Add support for changing HostKey option

This is to make it possible to change the HostKey parameter in
sshd_config.

As the HostKey is currently hardcoded in the template, it is not
possible to connect using, for example, ssh-dss. This commit changes that
behaviour.
This commit is contained in:
Diddi Oscarsson 2014-08-29 12:50:21 +02:00
parent 2210c9c622
commit 2dfe01c0e3
4 changed files with 61 additions and 2 deletions


@ -187,6 +187,12 @@ Specify location of authorized_keys file. Default is to not specify.
- *Default*: undef - *Default*: undef
sshd_config_hostkey
----------------------------
Specify an array of server side HostKey files to use. Default is to use only /etc/ssh/ssh_host_rsa_key
- *Default*: /etc/ssh/ssh_host_rsa_key
sshd_config_strictmodes sshd_config_strictmodes
---------------------------- ----------------------------
Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. Valid values are yes and no. Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. Valid values are yes and no.


@ -61,6 +61,7 @@ class ssh (
$sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS',
$sshd_gssapicleanupcredentials = 'USE_DEFAULTS', $sshd_gssapicleanupcredentials = 'USE_DEFAULTS',
$sshd_acceptenv = 'USE_DEFAULTS', $sshd_acceptenv = 'USE_DEFAULTS',
$sshd_config_hostkey = 'USE_DEFAULTS',
$service_ensure = 'running', $service_ensure = 'running',
$service_name = 'USE_DEFAULTS', $service_name = 'USE_DEFAULTS',
$service_enable = 'true', $service_enable = 'true',
@ -95,6 +96,7 @@ class ssh (
$default_sshd_acceptenv = true $default_sshd_acceptenv = true
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024' $default_sshd_config_serverkeybits = '1024'
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
} }
'Suse': { 'Suse': {
$default_packages = 'openssh' $default_packages = 'openssh'
@ -114,6 +116,7 @@ class ssh (
$default_sshd_acceptenv = true $default_sshd_acceptenv = true
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024' $default_sshd_config_serverkeybits = '1024'
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
case $::architecture { case $::architecture {
'x86_64': { 'x86_64': {
$default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
@ -146,6 +149,7 @@ class ssh (
$default_sshd_acceptenv = true $default_sshd_acceptenv = true
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024' $default_sshd_config_serverkeybits = '1024'
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
} }
'Solaris': { 'Solaris': {
$default_ssh_config_hash_known_hosts = undef $default_ssh_config_hash_known_hosts = undef
@ -162,6 +166,7 @@ class ssh (
$default_sshd_acceptenv = false $default_sshd_acceptenv = false
$default_sshd_config_serverkeybits = '768' $default_sshd_config_serverkeybits = '768'
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
case $::kernelrelease { case $::kernelrelease {
'5.11': { '5.11': {
$default_packages = ['network/ssh', $default_packages = ['network/ssh',
@ -332,6 +337,14 @@ class ssh (
} }
} }
if $sshd_config_hostkey == 'USE_DEFAULTS' {
$sshd_config_hostkey_real = $default_sshd_config_hostkey
} else {
validate_array($sshd_config_hostkey)
validate_absolute_path(join($sshd_config_hostkey))
$sshd_config_hostkey_real = $sshd_config_hostkey
}
if $service_hasstatus == 'USE_DEFAULTS' { if $service_hasstatus == 'USE_DEFAULTS' {
$service_hasstatus_real = $default_service_hasstatus $service_hasstatus_real = $default_service_hasstatus
} else { } else {
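Review bot: `validate_absolute_path(join($sshd_config_hostkey))` in the last hunk (old line 332 onward) validates only the concatenation of all elements, so once the first entry is absolute any later relative or empty entry passes the check and is rendered unchanged into sshd_config. The check should be applied per element, e.g. `validate_absolute_path($sshd_config_hostkey)` (stdlib's function accepts an array in recent releases — confirm for the version this module pins) or an explicit per-element validation. The default `[ '/etc/ssh/ssh_host_rsa_key' ]` is also repeated in every osfamily branch of the `case`; a single assignment above the `case` would keep the branches from drifting. The `class ssh` body starts and ends outside these hunks.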


@ -850,6 +850,9 @@ describe 'ssh' do
:sshd_config_serverkeybits => '1024', :sshd_config_serverkeybits => '1024',
:sshd_client_alive_count_max => '0', :sshd_client_alive_count_max => '0',
:sshd_config_authkey_location => '.ssh/authorized_keys', :sshd_config_authkey_location => '.ssh/authorized_keys',
:sshd_config_hostkey => [ '/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_dsa_key',
],
:sshd_config_strictmodes => 'yes', :sshd_config_strictmodes => 'yes',
:sshd_config_ciphers => [ 'aes128-cbc', :sshd_config_ciphers => [ 'aes128-cbc',
'3des-cbc', '3des-cbc',
@ -910,11 +913,12 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysFile .ssh\/authorized_keys/) } it { should contain_file('sshd_config').with_content(/^AuthorizedKeysFile .ssh\/authorized_keys/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) } it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
@ -1391,6 +1395,39 @@ describe 'ssh' do
end end
end end
context 'with sshd_config_hostkey set to invalid value on valid osfamily' do
let(:params) { { :sshd_config_hostkey => false } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/is not an Array/)
end
end
context 'with sshd_config_hostkey set to invalid path on valid osfamily' do
let(:params) { { :sshd_config_hostkey => ['not_a_path'] } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/is not an absolute path./)
end
end
context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do
let :facts do let :facts do
{ {
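Review bot: The invalid-path context added after old line 1391 exercises only a single-element array `['not_a_path']`, which cannot tell whether every element is validated or just the first; add a case such as `let(:params) { { :sshd_config_hostkey => ['/etc/ssh/ssh_host_rsa_key', 'not_a_path'] } }` with the same `is not an absolute path` expectation. The fact hash carrying the long `sshrsakey` value is repeated verbatim in both new contexts; a shared `let(:facts)` in the enclosing describe would remove the duplication. In `/is not an absolute path./` the trailing `.` is an unescaped wildcard — harmless here, but `\.` is what was meant. The enclosing `describe 'ssh'` block starts and ends outside the hunk.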


@ -24,8 +24,11 @@ Protocol 2
# HostKey for protocol version 1 # HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key #HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2 # HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_dsa_key
<% @sshd_config_hostkey_real.each do |hostkey| -%>
HostKey <%= hostkey %>
<% end -%>
# Lifetime and size of ephemeral version 1 server key # Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h #KeyRegenerationInterval 1h
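Review bot: The two `#HostKey …` comment lines kept under `# HostKeys for protocol version 2` now restate what the loop renders from `@sshd_config_hostkey_real`, and the rsa line was commented out rather than removed, which reads as a stale leftover in the generated sshd_config. Either drop both or replace them with a single `# HostKeys for protocol version 2 (rendered from the sshd_config_hostkey parameter)` comment. The loop also relies on the variable being an array; the default and the `validate_array` branch in init.pp appear to guarantee that, so this is fine as long as no other code path assigns it.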