diff --git a/README.md b/README.md
index f068fd3..6d63949 100644
--- a/README.md
+++ b/README.md
@@ -736,6 +736,12 @@ String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' an
 - *Default*: 'no'
+sshd_config_authenticationmethods
+-------------------------
+Array of AuthenticationMethods in sshd_config.
+
+- *Default*: undef
+
 sshd_ignorerhosts
 -------------------------
 String for IgnoreRhosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication though /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.
diff --git a/manifests/init.pp b/manifests/init.pp
index ad33018..ea9f5c6 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -93,6 +93,7 @@ class ssh (
 $sshd_pubkeyauthentication = 'yes',
 $sshd_ignoreuserknownhosts = 'no',
 $sshd_ignorerhosts = 'yes',
+ $sshd_config_authenticationmethods = undef,
 $manage_service = true,
 $sshd_addressfamily = 'USE_DEFAULTS',
 $service_ensure = 'running',
@@ -670,6 +671,10 @@ class ssh (
 validate_array($sshd_pubkeyacceptedkeytypes)
 }
+ if $sshd_config_authenticationmethods != undef {
+ validate_array($sshd_config_authenticationmethods)
+ }
+
 validate_re($sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.")
 validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 2e96204..0c84210 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -419,6 +419,9 @@ describe 'ssh' do
 'ssh-ed25519',
 'ssh-rsa',
 ],
+ :sshd_config_authenticationmethods => [ 'publickey',
+ 'keyboard-interactive',
+ ],
 :sshd_pubkeyauthentication => 'no',
 :sshd_allow_tcp_forwarding => 'no',
 :sshd_x11_forwarding => 'no',
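Review bot: The new guard in the second init.pp hunk only proves that `$sshd_config_authenticationmethods` is an array; an empty array passes `validate_array`, and since the template's `if` treats `[]` as true it would render an `AuthenticationMethods` line with no value, which sshd treats as a fatal configuration error at startup. Element contents are not checked either, so any string, including whitespace or a newline, is copied into sshd_config verbatim by the template. Inside the existing block, reject the empty case with `if empty($sshd_config_authenticationmethods) { fail('ssh::sshd_config_authenticationmethods must not be an empty array') }` and consider a `validate_re` on each entry against the expected shape (lower-case method names separated by commas). The class parameter list and validation section both continue outside the hunk.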
@@ -527,6 +530,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
 it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
 it { should contain_file('sshd_config').with_content(/^PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa$/) }
+ it { should contain_file('sshd_config').with_content(/^AuthenticationMethods publickey,keyboard-interactive$/) }
 it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication no$/) }
 it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
 it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
@@ -2422,6 +2426,18 @@ describe 'sshd_config_print_last_log param' do
 end
 end
+ [true,'invalid'].each do |authenticationmethods|
+ context "with sshd_config_authenticationmethods set to invalid value #{authenticationmethods}" do
+ let(:params) { { :sshd_config_authenticationmethods => authenticationmethods } }
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/is not/)
+ end
+ end
+ end
+
 describe 'with parameter sshd_pubkeyauthentication' do
 ['yes','no'].each do |value|
 context "specified as valid #{value} (as #{value.class})" do
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 53e1f28..dcf1779 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -98,6 +98,9 @@ IgnoreUserKnownHosts <%= @sshd_ignoreuserknownhosts %>
 #IgnoreRhosts yes
 IgnoreRhosts <%= @sshd_ignorerhosts %>
+<%- if @sshd_config_authenticationmethods -%>
+AuthenticationMethods <%= @sshd_config_authenticationmethods.join(',') %>
+<%- end -%>
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 PasswordAuthentication <%= @sshd_password_authentication %>
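Review bot: The negative cases in the `@@ -2422` hunk only cover non-array values (`true`, `'invalid'`); the empty-array and malformed-element inputs, which `validate_array` accepts and which are the ones most likely to yield an sshd_config sshd refuses, are not exercised, and there is no positive case for a single-element array. The `raise_error(Puppet::Error,/is not/)` matcher is also loose enough that a validation failure from an unrelated parameter would satisfy it; if the stdlib message is the usual `... is not an Array`, tightening it to `/is not an Array/` pins the failure to this parameter's check. The loop variable `authenticationmethods` shadows nothing but would read better as `value`, matching the `['yes','no'].each do |value|` loop directly below in the hunk.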
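Review bot: `join(',')` folds every array element into a single comma-separated list, which sshd reads as one chain of methods that must all succeed; alternative chains are separated by spaces in sshd_config, so this parameter cannot express "publickey,password or publickey,keyboard-interactive" unless a caller embeds a space inside one element. That is a defensible design, but it is not stated anywhere in the commit, and the README text `Array of AuthenticationMethods in sshd_config.` should say so, e.g. `Array of authentication methods for sshd_config's AuthenticationMethods option. Entries are joined with commas into a single list, so every listed method must succeed for a login to be accepted.`. Separately, `<%- if @sshd_config_authenticationmethods -%>` is true for an empty array and then renders a bare `AuthenticationMethods` line; if the manifest does not reject `[]`, `<%- if @sshd_config_authenticationmethods && !@sshd_config_authenticationmethods.empty? -%>` keeps the option out of the file in that case.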