Merge pull request #293 from ghoneycutt/add_revoked_keys_option
Add RevokedKeys option to sshd_config
This commit is contained in:
commit
382061bc2e
@ -613,6 +613,12 @@ Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use wit
|
||||
|
||||
- *Default*: undefined
|
||||
|
||||
sshd_config_key_revocation_list
|
||||
-----------------------------
|
||||
Absolute path to a key revocation list (RevokedKeys) for use with SSH CA Validation for Users or the string 'none'.
|
||||
|
||||
- *Default*: undefined
|
||||
|
||||
sshd_config_authorized_principals_file
|
||||
--------------------------------------
|
||||
String path (relative or absolute) to the `authorized_principals` file. Sets the `AuthorizedPrincipalsFile` setting in `sshd_config`
|
||||
|
@ -119,6 +119,7 @@ class ssh (
|
||||
$sshd_config_permittunnel = undef,
|
||||
$sshd_config_hostcertificate = undef,
|
||||
$sshd_config_trustedusercakeys = undef,
|
||||
$sshd_config_key_revocation_list = undef,
|
||||
$sshd_config_authorized_principals_file = undef,
|
||||
$sshd_config_allowagentforwarding = undef,
|
||||
) {
|
||||
@ -508,6 +509,11 @@ class ssh (
|
||||
default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
|
||||
}
|
||||
|
||||
case $sshd_config_key_revocation_list {
|
||||
'unset', undef: { $sshd_config_key_revocation_list_real = undef }
|
||||
default: { $sshd_config_key_revocation_list_real = $sshd_config_key_revocation_list }
|
||||
}
|
||||
|
||||
case $sshd_config_authorized_principals_file {
|
||||
'unset', undef: { $sshd_config_authorized_principals_file_real = undef }
|
||||
default: { $sshd_config_authorized_principals_file_real = $sshd_config_authorized_principals_file }
|
||||
@ -871,6 +877,12 @@ class ssh (
|
||||
validate_absolute_path($sshd_config_trustedusercakeys_real)
|
||||
}
|
||||
}
|
||||
if $sshd_config_key_revocation_list_real != undef {
|
||||
# RevokedKeys may be a path to the key revocation list or 'none'
|
||||
if $sshd_config_key_revocation_list_real != 'none' {
|
||||
validate_absolute_path($sshd_config_key_revocation_list)
|
||||
}
|
||||
}
|
||||
|
||||
if $sshd_config_authorized_principals_file_real != undef {
|
||||
validate_string($sshd_config_authorized_principals_file_real)
|
||||
|
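Review bot: `validate_absolute_path($sshd_config_key_revocation_list)` in the last hunk validates the raw parameter while the guard two lines above tests `$sshd_config_key_revocation_list_real`, and the neighbouring TrustedUserCAKeys check validates the `_real` form. Today the two hold the same value whenever `_real` is not undef, so this is not a bug, but the mismatch means the check would silently stop covering the emitted value if the case statement ever rewrote it. Change it to `validate_absolute_path($sshd_config_key_revocation_list_real)` to match the sibling check. The parameter name also breaks the `sshd_config_<lowercased directive>` pattern used by `sshd_config_trustedusercakeys` and `sshd_config_hostcertificate`; since it is now public API, a rename would need a deprecated alias rather than a plain change. The validation block continues outside the hunk.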
@ -488,6 +488,7 @@ describe 'ssh' do
|
||||
:sshd_config_use_privilege_separation => 'no',
|
||||
:sshd_config_permittunnel => 'no',
|
||||
:sshd_config_allowagentforwarding => 'no',
|
||||
:sshd_config_key_revocation_list => '/path/to/revocation_list',
|
||||
}
|
||||
end
|
||||
|
||||
@ -562,6 +563,7 @@ describe 'ssh' do
|
||||
it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^RevokedKeys \/path\/to\/revocation_list$/) }
|
||||
|
||||
it {
|
||||
should contain_file('sshd_banner').with({
|
||||
@ -1088,6 +1090,30 @@ describe 'sshd_config_print_last_log param' do
|
||||
end
|
||||
end
|
||||
|
||||
describe 'sshd_config_key_revocation_list param' do
|
||||
['/path/to','unset'].each do |value|
|
||||
context "set to #{value}" do
|
||||
let (:params) { { :sshd_config_key_revocation_list => value } }
|
||||
|
||||
if value == 'unset'
|
||||
it { should contain_file('sshd_config').without_content(/^\s*RevokedKeys/) }
|
||||
else
|
||||
it { should contain_file('sshd_config').with_content(/^RevokedKeys #{value}$/) }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when set to an invalid value' do
|
||||
let (:params) { { :sshd_config_key_revocation_list => 'invalid' } }
|
||||
|
||||
it 'should fail' do
|
||||
expect {
|
||||
should contain_class('ssh')
|
||||
}.to raise_error(Puppet::Error,/while evaluating a Function Call|is not an absolute path/)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'sshd_config_hostcertificate param' do
|
||||
context 'unset value' do
|
||||
let(:params) { { :sshd_config_hostcertificate => 'unset' } }
|
||||
|
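Review bot: The new `sshd_config_key_revocation_list param` block never exercises the `'none'` value that the manifest special-cases (the absolute-path check is skipped for it), so the one branch added specifically for this option is untested. Adding it to the iterated values covers it with the existing expectation: `['/path/to','none','unset'].each do |value|`, which for `'none'` asserts `^RevokedKeys none$`. The invalid-value context only shows that a relative string is rejected; a second case with a non-string such as `true` would confirm the guard fails closed on wrong types too, though the exact error text may differ and the regex may need widening.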
@ -261,6 +261,9 @@ AllowUsers <%= @sshd_config_allowusers_real.join(' ') %>
|
||||
<% if @sshd_config_allowgroups_real != [] -%>
|
||||
AllowGroups <%= @sshd_config_allowgroups_real.join(' ') %>
|
||||
<% end -%>
|
||||
<% if @sshd_config_key_revocation_list_real -%>
|
||||
RevokedKeys <%= @sshd_config_key_revocation_list_real %>
|
||||
<% end -%>
|
||||
<% if @sshd_config_match -%>
|
||||
|
||||
<% @sshd_config_match.sort.each do |key, hash| -%>
|
||||
|
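Review bot: The template writes `RevokedKeys <path>` but nothing in this change manages or checks for the file at that path, and sshd_config(5) documents that when the RevokedKeys file does not exist or is unreadable, sshd refuses public key authentication for all users — so a typo or an unmanaged path here fails closed into a lockout rather than fail-open. Placement before the `Match` blocks is correct, since a global directive after a `Match` would be scoped to it. Consider a short ERB comment above the `if`, `<%# RevokedKeys must be a readable file (or 'none'); an unreadable file disables pubkey auth for all users (sshd_config(5)) -%>`, and a matching caveat in the README entry so operators deploy the file before enabling the option.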