puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add Solaris support

Browse Source 
Parameterized the OS specific options
This commit is contained in:
Mark Nalyanya 2014-01-22 17:05:48 +01:00 committed by Garrett Honeycutt
parent 0f17236f75
commit 2ee8163d9b
5 changed files with 654 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
README.md
View File

@ -15,6 +15,7 @@ This module has been tested to work on the following systems with Puppet v3.
* EL 6 * EL 6
* SLES 11 * SLES 11
* Ubuntu 12.04 LTS * Ubuntu 12.04 LTS
* Solaris 10
=== ===
@ -34,13 +35,13 @@ ssh_config_hash_known_hosts
HashKnownHosts in ssh_config. HashKnownHosts in ssh_config.
Indicates that ssh should hash host names and addresses when they are added to ~/.ssh/known_hosts. Indicates that ssh should hash host names and addresses when they are added to ~/.ssh/known_hosts.
These hashed names may be used normally by ssh and sshd, but they do not reveal identifying These hashed names may be used normally by ssh and sshd, but they do not reveal identifying
information should the file's contents be disclosed. The default is 'no'. information should the file's contents be disclosed. The default is 'no' on Linux OS.
Note that existing names and addresses in known hosts files will not be converted automatically, Note that existing names and addresses in known hosts files will not be converted automatically,
but may be manually hashed using ssh-keygen. Use of this option may break facilities such as but may be manually hashed using ssh-keygen. Use of this option may break facilities such as
tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts. tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts.
- *Default*: 'no' - *Default*: based on OS platform.
ssh_config_path ssh_config_path
--------------- ---------------
@ -86,7 +87,7 @@ ServerAliveInterval option in ssh_config. Not set by default.
ssh_config_sendenv_xmodifiers ssh_config_sendenv_xmodifiers
----------------------- -----------------------
Boolean to set 'SendEnv XMODIFIERS' in ssh_config. Boolean to set 'SendEnv XMODIFIERS' in ssh_config. This option is only valid on Linux OS.
- *Default*: false - *Default*: false
@ -110,9 +111,9 @@ sshd_config's group.
sshd_config_mode sshd_config_mode
--------------- ---------------
sshd_config's mode. sshd_config's mode. The default is '0600' on Linux OS and '0644' on Solaris OS.
- *Default*: '0600' - *Default*: based on OS platform.
sshd_config_port sshd_config_port
--------------------------- ---------------------------
@ -146,9 +147,9 @@ PrintMotd option in sshd_config.
sshd_config_use_dns sshd_config_use_dns
------------------- -------------------
UseDNS option in sshd_config. UseDNS option in sshd_config. The default is 'yes' on Linux OS.
- *Default*: 'yes' - *Default*: based on OS platform. (Only valid on Linux OS.)
sshd_config_banner sshd_config_banner
------------------ ------------------
@ -184,13 +185,13 @@ sshd_config_xauth_location
-------------------------- --------------------------
XAuthLocation option in sshd_config. XAuthLocation option in sshd_config.
- *Default*: '/usr/bin/xauth' - *Default*: based on OS platform.
sshd_config_subsystem_sftp sshd_config_subsystem_sftp
-------------------------- --------------------------
Path to sftp file transfer subsystem in sshd_config. Path to sftp file transfer subsystem in sshd_config.
- *Default*: '/usr/libexec/openssh/sftp-server' - *Default*: based on OS platform.
sshd_password_authentication sshd_password_authentication
@ -210,9 +211,9 @@ Specifies whether TCP forwarding is permitted.
sshd_x11_forwarding sshd_x11_forwarding
------------------- -------------------
X11Forwarding in sshd_config. X11Forwarding in sshd_config.
Specifies whether X11 forwarding is permitted. Specifies whether X11 forwarding is permitted. Module sets this option to 'yes'. Future release will update the default to be based on OS platform.
- *Default*: 'no' - *Default*: 'yes'
sshd_use_pam sshd_use_pam
------------ ------------
@ -220,8 +221,9 @@ UsePam in sshd_config.
Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM
authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition
to PAM account and session module processing for all authentication types. to PAM account and session module processing for all authentication types.
This module sets this option to 'yes' on Linux OS and undef on Solaris OS.
- *Default*: 'no' - *Default*: based on OS platform. (Valid only on Linux OS)
sshd_client_alive_interval sshd_client_alive_interval
-------------------------- --------------------------
@ -251,6 +253,57 @@ Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-o
- *Default*: yes - *Default*: yes
ssh_config_forward_x11_trusted
------------------------------
ForwardX11Trusted. Determine remote X11 client access to the original X11 display.
The option is set to 'yes' on Linux OS.
- *Default*: based on OS platform. (Not valid on Solaris OS.)
ssh_package_source
------------------
Source to SSH packages.
- *Default*: based on OS platform. (used on Solaris)
ssh_package_adminfile
---------------------
Path to admin file for SSH packages.
- *Default*: based on OS platform. (used on Solaris)
sshd_gssapiauthentication
-------------------------
GSSAPIAuthentication: Enables/disables GSS-API user authentication.
- *Default*: based on OS platform.
sshd_gssapikeyexchange
----------------------
GSSAPIKeyExchange: Enables/disables GSS-API-authenticated key exchanges.
- *Default*: based on OS platform.
sshd_pamauthenticationviakbdint
-------------------------------
PAMAuthenticationViaKBDInt: Use PAM via keyboard interactive method for authentication.
- *Default*: based on OS platform. (valid on Solaris OS)
sshd_gssapicleanupcredentials
-----------------------------
GSSAPICleanupCredentials: Specifies whether to automatically destroy the user's credentials on logout.
Default is 'yes' on Linux OS.
- *Default*: based on OS platform. (Only valid on Linux OS)
ssh_acceptenv
-------------
Boolean to enable AcceptEnv and SendEnv options for specifying environment variables.
Default is set to 'true' on Linux OS.
- *Default*: based on OS platform. (Only valid on Linux OS)
purge_keys purge_keys
---------- ----------
Remove keys not managed by puppet. Remove keys not managed by puppet.
@ -259,7 +312,7 @@ Remove keys not managed by puppet.
manage_firewall manage_firewall
--------------- ---------------
Open firewall for SSH service. Open firewall for SSH service. Not used on Solaris OS.
- *Default*: false - *Default*: false

297
manifests/init.pp
View File

@ -8,31 +8,32 @@ class ssh (
$permit_root_login = 'yes', $permit_root_login = 'yes',
$purge_keys = 'true', $purge_keys = 'true',
$manage_firewall = false, $manage_firewall = false,
$ssh_config_hash_known_hosts = 'no', $ssh_config_hash_known_hosts = 'USE_DEFAULTS',
$ssh_config_path = '/etc/ssh/ssh_config', $ssh_config_path = '/etc/ssh/ssh_config',
$ssh_config_owner = 'root', $ssh_config_owner = 'root',
$ssh_config_group = 'root', $ssh_config_group = 'root',
$ssh_config_mode = '0644', $ssh_config_mode = '0644',
$ssh_config_forward_x11 = undef, $ssh_config_forward_x11 = undef,
$ssh_config_forward_x11_trusted = 'USE_DEFAULTS',
$ssh_config_forward_agent = undef, $ssh_config_forward_agent = undef,
$ssh_config_server_alive_interval = undef, $ssh_config_server_alive_interval = undef,
