puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add feature to allow setting 'SendEnv XMODIFIERS'

Browse Source 
This defaults to false and has options to independently set this in both
ssh_config and sshd_config.
This commit is contained in:
Garrett Honeycutt 2013-10-31 11:19:46 +01:00
parent c178b9519a
commit 2ecb232a0e
5 changed files with 192 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

152
README.md
View File

@ -19,36 +19,6 @@ This module has been tested to work on the following systems with Puppet v3.
# Parameters #
keys
----
Hash of keys for user's ~/.ssh/authorized_keys
- *Default*: undefined
packages
--------
Array of package names used for installation.
- *Default*: 'openssh-server', 'openssh-server', 'openssh-clients'
permit_root_login
-----------------
Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', 'no'.
- *Default*: no
purge_keys
----------
Remove keys not managed by puppet.
- *Default*: 'true'
manage_firewall
---------------
Open firewall for SSH service.
- *Default*: false
ssh_config_path
---------------
Path to ssh_config.
@ -91,6 +61,12 @@ ServerAliveInterval option in ssh_config. Not set by default.
- *Default*: undef
ssh_config_sendenv_xmodifiers
-----------------------
Set 'SendEnv XMODIFIERS' in ssh_config.
- *Default*: false
sshd_config_path
----------------
Path to sshd_config.
@ -163,6 +139,83 @@ Path to sftp file transfer subsystem in sshd_config.
- *Default*: '/usr/libexec/openssh/sftp-server'
sshd_password_authentication
-----------------------------
PasswordAuthentication in sshd_config.
Specifies whether password authentication is allowed.
- *Default*: 'yes'
sshd_allow_tcp_forwarding
-------------------------
AllowTcpForwarding in sshd_config.
Specifies whether TCP forwarding is permitted.
- *Default*: 'yes'
sshd_x11_forwarding
-------------------
X11Forwarding in sshd_config.
Specifies whether X11 forwarding is permitted.
- *Default*: 'no'
sshd_use_pam
------------
UsePam in sshd_config.
Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM
authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition
to PAM account and session module processing for all authentication types.
- *Default*: 'no'
sshd_client_alive_interval
--------------------------
ClientAliveInterval in sshd_config.
Sets a timeout interval in seconds after which if no data has been received from the client,
sshd(8) will send a message through the encrypted channel to request a response from the
client. The default is 0, indicating that these messages will not be sent to the client.
This option applies to protocol version 2 only.
- *Default*: '0'
sshd_config_sendenv_xmodifiers
-----------------------
Set 'SendEnv XMODIFIERS' in sshd_config.
- *Default*: false
keys
----
Hash of keys for user's ~/.ssh/authorized_keys
- *Default*: undefined
packages
--------
Array of package names used for installation.
- *Default*: 'openssh-server', 'openssh-server', 'openssh-clients'
permit_root_login
-----------------
Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', 'no'.
- *Default*: no
purge_keys
----------
Remove keys not managed by puppet.
- *Default*: 'true'
manage_firewall
---------------
Open firewall for SSH service.
- *Default*: false
service_ensure
--------------
Ensure SSH service is running. Valid values are 'stopped' and 'running'.
@ -217,45 +270,6 @@ Content of root's ~/.ssh/config.
- *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n"
$sshd_password_authentication
-----------------------------
PasswordAuthentication in sshd_config.
Specifies whether password authentication is allowed.
- *Default*: 'yes'
sshd_allow_tcp_forwarding
-------------------------
AllowTcpForwarding in sshd_config.
Specifies whether TCP forwarding is permitted.
- *Default*: 'yes'
sshd_x11_forwarding
-------------------
X11Forwarding in sshd_config.
Specifies whether X11 forwarding is permitted.
- *Default*: 'no'
sshd_use_pam
------------
UsePam in sshd_config.
Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM
authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition
to PAM account and session module processing for all authentication types.
- *Default*: 'no'
sshd_client_alive_interval
--------------------------
ClientAliveInterval in sshd_config.
Sets a timeout interval in seconds after which if no data has been received from the client,
sshd(8) will send a message through the encrypted channel to request a response from the
client. The default is 0, indicating that these messages will not be sent to the client.
This option applies to protocol version 2 only.
- *Default*: '0'
===
# Manage user's ssh_authorized_keys

