puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #343 from mergwyn/PR343_merge

Browse Source 
Add Ubuntu 20.04 support
This commit is contained in:
Garrett Honeycutt 2020-09-07 14:29:48 -04:00 committed by GitHub
commit 237bd9c2a9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 494 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -5,7 +5,7 @@ cache: bundler
before_install:
- if [ $BUNDLER_VERSION ]; then
gem install -v $BUNDLER_VERSION bundler --no-rdoc --no-ri;
gem install -v $BUNDLER_VERSION bundler --no-document;
fi
- bundle -v
- rm Gemfile.lock || true

1
README.md
View File

@ -40,6 +40,7 @@ for the exact matrix of supported Puppet and ruby versions.
* Ubuntu 14.04 LTS
* Ubuntu 16.04 LTS
* Ubuntu 18.04 LTS
* Ubuntu 20.04 LTS
* Solaris 9
* Solaris 10
* Solaris 11

82
manifests/init.pp
View File

@ -110,6 +110,7 @@ class ssh (
$ssh_config_global_known_hosts_group = 'root',
$ssh_config_global_known_hosts_mode = '0644',
$ssh_config_user_known_hosts_file = undef,
$ssh_config_include = 'USE_DEFAULTS',
$config_entries = {},
$keys = undef,
$manage_root_ssh_config = false,
@ -122,6 +123,7 @@ class ssh (
$sshd_config_key_revocation_list = undef,
$sshd_config_authorized_principals_file = undef,
$sshd_config_allowagentforwarding = undef,
$sshd_config_include = 'USE_DEFAULTS',
) {
case $::osfamily {
@ -134,6 +136,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -153,6 +156,7 @@ class ssh (
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
}
'Suse': {
$default_packages = 'openssh'
@ -162,6 +166,7 @@ class ssh (
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_forward_x11_trusted = 'yes'
$default_ssh_config_include = undef
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
$default_sshd_config_xauth_location = '/usr/bin/xauth'
@ -176,6 +181,7 @@ class ssh (
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
case $::architecture {
'x86_64': {
if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) {
@ -212,6 +218,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -225,6 +232,7 @@ class ssh (
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
}
'18.04': {
$default_sshd_config_hostkey = [
@ -239,6 +247,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -252,6 +261,35 @@ class ssh (
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
}
'20.04': {
$default_service_hasstatus = true
$default_ssh_config_forward_x11_trusted = 'yes'
$default_ssh_config_hash_known_hosts = 'yes'
$default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf'
$default_ssh_gssapiauthentication = 'yes'
$default_ssh_package_adminfile = undef
$default_ssh_package_source = undef
$default_ssh_sendenv = true
$default_sshd_acceptenv = true
$default_sshd_addressfamily = 'any'
$default_sshd_config_hostkey = []
$default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf'
$default_sshd_config_mode = '0600'
$default_sshd_config_permittunnel = undef
$default_sshd_config_print_motd = 'no'
$default_sshd_config_serverkeybits = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_tcp_keepalive = undef
$default_sshd_config_use_dns = 'yes'
$default_sshd_config_xauth_location = undef
$default_sshd_gssapiauthentication = 'yes'
$default_sshd_gssapicleanupcredentials = 'yes'
$default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef
$default_sshd_use_pam = 'yes'
$default_sshd_x11_forwarding = 'yes'
}
/^10.*/: {
$default_sshd_config_hostkey = [
@ -262,6 +300,7 @@ class ssh (
$default_sshd_config_mode = '0600'
$default_sshd_use_pam = 'yes'
$default_ssh_config_forward_x11_trusted = 'yes'
$default_ssh_config_include = undef
$default_sshd_acceptenv = true
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_ssh_config_hash_known_hosts = 'yes'
@ -278,6 +317,7 @@ class ssh (
$default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef
$default_service_hasstatus = true
$default_sshd_config_include = undef
}
/^9.*/: {
$default_sshd_config_hostkey = [
@ -292,6 +332,7 @@ class ssh (
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_ssh_config_hash_known_hosts = 'yes'
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_addressfamily = undef
$default_sshd_config_serverkeybits = undef
$default_sshd_gssapicleanupcredentials = undef
@ -303,6 +344,7 @@ class ssh (
$default_ssh_package_adminfile = undef
$default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef
$default_sshd_config_include = undef
$default_service_hasstatus = true
}
/^7.*/: {
@ -313,6 +355,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -326,6 +369,7 @@ class ssh (
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
}
/^8.*/: {
@ -334,6 +378,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_hostkey = [
'/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_dsa_key',
@ -354,6 +399,7 @@ class ssh (
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_service_hasstatus = true
$default_sshd_config_include = undef
}
default: { fail ("Operating System : ${::operatingsystemrelease} not supported") }
}
@ -362,6 +408,7 @@ class ssh (
$default_ssh_config_hash_known_hosts = undef
$default_ssh_sendenv = false
$default_ssh_config_forward_x11_trusted = undef
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
$default_sshd_config_mode = '0644'
$default_sshd_config_use_dns = undef
@ -377,6 +424,7 @@ class ssh (
$default_sshd_addressfamily = undef
$default_sshd_config_tcp_keepalive = undef
$default_sshd_config_permittunnel = undef
$default_sshd_config_include = undef
case $::kernelrelease {
'5.11': {
$default_packages = ['network/ssh',
@ -542,6 +590,23 @@ class ssh (
$ssh_config_use_roaming_real = $ssh_config_use_roaming
}
if $ssh_config_include == 'USE_DEFAULTS' {
$ssh_config_include_real = $default_ssh_config_include
} else {
case type3x($ssh_config_include) {
'array': {
validate_array($ssh_config_include)
}
'string': {
validate_string($ssh_config_include)
}
default: {
fail('ssh::ssh_config_include type must be a strting or array.')
}
}
$ssh_config_include_real = $ssh_config_include
}
if $ssh_sendenv == 'USE_DEFAULTS' {
$ssh_sendenv_real = $default_ssh_sendenv
} else {
@ -611,6 +676,23 @@ class ssh (
$sshd_addressfamily_real = $sshd_addressfamily
}
if $sshd_config_include == 'USE_DEFAULTS' {
$sshd_config_include_real = $default_sshd_config_include
} else {
case type3x($sshd_config_include) {
'array': {
validate_array($sshd_config_include)
}
'string': {
validate_string($sshd_config_include)
}
default: {
fail('ssh::sshd_config_include type must be a strting or array.')
}
}
$sshd_config_include_real = $sshd_config_include
}
case $sshd_config_maxsessions {
'unset', undef: { $sshd_config_maxsessions_integer = undef }
default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) }

