puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #213 from Phil-Friderici/fix_solaris

Browse Source 
Fix parameters not compatible with Solaris
This commit is contained in:
Garrett Honeycutt 2017-02-27 12:10:51 -05:00 committed by GitHub
commit 3708935588
6 changed files with 132 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.travis.yml
View File

@ -28,6 +28,7 @@ env:
- PUPPET_GEM_VERSION="~> 4.6.0" - PUPPET_GEM_VERSION="~> 4.6.0"
- PUPPET_GEM_VERSION="~> 4.7.0" - PUPPET_GEM_VERSION="~> 4.7.0"
- PUPPET_GEM_VERSION="~> 4.8.0" - PUPPET_GEM_VERSION="~> 4.8.0"
- PUPPET_GEM_VERSION="~> 4.9.0"
- PUPPET_GEM_VERSION="~> 4" - PUPPET_GEM_VERSION="~> 4"
sudo: false sudo: false
@ -66,6 +67,16 @@ matrix:
- rvm: 1.8.7 - rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 4.8.0" env: PUPPET_GEM_VERSION="~> 4.8.0"
- rvm: 1.8.7 - rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 4.9.0"
- rvm: 1.9.3
env: PUPPET_GEM_VERSION="~> 4.9.0"
- rvm: 2.0.0
env: PUPPET_GEM_VERSION="~> 4.9.0"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 4"
- rvm: 1.9.3
env: PUPPET_GEM_VERSION="~> 4"
- rvm: 2.0.0
env: PUPPET_GEM_VERSION="~> 4" env: PUPPET_GEM_VERSION="~> 4"
- rvm: 2.3.1 - rvm: 2.3.1
env: PUPPET_GEM_VERSION="~> 3.1.0" env: PUPPET_GEM_VERSION="~> 3.1.0"

34
README.md
View File

@ -37,6 +37,14 @@ only), 1.9.3, 2.0.0, 2.1.0 and 2.3.1 (Puppet v4 only).
* Solaris 10 * Solaris 10
* Solaris 11 * Solaris 11
If you use the Sun Solaris SSH, please keep in mind that not all parameters can be used.
Unsupported parameters for ssh_config:
AddressFamily, Tunnel, TunnelDevice, PermitLocalCommand, HashKnownHosts
Unsupported parameters for sshd_config:
KerberosOrLocalPasswd, KerberosTicketCleanup, KerberosGetAFSToken, TCPKeepAlive, ShowPatchLevel, MaxSessions, PermitTunnel
=== ===
# Parameters # Parameters
@ -63,6 +71,8 @@ Note that existing names and addresses in known hosts files will not be converte
but may be manually hashed using ssh-keygen. Use of this option may break facilities such as but may be manually hashed using ssh-keygen. Use of this option may break facilities such as
tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts. tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts.
A value of 'unset' will not add this parameter to the configuration file.
- *Default*: 'USE_DEFAULTS' - *Default*: 'USE_DEFAULTS'
ssh_config_path ssh_config_path
@ -451,22 +461,29 @@ are sent, death of the connection or crash of one of the machines will be proper
However, this means that connections will die if the route is down temporarily, and some However, this means that connections will die if the route is down temporarily, and some
people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may
hang indefinitely on the server, leaving ``ghost'' users and consuming server resources. hang indefinitely on the server, leaving ``ghost'' users and consuming server resources.
The default is ``yes'' (to send TCP keepalive messages), and the server will notice if the A value of 'unset' will not add this parameter to the configuration file.
network goes down or the client host crashes. This avoids infinitely hanging sessions.
- *Default*: 'yes' On Linux the default is set to ``yes'' (to send TCP keepalive messages), and the server will
notice if the network goes down or the client host crashes. This avoids infinitely hanging
sessions.
On Solaris the default is to not add this parameter to the configuration file.
- *Default*: undef
sshd_config_permittunnel sshd_config_permittunnel
----------------------- -----------------------
PermitTunnel in sshd_config. PermitTunnel in sshd_config.
Specifies whether tun(4) device forwarding is allowed. The argument must be Specifies whether tun(4) device forwarding is allowed. The argument must be 'yes',
'yes', 'point-to-point' (layer 3), 'ethernet' (layer 2), or 'no'. 'point-to-point' (layer 3), 'ethernet' (layer 2), 'no', or 'unset' (parameter not used).
Specifying 'yes' permits both 'point-to-point' and 'ethernet'. The Specifying 'yes' permits both 'point-to-point' and 'ethernet'.
default is 'no'.
Independent of this setting, the permissions of the selected tun(4) device must Independent of this setting, the permissions of the selected tun(4) device must
allow access to the user. allow access to the user.
A value of 'unset' will not add this parameter to the configuration file.
- *Default*: 'no' On Linux the default is set to ``no''.
On Solaris the default is to not add this parameter to the configuration file.
- *Default*: undef
sshd_config_ciphers sshd_config_ciphers
------------------- -------------------
@ -519,6 +536,7 @@ Specifies the maximum number of concurrent unauthenticated connections to the SS
sshd_config_maxsessions sshd_config_maxsessions
----------------------- -----------------------
Specifies the maximum number of open sessions permitted per network connection. Specifies the maximum number of open sessions permitted per network connection.
A value of 'unset' or undef will not add this parameter to the configuration file.
- *Default*: undef - *Default*: undef