$ssh_config_sendenv_xmodifiers = false, $ssh_config_sendenv_xmodifiers = false,
$sshd_config_path = '/etc/ssh/sshd_config', $sshd_config_path = '/etc/ssh/sshd_config',
$sshd_config_owner = 'root', $sshd_config_owner = 'root',
$sshd_config_group = 'root', $sshd_config_group = 'root',
$sshd_config_mode = '0600', $sshd_config_mode = 'USE_DEFAULTS',
$sshd_config_port = '22', $sshd_config_port = '22',
$sshd_config_syslog_facility = 'AUTH', $sshd_config_syslog_facility = 'AUTH',
$sshd_config_login_grace_time = '120', $sshd_config_login_grace_time = '120',
$sshd_config_challenge_resp_auth = 'yes', $sshd_config_challenge_resp_auth = 'yes',
$sshd_config_print_motd = 'yes', $sshd_config_print_motd = 'yes',
$sshd_config_use_dns = 'yes', $sshd_config_use_dns = 'USE_DEFAULTS',
$sshd_config_banner = 'none', $sshd_config_banner = 'none',
$sshd_banner_content = undef, $sshd_banner_content = undef,
$sshd_banner_owner = 'root', $sshd_banner_owner = 'root',
$sshd_banner_group = 'root', $sshd_banner_group = 'root',
$sshd_banner_mode = '0644', $sshd_banner_mode = '0644',
$sshd_config_xauth_location = '/usr/bin/xauth', $sshd_config_xauth_location = 'USE_DEFAULTS',
$sshd_config_subsystem_sftp = 'USE_DEFAULTS', $sshd_config_subsystem_sftp = 'USE_DEFAULTS',
$service_ensure = 'running', $service_ensure = 'running',
$service_name = 'USE_DEFAULTS', $service_name = 'USE_DEFAULTS',
@ -47,17 +48,229 @@ class ssh (
$sshd_password_authentication = 'yes', $sshd_password_authentication = 'yes',
$sshd_allow_tcp_forwarding = 'yes', $sshd_allow_tcp_forwarding = 'yes',
$sshd_x11_forwarding = 'yes', $sshd_x11_forwarding = 'yes',
$sshd_use_pam = 'yes', $sshd_use_pam = 'USE_DEFAULTS',
$sshd_client_alive_interval = '0', $sshd_client_alive_interval = '0',
$ssh_package_source = 'USE_DEFAULTS',
$ssh_package_adminfile = 'USE_DEFAULTS',
$sshd_gssapiauthentication = 'yes',
$sshd_gssapikeyexchange = 'USE_DEFAULTS',
$sshd_pamauthenticationviakbdint = 'USE_DEFAULTS',
$sshd_gssapicleanupcredentials = 'USE_DEFAULTS',
$ssh_acceptenv = 'USE_DEFAULTS',
) { ) {
case $::osfamily {
'RedHat': {
$default_packages = ['openssh-server',
'openssh-clients']
$default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
$default_ssh_config_hash_known_hosts = 'no'
$default_service_name = 'sshd'
$default_ssh_config_forward_x11_trusted = 'yes'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
$default_sshd_config_xauth_location = '/usr/bin/xauth'
$default_sshd_use_pam = 'yes'
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef
$default_sshd_gssapicleanupcredentials = 'yes'
$default_ssh_acceptenv = true
}
'Suse': {
$default_packages = 'openssh'
$default_ssh_config_hash_known_hosts = 'no'
$default_service_name = 'sshd'
$default_ssh_config_forward_x11_trusted = 'yes'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
$default_sshd_config_xauth_location = '/usr/bin/xauth'
$default_sshd_use_pam = 'yes'
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef
$default_sshd_gssapicleanupcredentials = 'yes'
$default_ssh_acceptenv = true
case $::architecture {
'x86_64': {
$default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
}
'i386' : {
$default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
}
default: {
fail("ssh supports architectures x86_64 and i386 for Suse. Detected architecture is <${::architecture}>.")
