From 2ca1bdfcca753ea6f3bfa6b895ffc6e921b6e70e Mon Sep 17 00:00:00 2001
From: "e.vanhazendonk"
Date: Wed, 6 Dec 2017 11:34:52 +0100
Subject: [PATCH] Add support for AllowAgentForwarding option in sshd_config

---
 README.md | 7 +++++++
 manifests/init.pp | 5 +++++
 spec/classes/init_spec.rb | 21 +++++++++++++++++++++
 templates/sshd_config.erb | 6 +++++-
 4 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b7e0322..f068fd3 100644
--- a/README.md
+++ b/README.md
@@ -621,6 +621,13 @@ See `sshd_config(5)` for more details
 - *Default*: undefined
+sshd_config_allowagentforwarding
+--------------------------------
+AllowAgentForwarding option in sshd_config. Specifies if ssh-agent(1)
+forwarding is permitted. Valid values are 'yes' and 'no'.
+
+- *Default*: undef
+
 config_entries
 --------------
 Hash of config entries for a specific user's ~/.ssh/config. Please check the docs for ssd::config_entry for a list and details of the parameters usable here.
diff --git a/manifests/init.pp b/manifests/init.pp
index a9cd4c8..ad33018 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -119,6 +119,7 @@ class ssh (
 $sshd_config_hostcertificate = undef,
 $sshd_config_trustedusercakeys = undef,
 $sshd_config_authorized_principals_file = undef,
+ $sshd_config_allowagentforwarding = undef,
 ) {
 case $::osfamily {
@@ -866,6 +867,10 @@ class ssh (
 validate_string($sshd_config_authorized_principals_file_real)
 }
+ if $sshd_config_allowagentforwarding != undef {
+ validate_re($sshd_config_allowagentforwarding, '^(yes|no)$', "ssh::sshd_config_allowagentforwarding may be either 'yes' or 'no' and is set to <${sshd_config_allowagentforwarding}>.")
+ }
+
 package { $packages_real:
 ensure => installed,
 source => $ssh_package_source_real,
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 43563f0..2e96204 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
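Review bot: The `'^(yes|no)$'` pattern handed to validate_re in the new guard is evaluated with Ruby regexp semantics, where `^` and `$` anchor individual lines rather than the whole string, so a multi-line value whose first line is `yes` or `no` passes validation and the template then writes the remaining lines into sshd_config verbatim; anchoring the whole string with `'\A(yes|no)\z'` closes that gap (if the module's other validate_re calls use `^...$` the same note applies to them). Note also that an unquoted `no` in Hiera YAML is parsed as boolean false, which is not undef and so reaches validate_re as a non-string and fails with stdlib's generic type error instead of the message written here; a hint in the README that the value must be a quoted string would save that confusion. The enclosing `class ssh` body starts and ends outside the hunk.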
@@ -470,6 +470,7 @@ describe 'ssh' do
 :sshd_config_tcp_keepalive => 'yes',
 :sshd_config_use_privilege_separation => 'no',
 :sshd_config_permittunnel => 'no',
+ :sshd_config_allowagentforwarding => 'no',
 }
 end
@@ -1269,6 +1270,26 @@ describe 'sshd_config_print_last_log param' do
 end
 end
+ describe 'with sshd_config_allowagentforwarding' do
+ ['yes','no'].each do |value|
+ context "set to #{value}" do
+ let(:params) { { 'sshd_config_allowagentforwarding' => value } }
+
+ it { should contain_file('sshd_config').with_content(/^AllowAgentForwarding #{value}$/) }
+ end
+ end
+
+ context 'set to invalid value on valid osfamily' do
+ let(:params) { { :sshd_config_allowagentforwarding => 'invalid' } }
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/ssh::sshd_config_allowagentforwarding may be either \'yes\' or \'no\' and is set to \./)
+ end
+ end
+ end
+
 context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do
 let(:params) { { :sshd_config_strictmodes => 'invalid' } }
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index b3b9ca1..53e1f28 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -220,6 +220,10 @@ ChrootDirectory <%= @sshd_config_chrootdirectory %>
 <% if @sshd_config_forcecommand -%>
 ForceCommand <%= @sshd_config_forcecommand %>
 <% end -%>
+<% if @sshd_config_allowagentforwarding != nil -%>
+#AllowAgentForwarding yes
+AllowAgentForwarding <%= @sshd_config_allowagentforwarding %>
+<% end -%>
 # no default banner path
 #Banner none
@@ -275,4 +279,4 @@ TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %>
 <% end -%>
 <% if @sshd_config_authorized_principals_file_real -%>
 AuthorizedPrincipalsFile <%= @sshd_config_authorized_principals_file_real %>
-<% end -%>
\ No newline at end of file
+<% end -%>
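Review bot: The valid-value contexts in the new `describe 'with sshd_config_allowagentforwarding'` block key `params` with a string, `'sshd_config_allowagentforwarding' => value`, while the invalid-value context directly below and the surrounding examples (`:sshd_config_strictmodes`, `:sshd_config_permittunnel`) use symbol keys; `let(:params) { { :sshd_config_allowagentforwarding => value } }` keeps the fixtures uniform. There is also no example for the default case: a `without_content(/^AllowAgentForwarding/)` expectation under the default-parameter context would pin that the directive is omitted when the parameter is left undef, which is what the template relies on. `%w[yes no]` would be the usual spelling of `['yes','no']`.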
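Review bot: The new `<% if @sshd_config_allowagentforwarding != nil -%>` differs in form from the neighbouring `<% if @sshd_config_forcecommand -%>` checks; since the manifest restricts the value to the strings 'yes' or 'no', a plain truthiness test `<% if @sshd_config_allowagentforwarding -%>` is equivalent and matches the template's style. It is worth stating in the README entry that when the parameter stays undef the directive is omitted entirely, so sshd's built-in default applies — `yes`, as the emitted `#AllowAgentForwarding yes` comment line itself records — meaning agent forwarding remains permitted unless the parameter is explicitly set to 'no'.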