55
manifests/init.pp
View File

@ -109,8 +109,8 @@ class ssh (
$keys = undef, $keys = undef,
$manage_root_ssh_config = false, $manage_root_ssh_config = false,
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
$sshd_config_tcp_keepalive = 'yes', $sshd_config_tcp_keepalive = undef,
$sshd_config_permittunnel = 'no', $sshd_config_permittunnel = undef,
) { ) {
case $::osfamily { case $::osfamily {
@ -136,6 +136,8 @@ class ssh (
$default_sshd_config_serverkeybits = '1024' $default_sshd_config_serverkeybits = '1024'
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
$default_sshd_addressfamily = 'any' $default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
} }
'Suse': { 'Suse': {
$default_packages = 'openssh' $default_packages = 'openssh'
@ -157,6 +159,8 @@ class ssh (
$default_sshd_config_serverkeybits = '1024' $default_sshd_config_serverkeybits = '1024'
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
$default_sshd_addressfamily = 'any' $default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
case $::architecture { case $::architecture {
'x86_64': { 'x86_64': {
if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) { if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) {
@ -207,6 +211,8 @@ class ssh (
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024' $default_sshd_config_serverkeybits = '1024'
$default_sshd_addressfamily = 'any' $default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
} }
'Solaris': { 'Solaris': {
$default_ssh_config_hash_known_hosts = undef $default_ssh_config_hash_known_hosts = undef
@ -225,6 +231,8 @@ class ssh (
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
$default_sshd_addressfamily = undef $default_sshd_addressfamily = undef
$default_sshd_config_tcp_keepalive = undef
$default_sshd_config_permittunnel = undef
case $::kernelrelease { case $::kernelrelease {
'5.11': { '5.11': {
$default_packages = ['network/ssh', $default_packages = ['network/ssh',
@ -285,10 +293,10 @@ class ssh (
$packages_real = $packages $packages_real = $packages
} }
if $ssh_config_hash_known_hosts == 'USE_DEFAULTS' { case $ssh_config_hash_known_hosts {
$ssh_config_hash_known_hosts_real = $default_ssh_config_hash_known_hosts 'unset': { $ssh_config_hash_known_hosts_real = undef }
} else { 'USE_DEFAULTS': { $ssh_config_hash_known_hosts_real = $default_ssh_config_hash_known_hosts }
$ssh_config_hash_known_hosts_real = $ssh_config_hash_known_hosts default: { $ssh_config_hash_known_hosts_real = $ssh_config_hash_known_hosts }
} }
if $service_name == 'USE_DEFAULTS' { if $service_name == 'USE_DEFAULTS' {
@ -459,6 +467,23 @@ class ssh (
$sshd_addressfamily_real = $sshd_addressfamily $sshd_addressfamily_real = $sshd_addressfamily
} }
case $sshd_config_maxsessions {
'unset', undef: { $sshd_config_maxsessions_integer = undef }
default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) }
}
case $sshd_config_tcp_keepalive {
'unset': { $sshd_config_tcp_keepalive_real = undef }
undef: { $sshd_config_tcp_keepalive_real = $default_sshd_config_tcp_keepalive }
default: { $sshd_config_tcp_keepalive_real = $sshd_config_tcp_keepalive }
}
case $sshd_config_permittunnel {
'unset': { $sshd_config_permittunnel_real = undef }
undef: { $sshd_config_permittunnel_real = $default_sshd_config_permittunnel }
default: { $sshd_config_permittunnel_real = $sshd_config_permittunnel }
}
# validate params # validate params
if $ssh_config_ciphers != undef { if $ssh_config_ciphers != undef {
validate_array($ssh_config_ciphers) validate_array($ssh_config_ciphers)
@ -485,7 +510,7 @@ class ssh (
} }
if $ssh_config_hash_known_hosts_real != undef { if $ssh_config_hash_known_hosts_real != undef {
validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.") validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes', 'no' or 'unset' and is set to <${ssh_config_hash_known_hosts_real}>.")
} }
if $sshd_config_permitemptypasswords != undef { if $sshd_config_permitemptypasswords != undef {
validate_re($sshd_config_permitemptypasswords, '^(yes|no)$', "ssh::sshd_config_permitemptypasswords may be either 'yes' or 'no' and is set to <${sshd_config_permitemptypasswords}>.") validate_re($sshd_config_permitemptypasswords, '^(yes|no)$', "ssh::sshd_config_permitemptypasswords may be either 'yes' or 'no' and is set to <${sshd_config_permitemptypasswords}>.")
@ -582,13 +607,6 @@ class ssh (
"ssh::sshd_config_maxstartups may be either an integer or three integers separated with colons, such as 10:30:100. Detected value is <${sshd_config_maxstartups}>.") "ssh::sshd_config_maxstartups may be either an integer or three integers separated with colons, such as 10:30:100. Detected value is <${sshd_config_maxstartups}>.")
} }
if $sshd_config_maxsessions != undef {
$is_int_sshd_config_maxsessions = is_integer($sshd_config_maxsessions)
if $is_int_sshd_config_maxsessions == false {
fail("sshd_config_maxsessions must be an integer. Detected value is ${sshd_config_maxsessions}.")
}
}
if $sshd_config_chrootdirectory != undef { if $sshd_config_chrootdirectory != undef {
validate_absolute_path($sshd_config_chrootdirectory) validate_absolute_path($sshd_config_chrootdirectory)
} }
@ -781,9 +799,14 @@ class ssh (
validate_array($sshd_config_allowgroups_real) validate_array($sshd_config_allowgroups_real)
} }
validate_re($sshd_config_tcp_keepalive, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes' or 'no' and is set to <${sshd_config_tcp_keepalive}>.")
validate_re($sshd_config_permittunnel, '^(yes|no|point-to-point|ethernet)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet' or 'no' and is set to <${sshd_config_permittunnel}>.") if $sshd_config_tcp_keepalive_real != undef {
validate_re($sshd_config_tcp_keepalive_real, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes', 'no' or 'unset' and is set to <${sshd_config_tcp_keepalive_real}>.")
}
if $sshd_config_permittunnel_real != undef {
validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.")
}
package { $packages_real: package { $packages_real:
ensure => installed, ensure => installed,