}
}
}
'Debian': {
$default_packages = ['openssh-server',
'openssh-client']
$default_ssh_config_hash_known_hosts = 'no'
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_service_name = 'ssh'
$default_ssh_config_forward_x11_trusted = 'yes'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
$default_sshd_config_xauth_location = '/usr/bin/xauth'
$default_sshd_use_pam = 'yes'
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef
$default_sshd_gssapicleanupcredentials = 'yes'
$default_ssh_acceptenv = true
}
'Solaris': {
$default_packages = ['SUNWsshcu',
'SUNWsshdr',
'SUNWsshdu',
'SUNWsshr',
'SUNWsshu']
$default_ssh_config_hash_known_hosts = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
$default_ssh_config_forward_x11_trusted = undef
$default_sshd_config_mode = '0644'
$default_sshd_config_use_dns = undef
$default_sshd_config_xauth_location = '/usr/openwin/bin/xauth'
$default_sshd_use_pam = undef
$default_ssh_package_source = '/var/spool/pkg'
$default_ssh_package_adminfile = undef
$default_sshd_gssapikeyexchange = 'yes'
$default_sshd_pamauthenticationviakbdint = 'yes'
$default_sshd_gssapicleanupcredentials = undef
$default_ssh_acceptenv = false
case $::kernelrelease {
'5.10','5.11': {
$default_service_name = 'ssh'
}
'5.9' : {
$default_service_name = 'sshd'
}
default: {
fail('ssh module supports Solaris kernel release 5.9, 5.10 and 5.11.')
}
}
}
default: {
fail("ssh supports osfamilies RedHat, Suse, Debian and Solaris. Detected osfamily is <${::osfamily}>.")
}
}
if $packages == 'USE_DEFAULTS' {
$packages_real = $default_packages
} else {
$packages_real = $packages
}
if $ssh_config_hash_known_hosts == 'USE_DEFAULTS' {
$ssh_config_hash_known_hosts_real = $default_ssh_config_hash_known_hosts
} else {
$ssh_config_hash_known_hosts_real = $ssh_config_hash_known_hosts
}
if $service_name == 'USE_DEFAULTS' {
$service_name_real = $default_service_name
} else {
$service_name_real = $service_name
}
if $sshd_config_subsystem_sftp == 'USE_DEFAULTS' {
$sshd_config_subsystem_sftp_real = $default_sshd_config_subsystem_sftp
} else {
$sshd_config_subsystem_sftp_real = $sshd_config_subsystem_sftp
}
if $sshd_config_mode == 'USE_DEFAULTS' {
$sshd_config_mode_real = $default_sshd_config_mode
} else {
$sshd_config_mode_real = $sshd_config_mode
}
if $sshd_config_xauth_location == 'USE_DEFAULTS' {
$sshd_config_xauth_location_real = $default_sshd_config_xauth_location
} else {
$sshd_config_xauth_location_real = $sshd_config_xauth_location
}
if $ssh_package_source == 'USE_DEFAULTS' {
$ssh_package_source_real = $default_ssh_package_source
} else {
$ssh_package_source_real = $ssh_package_source
}
if $ssh_package_adminfile == 'USE_DEFAULTS' {
$ssh_package_adminfile_real = $default_ssh_package_adminfile
} else {
$ssh_package_adminfile_real = $ssh_package_adminfile
}
if $sshd_config_use_dns == 'USE_DEFAULTS' {
$sshd_config_use_dns_real = $default_sshd_config_use_dns
} else {
$sshd_config_use_dns_real = $sshd_config_use_dns
}
if $sshd_use_pam == 'USE_DEFAULTS' {
$sshd_use_pam_real = $default_sshd_use_pam
} else {
$sshd_use_pam_real = $sshd_use_pam
}
if $ssh_config_forward_x11_trusted == 'USE_DEFAULTS' {
$ssh_config_forward_x11_trusted_real = $default_ssh_config_forward_x11_trusted
} else {
$ssh_config_forward_x11_trusted_real = $ssh_config_forward_x11_trusted
}
if $sshd_gssapikeyexchange == 'USE_DEFAULTS' {
$sshd_gssapikeyexchange_real = $default_sshd_gssapikeyexchange
} else {
$sshd_gssapikeyexchange_real = $sshd_gssapikeyexchange
}
if $sshd_pamauthenticationviakbdint == 'USE_DEFAULTS' {
$sshd_pamauthenticationviakbdint_real = $default_sshd_pamauthenticationviakbdint
} else {
$sshd_pamauthenticationviakbdint_real = $sshd_pamauthenticationviakbdint
}
if $sshd_gssapicleanupcredentials == 'USE_DEFAULTS' {
$sshd_gssapicleanupcredentials_real = $default_sshd_gssapicleanupcredentials
} else {
$sshd_gssapicleanupcredentials_real = $sshd_gssapicleanupcredentials
}
if $ssh_acceptenv == 'USE_DEFAULTS' {
$ssh_acceptenv_real = $default_ssh_acceptenv
} else {
case type($ssh_acceptenv) {
'string': {
validate_re($ssh_acceptenv, '^(true|false)$', "ssh::ssh_acceptenv may be either 'true' or 'false' and is set to <${ssh_acceptenv}>.")
