Merge pull request #225 from Mears148/master
Add PrintLastLog, UsePrivilegeSeparation and Compression params
commit
32c66844f9
25
README.md
25
README.md
@ -257,6 +257,15 @@ PermitUserEnvironment option in sshd_config. Specifies whether ~/.ssh/environme
|
||||
Valid values are 'yes' and 'no'.
|
||||
|
||||
|
||||
- *Default*: undef
|
||||
|
||||
sshd_config_compression
|
||||
---------------------------------
|
||||
Compression option in sshd_config.
|
||||
Specifies whether compression is allowed in an SSH connection prior to authentication.
|
||||
If specified, valid values are 'yes', 'no' and 'delayed'.
|
||||
|
||||
|
||||
- *Default*: undef
|
||||
|
||||
sshd_config_port
|
||||
@ -298,6 +307,14 @@ PrintMotd option in sshd_config.
|
||||
|
||||
- *Default*: 'yes'
|
||||
|
||||
sshd_config_print_lastlog
|
||||
----------------------
|
||||
PrintLastLog option in sshd_config.
|
||||
Verify SSH provides users with feedback on when account accesses last occurred.
|
||||
If specified, valid values are 'yes' and 'no'.
|
||||
|
||||
- *Default*: undef
|
||||
|
||||
sshd_config_use_dns
|
||||
-------------------
|
||||
UseDNS option in sshd_config. The default is 'yes' on Linux.
|
||||
@ -470,6 +487,14 @@ On Solaris the default is to not add this parameter to the configuration file.
|
||||
|
||||
- *Default*: undef
|
||||
|
||||
sshd_config_use_privilege_separation
|
||||
----------------------
|
||||
UsePrivilegeSeparation in sshd_config.
|
||||
Causes the SSH process to drop root privileges when not needed.
|
||||
If specified, valid values are 'yes', 'no' and 'sandbox'.
|
||||
|
||||
- *Default*: undef
|
||||
|
||||
sshd_config_permittunnel
|
||||
-----------------------
|
||||
PermitTunnel in sshd_config.
|
||||
|
@ -38,12 +38,14 @@ class ssh (
|
||||
$sshd_config_mode = 'USE_DEFAULTS',
|
||||
$sshd_config_permitemptypasswords = undef,
|
||||
$sshd_config_permituserenvironment = undef,
|
||||
$sshd_config_compression = undef,
|
||||
$sshd_config_port = '22',
|
||||
$sshd_config_syslog_facility = 'AUTH',
|
||||
$sshd_config_template = 'ssh/sshd_config.erb',
|
||||
$sshd_config_login_grace_time = '120',
|
||||
$sshd_config_challenge_resp_auth = 'yes',
|
||||
$sshd_config_print_motd = 'yes',
|
||||
$sshd_config_print_last_log = undef,
|
||||
$sshd_config_use_dns = 'USE_DEFAULTS',
|
||||
$sshd_config_authkey_location = undef,
|
||||
$sshd_config_strictmodes = undef,
|
||||
@ -111,6 +113,7 @@ class ssh (
|
||||
$manage_root_ssh_config = false,
|
||||
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
|
||||
$sshd_config_tcp_keepalive = undef,
|
||||
$sshd_config_use_privilege_separation = undef,
|
||||
$sshd_config_permittunnel = undef,
|
||||
$sshd_config_hostcertificate = undef,
|
||||
$sshd_config_trustedusercakeys = undef,
|
||||
@ -531,6 +534,9 @@ class ssh (
|
||||
if $sshd_config_permituserenvironment != undef {
|
||||
validate_re($sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.")
|
||||
}
|
||||
if $sshd_config_compression != undef {
|
||||
validate_re($sshd_config_compression, '^(yes|no|delayed)$', "ssh::sshd_config_compression may be either 'yes', 'no' or 'delayed' and is set to <${sshd_config_compression}>.")
|
||||
}
|
||||
case type3x($sshd_config_port) {
|
||||
'string': {
|
||||
validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")
|
||||
@ -554,6 +560,9 @@ class ssh (
|
||||
validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
|
||||
validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
|
||||
validate_re($sshd_x11_use_localhost, '^(yes|no)$', "ssh::sshd_x11_use_localhost may be either 'yes' or 'no' and is set to <${sshd_x11_use_localhost}>.")
|
||||
if $sshd_config_print_last_log != undef {
|
||||
validate_re($sshd_config_print_last_log, '^(yes|no)$', "ssh::sshd_config_print_last_log may be either 'yes' or 'no' and is set to <${sshd_config_print_last_log}>.")
|
||||
}
|
||||
if $sshd_use_pam_real != undef {
|
||||
validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
|
||||
}
|
||||
@ -821,6 +830,10 @@ class ssh (
|
||||
validate_re($sshd_config_tcp_keepalive_real, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes', 'no' or 'unset' and is set to <${sshd_config_tcp_keepalive_real}>.")
|
||||
}
|
||||
|
||||
if $sshd_config_use_privilege_separation != undef {
|
||||
validate_re($sshd_config_use_privilege_separation, '^(yes|no|sandbox)$', "ssh::sshd_config_use_privilege_separation may be either 'yes', 'no' or 'sandbox' and is set to <${sshd_config_use_privilege_separation}>.")
|
||||
}
|
||||
|
||||
if $sshd_config_permittunnel_real != undef {
|
||||
validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.")
|
||||
}
|
||||
|
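Review bot: The new `validate_re($sshd_config_use_privilege_separation, '^(yes|no|sandbox)$', ...)` accepts 'no', which switches off sshd's privilege separation entirely, so a syntactically valid but unsafe Hiera value is applied without any warning; at minimum the parameter deserves a comment such as `# 'no' disables sshd privilege separation and should only be used for debugging; prefer 'yes' or 'sandbox'.` The same applies to `validate_re($sshd_config_compression, '^(yes|no|delayed)$', ...)`: 'yes' enables compression before authentication, which is why 'delayed' (or 'no') is the usual hardening choice, and that is not said anywhere in the manifest. Both options are version-sensitive — OpenSSH 7.4 made 'delayed' a synonym for 'yes' and 7.5 deprecated UsePrivilegeSeparation altogether — so newer daemons will log deprecation warnings for values this module now lets through; a one-line caveat in the parameter docs would save operators a surprise. The `class ssh (` parameter list and the body these hunks touch start and end outside the visible hunks.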
@ -398,6 +398,7 @@ describe 'ssh' do
|
||||
:sshd_config_match => { 'User JohnDoe' => [ 'AllowTcpForwarding yes', ], },
|
||||
:sshd_config_challenge_resp_auth => 'no',
|
||||
:sshd_config_print_motd => 'no',
|
||||
:sshd_config_print_last_log => 'no',
|
||||
:sshd_config_use_dns => 'no',
|
||||
:sshd_config_banner => '/etc/sshd_banner',
|
||||
:sshd_authorized_keys_command => '/path/to/command',
|
||||
@ -409,6 +410,7 @@ describe 'ssh' do
|
||||
:sshd_password_authentication => 'no',
|
||||
:sshd_config_permitemptypasswords => 'no',
|
||||
:sshd_config_permituserenvironment => 'no',
|
||||
:sshd_config_compression => 'no',
|
||||
:sshd_pubkeyacceptedkeytypes => [ 'ecdsa-sha2-nistp256',
|
||||
'ecdsa-sha2-nistp384',
|
||||
'ecdsa-sha2-nistp521',
|
||||
@ -464,6 +466,7 @@ describe 'ssh' do
|
||||
'2001:db8::dead:f00d',
|
||||
],
|
||||
:sshd_config_tcp_keepalive => 'yes',
|
||||
:sshd_config_use_privilege_separation => 'no',
|
||||
:sshd_config_permittunnel => 'no',
|
||||
}
|
||||
end
|
||||
@ -488,6 +491,7 @@ describe 'ssh' do
|
||||
it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^PrintMotd no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^PrintLastLog no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^UseDNS no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^Banner \/etc\/sshd_banner$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^XAuthLocation \/opt\/ssh\/bin\/xauth$/) }
|
||||
@ -511,6 +515,7 @@ describe 'ssh' do
|
||||
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
|
||||
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment no/) }
|
||||
it { should contain_file('sshd_config').with_content(/^Compression no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords no/) }
|
||||
it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }
|
||||
it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
|
||||
@ -534,6 +539,7 @@ describe 'ssh' do
|
||||
it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) }
|
||||
|
||||
it {
|
||||
@ -622,6 +628,26 @@ describe 'ssh' do
|
||||
|
||||
end
|
||||
|
||||
describe 'sshd_config_print_last_log param' do
|
||||
['yes','no'].each do |value|
|
||||
context "set to #{value}" do
|
||||
let (:params) { { :sshd_config_print_last_log => value } }
|
||||
|
||||
it { should contain_file('sshd_config').with_content(/^PrintLastLog #{value}$/) }
|
||||
end
|
||||
end
|
||||
|
||||
context 'when set to an invalid value' do
|
||||
let (:params) { { :sshd_config_print_last_log => 'invalid' } }
|
||||
|
||||
it 'should fail' do
|
||||
expect {
|
||||
should contain_class('ssh')
|
||||
}.to raise_error(Puppet::Error,/ssh::sshd_config_print_last_log may be either \'yes\' or \'no\' and is set to <invalid>\./)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'sshd_listen_address param' do
|
||||
context 'when set to an array' do
|
||||
let(:params) { {'sshd_listen_address' => ['192.168.1.1','2001:db8::dead:f00d'] } }
|
||||
@ -967,6 +993,26 @@ describe 'ssh' do
|
||||
end
|
||||
end
|
||||
|
||||
describe 'sshd_config_compression param' do
|
||||
['yes','no','delayed'].each do |value|
|
||||
context "set to #{value}" do
|
||||
let (:params) { { :sshd_config_compression => value } }
|
||||
|
||||
it { should contain_file('sshd_config').with_content(/^Compression #{value}$/) }
|
||||
end
|
||||
end
|
||||
|
||||
context 'when set to an invalid value' do
|
||||
let (:params) { { :sshd_config_compression => 'invalid' } }
|
||||
|
||||
it 'should fail' do
|
||||
expect {
|
||||
should contain_class('ssh')
|
||||
}.to raise_error(Puppet::Error,/ssh::sshd_config_compression may be either \'yes\', \'no\' or \'delayed\' and is set to <invalid>\./)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'sshd_config_port param' do
|
||||
context 'when set to an array' do
|
||||
let(:params) { {'sshd_config_port' => ['22222', '22223'] } }
|
||||
@ -2392,6 +2438,26 @@ describe 'ssh' do
|
||||
end
|
||||
end
|
||||
|
||||
describe 'sshd_config_use_privilege_separation param' do
|
||||
['yes','no','sandbox'].each do |value|
|
||||
context "set to #{value}" do
|
||||
let (:params) { { :sshd_config_use_privilege_separation => value } }
|
||||
|
||||
it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation #{value}$/) }
|
||||
end
|
||||
end
|
||||
|
||||
context 'when set to an invalid value' do
|
||||
let (:params) { { :sshd_config_use_privilege_separation => 'invalid' } }
|
||||
|
||||
it 'should fail' do
|
||||
expect {
|
||||
should contain_class('ssh')
|
||||
}.to raise_error(Puppet::Error,/ssh::sshd_config_use_privilege_separation may be either \'yes\', \'no\' or \'sandbox\' and is set to <invalid>\./)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with parameter sshd_addressfamily' do
|
||||
['any','inet','inet6'].each do |value|
|
||||
context "set to a valid entry of #{value}" do
|
||||
|
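Review bot: The new `describe 'sshd_config_print_last_log param'`, `describe 'sshd_config_compression param'` and `describe 'sshd_config_use_privilege_separation param'` blocks only test explicit values and the invalid case; nothing asserts that the default of `undef` leaves the directive out of sshd_config, which is the behaviour the template's `<% if ... != nil -%>` guards exist to provide and the one most likely to regress. Add a default context to each, e.g. `context 'with default params' do` / `it { should_not contain_file('sshd_config').with_content(/^PrintLastLog/) }` / `end`, and likewise for `/^Compression/` and `/^UsePrivilegeSeparation/`. The surrounding `describe 'ssh' do` block starts and ends outside the visible hunks.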
@ -168,17 +168,26 @@ X11UseLocalhost <%= @sshd_x11_use_localhost %>
|
||||
#PrintMotd yes
|
||||
PrintMotd <%= @sshd_config_print_motd %>
|
||||
#PrintLastLog yes
|
||||
<% if @sshd_config_print_last_log != nil -%>
|
||||
PrintLastLog <%= @sshd_config_print_last_log %>
|
||||
<% end -%>
|
||||
#TCPKeepAlive yes
|
||||
<% if @sshd_config_tcp_keepalive_real != nil -%>
|
||||
TCPKeepAlive <%= @sshd_config_tcp_keepalive_real %>
|
||||
<% end -%>
|
||||
#UseLogin no
|
||||
#UsePrivilegeSeparation yes
|
||||
<% if @sshd_config_use_privilege_separation != nil -%>
|
||||
UsePrivilegeSeparation <%= @sshd_config_use_privilege_separation %>
|
||||
<% end -%>
|
||||
#PermitUserEnvironment no
|
||||
<% if @sshd_config_permituserenvironment != nil -%>
|
||||
PermitUserEnvironment <%= @sshd_config_permituserenvironment %>
|
||||
<% end -%>
|
||||
#Compression delayed
|
||||
<% if @sshd_config_compression != nil -%>
|
||||
Compression <%= @sshd_config_compression %>
|
||||
<% end -%>
|
||||
#ClientAliveInterval 0
|
||||
ClientAliveInterval <%= @sshd_client_alive_interval %>
|
||||
ClientAliveCountMax <%= @sshd_client_alive_count_max %>
|
||||
|