puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #225 from Mears148/master

Browse Source 
Add PrintLastLog, UsePrivilegeSeparation and Compression params
This commit is contained in:
Garrett Honeycutt 2017-05-26 15:08:31 -04:00 committed by GitHub
commit 32c66844f9
4 changed files with 289 additions and 176 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
README.md
View File

@ -257,6 +257,15 @@ PermitUserEnvironment option in sshd_config. Specifies whether ~/.ssh/environme
Valid values are 'yes' and 'no'. Valid values are 'yes' and 'no'.
- *Default*: undef
sshd_config_compression
---------------------------------
Compression option in sshd_config.
Specifies whether compression is allowed in an SSH connection prior to authentication.
If specified, valid values are 'yes', 'no' and 'delayed'.
- *Default*: undef - *Default*: undef
sshd_config_port sshd_config_port
@ -298,6 +307,14 @@ PrintMotd option in sshd_config.
- *Default*: 'yes' - *Default*: 'yes'
sshd_config_print_lastlog
----------------------
PrintLastLog option in sshd_config.
Verify SSH provides users with feedback on when account accesses last occurred.
If specified, valid values are 'yes' and 'no'.
- *Default*: undef
sshd_config_use_dns sshd_config_use_dns
------------------- -------------------
UseDNS option in sshd_config. The default is 'yes' on Linux. UseDNS option in sshd_config. The default is 'yes' on Linux.
@ -470,6 +487,14 @@ On Solaris the default is to not add this parameter to the configuration file.
- *Default*: undef - *Default*: undef
sshd_config_use_privilege_separation
----------------------
UsePrivilegeSeparation in sshd_config.
Causes the SSH process to drop root privileges when not needed.
If specified, valid values are 'yes', 'no' and 'sandbox'.
- *Default*: undef
sshd_config_permittunnel sshd_config_permittunnel
----------------------- -----------------------
PermitTunnel in sshd_config. PermitTunnel in sshd_config.

13
manifests/init.pp
View File

@ -38,12 +38,14 @@ class ssh (
$sshd_config_mode = 'USE_DEFAULTS', $sshd_config_mode = 'USE_DEFAULTS',
$sshd_config_permitemptypasswords = undef, $sshd_config_permitemptypasswords = undef,
$sshd_config_permituserenvironment = undef, $sshd_config_permituserenvironment = undef,
$sshd_config_compression = undef,
$sshd_config_port = '22', $sshd_config_port = '22',
$sshd_config_syslog_facility = 'AUTH', $sshd_config_syslog_facility = 'AUTH',
$sshd_config_template = 'ssh/sshd_config.erb', $sshd_config_template = 'ssh/sshd_config.erb',
$sshd_config_login_grace_time = '120', $sshd_config_login_grace_time = '120',
$sshd_config_challenge_resp_auth = 'yes', $sshd_config_challenge_resp_auth = 'yes',
$sshd_config_print_motd = 'yes', $sshd_config_print_motd = 'yes',
$sshd_config_print_last_log = undef,
$sshd_config_use_dns = 'USE_DEFAULTS', $sshd_config_use_dns = 'USE_DEFAULTS',
$sshd_config_authkey_location = undef, $sshd_config_authkey_location = undef,
$sshd_config_strictmodes = undef, $sshd_config_strictmodes = undef,
@ -111,6 +113,7 @@ class ssh (
$manage_root_ssh_config = false, $manage_root_ssh_config = false,
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
$sshd_config_tcp_keepalive = undef, $sshd_config_tcp_keepalive = undef,
$sshd_config_use_privilege_separation = undef,
$sshd_config_permittunnel = undef, $sshd_config_permittunnel = undef,
$sshd_config_hostcertificate = undef, $sshd_config_hostcertificate = undef,
$sshd_config_trustedusercakeys = undef, $sshd_config_trustedusercakeys = undef,
@ -531,6 +534,9 @@ class ssh (
if $sshd_config_permituserenvironment != undef { if $sshd_config_permituserenvironment != undef {
validate_re($sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.") validate_re($sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.")
} }
if $sshd_config_compression != undef {
validate_re($sshd_config_compression, '^(yes|no|delayed)$', "ssh::sshd_config_compression may be either 'yes', 'no' or 'delayed' and is set to <${sshd_config_compression}>.")
}
case type3x($sshd_config_port) { case type3x($sshd_config_port) {
'string': { 'string': {
validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.") validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")
@ -554,6 +560,9 @@ class ssh (
validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.") validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.") validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
validate_re($sshd_x11_use_localhost, '^(yes|no)$', "ssh::sshd_x11_use_localhost may be either 'yes' or 'no' and is set to <${sshd_x11_use_localhost}>.") validate_re($sshd_x11_use_localhost, '^(yes|no)$', "ssh::sshd_x11_use_localhost may be either 'yes' or 'no' and is set to <${sshd_x11_use_localhost}>.")
if $sshd_config_print_last_log != undef {
validate_re($sshd_config_print_last_log, '^(yes|no)$', "ssh::sshd_config_print_last_log may be either 'yes' or 'no' and is set to <${sshd_config_print_last_log}>.")
}
if $sshd_use_pam_real != undef { if $sshd_use_pam_real != undef {
validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
} }
@ -821,6 +830,10 @@ class ssh (
validate_re($sshd_config_tcp_keepalive_real, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes', 'no' or 'unset' and is set to <${sshd_config_tcp_keepalive_real}>.") validate_re($sshd_config_tcp_keepalive_real, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes', 'no' or 'unset' and is set to <${sshd_config_tcp_keepalive_real}>.")
} }
if $sshd_config_use_privilege_separation != undef {
validate_re($sshd_config_use_privilege_separation, '^(yes|no|sandbox)$', "ssh::sshd_config_use_privilege_separation may be either 'yes', 'no' or 'sandbox' and is set to <${sshd_config_use_privilege_separation}>.")
}
if $sshd_config_permittunnel_real != undef { if $sshd_config_permittunnel_real != undef {
validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.") validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.")
} }