26
manifests/init.pp
View File

@ -14,6 +14,7 @@ class ssh (
$ssh_config_forward_x11 = undef,
$ssh_config_forward_agent = undef,
$ssh_config_server_alive_interval = undef,
$ssh_config_sendenv_xmodifiers = false,
$sshd_config_path = '/etc/ssh/sshd_config',
$sshd_config_owner = 'root',
$sshd_config_group = 'root',
@ -26,6 +27,7 @@ class ssh (
$sshd_config_banner = 'none',
$sshd_config_xauth_location = '/usr/bin/xauth',
$sshd_config_subsystem_sftp = 'USE_DEFAULTS',
$sshd_config_sendenv_xmodifiers = false,
$service_ensure = 'running',
$service_name = 'USE_DEFAULTS',
$service_enable = 'true',
@ -50,6 +52,30 @@ class ssh (
validate_re($sshd_use_pam, '^(yes|no)$', "sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam}>.")
if is_integer($sshd_client_alive_interval) == false { fail("sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
case type($ssh_config_sendenv_xmodifiers) {
'string': {
$ssh_config_sendenv_xmodifiers_real = str2bool($ssh_config_sendenv_xmodifiers)
}
'boolean': {
$ssh_config_sendenv_xmodifiers_real = $ssh_config_sendenv_xmodifiers
}
default: {
fail("ssh_config_sendenv_xmodifiers type must be true or false.")
}
}
case type($sshd_config_sendenv_xmodifiers) {
'string': {
$sshd_config_sendenv_xmodifiers_real = str2bool($sshd_config_sendenv_xmodifiers)
}
'boolean': {
$sshd_config_sendenv_xmodifiers_real = $sshd_config_sendenv_xmodifiers
}
default: {
fail("sshd_config_sendenv_xmodifiers type must be true or false.")
}
}
case $permit_root_login {
'no', 'yes', 'without-password', 'forced-commands-only': {
# noop

76
spec/classes/init_spec.rb
View File

@ -354,6 +354,7 @@ describe 'ssh' do
:ssh_config_forward_agent => 'yes',
:ssh_config_forward_x11 => 'yes',
:ssh_config_server_alive_interval => '300',
:ssh_config_sendenv_xmodifiers => true,
}
end
@ -372,6 +373,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) }
it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) }
it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) }
it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
end
context 'with params used in sshd_config set on osfamily RedHat' do
@ -398,6 +400,7 @@ describe 'ssh' do
:sshd_x11_forwarding => 'no',
:sshd_use_pam => 'no',
:sshd_client_alive_interval => '242',
:sshd_config_sendenv_xmodifiers => true,
}
end
@ -426,6 +429,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
it { should contain_file('sshd_config').with_content(/^SendEnv XMODIFIERS$/) }
end
context 'with manage_root_ssh_config set to \'true\' on valid osfamily' do
@ -582,6 +586,78 @@ describe 'ssh' do
end
end
context 'with ssh_config_sendenv_xmodifiers set to invalid type, array' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{ :ssh_config_sendenv_xmodifiers => ['invalid','type'] }
end
it 'should fail' do
expect {
should include_class('ssh')
}.to raise_error(Puppet::Error,/ssh_config_sendenv_xmodifiers type must be true or false./)
end
end
context 'with ssh_config_sendenv_xmodifiers set to stringified true' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{
:ssh_config_sendenv_xmodifiers => 'true',
}
end
it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
end
context 'with sshd_config_sendenv_xmodifiers set to invalid type, array' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{ :sshd_config_sendenv_xmodifiers => ['invalid','type'] }
end
it 'should fail' do
expect {
should include_class('ssh')
}.to raise_error(Puppet::Error,/sshd_config_sendenv_xmodifiers type must be true or false./)
end
end
context 'with sshd_config_sendenv_xmodifiers set to stringified true' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{
:sshd_config_sendenv_xmodifiers => 'true',
}
end
it { should contain_file('sshd_config').with_content(/^SendEnv XMODIFIERS$/) }
end
context 'with manage_firewall set to true on valid osfamily' do
let :facts do
{

3
templates/ssh_config.erb
View File

@ -63,3 +63,6 @@ Host *
SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
<% if @ssh_config_sendenv_xmodifiers_real == true -%>
SendEnv XMODIFIERS
<% end -%>

4
templates/sshd_config.erb
View File

@ -130,3 +130,7 @@ XAuthLocation <%= @sshd_config_xauth_location %>
# override default of no subsystems
Subsystem sftp <%= @sshd_config_subsystem_sftp_real %>
<% if @sshd_config_sendenv_xmodifiers_real == true -%>
SendEnv XMODIFIERS
<% end -%>