$ssh_acceptenv_real = str2bool($ssh_acceptenv)
}
'boolean': {
$ssh_acceptenv_real = $ssh_acceptenv
}
default: {
fail('ssh::ssh_acceptenv type must be true or false.')
}
}
}
# validate params # validate params
validate_re($ssh_config_hash_known_hosts, '^(yes|no)$', "ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts}>.") if $ssh_config_hash_known_hosts_real != undef {
validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
}
validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.") validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")
validate_re($sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.") validate_re($sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.")
validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.") validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.") validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
validate_re($sshd_use_pam, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam}>.") if $sshd_use_pam_real != undef {
validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
}
if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") } if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
if $sshd_config_banner != 'none' { if $sshd_config_banner != 'none' {
@ -67,6 +280,17 @@ class ssh (
fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.') fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.')
} }
validate_re($sshd_gssapiauthentication, '^(yes|no)$', "ssh::sshd_gssapiauthentication may be either 'yes' or 'no' and is set to <${sshd_gssapiauthentication}>.")
if $sshd_gssapikeyexchange_real != undef {
validate_re($sshd_gssapikeyexchange_real, '^(yes|no)$', "ssh::sshd_gssapikeyexchange may be either 'yes' or 'no' and is set to <${sshd_gssapikeyexchange_real}>.")
}
if $sshd_pamauthenticationviakbdint_real != undef {
validate_re($sshd_pamauthenticationviakbdint_real, '^(yes|no)$', "ssh::sshd_pamauthenticationviakbdint may be either 'yes' or 'no' and is set to <${sshd_pamauthenticationviakbdint_real}>.")
}
if $sshd_gssapicleanupcredentials_real != undef {
validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
}
case type($hiera_merge) { case type($hiera_merge) {
'string': { 'string': {
validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.") validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.")
@ -122,60 +346,11 @@ class ssh (
} }
} }
case $::osfamily {
'RedHat': {
$default_packages = ['openssh-server',
'openssh-clients']
$default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
$default_service_name = 'sshd'
}
'Suse': {
$default_packages = 'openssh'
$default_service_name = 'sshd'
case $::architecture {
'x86_64': {
$default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
}
'i386' : {
$default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
}
default: {
fail("ssh supports architectures x86_64 and i386 for Suse. Detected architecture is <${::architecture}>.")
}
}
}
'Debian': {
$default_packages = [ 'openssh-server',
'openssh-client']
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_service_name = 'ssh'
}
default: {
fail("ssh supports osfamilies RedHat, Suse and Debian. Detected osfamily is <${::osfamily}>.")