66
spec/classes/init_spec.rb
View File

@ -398,6 +398,7 @@ describe 'ssh' do
:sshd_config_match => { 'User JohnDoe' => [ 'AllowTcpForwarding yes', ], }, :sshd_config_match => { 'User JohnDoe' => [ 'AllowTcpForwarding yes', ], },
:sshd_config_challenge_resp_auth => 'no', :sshd_config_challenge_resp_auth => 'no',
:sshd_config_print_motd => 'no', :sshd_config_print_motd => 'no',
:sshd_config_print_last_log => 'no',
:sshd_config_use_dns => 'no', :sshd_config_use_dns => 'no',
:sshd_config_banner => '/etc/sshd_banner', :sshd_config_banner => '/etc/sshd_banner',
:sshd_authorized_keys_command => '/path/to/command', :sshd_authorized_keys_command => '/path/to/command',
@ -409,6 +410,7 @@ describe 'ssh' do
:sshd_password_authentication => 'no', :sshd_password_authentication => 'no',
:sshd_config_permitemptypasswords => 'no', :sshd_config_permitemptypasswords => 'no',
:sshd_config_permituserenvironment => 'no', :sshd_config_permituserenvironment => 'no',
:sshd_config_compression => 'no',
:sshd_pubkeyacceptedkeytypes => [ 'ecdsa-sha2-nistp256', :sshd_pubkeyacceptedkeytypes => [ 'ecdsa-sha2-nistp256',
'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp384',
'ecdsa-sha2-nistp521', 'ecdsa-sha2-nistp521',
@ -464,6 +466,7 @@ describe 'ssh' do
'2001:db8::dead:f00d', '2001:db8::dead:f00d',
], ],
:sshd_config_tcp_keepalive => 'yes', :sshd_config_tcp_keepalive => 'yes',
:sshd_config_use_privilege_separation => 'no',
:sshd_config_permittunnel => 'no', :sshd_config_permittunnel => 'no',
} }
end end
@ -488,6 +491,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) }
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^PrintMotd no$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd no$/) }
it { should contain_file('sshd_config').with_content(/^PrintLastLog no$/) }
it { should contain_file('sshd_config').with_content(/^UseDNS no$/) } it { should contain_file('sshd_config').with_content(/^UseDNS no$/) }
it { should contain_file('sshd_config').with_content(/^Banner \/etc\/sshd_banner$/) } it { should contain_file('sshd_config').with_content(/^Banner \/etc\/sshd_banner$/) }
it { should contain_file('sshd_config').with_content(/^XAuthLocation \/opt\/ssh\/bin\/xauth$/) } it { should contain_file('sshd_config').with_content(/^XAuthLocation \/opt\/ssh\/bin\/xauth$/) }
@ -511,6 +515,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) } it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment no/) } it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment no/) }
it { should contain_file('sshd_config').with_content(/^Compression no$/) }
it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords no/) } it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords no/) }
it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) } it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }
it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) } it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
@ -534,6 +539,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) } it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) }
it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) } it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) }
it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) } it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation no$/) }
it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) } it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) }
it { it {
@ -622,6 +628,26 @@ describe 'ssh' do
end end
describe 'sshd_config_print_last_log param' do
['yes','no'].each do |value|
context "set to #{value}" do
let (:params) { { :sshd_config_print_last_log => value } }
it { should contain_file('sshd_config').with_content(/^PrintLastLog #{value}$/) }
end
end
context 'when set to an invalid value' do
let (:params) { { :sshd_config_print_last_log => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_print_last_log may be either \'yes\' or \'no\' and is set to <invalid>\./)
end
end
end
describe 'sshd_listen_address param' do describe 'sshd_listen_address param' do
context 'when set to an array' do context 'when set to an array' do
let(:params) { {'sshd_listen_address' => ['192.168.1.1','2001:db8::dead:f00d'] } } let(:params) { {'sshd_listen_address' => ['192.168.1.1','2001:db8::dead:f00d'] } }
@ -967,6 +993,26 @@ describe 'ssh' do
end end
end end
describe 'sshd_config_compression param' do
['yes','no','delayed'].each do |value|
context "set to #{value}" do
let (:params) { { :sshd_config_compression => value } }
it { should contain_file('sshd_config').with_content(/^Compression #{value}$/) }
end
end
context 'when set to an invalid value' do
let (:params) { { :sshd_config_compression => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_compression may be either \'yes\', \'no\' or \'delayed\' and is set to <invalid>\./)
end
end
end
describe 'sshd_config_port param' do describe 'sshd_config_port param' do
context 'when set to an array' do context 'when set to an array' do
let(:params) { {'sshd_config_port' => ['22222', '22223'] } } let(:params) { {'sshd_config_port' => ['22222', '22223'] } }
@ -2392,6 +2438,26 @@ describe 'ssh' do
end end
end end
describe 'sshd_config_use_privilege_separation param' do
['yes','no','sandbox'].each do |value|
context "set to #{value}" do
let (:params) { { :sshd_config_use_privilege_separation => value } }
it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation #{value}$/) }
end
end
context 'when set to an invalid value' do
let (:params) { { :sshd_config_use_privilege_separation => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_use_privilege_separation may be either \'yes\', \'no\' or \'sandbox\' and is set to <invalid>\./)
end
end
end
describe 'with parameter sshd_addressfamily' do describe 'with parameter sshd_addressfamily' do
['any','inet','inet6'].each do |value| ['any','inet','inet6'].each do |value|
context "set to a valid entry of #{value}" do context "set to a valid entry of #{value}" do

