Add support for AllowAgentForwarding option in sshd_config

README.md

@@ -621,6 +621,13 @@ See `sshd_config(5)` for more details
 
 - *Default*: undefined
 
+sshd_config_allowagentforwarding
+--------------------------------
+AllowAgentForwarding option in sshd_config. Specifies if ssh-agent(1)
+forwarding is permitted. Valid values are 'yes' and 'no'.
+
+- *Default*: undef
+
 config_entries
 --------------
 Hash of config entries for a specific user's ~/.ssh/config. Please check the docs for ssd::config_entry for a list and details of the parameters usable here.

manifests/init.pp

@@ -119,6 +119,7 @@ class ssh (
   $sshd_config_hostcertificate            = undef,
   $sshd_config_trustedusercakeys          = undef,
   $sshd_config_authorized_principals_file = undef,
+  $sshd_config_allowagentforwarding       = undef,
 ) {
 
   case $::osfamily {
@@ -866,6 +867,10 @@ class ssh (
     validate_string($sshd_config_authorized_principals_file_real)
   }
 
+  if $sshd_config_allowagentforwarding != undef {
+    validate_re($sshd_config_allowagentforwarding, '^(yes|no)$', "ssh::sshd_config_allowagentforwarding may be either 'yes' or 'no' and is set to <${sshd_config_allowagentforwarding}>.")
+  }
+
   package { $packages_real:
     ensure    => installed,
     source    => $ssh_package_source_real,

spec/classes/init_spec.rb

@@ -470,6 +470,7 @@ describe 'ssh' do
         :sshd_config_tcp_keepalive            => 'yes',
   :sshd_config_use_privilege_separation => 'no',
         :sshd_config_permittunnel             => 'no',
+        :sshd_config_allowagentforwarding     => 'no',
       }
     end
 
@@ -1269,6 +1270,26 @@ describe 'sshd_config_print_last_log param' do
     end
   end
 
+  describe 'with sshd_config_allowagentforwarding' do
+    ['yes','no'].each do |value|
+      context "set to #{value}" do
+        let(:params) { { 'sshd_config_allowagentforwarding' => value } }
+
+        it { should contain_file('sshd_config').with_content(/^AllowAgentForwarding #{value}$/) }
+      end
+    end
+
+    context 'set to invalid value on valid osfamily' do
+      let(:params) { { :sshd_config_allowagentforwarding => 'invalid' } }
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/ssh::sshd_config_allowagentforwarding may be either \'yes\' or \'no\' and is set to <invalid>\./)
+      end
+    end
+  end
+
 
   context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do
     let(:params) { { :sshd_config_strictmodes => 'invalid' } }

templates/sshd_config.erb

@@ -220,6 +220,10 @@ ChrootDirectory <%= @sshd_config_chrootdirectory %>
 <% if @sshd_config_forcecommand -%>
 ForceCommand <%= @sshd_config_forcecommand %>
 <% end -%>
+<% if @sshd_config_allowagentforwarding != nil -%>
+#AllowAgentForwarding yes
+AllowAgentForwarding <%= @sshd_config_allowagentforwarding %>
+<% end -%>
 
 # no default banner path
 #Banner none
@@ -275,4 +279,4 @@ TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %>
 <% end -%>
 <% if @sshd_config_authorized_principals_file_real -%>
 AuthorizedPrincipalsFile <%= @sshd_config_authorized_principals_file_real %>
-<% end -%>
+<% end -%>