Merge pull request #293 from ghoneycutt/add_revoked_keys_option

Add RevokedKeys option to sshd_config
Garrett Honeycutt 2018-10-08 15:51:35 -04:00 committed by GitHub
commit 382061bc2e
4 changed files with 47 additions and 0 deletions


@ -613,6 +613,12 @@ Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use wit
- *Default*: undefined - *Default*: undefined
sshd_config_key_revocation_list
-----------------------------
Absolute path to a key revocation list (RevokedKeys) for use with SSH CA Validation for Users or the string 'none'.
- *Default*: undefined
sshd_config_authorized_principals_file sshd_config_authorized_principals_file
-------------------------------------- --------------------------------------
String path (relative or absolute) to the `authorized_principals` file. Sets the `AuthorizedPrincipalsFile` setting in `sshd_config` String path (relative or absolute) to the `authorized_principals` file. Sets the `AuthorizedPrincipalsFile` setting in `sshd_config`


@ -119,6 +119,7 @@ class ssh (
$sshd_config_permittunnel = undef, $sshd_config_permittunnel = undef,
$sshd_config_hostcertificate = undef, $sshd_config_hostcertificate = undef,
$sshd_config_trustedusercakeys = undef, $sshd_config_trustedusercakeys = undef,
$sshd_config_key_revocation_list = undef,
$sshd_config_authorized_principals_file = undef, $sshd_config_authorized_principals_file = undef,
$sshd_config_allowagentforwarding = undef, $sshd_config_allowagentforwarding = undef,
) { ) {
@ -508,6 +509,11 @@ class ssh (
default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys } default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
} }
case $sshd_config_key_revocation_list {
'unset', undef: { $sshd_config_key_revocation_list_real = undef }
default: { $sshd_config_key_revocation_list_real = $sshd_config_key_revocation_list }
}
case $sshd_config_authorized_principals_file { case $sshd_config_authorized_principals_file {
'unset', undef: { $sshd_config_authorized_principals_file_real = undef } 'unset', undef: { $sshd_config_authorized_principals_file_real = undef }
default: { $sshd_config_authorized_principals_file_real = $sshd_config_authorized_principals_file } default: { $sshd_config_authorized_principals_file_real = $sshd_config_authorized_principals_file }
@ -871,6 +877,12 @@ class ssh (
validate_absolute_path($sshd_config_trustedusercakeys_real) validate_absolute_path($sshd_config_trustedusercakeys_real)
} }
} }
if $sshd_config_key_revocation_list_real != undef {
# RevokedKeys may be a path to the key revocation list or 'none'
if $sshd_config_key_revocation_list_real != 'none' {
validate_absolute_path($sshd_config_key_revocation_list)
}
}
if $sshd_config_authorized_principals_file_real != undef { if $sshd_config_authorized_principals_file_real != undef {
validate_string($sshd_config_authorized_principals_file_real) validate_string($sshd_config_authorized_principals_file_real)
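Review bot: In the last hunk the RevokedKeys check passes the raw `$sshd_config_key_revocation_list` to validate_absolute_path, while the TrustedUserCAKeys check directly above it validates the `_real` variable; the two hold the same value here because `_real` only diverges for 'unset'/undef, but the sibling form `validate_absolute_path($sshd_config_key_revocation_list_real)` keeps the pattern uniform and avoids drift if the normalisation in the second hunk ever changes. The 'none' escape hatch is consistent with the README hunk, and the inline comment on the preceding line makes the intent clear. The body of class ssh begins and ends outside these hunks.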


@ -488,6 +488,7 @@ describe 'ssh' do
:sshd_config_use_privilege_separation => 'no', :sshd_config_use_privilege_separation => 'no',
:sshd_config_permittunnel => 'no', :sshd_config_permittunnel => 'no',
:sshd_config_allowagentforwarding => 'no', :sshd_config_allowagentforwarding => 'no',
:sshd_config_key_revocation_list => '/path/to/revocation_list',
} }
end end
@ -562,6 +563,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) } it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation no$/) } it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation no$/) }
it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) } it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) }
it { should contain_file('sshd_config').with_content(/^RevokedKeys \/path\/to\/revocation_list$/) }
it { it {
should contain_file('sshd_banner').with({ should contain_file('sshd_banner').with({
@ -1088,6 +1090,30 @@ describe 'sshd_config_print_last_log param' do
end end
end end
describe 'sshd_config_key_revocation_list param' do
['/path/to','unset'].each do |value|
context "set to #{value}" do
let (:params) { { :sshd_config_key_revocation_list => value } }
if value == 'unset'
it { should contain_file('sshd_config').without_content(/^\s*RevokedKeys/) }
else
it { should contain_file('sshd_config').with_content(/^RevokedKeys #{value}$/) }
end
end
end
context 'when set to an invalid value' do
let (:params) { { :sshd_config_key_revocation_list => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/while evaluating a Function Call|is not an absolute path/)
end
end
end
describe 'sshd_config_hostcertificate param' do describe 'sshd_config_hostcertificate param' do
context 'unset value' do context 'unset value' do
let(:params) { { :sshd_config_hostcertificate => 'unset' } } let(:params) { { :sshd_config_hostcertificate => 'unset' } }
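Review bot: The new 'sshd_config_key_revocation_list param' describe block never exercises the 'none' value that the manifest explicitly accepts and skips path validation for, so that branch is untested; adding it to the array, `['/path/to', 'none', 'unset'].each do |value|`, would pin both that no validation error is raised and that `RevokedKeys none` is rendered by the existing `else` branch. Separately, `let (:params)` in the two new contexts has a space before the parenthesis whereas the neighbouring contexts use `let(:params)`; matching the surrounding style avoids a Ruby grouped-expression warning. The describe 'ssh' block these hunks belong to starts and ends outside the section.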


@ -261,6 +261,9 @@ AllowUsers <%= @sshd_config_allowusers_real.join(' ') %>
<% if @sshd_config_allowgroups_real != [] -%> <% if @sshd_config_allowgroups_real != [] -%>
AllowGroups <%= @sshd_config_allowgroups_real.join(' ') %> AllowGroups <%= @sshd_config_allowgroups_real.join(' ') %>
<% end -%> <% end -%>
<% if @sshd_config_key_revocation_list_real -%>
RevokedKeys <%= @sshd_config_key_revocation_list_real %>
<% end -%>
<% if @sshd_config_match -%> <% if @sshd_config_match -%>
<% @sshd_config_match.sort.each do |key, hash| -%> <% @sshd_config_match.sort.each do |key, hash| -%>