diff --git a/README.md b/README.md index a283da9..8174610 100644 --- a/README.md +++ b/README.md @@ -101,6 +101,12 @@ Array of ciphers to be used with the Ciphers option in ssh_config. - *Default*: undef +ssh_config_macs +--------------- +Array of ciphers to be used with the MACs option in ssh_config. + +- *Default*: undef + ssh_sendenv ------------- Boolean to enable SendEnv options for specifying environment variables. Default is set to true on Linux. @@ -288,6 +294,12 @@ Array of ciphers for the Ciphers setting in sshd_config. - *Default*: undef +sshd_config_macs +---------------- +Array of macs for the MACs setting in sshd_config. + +- *Default*: undef + keys ---- Hash of keys for user's ~/.ssh/authorized_keys diff --git a/manifests/init.pp b/manifests/init.pp index b81ed94..a65598b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -21,6 +21,7 @@ class ssh ( $ssh_config_server_alive_interval = undef, $ssh_config_sendenv_xmodifiers = false, $ssh_config_ciphers = undef, + $ssh_config_macs = undef, $ssh_sendenv = 'USE_DEFAULTS', $sshd_config_path = '/etc/ssh/sshd_config', $sshd_config_owner = 'root', @@ -37,6 +38,7 @@ class ssh ( $sshd_config_serverkeybits = 'USE_DEFAULTS', $sshd_config_banner = 'none', $sshd_config_ciphers = undef, + $sshd_config_macs = undef, $sshd_banner_content = undef, $sshd_banner_owner = 'root', $sshd_banner_group = 'root', @@ -337,6 +339,14 @@ class ssh ( validate_array($sshd_config_ciphers) } + if $ssh_config_macs != undef { + validate_array($ssh_config_macs) + } + + if $sshd_config_macs != undef { + validate_array($sshd_config_macs) + } + if $ssh_config_hash_known_hosts_real != undef { validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.") } diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 6f39e0c..4e3af10 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -40,6 +40,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } + it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -82,6 +83,7 @@ describe 'ssh' do it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } + it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_service('sshd_service').with({ @@ -164,6 +166,7 @@ describe 'ssh' do it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } + it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').with({ @@ -194,6 +197,7 @@ describe 'ssh' do it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } + it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_service('sshd_service').with({ @@ -258,6 +262,7 @@ describe 'ssh' do it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } + it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').with({ @@ -288,6 +293,7 @@ describe 'ssh' do it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } + it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_service('sshd_service').with({ @@ -351,6 +357,7 @@ describe 'ssh' do it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } + it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').with({ @@ -381,6 +388,7 @@ describe 'ssh' do it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } + it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_service('sshd_service').with({ @@ -443,6 +451,7 @@ describe 'ssh' do it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } + it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').with({ @@ -481,6 +490,7 @@ describe 'ssh' do it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) } it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } + it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_service('sshd_service').with({ @@ -543,6 +553,7 @@ describe 'ssh' do it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } + it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').with({ @@ -581,6 +592,7 @@ describe 'ssh' do it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) } it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } + it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_service('sshd_service').with({ @@ -643,6 +655,7 @@ describe 'ssh' do it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } + it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').with({ @@ -681,6 +694,7 @@ describe 'ssh' do it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) } it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } + it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_service('sshd_service').with({ @@ -743,6 +757,9 @@ describe 'ssh' do 'aes192-cbc', 'aes256-cbc', ], + :ssh_config_macs => [ 'hmac-md5-etm@openssh.com', + 'hmac-sha1-etm@openssh.com', + ], } end @@ -768,6 +785,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) } it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) } it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } + it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } end context 'with params used in sshd_config set on valid osfamily' do @@ -808,6 +826,9 @@ describe 'ssh' do 'aes192-cbc', 'aes256-cbc', ], + :sshd_config_macs => [ 'hmac-md5-etm@openssh.com', + 'hmac-sha1-etm@openssh.com', + ], } end @@ -850,6 +871,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^AuthorizedKeysFile .ssh\/authorized_keys/) } it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) } it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } + it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('sshd_banner').with({ @@ -925,6 +947,26 @@ describe 'ssh' do end end + [true,'invalid'].each do |macs| + context "with ssh_config_macs set to invalid value #{macs}" do + let(:params) { { :ssh_config_macs => macs } } + + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + context 'with ssh_config_hash_known_hosts set to invalid value on valid osfamily' do let :facts do { @@ -964,6 +1006,26 @@ describe 'ssh' do end end + [true,'invalid'].each do |macs| + context "with sshd_config_macs set to invalid value #{macs}" do + let(:params) { { :sshd_config_macs => macs } } + + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + context 'with sshd_config_port not being a valid number' do let :facts do { diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index ada5d87..ce69790 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -77,3 +77,6 @@ Host * SendEnv XMODIFIERS <% end -%> <% end -%> +<% if @ssh_config_macs -%> + MACs <%= @ssh_config_macs.join(',') %> +<% end -%> diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index ae253e1..d24343c 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -162,3 +162,6 @@ Subsystem sftp <%= @sshd_config_subsystem_sftp_real %> <% if @sshd_config_ciphers -%> Ciphers <%= @sshd_config_ciphers.join(',') %> <% end -%> +<% if @sshd_config_macs -%> +MACs <%= @sshd_config_macs.join(',') %> +<% end -%>