9
templates/sshd_config.erb
View File

@ -168,17 +168,26 @@ X11UseLocalhost <%= @sshd_x11_use_localhost %>
#PrintMotd yes #PrintMotd yes
PrintMotd <%= @sshd_config_print_motd %> PrintMotd <%= @sshd_config_print_motd %>
#PrintLastLog yes #PrintLastLog yes
<% if @sshd_config_print_last_log != nil -%>
PrintLastLog <%= @sshd_config_print_last_log %>
<% end -%>
#TCPKeepAlive yes #TCPKeepAlive yes
<% if @sshd_config_tcp_keepalive_real != nil -%> <% if @sshd_config_tcp_keepalive_real != nil -%>
TCPKeepAlive <%= @sshd_config_tcp_keepalive_real %> TCPKeepAlive <%= @sshd_config_tcp_keepalive_real %>
<% end -%> <% end -%>
#UseLogin no #UseLogin no
#UsePrivilegeSeparation yes #UsePrivilegeSeparation yes
<% if @sshd_config_use_privilege_separation != nil -%>
UsePrivilegeSeparation <%= @sshd_config_use_privilege_separation %>
<% end -%>
#PermitUserEnvironment no #PermitUserEnvironment no
<% if @sshd_config_permituserenvironment != nil -%> <% if @sshd_config_permituserenvironment != nil -%>
PermitUserEnvironment <%= @sshd_config_permituserenvironment %> PermitUserEnvironment <%= @sshd_config_permituserenvironment %>
<% end -%> <% end -%>
#Compression delayed #Compression delayed
<% if @sshd_config_compression != nil -%>
Compression <%= @sshd_config_compression %>
<% end -%>
#ClientAliveInterval 0 #ClientAliveInterval 0
ClientAliveInterval <%= @sshd_client_alive_interval %> ClientAliveInterval <%= @sshd_client_alive_interval %>
ClientAliveCountMax <%= @sshd_client_alive_count_max %> ClientAliveCountMax <%= @sshd_client_alive_count_max %>