60
spec/classes/init_spec.rb
View File

@ -806,13 +806,27 @@ describe 'ssh' do
end end
end end
context 'with ssh_config_hash_known_hosts set to invalid value on valid osfamily' do describe 'with ssh_config_hash_known_hosts param' do
let(:params) { { :ssh_config_hash_known_hosts => 'invalid' } } ['yes','no','unset'].each do |value|
context "set to #{value}" do
let (:params) { { :ssh_config_hash_known_hosts => value } }
it 'should fail' do if value == 'unset'
expect { it { should contain_file('ssh_config').without_content(/^\s*HashKnownHosts/) }
should contain_class('ssh') else
}.to raise_error(Puppet::Error,/ssh::ssh_config_hash_known_hosts may be either \'yes\' or \'no\' and is set to <invalid>\./) it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts #{value}$/) }
end
end
end
context 'when set to an invalid value' do
let (:params) { { :ssh_config_hash_known_hosts => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::ssh_config_hash_known_hosts may be either \'yes\', \'no\' or \'unset\' and is set to <invalid>\./)
end
end end
end end
@ -971,11 +985,15 @@ describe 'ssh' do
end end
describe 'sshd_config_permittunnel param' do describe 'sshd_config_permittunnel param' do
['yes','point-to-point','ethernet','no'].each do |value| ['yes','point-to-point','ethernet','no','unset'].each do |value|
context "set to #{value}" do context "set to #{value}" do
let (:params) { { :sshd_config_permittunnel => value } } let (:params) { { :sshd_config_permittunnel => value } }
it { should contain_file('sshd_config').with_content(/^PermitTunnel #{value}$/) } if value == 'unset'
it { should contain_file('sshd_config').without_content(/^\s*PermitTunnel/) }
else
it { should contain_file('sshd_config').with_content(/^PermitTunnel #{value}$/) }
end
end end
end end
@ -985,7 +1003,7 @@ describe 'ssh' do
it 'should fail' do it 'should fail' do
expect { expect {
should contain_class('ssh') should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_permittunnel may be either \'yes\', \'point-to-point\', \'ethernet\' or \'no\' and is set to <invalid>\./) }.to raise_error(Puppet::Error,/ssh::sshd_config_permittunnel may be either \'yes\', \'point-to-point\', \'ethernet\', \'no\' or \'unset\' and is set to <invalid>\./)
end end
end end
end end
@ -1812,6 +1830,12 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^MaxSessions 10$/) } it { should contain_file('sshd_config').with_content(/^MaxSessions 10$/) }
end end
context 'as a valid string <unset>' do
let(:params) { { :sshd_config_maxsessions => 'unset' } }
it { should contain_file('sshd_config').without_content(/^\s*MaxSessions/) }
end
context 'as an invalid type' do context 'as an invalid type' do
let(:params) { { :sshd_config_maxsessions => 'BOGUS' } } let(:params) { { :sshd_config_maxsessions => 'BOGUS' } }
@ -2267,13 +2291,25 @@ describe 'ssh' do
end end