}
}
if $packages == 'USE_DEFAULTS' {
$packages_real = $default_packages
} else {
$packages_real = $packages
}
if $service_name == 'USE_DEFAULTS' {
$service_name_real = $default_service_name
} else {
$service_name_real = $service_name
}
if $sshd_config_subsystem_sftp == 'USE_DEFAULTS' {
$sshd_config_subsystem_sftp_real = $default_sshd_config_subsystem_sftp
} else {
$sshd_config_subsystem_sftp_real = $sshd_config_subsystem_sftp
}
package { 'ssh_packages': package { 'ssh_packages':
ensure => installed, ensure => installed,
name => $packages_real, name => $packages_real,
source => $ssh_package_source_real,
adminfile => $ssh_package_adminfile_real,
} }
file { 'ssh_config' : file { 'ssh_config' :
@ -191,7 +366,7 @@ class ssh (
file { 'sshd_config' : file { 'sshd_config' :
ensure => file, ensure => file,
path => $sshd_config_path, path => $sshd_config_path,
mode => $sshd_config_mode, mode => $sshd_config_mode_real,
owner => $sshd_config_owner, owner => $sshd_config_owner,
group => $sshd_config_group, group => $sshd_config_group,
content => template('ssh/sshd_config.erb'), content => template('ssh/sshd_config.erb'),

324
spec/classes/init_spec.rb
View File

@ -36,7 +36,8 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -68,6 +69,291 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange no$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it {
should contain_service('sshd_service').with({
'ensure' => 'running',
'name' => 'sshd',
'enable' => 'true',
'hasrestart' => 'true',
'hasstatus' => 'true',
'subscribe' => 'File[sshd_config]',
})
}
it {
should contain_resources('sshkey').with({
'purge' => 'true',
})
}
end
context 'with default params on osfamily Solaris kernelrelease 5.8' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'Solaris',
:kernelrelease => '5.8',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should include_class('ssh')
}.to raise_error(Puppet::Error,/ssh module supports Solaris kernel release 5.9, 5.10 and 5.11./)
end
end
context 'with default params on osfamily Solaris kernelrelease 5.11' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'Solaris',
:kernelrelease => '5.11',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it { should include_class('ssh')}
it { should_not include_class('common')}
it {
should contain_package('ssh_packages').with({
'ensure' => 'installed',
'name' => ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'],
'source' => '/var/spool/pkg',
'adminfile' => nil,
})
}
it {
should contain_file('ssh_config').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_config',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
'require' => 'Package[ssh_packages]',
})
}
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it {
should contain_file('sshd_config').with({
'ensure' => 'file',
'path' => '/etc/ssh/sshd_config',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
'require' => 'Package[ssh_packages]',
})
}
it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) }
it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) }
it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) }
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) }
it { should contain_file('sshd_config').with_content(/^Banner none$/) }
it { should contain_file('sshd_config').with_content(/^XAuthLocation \/usr\/openwin\/bin\/xauth$/) }
it { should contain_file('sshd_config').with_content(/^Subsystem sftp \/usr\/lib\/ssh\/sftp-server$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should_not contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
it { should_not contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it {
should contain_service('sshd_service').with({
'ensure' => 'running',
'name' => 'ssh',
'enable' => 'true',
'hasrestart' => 'true',
'hasstatus' => 'true',
'subscribe' => 'File[sshd_config]',
})
}
it {
should contain_resources('sshkey').with({
'purge' => 'true',
})
}
end
context 'with default params on osfamily Solaris kernelrelease 5.10' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'Solaris',
:kernelrelease => '5.10',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it { should include_class('ssh')}
it { should_not include_class('common')}
it {
should contain_package('ssh_packages').with({
'ensure' => 'installed',
'name' => ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'],
'source' => '/var/spool/pkg',
'adminfile' => nil,
})
}
it {
should contain_file('ssh_config').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_config',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
'require' => 'Package[ssh_packages]',
})
}
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it {
should contain_file('sshd_config').with({
'ensure' => 'file',
'path' => '/etc/ssh/sshd_config',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
'require' => 'Package[ssh_packages]',
})
}
it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) }
it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) }
it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) }
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) }
it { should contain_file('sshd_config').with_content(/^Banner none$/) }
it { should contain_file('sshd_config').with_content(/^XAuthLocation \/usr\/openwin\/bin\/xauth$/) }
it { should contain_file('sshd_config').with_content(/^Subsystem sftp \/usr\/lib\/ssh\/sftp-server$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should_not contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
it { should_not contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it {
should contain_service('sshd_service').with({
'ensure' => 'running',
