diff --git a/Modulefile b/Modulefile
index d1613ca..d724ae1 100644
--- a/Modulefile
+++ b/Modulefile
@@ -1,5 +1,5 @@
 name 'ghoneycutt-ssh'
-version '2.0.1'
+version '2.2.0'
 source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
 author 'ghoneycutt'
 license 'Apache License, Version 2.0'
diff --git a/README.md b/README.md
index 07041a5..253e566 100644
--- a/README.md
+++ b/README.md
@@ -234,4 +234,3 @@ ssh::keys:
 ensure: absent
 user: root
-
diff --git a/manifests/init.pp b/manifests/init.pp
index 694f709..f502a6d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -16,9 +16,7 @@
 # user: root
 #
 class ssh (
- $packages = ['openssh-server',
- 'openssh-server',
- 'openssh-clients'],
+ $packages = 'USE_DEFAULTS',
 $permit_root_login = 'no',
 $purge_keys = 'true',
 $manage_firewall = false,
@@ -40,7 +38,7 @@ class ssh (
 $sshd_config_use_dns = 'yes',
 $sshd_config_banner = 'none',
 $sshd_config_xauth_location = '/usr/bin/xauth',
- $sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server',
+ $sshd_config_subsystem_sftp = 'USE_DEFAULTS',
 $service_ensure = 'running',
 $service_name = 'sshd',
 $service_enable = 'true',
@@ -83,9 +81,33 @@ class ssh (
 }
 }
+ case $::osfamily {
+ 'RedHat': {
+ $default_packages = ['openssh-server',
+ 'openssh-server',
+ 'openssh-clients']
+ $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
+ }
+ default: {
+ fail("ssh supports osfamily RedHat. Detected osfamily is <${::osfamily}>.")
+ }
+ }
+
+ if $packages == 'USE_DEFAULTS' {
+ $packages_real = $default_packages
+ } else {
+ $packages_real = $packages
+ }
+
+ if $sshd_config_subsystem_sftp == 'USE_DEFAULTS' {
+ $sshd_config_subsystem_sftp_real = $default_sshd_config_subsystem_sftp
+ } else {
+ $sshd_config_subsystem_sftp_real = $sshd_config_subsystem_sftp
+ }
+
 package { 'ssh_packages':
 ensure => installed,
- name => $packages,
+ name => $packages_real,
 }
 file { 'ssh_config' :
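Review bot: `$default_packages` in the new `'RedHat'` branch lists 'openssh-server' twice, carrying the duplicate over from the removed parameter default; `$default_packages = ['openssh-server', 'openssh-clients']` is what the `ssh_packages` resource actually needs. Separately, the `default:` branch calls fail() before the two `== 'USE_DEFAULTS'` checks run, so a caller who passes explicit `packages` and `sshd_config_subsystem_sftp` still cannot use the class on any other osfamily, which makes the sentinel only half useful. If that allow-list is intentional, the class header comment (outside this hunk) should state that only osfamily RedHat is supported; otherwise the fail() belongs inside the two `USE_DEFAULTS` branches so that explicit values work elsewhere. The class body continues past the end of the hunk.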
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index eb7d7e6..66ab8c8 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -1,10 +1,11 @@
 require 'spec_helper'
 describe 'ssh' do
- context 'with default params' do
+ context 'with default params on osfamily RedHat' do
 let :facts do
 {
 :fqdn => 'monkey.example.com',
+ :osfamily => 'RedHat',
 :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
 }
 end
@@ -45,10 +46,42 @@ describe 'ssh' do
 })
 }
+ it {
+ should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/)
+ }
+
+ it {
+ should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/)
+ }
+
 it {
 should contain_file('sshd_config').with_content(/^PermitRootLogin no$/)
 }
+ it {
+ should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/)
+ }
+
+ it {
+ should contain_file('sshd_config').with_content(/^PrintMotd yes$/)
+ }
+
+ it {
+ should contain_file('sshd_config').with_content(/^UseDNS yes$/)
+ }
+
+ it {
+ should contain_file('sshd_config').with_content(/^Banner none$/)
+ }
+
+ it {
+ should contain_file('sshd_config').with_content(/^XAuthLocation \/usr\/bin\/xauth$/)
+ }
+
+ it {
+ should contain_file('sshd_config').with_content(/^Subsystem sftp \/usr\/libexec\/openssh\/sftp-server$/)
+ }
+
+
 it {
 should contain_service('sshd_service').with({
 'ensure' => 'running',
@@ -67,7 +100,7 @@ describe 'ssh' do
 }
 end
- context 'with manage_root_ssh_config set to \'true\'' do
+ context 'with manage_root_ssh_config set to \'true\' on valid osfamily' do
 let :facts do
 {
 :fqdn => 'monkey.example.com',
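Review bot: The renamed context `'with manage_root_ssh_config set to \'true\' on valid osfamily'` in the last hunk keeps a facts hash without `:osfamily`, whereas the first hunk adds `:osfamily => 'RedHat',` to the default context. Since manifests/init.pp now calls fail() for any osfamily other than RedHat, the catalog for this context will not compile and its `include_class('common')` and `contain_file('root_ssh_dir')` expectations will fail, unless spec_helper supplies a default osfamily fact, which is not visible in this diff. Add `:osfamily => 'RedHat',` next to `:fqdn` here, and likewise in the 'invalid value' context renamed in the following hunk, where the expected error would otherwise come from the osfamily check rather than from the manage_root_ssh_config validation the context is meant to test. The `let :facts` block continues past the end of the hunk.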
@@ -84,60 +117,6 @@ describe 'ssh' do
 it { should include_class('common')}
- it {
- should contain_package('ssh_packages').with({
- 'ensure' => 'installed',
- 'name' => ['openssh-server','openssh-server','openssh-clients'],
- })
- }
-
- it {
- should contain_file('ssh_config').with({
- 'ensure' => 'file',
- 'path' => '/etc/ssh/ssh_config',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- 'require' => 'Package[ssh_packages]',
- })
- }
-
- it {
- should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/)
- }
-
- it {
- should contain_file('sshd_config').with({
- 'ensure' => 'file',
- 'path' => '/etc/ssh/sshd_config',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0600',
- 'require' => 'Package[ssh_packages]',
- })
- }
-
- it {
- should contain_file('sshd_config').with_content(/^PermitRootLogin no$/)
- }
-
- it {
- should contain_service('sshd_service').with({
- 'ensure' => 'running',
- 'name' => 'sshd',
- 'enable' => 'true',
- 'hasrestart' => 'true',
- 'hasstatus' => 'true',
- 'subscribe' => 'File[sshd_config]',
- })
- }
-
- it {
- should contain_resources('sshkey').with({
- 'purge' => 'true',
- })
- }
-
 it {
 should contain_file('root_ssh_dir').with({
 'ensure' => 'directory',
@@ -148,9 +127,19 @@ describe 'ssh' do
 'require' => 'Common::Mkdir_p[/root/.ssh]',
 })
 }
+
+ it {
+ should contain_file('root_ssh_config').with({
+ 'ensure' => 'file',
+ 'path' => '/root/.ssh/config',
+ 'owner' => 'root',
+ 'group' => 'root',
+ 'mode' => '0600',
+ })
+ }
 end
- context 'with manage_root_ssh_config set to invalid value' do
+ context 'with manage_root_ssh_config set to invalid value on valid osfamily' do
 let :facts do
 {
 :fqdn => 'monkey.example.com',
@@ -170,10 +159,11 @@ describe 'ssh' do
 end
 end
- context 'with manage_firewall set to true' do
+ context 'with manage_firewall set to true on valid osfamily' do
 let :facts do
 {
 :fqdn => 'monkey.example.com',
+ :osfamily => 'RedHat',
 :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
 }
 end
@@ -185,60 +175,6 @@ describe 'ssh' do
 it { should_not include_class('common')}
- it {
- should contain_package('ssh_packages').with({
- 'ensure' => 'installed',
- 'name' => ['openssh-server','openssh-server','openssh-clients'],
- })
- }
-
- it {
- should contain_file('ssh_config').with({
- 'ensure' => 'file',
- 'path' => '/etc/ssh/ssh_config',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- 'require' => 'Package[ssh_packages]',
- })
- }
-
- it {
- should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/)
- }
-
- it {
- should contain_file('sshd_config').with({
- 'ensure' => 'file',
- 'path' => '/etc/ssh/sshd_config',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0600',
- 'require' => 'Package[ssh_packages]',
- })
- }
-
- it {
- should contain_file('sshd_config').with_content(/^PermitRootLogin no$/)
- }
-
- it {
- should contain_service('sshd_service').with({
- 'ensure' => 'running',
- 'name' => 'sshd',
- 'enable' => 'true',
- 'hasrestart' => 'true',
- 'hasstatus' => 'true',
- 'subscribe' => 'File[sshd_config]',
- })
- }
-
- it {
- should contain_resources('sshkey').with({
- 'purge' => 'true',
- })
- }
-
 it {
 should contain_firewall('22 open port 22 for SSH').with({
 'action' => 'accept',
@@ -247,7 +183,11 @@ describe 'ssh' do
 })
 }
 end
- context 'with keys defined' do
+
+ context 'with keys defined on valid osfamily' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
 let(:params) { { :keys => {
 'root_for_userX' => {
 'ensure' => 'present',
@@ -267,6 +207,9 @@ describe 'ssh' do
 'type' => 'dsa',
 'key' => 'AAAA==',
 })
+ }
+
+ it {
 should contain_ssh_authorized_key('root_for_userY').with({
 'ensure' => 'absent',
 'user' => 'root',
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index ecad246..fc4ab00 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -1,7 +1,7 @@
 # This file is being maintained by Puppet.
 # DO NOT EDIT
-# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -46,7 +46,7 @@ PermitRootLogin <%= @permit_root_login %>
 #RSAAuthentication yes
 #PubkeyAuthentication yes
-#AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
@@ -126,4 +126,4 @@ Banner <%= @sshd_config_banner %>
 XAuthLocation <%= @sshd_config_xauth_location %>
 # override default of no subsystems
-Subsystem sftp <%= @sshd_config_subsystem_sftp %>
+Subsystem sftp <%= @sshd_config_subsystem_sftp_real %>
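Review bot: The new `let :facts` for the 'with keys defined on valid osfamily' context supplies only `:osfamily`, while every other context in this spec also sets `:fqdn` and `:sshrsakey`. If the class or its templates read those facts (likely, given they are set in every other context, but not visible in this diff), the catalog here compiles with them undefined, so the ssh_authorized_key expectations pass without covering the configuration the other contexts exercise. Reusing the full facts hash from the default context, `{ :fqdn => 'monkey.example.com', :osfamily => 'RedHat', :sshrsakey => '<same key string as the other contexts>' }`, keeps the contexts consistent.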