuntu2004 b/spec/fixtures/sshd_config_ubuntu2004
index af936a1..60d8a68 100644
--- a/spec/fixtures/sshd_config_ubuntu2004
+++ b/spec/fixtures/sshd_config_ubuntu2004
@@ -13,6 +13,8 @@
 # possible, but leave them commented. Uncommented options change a
 # default value.
 
+Include /etc/ssh/sshd_config.d/*.conf
+
 #Port 22
 Port 22
 #Protocol 2,1
@@ -25,15 +27,10 @@ AddressFamily any
 # HostKeys for protocol version 2
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
 
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024
-ServerKeyBits 1024
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
@@ -115,7 +112,6 @@ X11UseLocalhost yes
 PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
-TCPKeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
@@ -131,7 +127,6 @@ UseDNS yes
 #MaxSessions 10
 
 #PermitTunnel no
-PermitTunnel no
 #ChrootDirectory none
 
 # no default banner path
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
index 9cb65e3..a7b18c4 100644
--- a/templates/ssh_config.erb
+++ b/templates/ssh_config.erb
@@ -20,6 +20,14 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
+<% if defined?(@ssh_config_include_real) -%>
+<% if @ssh_config_include_real.is_a? Array -%>
+Include <%= @ssh_config_include_real.join(' ') %>
+<% else -%>
+Include <%= @ssh_config_include_real %>
+<% end -%>
+
+<% end -%>
 # Host *
 # ForwardAgent no
 # ForwardX11 no
@@ -75,7 +83,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
 # If this option is set to yes then remote X11 clients will have full access
 # to the original X11 display. As virtually no X11 client supports the untrusted
 # mode correctly we set this to yes.
-<% if @ssh_config_forward_x11_trusted_real != nil -%>
+<% if defined?(@ssh_config_forward_x11_trusted_real) -%>
 ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %>
 <% end -%>
 <% if @ssh_config_forward_agent != nil -%>
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 4e1bd70..e020a80 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -13,13 +13,21 @@
 # possible, but leave them commented. Uncommented options change a
 # default value.
 
+<% if defined?(@sshd_config_include_real) -%>
+<% if @sshd_config_include_real.is_a? Array -%>
+Include <%= @sshd_config_include_real.join(' ') %>
+<% else -%>
+Include <%= @sshd_config_include_real %>
+<% end -%>
+
+<% end -%>
 #Port 22
 <% @sshd_config_port_array.each do |p| -%>
 <%= "Port #{p}" %>
 <% end -%>
 #Protocol 2,1
 Protocol 2
-<% if @sshd_addressfamily_real != nil -%>
+<% if defined?(@sshd_addressfamily_real) -%>
 #AddressFamily any
 AddressFamily <%= @sshd_addressfamily_real %>
 <% end -%>
diff --git a/types/include.pp b/types/include.pp
new file mode 100644
index 0000000..f5b5f20
--- /dev/null
+++ b/types/include.pp
@@ -0,0 +1,5 @@
+# config files to be includes
+# @summary
+# directory of array of directories to be included
+#
+type Ssh::Include = Variant[String[1],Array[String[1]]]
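Review bot: The Include directive is emitted before every managed option (right after the header comment here, and the sshd_config.erb hunk in this commit does the same). ssh and sshd keep the first value seen for a keyword, so anything dropped into `/etc/ssh/ssh_config.d/*.conf` or `/etc/ssh/sshd_config.d/*.conf` overrides the Puppet-managed lines below it — including `PermitRootLogin` and `PasswordAuthentication` in sshd_config — and nothing in this commit manages or purges those directories. That matches the stock Ubuntu 20.04 files, but it deserves a sentence in the parameter docs, and there appears to be no way to ask for the Include at the bottom instead. `Include` is also only parsed by sshd from OpenSSH 8.2 (ssh from 7.3); a user-supplied `$sshd_config_include` on an older release makes sshd reject its configuration, which the README should warn about.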
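Review bot: `defined?(@ssh_config_forward_x11_trusted_real)` replaces `!= nil` in this hunk and for `@sshd_addressfamily_real` in sshd_config.erb, but the next context line `<% if @ssh_config_forward_agent != nil -%>` keeps the old form, so the file now mixes two idioms for the same test. The two forms agree only because Puppet does not bind undef variables in the template scope; pick one and apply it throughout the template rather than per hunk.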
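Review bot: `Ssh::Include` accepts any non-empty string, yet both templates interpolate the value verbatim into an `Include` line, so a value carrying whitespace or a newline (from Hiera, say) would produce extra or malformed directives in the generated config. Constraining it to `Variant[Pattern[/\A\S+\z/], Array[Pattern[/\A\S+\z/]]]` rejects that at catalog compile time, which is the right place to catch it. The doc lines also read `config files to be includes` and `directory of array of directories`; suggest `# @summary A path or glob, or an array of them, emitted as an Include directive in ssh_config/sshd_config`.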
From 57814688cd61c896513c2ec0b952d1df45154eec Mon Sep 17 00:00:00 2001
From: mergwyn
Date: Thu, 11 Jun 2020 20:49:23 +0100
Subject: [PATCH 04/12] Align fixtures with 20.04 defaults

Align fixtures with defaults
---
 manifests/init.pp | 310 +++++++++++++++------------
 spec/fixtures/ssh_config_ubuntu2004 | 2 +
 spec/fixtures/sshd_config_ubuntu2004 | 9 +-
 templates/ssh_config.erb | 10 +-
 templates/sshd_config.erb | 10 +-
 types/include.pp | 5 +
 6 files changed, 200 insertions(+), 146 deletions(-)
 create mode 100644 types/include.pp

diff --git a/manifests/init.pp b/manifests/init.pp
index f26009c..9909b45 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,125 +3,127 @@ # Manage ssh client and server # class ssh ( - $hiera_merge = false, - $packages = 'USE_DEFAULTS', - $permit_root_login = 'yes', - $purge_keys = true, - $manage_firewall = false, - $ssh_package_source = 'USE_DEFAULTS', - $ssh_package_adminfile = 'USE_DEFAULTS', - $ssh_config_hash_known_hosts = 'USE_DEFAULTS', - $ssh_config_path = '/etc/ssh/ssh_config', - $ssh_config_owner = 'root', - $ssh_config_group = 'root', - $ssh_config_mode = '0644', - $ssh_config_forward_x11 = undef, - $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', - $ssh_config_forward_agent = undef, - $ssh_config_server_alive_interval = undef, - $ssh_config_sendenv_xmodifiers = false, - $ssh_hostbasedauthentication = undef, - $ssh_config_proxy_command = undef, - $ssh_strict_host_key_checking = undef, - $ssh_config_ciphers = undef, - $ssh_config_kexalgorithms = undef, - $ssh_config_macs = undef, - $ssh_config_use_roaming = 'USE_DEFAULTS', - $ssh_config_template = 'ssh/ssh_config.erb', - $ssh_sendenv = 'USE_DEFAULTS', - $ssh_gssapiauthentication = 'yes', - $ssh_gssapidelegatecredentials = undef, - $sshd_config_path = '/etc/ssh/sshd_config', - $sshd_config_owner = 'root', - $sshd_config_group = 'root', - $sshd_config_loglevel = 'INFO', - $sshd_config_mode = 'USE_DEFAULTS', - $sshd_config_permitemptypasswords = undef, - $sshd_config_permituserenvironment = undef, - $sshd_config_compression = undef, - $sshd_config_port = '22', - $sshd_config_syslog_facility = 'AUTH', - $sshd_config_template = 'ssh/sshd_config.erb', - $sshd_config_login_grace_time = '120', - $sshd_config_challenge_resp_auth = 'yes', - $sshd_config_print_motd = 'yes', - $sshd_config_print_last_log = undef, - $sshd_config_use_dns = 'USE_DEFAULTS', - $sshd_config_authkey_location = undef, - $sshd_config_strictmodes = undef, - $sshd_config_serverkeybits = 'USE_DEFAULTS', - $sshd_config_banner = 'none', - $sshd_config_ciphers = undef, - $sshd_config_kexalgorithms = undef, - $sshd_config_macs = undef, - $ssh_enable_ssh_keysign = 
undef, - $sshd_config_allowgroups = [], - $sshd_config_allowusers = [], - $sshd_config_denygroups = [], - $sshd_config_denyusers = [], - $sshd_config_maxauthtries = undef, - $sshd_config_maxstartups = undef, - $sshd_config_maxsessions = undef, - $sshd_config_chrootdirectory = undef, - $sshd_config_forcecommand = undef, - $sshd_config_match = undef, - $sshd_authorized_keys_command = undef, - $sshd_authorized_keys_command_user = undef, - $sshd_banner_content = undef, - $sshd_banner_owner = 'root', - $sshd_banner_group = 'root', - $sshd_banner_mode = '0644', - $sshd_config_xauth_location = 'USE_DEFAULTS', - $sshd_config_subsystem_sftp = 'USE_DEFAULTS', - $sshd_kerberos_authentication = undef, - $sshd_password_authentication = 'yes', - $sshd_allow_tcp_forwarding = 'yes', - $sshd_x11_forwarding = 'yes', - $sshd_x11_use_localhost = 'yes', - $sshd_use_pam = 'USE_DEFAULTS', - $sshd_client_alive_count_max = '3', - $sshd_client_alive_interval = '0', - $sshd_gssapiauthentication = 'yes', - $sshd_gssapikeyexchange = 'USE_DEFAULTS', - $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', - $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', - $sshd_acceptenv = 'USE_DEFAULTS', - $sshd_config_hostkey = 'USE_DEFAULTS', - $sshd_listen_address = undef, - $sshd_hostbasedauthentication = 'no', - $sshd_pubkeyacceptedkeytypes = undef, - $sshd_pubkeyauthentication = 'yes', - $sshd_ignoreuserknownhosts = 'no', - $sshd_ignorerhosts = 'yes', - $sshd_config_authenticationmethods = undef, - $manage_service = true, - $sshd_addressfamily = 'USE_DEFAULTS', - $service_ensure = 'running', - $service_name = 'USE_DEFAULTS', - $service_enable = true, - $service_hasrestart = true, - $service_hasstatus = 'USE_DEFAULTS', - $ssh_key_ensure = 'present', - $ssh_key_import = true, - $ssh_key_type = 'ssh-rsa', - $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', - $ssh_config_global_known_hosts_list = undef, - $ssh_config_global_known_hosts_owner = 'root', - $ssh_config_global_known_hosts_group = 
'root', - $ssh_config_global_known_hosts_mode = '0644', - $ssh_config_user_known_hosts_file = undef, - $config_entries = {}, - $keys = undef, - $manage_root_ssh_config = false, - $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", - $sshd_config_tcp_keepalive = undef, - $sshd_config_use_privilege_separation = undef, - $sshd_config_permittunnel = undef, - $sshd_config_hostcertificate = undef, - $sshd_config_trustedusercakeys = undef, - $sshd_config_key_revocation_list = undef, - $sshd_config_authorized_principals_file = undef, - $sshd_config_allowagentforwarding = undef, + $hiera_merge = false, + $packages = 'USE_DEFAULTS', + $permit_root_login = 'yes', + $purge_keys = true, + $manage_firewall = false, + $ssh_package_source = 'USE_DEFAULTS', + $ssh_package_adminfile = 'USE_DEFAULTS', + $ssh_config_hash_known_hosts = 'USE_DEFAULTS', + $ssh_config_path = '/etc/ssh/ssh_config', + $ssh_config_owner = 'root', + $ssh_config_group = 'root', + $ssh_config_mode = '0644', + $ssh_config_forward_x11 = undef, + $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', + $ssh_config_forward_agent = undef, + $ssh_config_server_alive_interval = undef, + $ssh_config_sendenv_xmodifiers = false, + $ssh_hostbasedauthentication = undef, + $ssh_config_proxy_command = undef, + $ssh_strict_host_key_checking = undef, + $ssh_config_ciphers = undef, + $ssh_config_kexalgorithms = undef, + $ssh_config_macs = undef, + $ssh_config_use_roaming = 'USE_DEFAULTS', + $ssh_config_template = 'ssh/ssh_config.erb', + $ssh_sendenv = 'USE_DEFAULTS', + $ssh_gssapiauthentication = 'yes', + $ssh_gssapidelegatecredentials = undef, + $sshd_config_path = '/etc/ssh/sshd_config', + $sshd_config_owner = 'root', + $sshd_config_group = 'root', + $sshd_config_loglevel = 'INFO', + $sshd_config_mode = 'USE_DEFAULTS', + $sshd_config_permitemptypasswords = undef, + $sshd_config_permituserenvironment = undef, + $sshd_config_compression = undef, + $sshd_config_port = '22', + 
$sshd_config_syslog_facility = 'AUTH', + $sshd_config_template = 'ssh/sshd_config.erb', + $sshd_config_login_grace_time = '120', + $sshd_config_challenge_resp_auth = 'yes', + $sshd_config_print_motd = 'yes', + $sshd_config_print_last_log = undef, + $sshd_config_use_dns = 'USE_DEFAULTS', + $sshd_config_authkey_location = undef, + $sshd_config_strictmodes = undef, + $sshd_config_serverkeybits = 'USE_DEFAULTS', + $sshd_config_banner = 'none', + $sshd_config_ciphers = undef, + $sshd_config_kexalgorithms = undef, + $sshd_config_macs = undef, + $ssh_enable_ssh_keysign = undef, + $sshd_config_allowgroups = [], + $sshd_config_allowusers = [], + $sshd_config_denygroups = [], + $sshd_config_denyusers = [], + $sshd_config_maxauthtries = undef, + $sshd_config_maxstartups = undef, + $sshd_config_maxsessions = undef, + $sshd_config_chrootdirectory = undef, + $sshd_config_forcecommand = undef, + $sshd_config_match = undef, + $sshd_authorized_keys_command = undef, + $sshd_authorized_keys_command_user = undef, + $sshd_banner_content = undef, + $sshd_banner_owner = 'root', + $sshd_banner_group = 'root', + $sshd_banner_mode = '0644', + $sshd_config_xauth_location = 'USE_DEFAULTS', + $sshd_config_subsystem_sftp = 'USE_DEFAULTS', + $sshd_kerberos_authentication = undef, + $sshd_password_authentication = 'yes', + $sshd_allow_tcp_forwarding = 'yes', + $sshd_x11_forwarding = 'yes', + $sshd_x11_use_localhost = 'yes', + $sshd_use_pam = 'USE_DEFAULTS', + $sshd_client_alive_count_max = '3', + $sshd_client_alive_interval = '0', + $sshd_gssapiauthentication = 'yes', + $sshd_gssapikeyexchange = 'USE_DEFAULTS', + $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', + $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', + $sshd_acceptenv = 'USE_DEFAULTS', + $sshd_config_hostkey = 'USE_DEFAULTS', + $sshd_listen_address = undef, + $sshd_hostbasedauthentication = 'no', + $sshd_pubkeyacceptedkeytypes = undef, + $sshd_pubkeyauthentication = 'yes', + $sshd_ignoreuserknownhosts = 'no', + $sshd_ignorerhosts = 
'yes', + $sshd_config_authenticationmethods = undef, + $manage_service = true, + $sshd_addressfamily = 'USE_DEFAULTS', + $service_ensure = 'running', + $service_name = 'USE_DEFAULTS', + $service_enable = true, + $service_hasrestart = true, + $service_hasstatus = 'USE_DEFAULTS', + $ssh_key_ensure = 'present', + $ssh_key_import = true, + $ssh_key_type = 'ssh-rsa', + $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', + $ssh_config_global_known_hosts_list = undef, + $ssh_config_global_known_hosts_owner = 'root', + $ssh_config_global_known_hosts_group = 'root', + $ssh_config_global_known_hosts_mode = '0644', + $ssh_config_user_known_hosts_file = undef, + Optional[Ssh::Include] $ssh_config_include = 'USE_DEFAULTS', + $config_entries = {}, + $keys = undef, + $manage_root_ssh_config = false, + $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", + $sshd_config_tcp_keepalive = undef, + $sshd_config_use_privilege_separation = undef, + $sshd_config_permittunnel = undef, + $sshd_config_hostcertificate = undef, + $sshd_config_trustedusercakeys = undef, + $sshd_config_key_revocation_list = undef, + $sshd_config_authorized_principals_file = undef, + $sshd_config_allowagentforwarding = undef, + Optional[Ssh::Include] $sshd_config_include = 'USE_DEFAULTS', ) { case $::osfamily { @@ -134,6 +136,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -153,6 +156,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } 'Suse': { $default_packages = 'openssh' 
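Review bot: The functional change in this hunk is two lines, `Optional[Ssh::Include] $ssh_config_include = 'USE_DEFAULTS',` and `Optional[Ssh::Include] $sshd_config_include = 'USE_DEFAULTS',`, but they are buried in a re-indentation of every one of the ~120 class parameters, which makes the diff very hard to review and hides that the new data type needs Puppet 4+ — PATCH 05 in this series has to strip it again for Puppet 3. Please split the whitespace re-alignment into its own commit and keep the new parameters in a hunk of their own. The two parameters are also undocumented; a line each under the `# Manage ssh client and server` header saying that the value is rendered verbatim as an `Include` directive (string or array of strings), that `'USE_DEFAULTS'` picks the per-OS default, and that `undef` is meant to suppress the directive would spare the next reader a trip through the templates. The same hunk is repeated in PATCH 06 and the note applies there as well.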
@@ -162,6 +166,7 @@ class ssh ( $default_ssh_package_adminfile = undef $default_ssh_sendenv = true $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_include = undef $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = '/usr/bin/xauth' @@ -176,6 +181,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef case $::architecture { 'x86_64': { if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) { @@ -212,6 +218,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -225,6 +232,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } '18.04': { $default_sshd_config_hostkey = [ @@ -239,6 +247,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' 
@@ -252,32 +261,37 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } '20.04': { - $default_sshd_config_hostkey = [ - '/etc/ssh/ssh_host_rsa_key', - '/etc/ssh/ssh_host_dsa_key', - '/etc/ssh/ssh_host_ecdsa_key', - '/etc/ssh/ssh_host_ed25519_key', - ] - $default_ssh_config_hash_known_hosts = 'yes' - $default_sshd_config_xauth_location = undef - $default_ssh_config_forward_x11_trusted = 'yes' - $default_ssh_package_source = undef + $default_service_hasstatus = true $default_ssh_package_adminfile = undef + $default_ssh_package_source = undef + $default_ssh_config_hash_known_hosts = 'yes' + $default_ssh_gssapiauthentication = 'yes' $default_ssh_sendenv = true - $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' + $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf' + $default_sshd_acceptenv = true + $default_sshd_addressfamily = 'any' + #$default_sshd_config_challenge_resp_auth = 'no' + $default_sshd_config_hostkey = [] $default_sshd_config_mode = '0600' + $default_sshd_config_permittunnel = undef + $default_sshd_config_print_motd = 'no' + $default_sshd_config_serverkeybits = undef + $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' + $default_sshd_config_tcp_keepalive = undef $default_sshd_config_use_dns = 'yes' - $default_sshd_use_pam = 'yes' + $default_sshd_config_xauth_location = undef + $default_sshd_gssapiauthentication = 'yes' + $default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef - $default_sshd_gssapicleanupcredentials = 'yes' - $default_sshd_acceptenv = true - $default_service_hasstatus = true - $default_sshd_config_serverkeybits = '1024' - $default_sshd_addressfamily = 'any' - $default_sshd_config_tcp_keepalive = 'yes' + $default_sshd_use_pam = 'yes' + 
$default_sshd_x11_forwarding = 'yes' + $default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf' + } /^10.*/: { $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', @@ -287,6 +301,7 @@ class ssh ( $default_sshd_config_mode = '0600' $default_sshd_use_pam = 'yes' $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_include = undef $default_sshd_acceptenv = true $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_ssh_config_hash_known_hosts = 'yes' @@ -303,6 +318,7 @@ class ssh ( $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_service_hasstatus = true + $default_sshd_config_include = undef } /^9.*/: { $default_sshd_config_hostkey = [ @@ -317,6 +333,7 @@ class ssh ( $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_ssh_config_hash_known_hosts = 'yes' $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_addressfamily = undef $default_sshd_config_serverkeybits = undef $default_sshd_gssapicleanupcredentials = undef @@ -328,6 +345,7 @@ class ssh ( $default_ssh_package_adminfile = undef $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef + $default_sshd_config_include = undef $default_service_hasstatus = true } /^7.*/: { @@ -338,6 +356,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -351,6 +370,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } /^8.*/: { 
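Review bot: Several `$default_*` values set in the new `'20.04'` branch have no consumer that this series shows: `$default_ssh_gssapiauthentication`, `$default_sshd_gssapiauthentication`, `$default_sshd_x11_forwarding` and `$default_sshd_config_print_motd` belong to parameters whose defaults are the literal `'yes'` rather than `'USE_DEFAULTS'` in the parameter hunk above, so nothing resolves them. The updated fixture spec/fixtures/sshd_config_ubuntu2004 still renders `PrintMotd yes`, which confirms that `$default_sshd_config_print_motd = 'no'` is inert. Either drop those four assignments or switch the matching parameters to `'USE_DEFAULTS'` and add the corresponding `_real` resolution blocks, and remove the commented-out `#$default_sshd_config_challenge_resp_auth = 'no'` or make it a real default. The `$default_sshd_config_hostkey = []` line deliberately stops emitting `HostKey` lines and leaves key selection to sshd's built-in defaults; a one-line comment saying so would keep a future maintainer from "fixing" it. The same hunk is repeated in PATCH 06.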
@@ -359,6 +379,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', @@ -379,6 +400,7 @@ class ssh ( $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' $default_service_hasstatus = true + $default_sshd_config_include = undef } default: { fail ("Operating System : ${::operatingsystemrelease} not supported") } } @@ -387,6 +409,7 @@ class ssh ( $default_ssh_config_hash_known_hosts = undef $default_ssh_sendenv = false $default_ssh_config_forward_x11_trusted = undef + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' $default_sshd_config_mode = '0644' $default_sshd_config_use_dns = undef @@ -402,6 +425,7 @@ class ssh ( $default_sshd_addressfamily = undef $default_sshd_config_tcp_keepalive = undef $default_sshd_config_permittunnel = undef + $default_sshd_config_include = undef case $::kernelrelease { '5.11': { $default_packages = ['network/ssh', @@ -567,6 +591,12 @@ class ssh ( $ssh_config_use_roaming_real = $ssh_config_use_roaming } + if $ssh_config_include == 'USE_DEFAULTS' { + $ssh_config_include_real = $default_ssh_config_include + } else { + $ssh_config_include_real = $ssh_config_include + } + if $ssh_sendenv == 'USE_DEFAULTS' { $ssh_sendenv_real = $default_ssh_sendenv } else { @@ -636,6 +666,12 @@ class ssh ( $sshd_addressfamily_real = $sshd_addressfamily } + if $sshd_config_include == 'USE_DEFAULTS' { + $sshd_config_include_real = $default_sshd_config_include + } else { + $sshd_config_include_real = $sshd_config_include + } + case $sshd_config_maxsessions { 'unset', undef: { $sshd_config_maxsessions_integer = undef } default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) } 
diff --git a/spec/fixtures/ssh_config_ubuntu2004 b/spec/fixtures/ssh_config_ubuntu2004 index d13cc55..9b7f5d5 100644 --- a/spec/fixtures/ssh_config_ubuntu2004 +++ b/spec/fixtures/ssh_config_ubuntu2004 @@ -20,6 +20,8 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. +Include /etc/ssh/ssh_config.d/*.conf + # Host * # ForwardAgent no # ForwardX11 no diff --git a/spec/fixtures/sshd_config_ubuntu2004 b/spec/fixtures/sshd_config_ubuntu2004 index af936a1..60d8a68 100644 --- a/spec/fixtures/sshd_config_ubuntu2004 +++ b/spec/fixtures/sshd_config_ubuntu2004 @@ -13,6 +13,8 @@ # possible, but leave them commented. Uncommented options change a # default value. +Include /etc/ssh/sshd_config.d/*.conf + #Port 22 Port 22 #Protocol 2,1 @@ -25,15 +27,10 @@ AddressFamily any # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_ed25519_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 -ServerKeyBits 1024 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH @@ -115,7 +112,6 @@ X11UseLocalhost yes PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes -TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no @@ -131,7 +127,6 @@ UseDNS yes #MaxSessions 10 #PermitTunnel no -PermitTunnel no #ChrootDirectory none # no default banner path diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index 9cb65e3..a7b18c4 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb 
@@ -20,6 +20,14 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. +<% if defined?(@ssh_config_include_real) -%> +<% if @ssh_config_include_real.is_a? Array -%> +Include <%= @ssh_config_include_real.join(' ') %> +<% else -%> +Include <%= @ssh_config_include_real %> +<% end -%> + +<% end -%> # Host * # ForwardAgent no # ForwardX11 no @@ -75,7 +83,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %> # If this option is set to yes then remote X11 clients will have full access # to the original X11 display. As virtually no X11 client supports the untrusted # mode correctly we set this to yes. -<% if @ssh_config_forward_x11_trusted_real != nil -%> +<% if defined?(@ssh_config_forward_x11_trusted_real) -%> ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %> <% end -%> <% if @ssh_config_forward_agent != nil -%> diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 4e1bd70..e020a80 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -13,13 +13,21 @@ # possible, but leave them commented. Uncommented options change a # default value. +<% if defined?(@sshd_config_include_real) -%> +<% if @sshd_config_include_real.is_a? Array -%> +Include <%= @sshd_config_include_real.join(' ') %> +<% else -%> +Include <%= @sshd_config_include_real %> +<% end -%> + +<% end -%> #Port 22 <% @sshd_config_port_array.each do |p| -%> <%= "Port #{p}" %> <% end -%> #Protocol 2,1 Protocol 2 -<% if @sshd_addressfamily_real != nil -%> +<% if defined?(@sshd_addressfamily_real) -%> #AddressFamily any AddressFamily <%= @sshd_addressfamily_real %> <% end -%> diff --git a/types/include.pp b/types/include.pp new file mode 100644 index 0000000..f5b5f20 --- /dev/null +++ b/types/include.pp @@ -0,0 +1,5 @@ +# config files to be includes +# @summary +# directory of array of directories to be included +# +type Ssh::Include = Variant[String[1],Array[String[1]]] 
From 0ac7da0dc27f81af54a26231ec728f6ccfe06d12 Mon Sep 17 00:00:00 2001
From: mergwyn
Date: Mon, 6 Jul 2020 20:57:32 +0100
Subject: [PATCH 05/12] Remove type to make puppet 3 compatible

---
 manifests/init.pp | 4 ++--
 types/include.pp | 5 -----
 2 files changed, 2 insertions(+), 7 deletions(-)
 delete mode 100644 types/include.pp

diff --git a/manifests/init.pp b/manifests/init.pp
index 9909b45..6488a97 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -110,7 +110,7 @@ class ssh (
 $ssh_config_global_known_hosts_group = 'root',
 $ssh_config_global_known_hosts_mode = '0644',
 $ssh_config_user_known_hosts_file = undef,
- Optional[Ssh::Include] $ssh_config_include = 'USE_DEFAULTS',
+ $ssh_config_include = 'USE_DEFAULTS',
 $config_entries = {},
 $keys = undef,
 $manage_root_ssh_config = false,
@@ -123,7 +123,7 @@ class ssh (
 $sshd_config_key_revocation_list = undef,
 $sshd_config_authorized_principals_file = undef,
 $sshd_config_allowagentforwarding = undef,
- Optional[Ssh::Include] $sshd_config_include = 'USE_DEFAULTS',
+ $sshd_config_include = 'USE_DEFAULTS',
 ) {

 case $::osfamily {
diff --git a/types/include.pp b/types/include.pp
deleted file mode 100644
index f5b5f20..0000000
--- a/types/include.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-# config files to be includes
-# @summary
-# directory of array of directories to be included
-#
-type Ssh::Include = Variant[String[1],Array[String[1]]]
From f2b6c2d8a89e8fce8814fe51dd4c8a0a79927c48 Mon Sep 17 00:00:00 2001
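Review bot: Dropping `Optional[Ssh::Include]` removes the only validation of `$ssh_config_include` and `$sshd_config_include`, and the resolved value is interpolated verbatim into `Include <value>` at the top of the rendered config; an empty string or an unexpected type produces a directive sshd will reject, so the managed service fails to restart on the next run with no hint in the catalog. Since the class already uses `fail()` for unsupported input (see the `default:` branch in the osfamily case), add a Puppet-3-compatible guard after each `USE_DEFAULTS` resolution block, e.g. `if $sshd_config_include_real != undef and !(is_string($sshd_config_include_real) or is_array($sshd_config_include_real)) { fail('sshd_config_include must be a string or an array of strings') }`, assuming puppetlabs-stdlib is already a dependency (the existing `floor()` call suggests it is). The deleted type also carried the only description of what the parameter accepts, so move that text into the parameter documentation in manifests/init.pp.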
From: mergwyn Date: Thu, 11 Jun 2020 20:49:23 +0100 Subject: [PATCH 06/12] # This is a combination of 2 commits. # This is the 1st commit message: Align fixtures with 20.04 defaults Align fixtures with defaults # This is the commit message #2: Remove type to make puppet 3 compatible --- manifests/init.pp | 310 +++++++++++++++------------ spec/fixtures/ssh_config_ubuntu2004 | 2 + spec/fixtures/sshd_config_ubuntu2004 | 9 +- templates/ssh_config.erb | 10 +- templates/sshd_config.erb | 10 +- 5 files changed, 195 insertions(+), 146 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index f26009c..6488a97 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -3,125 +3,127 @@ # Manage ssh client and server # class ssh ( - $hiera_merge = false, - $packages = 'USE_DEFAULTS', - $permit_root_login = 'yes', - $purge_keys = true, - $manage_firewall = false, - $ssh_package_source = 'USE_DEFAULTS', - $ssh_package_adminfile = 'USE_DEFAULTS', - $ssh_config_hash_known_hosts = 'USE_DEFAULTS', - $ssh_config_path = '/etc/ssh/ssh_config', - $ssh_config_owner = 'root', - $ssh_config_group = 'root', - $ssh_config_mode = '0644', - $ssh_config_forward_x11 = undef, - $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', - $ssh_config_forward_agent = undef, - $ssh_config_server_alive_interval = undef, - $ssh_config_sendenv_xmodifiers = false, - $ssh_hostbasedauthentication = undef, - $ssh_config_proxy_command = undef, - $ssh_strict_host_key_checking = undef, - $ssh_config_ciphers = undef, - $ssh_config_kexalgorithms = undef, - $ssh_config_macs = undef, - $ssh_config_use_roaming = 'USE_DEFAULTS', - $ssh_config_template = 'ssh/ssh_config.erb', - $ssh_sendenv = 'USE_DEFAULTS', - $ssh_gssapiauthentication = 'yes', - $ssh_gssapidelegatecredentials = undef, - $sshd_config_path = '/etc/ssh/sshd_config', - $sshd_config_owner = 'root', - $sshd_config_group = 'root', - $sshd_config_loglevel = 'INFO', - $sshd_config_mode = 'USE_DEFAULTS', - $sshd_config_permitemptypasswords = undef, - $sshd_config_permituserenvironment = undef, - $sshd_config_compression = undef, - $sshd_config_port = '22', - $sshd_config_syslog_facility = 'AUTH', - $sshd_config_template = 'ssh/sshd_config.erb', - $sshd_config_login_grace_time = '120', - $sshd_config_challenge_resp_auth = 'yes', - $sshd_config_print_motd = 'yes', - $sshd_config_print_last_log = undef, - $sshd_config_use_dns = 'USE_DEFAULTS', - $sshd_config_authkey_location = undef, - $sshd_config_strictmodes = undef, - $sshd_config_serverkeybits = 'USE_DEFAULTS', - $sshd_config_banner = 'none', - $sshd_config_ciphers = undef, - $sshd_config_kexalgorithms = undef, - $sshd_config_macs = undef, - $ssh_enable_ssh_keysign = 
undef, - $sshd_config_allowgroups = [], - $sshd_config_allowusers = [], - $sshd_config_denygroups = [], - $sshd_config_denyusers = [], - $sshd_config_maxauthtries = undef, - $sshd_config_maxstartups = undef, - $sshd_config_maxsessions = undef, - $sshd_config_chrootdirectory = undef, - $sshd_config_forcecommand = undef, - $sshd_config_match = undef, - $sshd_authorized_keys_command = undef, - $sshd_authorized_keys_command_user = undef, - $sshd_banner_content = undef, - $sshd_banner_owner = 'root', - $sshd_banner_group = 'root', - $sshd_banner_mode = '0644', - $sshd_config_xauth_location = 'USE_DEFAULTS', - $sshd_config_subsystem_sftp = 'USE_DEFAULTS', - $sshd_kerberos_authentication = undef, - $sshd_password_authentication = 'yes', - $sshd_allow_tcp_forwarding = 'yes', - $sshd_x11_forwarding = 'yes', - $sshd_x11_use_localhost = 'yes', - $sshd_use_pam = 'USE_DEFAULTS', - $sshd_client_alive_count_max = '3', - $sshd_client_alive_interval = '0', - $sshd_gssapiauthentication = 'yes', - $sshd_gssapikeyexchange = 'USE_DEFAULTS', - $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', - $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', - $sshd_acceptenv = 'USE_DEFAULTS', - $sshd_config_hostkey = 'USE_DEFAULTS', - $sshd_listen_address = undef, - $sshd_hostbasedauthentication = 'no', - $sshd_pubkeyacceptedkeytypes = undef, - $sshd_pubkeyauthentication = 'yes', - $sshd_ignoreuserknownhosts = 'no', - $sshd_ignorerhosts = 'yes', - $sshd_config_authenticationmethods = undef, - $manage_service = true, - $sshd_addressfamily = 'USE_DEFAULTS', - $service_ensure = 'running', - $service_name = 'USE_DEFAULTS', - $service_enable = true, - $service_hasrestart = true, - $service_hasstatus = 'USE_DEFAULTS', - $ssh_key_ensure = 'present', - $ssh_key_import = true, - $ssh_key_type = 'ssh-rsa', - $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', - $ssh_config_global_known_hosts_list = undef, - $ssh_config_global_known_hosts_owner = 'root', - $ssh_config_global_known_hosts_group = 
'root', - $ssh_config_global_known_hosts_mode = '0644', - $ssh_config_user_known_hosts_file = undef, - $config_entries = {}, - $keys = undef, - $manage_root_ssh_config = false, - $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", - $sshd_config_tcp_keepalive = undef, - $sshd_config_use_privilege_separation = undef, - $sshd_config_permittunnel = undef, - $sshd_config_hostcertificate = undef, - $sshd_config_trustedusercakeys = undef, - $sshd_config_key_revocation_list = undef, - $sshd_config_authorized_principals_file = undef, - $sshd_config_allowagentforwarding = undef, + $hiera_merge = false, + $packages = 'USE_DEFAULTS', + $permit_root_login = 'yes', + $purge_keys = true, + $manage_firewall = false, + $ssh_package_source = 'USE_DEFAULTS', + $ssh_package_adminfile = 'USE_DEFAULTS', + $ssh_config_hash_known_hosts = 'USE_DEFAULTS', + $ssh_config_path = '/etc/ssh/ssh_config', + $ssh_config_owner = 'root', + $ssh_config_group = 'root', + $ssh_config_mode = '0644', + $ssh_config_forward_x11 = undef, + $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', + $ssh_config_forward_agent = undef, + $ssh_config_server_alive_interval = undef, + $ssh_config_sendenv_xmodifiers = false, + $ssh_hostbasedauthentication = undef, + $ssh_config_proxy_command = undef, + $ssh_strict_host_key_checking = undef, + $ssh_config_ciphers = undef, + $ssh_config_kexalgorithms = undef, + $ssh_config_macs = undef, + $ssh_config_use_roaming = 'USE_DEFAULTS', + $ssh_config_template = 'ssh/ssh_config.erb', + $ssh_sendenv = 'USE_DEFAULTS', + $ssh_gssapiauthentication = 'yes', + $ssh_gssapidelegatecredentials = undef, + $sshd_config_path = '/etc/ssh/sshd_config', + $sshd_config_owner = 'root', + $sshd_config_group = 'root', + $sshd_config_loglevel = 'INFO', + $sshd_config_mode = 'USE_DEFAULTS', + $sshd_config_permitemptypasswords = undef, + $sshd_config_permituserenvironment = undef, + $sshd_config_compression = undef, + $sshd_config_port = '22', + 
$sshd_config_syslog_facility = 'AUTH', + $sshd_config_template = 'ssh/sshd_config.erb', + $sshd_config_login_grace_time = '120', + $sshd_config_challenge_resp_auth = 'yes', + $sshd_config_print_motd = 'yes', + $sshd_config_print_last_log = undef, + $sshd_config_use_dns = 'USE_DEFAULTS', + $sshd_config_authkey_location = undef, + $sshd_config_strictmodes = undef, + $sshd_config_serverkeybits = 'USE_DEFAULTS', + $sshd_config_banner = 'none', + $sshd_config_ciphers = undef, + $sshd_config_kexalgorithms = undef, + $sshd_config_macs = undef, + $ssh_enable_ssh_keysign = undef, + $sshd_config_allowgroups = [], + $sshd_config_allowusers = [], + $sshd_config_denygroups = [], + $sshd_config_denyusers = [], + $sshd_config_maxauthtries = undef, + $sshd_config_maxstartups = undef, + $sshd_config_maxsessions = undef, + $sshd_config_chrootdirectory = undef, + $sshd_config_forcecommand = undef, + $sshd_config_match = undef, + $sshd_authorized_keys_command = undef, + $sshd_authorized_keys_command_user = undef, + $sshd_banner_content = undef, + $sshd_banner_owner = 'root', + $sshd_banner_group = 'root', + $sshd_banner_mode = '0644', + $sshd_config_xauth_location = 'USE_DEFAULTS', + $sshd_config_subsystem_sftp = 'USE_DEFAULTS', + $sshd_kerberos_authentication = undef, + $sshd_password_authentication = 'yes', + $sshd_allow_tcp_forwarding = 'yes', + $sshd_x11_forwarding = 'yes', + $sshd_x11_use_localhost = 'yes', + $sshd_use_pam = 'USE_DEFAULTS', + $sshd_client_alive_count_max = '3', + $sshd_client_alive_interval = '0', + $sshd_gssapiauthentication = 'yes', + $sshd_gssapikeyexchange = 'USE_DEFAULTS', + $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', + $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', + $sshd_acceptenv = 'USE_DEFAULTS', + $sshd_config_hostkey = 'USE_DEFAULTS', + $sshd_listen_address = undef, + $sshd_hostbasedauthentication = 'no', + $sshd_pubkeyacceptedkeytypes = undef, + $sshd_pubkeyauthentication = 'yes', + $sshd_ignoreuserknownhosts = 'no', + $sshd_ignorerhosts = 
'yes', + $sshd_config_authenticationmethods = undef, + $manage_service = true, + $sshd_addressfamily = 'USE_DEFAULTS', + $service_ensure = 'running', + $service_name = 'USE_DEFAULTS', + $service_enable = true, + $service_hasrestart = true, + $service_hasstatus = 'USE_DEFAULTS', + $ssh_key_ensure = 'present', + $ssh_key_import = true, + $ssh_key_type = 'ssh-rsa', + $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', + $ssh_config_global_known_hosts_list = undef, + $ssh_config_global_known_hosts_owner = 'root', + $ssh_config_global_known_hosts_group = 'root', + $ssh_config_global_known_hosts_mode = '0644', + $ssh_config_user_known_hosts_file = undef, + $ssh_config_include = 'USE_DEFAULTS', + $config_entries = {}, + $keys = undef, + $manage_root_ssh_config = false, + $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", + $sshd_config_tcp_keepalive = undef, + $sshd_config_use_privilege_separation = undef, + $sshd_config_permittunnel = undef, + $sshd_config_hostcertificate = undef, + $sshd_config_trustedusercakeys = undef, + $sshd_config_key_revocation_list = undef, + $sshd_config_authorized_principals_file = undef, + $sshd_config_allowagentforwarding = undef, + $sshd_config_include = 'USE_DEFAULTS', ) { case $::osfamily { @@ -134,6 +136,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -153,6 +156,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } 'Suse': { $default_packages = 'openssh' 
@@ -162,6 +166,7 @@ class ssh ( $default_ssh_package_adminfile = undef $default_ssh_sendenv = true $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_include = undef $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = '/usr/bin/xauth' @@ -176,6 +181,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef case $::architecture { 'x86_64': { if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) { @@ -212,6 +218,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -225,6 +232,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } '18.04': { $default_sshd_config_hostkey = [ @@ -239,6 +247,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' 
@@ -252,32 +261,37 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } '20.04': { - $default_sshd_config_hostkey = [ - '/etc/ssh/ssh_host_rsa_key', - '/etc/ssh/ssh_host_dsa_key', - '/etc/ssh/ssh_host_ecdsa_key', - '/etc/ssh/ssh_host_ed25519_key', - ] - $default_ssh_config_hash_known_hosts = 'yes' - $default_sshd_config_xauth_location = undef - $default_ssh_config_forward_x11_trusted = 'yes' - $default_ssh_package_source = undef + $default_service_hasstatus = true $default_ssh_package_adminfile = undef + $default_ssh_package_source = undef + $default_ssh_config_hash_known_hosts = 'yes' + $default_ssh_gssapiauthentication = 'yes' $default_ssh_sendenv = true - $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' + $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf' + $default_sshd_acceptenv = true + $default_sshd_addressfamily = 'any' + #$default_sshd_config_challenge_resp_auth = 'no' + $default_sshd_config_hostkey = [] $default_sshd_config_mode = '0600' + $default_sshd_config_permittunnel = undef + $default_sshd_config_print_motd = 'no' + $default_sshd_config_serverkeybits = undef + $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' + $default_sshd_config_tcp_keepalive = undef $default_sshd_config_use_dns = 'yes' - $default_sshd_use_pam = 'yes' + $default_sshd_config_xauth_location = undef + $default_sshd_gssapiauthentication = 'yes' + $default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef - $default_sshd_gssapicleanupcredentials = 'yes' - $default_sshd_acceptenv = true - $default_service_hasstatus = true - $default_sshd_config_serverkeybits = '1024' - $default_sshd_addressfamily = 'any' - $default_sshd_config_tcp_keepalive = 'yes' + $default_sshd_use_pam = 'yes' + 
$default_sshd_x11_forwarding = 'yes' + $default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf' + } /^10.*/: { $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', @@ -287,6 +301,7 @@ class ssh ( $default_sshd_config_mode = '0600' $default_sshd_use_pam = 'yes' $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_include = undef $default_sshd_acceptenv = true $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_ssh_config_hash_known_hosts = 'yes' @@ -303,6 +318,7 @@ class ssh ( $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_service_hasstatus = true + $default_sshd_config_include = undef } /^9.*/: { $default_sshd_config_hostkey = [ @@ -317,6 +333,7 @@ class ssh ( $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_ssh_config_hash_known_hosts = 'yes' $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_addressfamily = undef $default_sshd_config_serverkeybits = undef $default_sshd_gssapicleanupcredentials = undef @@ -328,6 +345,7 @@ class ssh ( $default_ssh_package_adminfile = undef $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef + $default_sshd_config_include = undef $default_service_hasstatus = true } /^7.*/: { @@ -338,6 +356,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -351,6 +370,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } /^8.*/: { 
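Review bot: `$default_sshd_config_print_motd = 'no'`, `$default_sshd_gssapiauthentication = 'yes'` and `$default_sshd_x11_forwarding = 'yes'` in the reworked 20.04 arm are dead assignments: the parameters they mirror are declared with literal defaults (`$sshd_config_print_motd = 'yes'`, `$sshd_gssapiauthentication = 'yes'`, `$sshd_x11_forwarding = 'yes'`) rather than `'USE_DEFAULTS'`, so no `*_real` resolution ever consults them and the 20.04 fixture in this series still renders `PrintMotd yes`. Either move those parameters to the `USE_DEFAULTS` pattern or drop the three lines, so nobody reads `'no'` as the effective value; the commented-out `#$default_sshd_config_challenge_resp_auth = 'no'` should go for the same reason. `$default_sshd_config_hostkey = []` is a real behaviour change (no `HostKey` line is emitted at all, so sshd falls back to its compiled-in key set) and deserves a one-line comment, e.g. `# empty on purpose: emit no HostKey lines, sshd uses its built-in host key defaults`. The `case $::operatingsystemrelease` that this arm belongs to opens before the hunk.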
@@ -359,6 +379,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', @@ -379,6 +400,7 @@ class ssh ( $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' $default_service_hasstatus = true + $default_sshd_config_include = undef } default: { fail ("Operating System : ${::operatingsystemrelease} not supported") } } @@ -387,6 +409,7 @@ class ssh ( $default_ssh_config_hash_known_hosts = undef $default_ssh_sendenv = false $default_ssh_config_forward_x11_trusted = undef + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' $default_sshd_config_mode = '0644' $default_sshd_config_use_dns = undef @@ -402,6 +425,7 @@ class ssh ( $default_sshd_addressfamily = undef $default_sshd_config_tcp_keepalive = undef $default_sshd_config_permittunnel = undef + $default_sshd_config_include = undef case $::kernelrelease { '5.11': { $default_packages = ['network/ssh', @@ -567,6 +591,12 @@ class ssh ( $ssh_config_use_roaming_real = $ssh_config_use_roaming } + if $ssh_config_include == 'USE_DEFAULTS' { + $ssh_config_include_real = $default_ssh_config_include + } else { + $ssh_config_include_real = $ssh_config_include + } + if $ssh_sendenv == 'USE_DEFAULTS' { $ssh_sendenv_real = $default_ssh_sendenv } else { @@ -636,6 +666,12 @@ class ssh ( $sshd_addressfamily_real = $sshd_addressfamily } + if $sshd_config_include == 'USE_DEFAULTS' { + $sshd_config_include_real = $default_sshd_config_include + } else { + $sshd_config_include_real = $sshd_config_include + } + case $sshd_config_maxsessions { 'unset', undef: { $sshd_config_maxsessions_integer = undef } default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) } 
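Review bot: There is no way for a caller to switch the Include off on Ubuntu 20.04 through this resolution: the parameter defaults to `'USE_DEFAULTS'`, passing `undef` selects that default again (Puppet 4+ semantics, as documented), and any other value is emitted verbatim, so an operator who wants the module-rendered sshd_config to be authoritative cannot suppress `Include /etc/ssh/sshd_config.d/*.conf`. That matters because sshd applies the first value it obtains for a keyword, so every drop-in in that directory overrides the settings this module manages. I'd accept an explicit off value between the two branches — `elsif $sshd_config_include == '' { $sshd_config_include_real = undef }` — and document it on the parameter (the template's `defined?` guard already skips an undef `_real`). The `$ssh_config_include` resolution added earlier in this patch has the same gap.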
diff --git a/spec/fixtures/ssh_config_ubuntu2004 b/spec/fixtures/ssh_config_ubuntu2004 index d13cc55..9b7f5d5 100644 --- a/spec/fixtures/ssh_config_ubuntu2004 +++ b/spec/fixtures/ssh_config_ubuntu2004 @@ -20,6 +20,8 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. +Include /etc/ssh/ssh_config.d/*.conf + # Host * # ForwardAgent no # ForwardX11 no diff --git a/spec/fixtures/sshd_config_ubuntu2004 b/spec/fixtures/sshd_config_ubuntu2004 index af936a1..60d8a68 100644 --- a/spec/fixtures/sshd_config_ubuntu2004 +++ b/spec/fixtures/sshd_config_ubuntu2004 @@ -13,6 +13,8 @@ # possible, but leave them commented. Uncommented options change a # default value. +Include /etc/ssh/sshd_config.d/*.conf + #Port 22 Port 22 #Protocol 2,1 @@ -25,15 +27,10 @@ AddressFamily any # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_ed25519_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 -ServerKeyBits 1024 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH @@ -115,7 +112,6 @@ X11UseLocalhost yes PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes -TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no @@ -131,7 +127,6 @@ UseDNS yes #MaxSessions 10 #PermitTunnel no -PermitTunnel no #ChrootDirectory none # no default banner path diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index 9cb65e3..a7b18c4 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb 
@@ -20,6 +20,14 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. +<% if defined?(@ssh_config_include_real) -%> +<% if @ssh_config_include_real.is_a? Array -%> +Include <%= @ssh_config_include_real.join(' ') %> +<% else -%> +Include <%= @ssh_config_include_real %> +<% end -%> + +<% end -%> # Host * # ForwardAgent no # ForwardX11 no @@ -75,7 +83,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %> # If this option is set to yes then remote X11 clients will have full access # to the original X11 display. As virtually no X11 client supports the untrusted # mode correctly we set this to yes. -<% if @ssh_config_forward_x11_trusted_real != nil -%> +<% if defined?(@ssh_config_forward_x11_trusted_real) -%> ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %> <% end -%> <% if @ssh_config_forward_agent != nil -%> diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 4e1bd70..e020a80 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -13,13 +13,21 @@ # possible, but leave them commented. Uncommented options change a # default value. +<% if defined?(@sshd_config_include_real) -%> +<% if @sshd_config_include_real.is_a? Array -%> +Include <%= @sshd_config_include_real.join(' ') %> +<% else -%> +Include <%= @sshd_config_include_real %> +<% end -%> + +<% end -%> #Port 22 <% @sshd_config_port_array.each do |p| -%> <%= "Port #{p}" %> <% end -%> #Protocol 2,1 Protocol 2 -<% if @sshd_addressfamily_real != nil -%> +<% if defined?(@sshd_addressfamily_real) -%> #AddressFamily any AddressFamily <%= @sshd_addressfamily_real %> <% end -%> From 0a54ab8801aec146010b5108c7dfd8e24a37c89b Mon Sep 17 00:00:00 2001 From: mergwyn Date: Mon, 6 Jul 2020 21:08:32 +0100 Subject: [PATCH 07/12] Align fixtures with 20.04 defaults --- manifests/init.pp | 14 ++++++++++++++ types/include.pp | 5 +++++ 2 files changed, 19 insertions(+) create mode 100644 types/include.pp 
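Review bot: The `Include` line is rendered above every keyword this template manages, and sshd_config(5) uses the first value obtained for each keyword, so on Ubuntu 20.04 any file dropped into `/etc/ssh/sshd_config.d/` silently wins over the module's `PasswordAuthentication`, `PermitRootLogin`, `Ciphers` and the rest — and nothing in this series creates or purges that directory. That matches stock 20.04 behaviour, but a user who set `sshd_password_authentication => 'no'` will not expect a drop-in to reverse it, so it needs a template comment and a README caveat; I'd put `# Drop-ins included here take precedence over every directive below (sshd uses the first value it obtains)` directly above the `Include`. Array values are joined with a single unquoted space, so an element containing whitespace is parsed by sshd as two patterns; either quote each element or state that elements must be whitespace-free. The ssh_config.erb hunk above this one has both issues as well.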
diff --git a/manifests/init.pp b/manifests/init.pp index 6488a97..b025e38 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -110,7 +110,11 @@ class ssh ( $ssh_config_global_known_hosts_group = 'root', $ssh_config_global_known_hosts_mode = '0644', $ssh_config_user_known_hosts_file = undef, +<<<<<<< HEAD $ssh_config_include = 'USE_DEFAULTS', +======= + Optional[Ssh::Include] $ssh_config_include = 'USE_DEFAULTS', +>>>>>>> 7aa838a... Align fixtures with defaults $config_entries = {}, $keys = undef, $manage_root_ssh_config = false, @@ -123,7 +127,11 @@ class ssh ( $sshd_config_key_revocation_list = undef, $sshd_config_authorized_principals_file = undef, $sshd_config_allowagentforwarding = undef, +<<<<<<< HEAD $sshd_config_include = 'USE_DEFAULTS', +======= + Optional[Ssh::Include] $sshd_config_include = 'USE_DEFAULTS', +>>>>>>> 7aa838a... Align fixtures with defaults ) { case $::osfamily { @@ -291,6 +299,12 @@ class ssh ( $default_sshd_use_pam = 'yes' $default_sshd_x11_forwarding = 'yes' $default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf' + $default_sshd_gssapicleanupcredentials = 'yes' + $default_sshd_acceptenv = true + $default_service_hasstatus = true + $default_sshd_config_serverkeybits = '1024' + $default_sshd_addressfamily = 'any' + $default_sshd_config_tcp_keepalive = 'yes' } /^10.*/: { $default_sshd_config_hostkey = [ diff --git a/types/include.pp b/types/include.pp new file mode 100644 index 0000000..f5b5f20 --- /dev/null +++ b/types/include.pp @@ -0,0 +1,5 @@ +# config files to be includes +# @summary +# directory of array of directories to be included +# +type Ssh::Include = Variant[String[1],Array[String[1]]] From 81ec143d9cd32d523a4d17a72108e0a65a10dfc9 Mon Sep 17 00:00:00 2001 From: mergwyn Date: Tue, 7 Jul 2020 09:18:49 +0100 Subject: [PATCH 08/12] Fix merge conflict --- manifests/init.pp | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 035b71c..fbaf07d 100644 
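Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 7aa838a...`) are committed into the class parameter list, which is not valid Puppet and stops every catalog that includes `ssh` from compiling. Resolve to a single declaration before merging — `Optional[Ssh::Include] $ssh_config_include = 'USE_DEFAULTS',` if the module is Puppet 4+ only, the untyped form otherwise. The parameter list begins and ends outside this hunk.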
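Review bot: The six added lines reassign variables the same `'20.04'` arm already sets a few lines earlier (`$default_sshd_gssapicleanupcredentials`, `$default_sshd_acceptenv`, `$default_service_hasstatus`, `$default_sshd_addressfamily`, and `$default_sshd_config_serverkeybits` / `$default_sshd_config_tcp_keepalive`, which that arm sets to `undef`); Puppet variables cannot be reassigned within a scope, so this arm fails to compile with a "Cannot reassign variable" error. Beyond the compile error, `'1024'` for ServerKeyBits and `'yes'` for TCPKeepAlive contradict the 20.04 sshd_config fixture in this series, which dropped both lines. Delete the six lines rather than merging them in. The `'20.04'` arm opens and closes outside this hunk.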
--- a/manifests/init.pp +++ b/manifests/init.pp @@ -110,15 +110,7 @@ class ssh ( $ssh_config_global_known_hosts_group = 'root', $ssh_config_global_known_hosts_mode = '0644', $ssh_config_user_known_hosts_file = undef, -<<<<<<< HEAD -<<<<<<< HEAD $ssh_config_include = 'USE_DEFAULTS', -======= - Optional[Ssh::Include] $ssh_config_include = 'USE_DEFAULTS', ->>>>>>> 7aa838a... Align fixtures with defaults -======= - $ssh_config_include = 'USE_DEFAULTS', ->>>>>>> bedb2727907d794c61ebfaaf552890096db3381b $config_entries = {}, $keys = undef, $manage_root_ssh_config = false, @@ -131,15 +123,7 @@ class ssh ( $sshd_config_key_revocation_list = undef, $sshd_config_authorized_principals_file = undef, $sshd_config_allowagentforwarding = undef, -<<<<<<< HEAD -<<<<<<< HEAD $sshd_config_include = 'USE_DEFAULTS', -======= - Optional[Ssh::Include] $sshd_config_include = 'USE_DEFAULTS', ->>>>>>> 7aa838a... Align fixtures with defaults -======= - $sshd_config_include = 'USE_DEFAULTS', ->>>>>>> bedb2727907d794c61ebfaaf552890096db3381b ) { case $::osfamily { From 4f9e08a9f064e53544b8ade1292c298a7a2bc7bf Mon Sep 17 00:00:00 2001 From: mergwyn Date: Tue, 7 Jul 2020 11:40:14 +0100 Subject: [PATCH 09/12] More fixing of merge conflicts --- manifests/init.pp | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index fbaf07d..6f4023d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
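Review bot: Both conflicts are resolved towards the untyped `$sshd_config_include = 'USE_DEFAULTS',` / `$ssh_config_include = 'USE_DEFAULTS',`, which leaves the `Ssh::Include` alias introduced in `types/include.pp` by the previous commit defined but unused and drops the `String[1]` / `Array[String[1]]` validation it provided. If the module targets Puppet 4+, keep the typed form — `Ssh::Include $sshd_config_include = 'USE_DEFAULTS',` is enough, since the alias's `String[1]` member accepts the sentinel and `Optional[...]` only adds an `undef` case the resolution code does not handle. If Puppet 3 support is still required (the 3x-style validation used later in this series suggests it may be), delete `types/include.pp` in the same commit so a dead type does not linger. The parameter list continues outside the hunk.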
@@ -265,23 +265,23 @@ class ssh ( } '20.04': { $default_service_hasstatus = true + $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_hash_known_hosts = 'yes' + $default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf' + $default_ssh_gssapiauthentication = 'yes' $default_ssh_package_adminfile = undef $default_ssh_package_source = undef - $default_ssh_config_hash_known_hosts = 'yes' - $default_ssh_gssapiauthentication = 'yes' $default_ssh_sendenv = true - $default_ssh_config_forward_x11_trusted = 'yes' - $default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf' $default_sshd_acceptenv = true $default_sshd_addressfamily = 'any' - #$default_sshd_config_challenge_resp_auth = 'no' $default_sshd_config_hostkey = [] + $default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf' $default_sshd_config_mode = '0600' $default_sshd_config_permittunnel = undef $default_sshd_config_print_motd = 'no' $default_sshd_config_serverkeybits = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' - $default_sshd_config_tcp_keepalive = undef + $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = undef $default_sshd_gssapiauthentication = 'yes' @@ -290,13 +290,6 @@ class ssh ( $default_sshd_pamauthenticationviakbdint = undef $default_sshd_use_pam = 'yes' $default_sshd_x11_forwarding = 'yes' - $default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf' - $default_sshd_gssapicleanupcredentials = 'yes' - $default_sshd_acceptenv = true - $default_service_hasstatus = true - $default_sshd_config_serverkeybits = '1024' - $default_sshd_addressfamily = 'any' - $default_sshd_config_tcp_keepalive = 'yes' } /^10.*/: { $default_sshd_config_hostkey = [ From 46b6df124024a1104640f446b8a87492df52ddb4 Mon Sep 17 00:00:00 2001 
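Review bot: `$default_sshd_config_tcp_keepalive` changes from `undef` to `'yes'` here, which re-emits `TCPKeepAlive yes` on 20.04 while the 20.04 sshd_config fixture in this series had that line removed; the two cannot both be right, and with the rest of the hunk being a reorder it reads like a merge artefact rather than a decision — I'd leave it `undef` until the fixture says otherwise. `$default_sshd_config_hostkey = []` survives the reorder without explanation, and since this is the only arm that suppresses every HostKey line it should carry a comment such as `# empty on purpose: no HostKey lines, sshd falls back to its built-in host key defaults`. The `'20.04'` arm opens in this hunk and closes in the next one.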
From: mergwyn Date: Tue, 7 Jul 2020 13:39:40 +0100 Subject: [PATCH 10/12] Yet more merge conflict errors --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 6f4023d..e9d54bb 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -281,7 +281,7 @@ class ssh ( $default_sshd_config_print_motd = 'no' $default_sshd_config_serverkeybits = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' - $default_sshd_config_tcp_keepalive = 'yes' + $default_sshd_config_tcp_keepalive = undef $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = undef $default_sshd_gssapiauthentication = 'yes' From 4d6e2260ddafd30b9e2768e84cbcaf3b2997f13a Mon Sep 17 00:00:00 2001 From: mergwyn Date: Mon, 7 Sep 2020 18:23:42 +0100 Subject: [PATCH 11/12] Address review comments --- manifests/init.pp | 22 +++++++++++++++ spec/classes/init_spec.rb | 57 +++++++++++++++++++++++++++++++++++++++ types/include.pp | 5 ---- 3 files changed, 79 insertions(+), 5 deletions(-) delete mode 100644 types/include.pp diff --git a/manifests/init.pp b/manifests/init.pp index e9d54bb..8e02308 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -593,6 +593,17 @@ class ssh ( if $ssh_config_include == 'USE_DEFAULTS' { $ssh_config_include_real = $default_ssh_config_include } else { + case type3x($ssh_config_include) { + 'array': { + validate_array($ssh_config_include) + } + 'string': { + validate_string($ssh_config_include) + } + default: { + fail('ssh::ssh_config_include type must be a strting or array.') + } + } $ssh_config_include_real = $ssh_config_include } 
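Review bot: The new validation is weaker than the `Ssh::Include` alias it replaces: `validate_string` / `validate_array` accept `''` and `['']`, which the old `String[1]` members rejected, and the template then renders an `Include` directive with no pattern (I have not checked whether ssh treats that as a no-op or a parse error, which is itself a reason to reject it). Add an emptiness check next to the type check — `if empty($ssh_config_include) { fail('ssh::ssh_config_include must not be empty.') }` — and give array elements the same treatment. The failure message also has a typo: `fail('ssh::ssh_config_include type must be a string or array.')`. `type3x`, `validate_*` and `empty` are all puppetlabs-stdlib functions, so this stays within the dependency the hunk already takes on; the class continues outside the hunk.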
@@ -668,6 +679,17 @@ class ssh (
if $sshd_config_include == 'USE_DEFAULTS' {
$sshd_config_include_real = $default_sshd_config_include
} else {
+ case type3x($sshd_config_include) {
+ 'array': {
+ validate_array($sshd_config_include)
+ }
+ 'string': {
+ validate_string($sshd_config_include)
+ }
+ default: {
+ fail('ssh::sshd_config_include type must be a strting or array.')
+ }
+ }
$sshd_config_include_real = $sshd_config_include
}
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 6a9449f..a1c743f 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
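Review bot: `validate_string` / `validate_array` let `''` and `['']` through, and the template turns those into an `Include` directive with no pattern in sshd_config; on the server side that is worth rejecting explicitly, because if sshd refuses the file (I have not verified how it handles a bare `Include`) the next restart leaves the host without ssh. Add `if empty($sshd_config_include) { fail('ssh::sshd_config_include must not be empty.') }` beside the type check and apply the same rule to array elements, which `validate_array` does not inspect. The message also has a typo: `fail('ssh::sshd_config_include type must be a string or array.')`. The class continues outside the hunk.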
@@ -2786,4 +2786,61 @@ describe 'sshd_config_print_last_log param' do end # var[:name].each end # validations.sort.each end # describe 'variable type and content validations' + + describe 'sshd_config_include' do + context 'when set to an array' do + let(:params) { {'sshd_config_include' => ['file1','file2'] } } + + it { should contain_file('sshd_config').with_content(/^Include file1 file2$/) } + end + + context 'when set to a string' do + let(:params) { {'sshd_config_include' => 'file1' } } + + it { should contain_file('sshd_config').with_content(/^Include file1$/) } + end + + context 'when not set' do + it { should_not contain_file('sshd_config').with_content(/^\s*Include/) } + end + + context 'when set to an invalid type (not string or array)' do + let(:params) { {'sshd_config_include' => true } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + + describe 'ssh_config_include' do + context 'when set to an array' do + let(:params) { {'ssh_config_include' => ['file1','file2'] } } + + it { should contain_file('ssh_config').with_content(/^Include file1 file2$/) } + end + + context 'when set to a string' do + let(:params) { {'ssh_config_include' => 'file1' } } + + it { should contain_file('ssh_config').with_content(/^Include file1$/) } + end + + context 'when not set' do + it { should_not contain_file('ssh_config').with_content(/^\s*Include/) } + end + + context 'when set to an invalid type (not string or array)' do + let(:params) { {'ssh_config_include' => true } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + end diff --git a/types/include.pp b/types/include.pp deleted file mode 100644 index f5b5f20..0000000 --- a/types/include.pp +++ /dev/null @@ -1,5 +0,0 @@ -# config files to be includes -# @summary -# directory of array of directories to be included -# -type Ssh::Include = Variant[String[1],Array[String[1]]] 
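Review bot: The negative contexts only feed `true`; nothing pins the boundary values that matter for the rendered file — `''`, `['']` and `['file1', '']` — so a regression that emits `Include` with an empty pattern would pass this suite. Add a context per parameter with `let(:params) { { 'sshd_config_include' => '' } }` expecting `raise_error(Puppet::Error)` once the manifest rejects empties, plus a positive case on Ubuntu 20.04 facts asserting `/^Include \/etc\/ssh\/sshd_config\.d\/\*\.conf$/` so the OS default is covered by an example rather than only by the fixture file. The 'when not set' contexts depend on the example group's default facts not being Ubuntu 20.04, which is not visible here; a one-line comment saying so would save the next reader a lookup. The describe block these examples are appended to starts outside the hunk.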
From fc1c2178482241b54de1e0bfe76e60a6b5a54b43 Mon Sep 17 00:00:00 2001 From: mergwyn Date: Mon, 7 Sep 2020 18:40:24 +0100 Subject: [PATCH 12/12] Remove deprecated gem install documentation options --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 0650a11..2d9d92b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,7 @@ cache: bundler before_install: - if [ $BUNDLER_VERSION ]; then - gem install -v $BUNDLER_VERSION bundler --no-rdoc --no-ri; + gem install -v $BUNDLER_VERSION bundler --no-document; fi - bundle -v - rm Gemfile.lock || true