'name' => 'ssh',
'enable' => 'true',
'hasrestart' => 'true',
'hasstatus' => 'true',
'subscribe' => 'File[sshd_config]',
})
}
it {
should contain_resources('sshkey').with({
'purge' => 'true',
})
}
end
context 'with default params on osfamily Solaris kernelrelease 5.9' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'Solaris',
:kernelrelease => '5.9',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it { should include_class('ssh')}
it { should_not include_class('common')}
it {
should contain_package('ssh_packages').with({
'ensure' => 'installed',
'name' => ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'],
'source' => '/var/spool/pkg',
'adminfile' => nil,
})
}
it {
should contain_file('ssh_config').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_config',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
'require' => 'Package[ssh_packages]',
})
}
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it {
should contain_file('sshd_config').with({
'ensure' => 'file',
'path' => '/etc/ssh/sshd_config',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
'require' => 'Package[ssh_packages]',
})
}
it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) }
it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) }
it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) }
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) }
it { should contain_file('sshd_config').with_content(/^Banner none$/) }
it { should contain_file('sshd_config').with_content(/^XAuthLocation \/usr\/openwin\/bin\/xauth$/) }
it { should contain_file('sshd_config').with_content(/^Subsystem sftp \/usr\/lib\/ssh\/sftp-server$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should_not contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
it { should_not contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -121,7 +407,8 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -153,6 +440,12 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -208,7 +501,8 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -240,6 +534,12 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -295,7 +595,8 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -327,6 +628,12 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -362,7 +669,7 @@ describe 'ssh' do
it 'should fail' do it 'should fail' do
expect { expect {
should contain_class('ssh') should contain_class('ssh')
}.to raise_error(Puppet::Error,/^ssh supports osfamilies RedHat, Suse and Debian. Detected osfamily is <C64>\./) }.to raise_error(Puppet::Error,/^ssh supports osfamilies RedHat, Suse, Debian and Solaris. Detected osfamily is <C64>\./)
end end
end end
@ -400,6 +707,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ HashKnownHosts yes$/) } it { should contain_file('ssh_config').with_content(/^ HashKnownHosts yes$/) }
it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) } it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) }
it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) } it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) }
it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) } it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) }
@ -463,6 +771,12 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM no$/) } it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { it {
should contain_file('sshd_banner').with({ should contain_file('sshd_banner').with({

10
templates/ssh_config.erb
View File

@ -45,13 +45,17 @@
# TunnelDevice any:any # TunnelDevice any:any
# PermitLocalCommand no # PermitLocalCommand no
# HashKnownHosts no # HashKnownHosts no
HashKnownHosts <%= @ssh_config_hash_known_hosts %> <% if @ssh_config_hash_known_hosts_real != nil -%>
HashKnownHosts <%= @ssh_config_hash_known_hosts_real %>
<% end -%>
Host * Host *
GSSAPIAuthentication yes GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access # If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted # to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes. # mode correctly we set this to yes.
ForwardX11Trusted yes <% if @ssh_config_forward_x11_trusted_real != nil -%>
ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %>
<% end -%>
<% if @ssh_config_forward_agent != nil -%> <% if @ssh_config_forward_agent != nil -%>
ForwardAgent <%= @ssh_config_forward_agent %> ForwardAgent <%= @ssh_config_forward_agent %>
<% end -%> <% end -%>
@ -61,6 +65,7 @@ Host *
<% if @ssh_config_server_alive_interval != nil -%> <% if @ssh_config_server_alive_interval != nil -%>
ServerAliveInterval <%= @ssh_config_server_alive_interval %> ServerAliveInterval <%= @ssh_config_server_alive_interval %>
<% end -%> <% end -%>
<% if @ssh_acceptenv_real == true -%>
# Send locale-related environment variables # Send locale-related environment variables
SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
@ -68,3 +73,4 @@ Host *
<% if @ssh_config_sendenv_xmodifiers_real == true -%> <% if @ssh_config_sendenv_xmodifiers_real == true -%>
SendEnv XMODIFIERS SendEnv XMODIFIERS
<% end -%> <% end -%>
<% end -%>

31
templates/sshd_config.erb
View File

@ -24,7 +24,7 @@ Protocol 2
# HostKey for protocol version 1 # HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key #HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2 # HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key # Lifetime and size of ephemeral version 1 server key
@ -63,6 +63,14 @@ PermitRootLogin <%= @permit_root_login %>
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes #PasswordAuthentication yes
PasswordAuthentication <%= @sshd_password_authentication %> PasswordAuthentication <%= @sshd_password_authentication %>
