diff --git a/README.md b/README.md
index 6c39538..e3d7b4e 100644
--- a/README.md
+++ b/README.md
@@ -613,6 +613,12 @@ Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use wit
 
 - *Default*: undefined
 
+sshd_config_key_revocation_list
+-----------------------------
+Absolute path to a key revocation list (RevokedKeys) for use with SSH CA Validation for Users or the string 'none'.
+
+- *Default*: undefined
+
 sshd_config_authorized_principals_file
 --------------------------------------
 String path (relative or absolute) to the `authorized_principals` file. Sets the `AuthorizedPrincipalsFile` setting in `sshd_config`
diff --git a/manifests/init.pp b/manifests/init.pp
index af4213f..ed49124 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -119,6 +119,7 @@ class ssh (
 $sshd_config_permittunnel = undef,
 $sshd_config_hostcertificate = undef,
 $sshd_config_trustedusercakeys = undef,
+ $sshd_config_key_revocation_list = undef,
 $sshd_config_authorized_principals_file = undef,
 $sshd_config_allowagentforwarding = undef,
 ) {
@@ -508,6 +509,11 @@ class ssh (
 default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
 }
 
+ case $sshd_config_key_revocation_list {
+ 'unset', undef: { $sshd_config_key_revocation_list_real = undef }
+ default: { $sshd_config_key_revocation_list_real = $sshd_config_key_revocation_list }
+ }
+
 case $sshd_config_authorized_principals_file {
 'unset', undef: { $sshd_config_authorized_principals_file_real = undef }
 default: { $sshd_config_authorized_principals_file_real = $sshd_config_authorized_principals_file }
@@ -871,6 +877,12 @@ class ssh (
 validate_absolute_path($sshd_config_trustedusercakeys_real)
 }
 }
+ if $sshd_config_key_revocation_list_real != undef {
+ # RevokedKeys may be a path to the key revocation list or 'none'
+ if $sshd_config_key_revocation_list_real != 'none' {
+ validate_absolute_path($sshd_config_key_revocation_list)
+ }
+ }
 
 if $sshd_config_authorized_principals_file_real != undef {
 validate_string($sshd_config_authorized_principals_file_real)
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 94f9c78..2763344 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -488,6 +488,7 @@ describe 'ssh' do
 :sshd_config_use_privilege_separation => 'no',
 :sshd_config_permittunnel => 'no',
 :sshd_config_allowagentforwarding => 'no',
+ :sshd_config_key_revocation_list => '/path/to/revocation_list',
 }
 end
 
@@ -562,6 +563,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }
 it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation no$/) }
 it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) }
+ it { should contain_file('sshd_config').with_content(/^RevokedKeys \/path\/to\/revocation_list$/) }
 
 
 it { should contain_file('sshd_banner').with({
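Review bot: The new `validate_absolute_path($sshd_config_key_revocation_list)` line validates the raw parameter while the guard around it and the neighbouring TrustedUserCAKeys check both use the `_real` variable; it only works because `_real` differs from the parameter solely for 'unset'/undef, which the outer `!= undef` test already excludes, so it should read `validate_absolute_path($sshd_config_key_revocation_list_real)` to match the sibling block. The comment should also carry the operational caveat that matters for a revocation list: sshd_config(5) documents that a RevokedKeys file which does not exist or is unreadable causes public key authentication to be refused for all users, so a mistyped but syntactically absolute path is a lockout rather than a no-op; suggest `# RevokedKeys may be a path to the key revocation list or 'none'. Only the path shape is checked here; per sshd_config(5) an unreadable file refuses public key auth for all users, so the file must exist on the node.`. The new block is also inserted directly after the preceding `}` with no separating blank line, unlike the other validation blocks in this region. The enclosing class `ssh` begins and ends outside this hunk.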
@@ -1088,6 +1090,30 @@ describe 'sshd_config_print_last_log param' do
 end
 end
 
+ describe 'sshd_config_key_revocation_list param' do
+ ['/path/to','unset'].each do |value|
+ context "set to #{value}" do
+ let (:params) { { :sshd_config_key_revocation_list => value } }
+
+ if value == 'unset'
+ it { should contain_file('sshd_config').without_content(/^\s*RevokedKeys/) }
+ else
+ it { should contain_file('sshd_config').with_content(/^RevokedKeys #{value}$/) }
+ end
+ end
+ end
+
+ context 'when set to an invalid value' do
+ let (:params) { { :sshd_config_key_revocation_list => 'invalid' } }
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/while evaluating a Function Call|is not an absolute path/)
+ end
+ end
+ end
+
 describe 'sshd_config_hostcertificate param' do
 context 'unset value' do
 let(:params) { { :sshd_config_hostcertificate => 'unset' } }
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index dcf1779..cf55d5f 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -261,6 +261,9 @@ AllowUsers <%= @sshd_config_allowusers_real.join(' ') %>
 <% if @sshd_config_allowgroups_real != [] -%>
 AllowGroups <%= @sshd_config_allowgroups_real.join(' ') %>
 <% end -%>
+<% if @sshd_config_key_revocation_list_real -%>
+RevokedKeys <%= @sshd_config_key_revocation_list_real %>
+<% end -%>
 
 <% if @sshd_config_match -%>
 <% @sshd_config_match.sort.each do |key, hash| -%>
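Review bot: The new `sshd_config_key_revocation_list param` block never exercises the `'none'` value, even though the manifest special-cases it to bypass `validate_absolute_path` and the README documents it as an accepted value; the iterated list should become `['/path/to','none','unset'].each do |value|`, and the existing `with_content(/^RevokedKeys #{value}$/)` branch then asserts that `RevokedKeys none` is rendered verbatim rather than being rejected or dropped. The invalid-value context only checks a relative string, so it does not distinguish the 'none' keyword from arbitrary text; the extra iteration covers that gap. As a point of style, the two `let (:params)` calls carry a space before the parenthesis while the surrounding `hostcertificate` block uses `let(:params)`.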