3
metadata.json
View File

@ -85,7 +85,8 @@
"12.04",
"14.04",
"16.04",
"18.04"
"18.04",
"20.04"
]
}
],

70
spec/classes/init_spec.rb
View File

@ -272,6 +272,19 @@ describe 'ssh' do
:sshd_config_fixture => 'sshd_config_ubuntu1804',
:ssh_config_fixture => 'ssh_config_ubuntu1804',
},
'Ubuntu-2004' => {
:architecture => 'x86_64',
:osfamily => 'Debian',
:operatingsystemrelease => '20.04',
:ssh_version => 'OpenSSH_7.6p1',
:ssh_version_numeric => '7.6',
:ssh_packages => ['openssh-server', 'openssh-client'],
:sshd_config_mode => '0600',
:sshd_service_name => 'ssh',
:sshd_service_hasstatus => true,
:sshd_config_fixture => 'sshd_config_ubuntu2004',
:ssh_config_fixture => 'ssh_config_ubuntu2004',
},
}
osfamily_matrix.each do |os, facts|
@ -2773,4 +2786,61 @@ describe 'sshd_config_print_last_log param' do
end # var[:name].each
end # validations.sort.each
end # describe 'variable type and content validations'
describe 'sshd_config_include' do
context 'when set to an array' do
let(:params) { {'sshd_config_include' => ['file1','file2'] } }
it { should contain_file('sshd_config').with_content(/^Include file1 file2$/) }
end
context 'when set to a string' do
let(:params) { {'sshd_config_include' => 'file1' } }
it { should contain_file('sshd_config').with_content(/^Include file1$/) }
end
context 'when not set' do
it { should_not contain_file('sshd_config').with_content(/^\s*Include/) }
end
context 'when set to an invalid type (not string or array)' do
let(:params) { {'sshd_config_include' => true } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error)
end
end
end
describe 'ssh_config_include' do
context 'when set to an array' do
let(:params) { {'ssh_config_include' => ['file1','file2'] } }
it { should contain_file('ssh_config').with_content(/^Include file1 file2$/) }
end
context 'when set to a string' do
let(:params) { {'ssh_config_include' => 'file1' } }
it { should contain_file('ssh_config').with_content(/^Include file1$/) }
end
context 'when not set' do
it { should_not contain_file('ssh_config').with_content(/^\s*Include/) }
end
context 'when set to an invalid type (not string or array)' do
let(:params) { {'ssh_config_include' => true } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error)
end
end
end
end

63
spec/fixtures/ssh_config_ubuntu2004 vendored Normal file
View File

@ -0,0 +1,63 @@
# This file is being maintained by Puppet.
# DO NOT EDIT
# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Include /etc/ssh/ssh_config.d/*.conf
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# HashKnownHosts no
HashKnownHosts yes
GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
Host *
# GSSAPIAuthentication yes
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
UseRoaming no
# Send locale-related environment variables
SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

138
spec/fixtures/sshd_config_ubuntu2004 vendored Normal file
View File

@ -0,0 +1,138 @@
# This file is being maintained by Puppet.
# DO NOT EDIT
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
AddressFamily any
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTH
#LogLevel INFO
LogLevel INFO
# Authentication:
#LoginGraceTime 120
LoginGraceTime 120
#PermitRootLogin yes
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
X11UseLocalhost yes
#PrintMotd yes
PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
ClientAliveInterval 0
ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#MaxSessions 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

10
templates/ssh_config.erb
View File

@ -20,6 +20,14 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
<% if defined?(@ssh_config_include_real) -%>
<% if @ssh_config_include_real.is_a? Array -%>
Include <%= @ssh_config_include_real.join(' ') %>
<% else -%>
Include <%= @ssh_config_include_real %>
<% end -%>
<% end -%>
# Host *
# ForwardAgent no
# ForwardX11 no
@ -75,7 +83,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
<% if @ssh_config_forward_x11_trusted_real != nil -%>
<% if defined?(@ssh_config_forward_x11_trusted_real) -%>
ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %>
<% end -%>
<% if @ssh_config_forward_agent != nil -%>

10
templates/sshd_config.erb
View File

@ -13,13 +13,21 @@
# possible, but leave them commented. Uncommented options change a
# default value.
<% if defined?(@sshd_config_include_real) -%>
<% if @sshd_config_include_real.is_a? Array -%>
Include <%= @sshd_config_include_real.join(' ') %>
<% else -%>
Include <%= @sshd_config_include_real %>
<% end -%>
<% end -%>
#Port 22
<% @sshd_config_port_array.each do |p| -%>
<%= "Port #{p}" %>
<% end -%>
#Protocol 2,1
Protocol 2
<% if @sshd_addressfamily_real != nil -%>
<% if defined?(@sshd_addressfamily_real) -%>
#AddressFamily any
AddressFamily <%= @sshd_addressfamily_real %>
<% end -%>