<% if @sshd_pamauthenticationviakbdint_real != nil -%>
# Use PAM via keyboard interactive method for authentication.
# # Depending on the setup of pam.conf(4) this may allow tunneled clear text
# # passwords even when PasswordAuthentication is set to no. This is dependent
# # on what the individual modules request and is out of the control of sshd
# # or the protocol.
PAMAuthenticationViaKBDInt yes
<% end -%>
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
@ -77,10 +85,16 @@ ChallengeResponseAuthentication <%= @sshd_config_challenge_resp_auth %>
# GSSAPI options # GSSAPI options
#GSSAPIAuthentication no #GSSAPIAuthentication no
GSSAPIAuthentication yes GSSAPIAuthentication <%= @sshd_gssapiauthentication %>
<% if @sshd_gssapikeyexchange_real != nil -%>
GSSAPIKeyExchange <%= @sshd_gssapikeyexchange_real %>
<% end -%>
<% if @sshd_gssapicleanupcredentials_real != nil -%>
#GSSAPICleanupCredentials yes #GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes GSSAPICleanupCredentials <%= @sshd_gssapicleanupcredentials_real %>
<% end -%>
<% if @sshd_use_pam_real != nil -%>
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism. # be allowed through the ChallengeResponseAuthentication mechanism.
@ -90,12 +104,15 @@ GSSAPICleanupCredentials yes
# session checks to run without PAM authentication, then enable this but set # session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no # ChallengeResponseAuthentication=no
#UsePAM no #UsePAM no
UsePAM <%= @sshd_use_pam %> UsePAM <%= @sshd_use_pam_real %>
<% end -%>
<% if @ssh_acceptenv_real == true -%>
# Accept locale-related environment variables # Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL AcceptEnv LC_IDENTIFICATION LC_ALL
<% end -%>
#AllowTcpForwarding yes #AllowTcpForwarding yes
AllowTcpForwarding <%= @sshd_allow_tcp_forwarding %> AllowTcpForwarding <%= @sshd_allow_tcp_forwarding %>
#GatewayPorts no #GatewayPorts no
@ -115,8 +132,10 @@ PrintMotd <%= @sshd_config_print_motd %>
ClientAliveInterval <%= @sshd_client_alive_interval %> ClientAliveInterval <%= @sshd_client_alive_interval %>
#ClientAliveCountMax 3 #ClientAliveCountMax 3
#ShowPatchLevel no #ShowPatchLevel no
<% if @sshd_config_use_dns_real != nil -%>
#UseDNS yes #UseDNS yes
UseDNS <%= @sshd_config_use_dns %> UseDNS <%= @sshd_config_use_dns_real %>
<% end -%>
#PidFile /var/run/sshd.pid #PidFile /var/run/sshd.pid
#MaxStartups 10 #MaxStartups 10
#PermitTunnel no #PermitTunnel no
@ -127,7 +146,7 @@ UseDNS <%= @sshd_config_use_dns %>
Banner <%= @sshd_config_banner %> Banner <%= @sshd_config_banner %>
#XAuthLocation /usr/bin/xauth #XAuthLocation /usr/bin/xauth
XAuthLocation <%= @sshd_config_xauth_location %> XAuthLocation <%= @sshd_config_xauth_location_real %>
# override default of no subsystems # override default of no subsystems
Subsystem sftp <%= @sshd_config_subsystem_sftp_real %> Subsystem sftp <%= @sshd_config_subsystem_sftp_real %>