describe 'sshd_config_tcp_keepalive param' do describe 'sshd_config_tcp_keepalive param' do
context 'when set to invalid' do ['yes','no','unset'].each do |value|
let(:params) { { :sshd_config_tcp_keepalive => 'invalid' } } context "set to #{value}" do
let (:params) { { :sshd_config_tcp_keepalive => value } }
if value == 'unset'
it { should contain_file('sshd_config').without_content(/^\s*TCPKeepAlive/) }
else
it { should contain_file('sshd_config').with_content(/^TCPKeepAlive #{value}$/) }
end
end
end
context 'when set to an invalid value' do
let (:params) { { :sshd_config_tcp_keepalive => 'invalid' } }
it 'should fail' do it 'should fail' do
expect { expect {
should contain_class('ssh') should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_tcp_keepalive may be either \'yes\' or \'no\' and is set to <invalid>\./) }.to raise_error(Puppet::Error,/ssh::sshd_config_tcp_keepalive may be either \'yes\', \'no\' or \'unset\' and is set to <invalid>\./)
end end
end end
end end

2
spec/fixtures/sshd_config_solaris vendored
View File

@ -101,7 +101,6 @@ X11UseLocalhost yes
PrintMotd yes PrintMotd yes
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
TCPKeepAlive yes
#UseLogin no #UseLogin no
#UsePrivilegeSeparation yes #UsePrivilegeSeparation yes
#PermitUserEnvironment no #PermitUserEnvironment no
@ -115,7 +114,6 @@ ClientAliveCountMax 3
#MaxSessions 10 #MaxSessions 10
#PermitTunnel no #PermitTunnel no
PermitTunnel no
#ChrootDirectory none #ChrootDirectory none
# no default banner path # no default banner path

12
templates/sshd_config.erb
View File

@ -166,7 +166,9 @@ X11UseLocalhost <%= @sshd_x11_use_localhost %>
PrintMotd <%= @sshd_config_print_motd %> PrintMotd <%= @sshd_config_print_motd %>
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
TCPKeepAlive <%= @sshd_config_tcp_keepalive %> <% if @sshd_config_tcp_keepalive_real != nil -%>
TCPKeepAlive <%= @sshd_config_tcp_keepalive_real %>
<% end -%>
#UseLogin no #UseLogin no
#UsePrivilegeSeparation yes #UsePrivilegeSeparation yes
#PermitUserEnvironment no #PermitUserEnvironment no
@ -188,14 +190,16 @@ MaxStartups <%= @sshd_config_maxstartups %>
<% else -%> <% else -%>
#MaxStartups 10:30:100 #MaxStartups 10:30:100
<% end -%> <% end -%>
<% if @sshd_config_maxsessions -%> <% if @sshd_config_maxsessions_integer != nil -%>
MaxSessions <%= @sshd_config_maxsessions %> MaxSessions <%= @sshd_config_maxsessions_integer %>
<% else -%> <% else -%>
#MaxSessions 10 #MaxSessions 10
<% end -%> <% end -%>
#PermitTunnel no #PermitTunnel no
PermitTunnel <%= @sshd_config_permittunnel %> <% if @sshd_config_permittunnel_real != nil -%>
PermitTunnel <%= @sshd_config_permittunnel_real %>
<% end -%>
<% if @sshd_config_chrootdirectory -%> <% if @sshd_config_chrootdirectory -%>
ChrootDirectory <%= @sshd_config_chrootdirectory %> ChrootDirectory <%= @sshd_config_chrootdirectory %>
<% else -%> <% else -%>