Add option to specify banner content

2013-12-05 12:11:36 +01:00 · 2013-12-05 12:11:36 +01:00 · 388ba4d147
commit 388ba4d147
parent 7b97397d20
3 changed files with 100 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -134,6 +134,30 @@ Banner option in sshd_config.

 - *Default*: 'none'

+sshd_banner_content
+-------------------
+Banner content in sshd_config_banner
+
+- *Default*: undef
+
+sshd_banner_owner
+-----------------
+sshd_config_banner owner
+
+- *Default*: 'root'
+
+sshd_banner_group
+-----------------
+sshd_config_banner group
+
+- *Default*: 'root'
+
+sshd_banner_mode
+----------------
+sshd_config_banner mode
+
+- *Default*: '0644'
+
 sshd_config_xauth_location
 --------------------------
 XAuthLocation option in sshd_config.
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -26,6 +26,10 @@ class ssh (
  $sshd_config_print_motd           = 'yes',
  $sshd_config_use_dns              = 'yes',
  $sshd_config_banner               = 'none',
+  $sshd_banner_content              = undef,
+  $sshd_banner_owner                = 'root',
+  $sshd_banner_group                = 'root',
+  $sshd_banner_mode                 = '0644',
  $sshd_config_xauth_location       = '/usr/bin/xauth',
  $sshd_config_subsystem_sftp       = 'USE_DEFAULTS',
  $service_ensure                   = 'running',
@ -53,6 +57,13 @@ class ssh (
  validate_re($sshd_use_pam, '^(yes|no)$', "sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam}>.")
  if is_integer($sshd_client_alive_interval) == false { fail("sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }

+  if $sshd_config_banner != 'none' {
+    validate_absolute_path($sshd_config_banner)
+  }
+  if $sshd_banner_content != undef and $sshd_config_banner == 'none' {
+    fail("sshd_config_banner must be set to be able to use sshd_banner_content")
+  }
+
  case type($ssh_config_sendenv_xmodifiers) {
    'string': {
      $ssh_config_sendenv_xmodifiers_real = str2bool($ssh_config_sendenv_xmodifiers)
@ -171,6 +182,18 @@ class ssh (
    require => Package['ssh_packages'],
  }

+  if $sshd_config_banner != 'none' and $sshd_banner_content != undef {
+    file { 'sshd_banner' :
+      ensure => file,
+      path    => $sshd_config_banner,
+      mode    => $sshd_banner_mode,
+      owner   => $sshd_banner_owner,
+      group   => $sshd_banner_group,
+      content => $sshd_banner_content,
+      require => Package['ssh_packages'],
+    }
+  }
+
  case $manage_root_ssh_config {
    'true': {

--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@ -405,6 +405,7 @@ describe 'ssh' do
        :sshd_config_print_motd          => 'no',
        :sshd_config_use_dns             => 'no',
        :sshd_config_banner              => '/etc/sshd_banner',
+        :sshd_banner_content             => 'textinbanner',
        :sshd_config_xauth_location      => '/opt/ssh/bin/xauth',
        :sshd_config_subsystem_sftp      => '/opt/ssh/bin/sftp',
        :sshd_password_authentication    => 'no',
@ -441,6 +442,18 @@ describe 'ssh' do
    it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
    it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
    it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
+
+    it {
+      should contain_file('sshd_banner').with({
+        'ensure'  => 'file',
+        'path'    => '/etc/sshd_banner',
+        'owner'   => 'root',
+        'group'   => 'root',
+        'mode'    => '0644',
+        'content' => 'textinbanner',
+        'require' => 'Package[ssh_packages]',
+      })
+    }
  end

  context 'with manage_root_ssh_config set to \'true\' on valid osfamily' do
@ -616,6 +629,46 @@ describe 'ssh' do
    end
  end

+  context 'with sshd_config_banner set to invalid value on valid osfamily' do
+    let :facts do
+      {
+        :fqdn      => 'monkey.example.com',
+        :osfamily  => 'RedHat',
+        :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+      }
+    end
+    let :params do
+      { :sshd_config_banner => 'invalid/path' }
+    end
+
+    it 'should fail' do
+      expect {
+        should include_class('ssh')
+      }.to raise_error(Puppet::Error,/is not an absolute path/)
+    end
+  end
+  context 'with sshd_banner_content set and with default value on sshd_config_banner on valid osfamily' do
+    let :facts do
+      {
+        :fqdn      => 'monkey.example.com',
+        :osfamily  => 'RedHat',
+        :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+      }
+    end
+    let :params do
+      {
+        :sshd_banner_content => 'textinbanner'
+      }
+    end
+
+    it 'should fail' do
+      expect {
+        should include_class('ssh')
+      }.to raise_error(Puppet::Error,/sshd_config_banner must be set to be able to use sshd_banner_content/)
+    end
+  end
+
+
  context 'with ssh_config_sendenv_xmodifiers set to invalid type, array' do
    let :facts do
      {