diff --git a/README.md b/README.md
index 978f40a..aef2f57 100644
--- a/README.md
+++ b/README.md
@@ -163,6 +163,11 @@ String for HostbasedAuthentication option in ssh_config. Valid values are 'yes'
 - *Default*: undef
+ssh_config_proxy_command
+-------------------------
+String for ProxyCommand option in ssh_config.
+
+- *Default*: undef
 ssh_strict_host_key_checking
 -----------------------------
diff --git a/manifests/init.pp b/manifests/init.pp
index 830bb3d..bf3fc6a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -21,6 +21,7 @@ class ssh (
 $ssh_config_server_alive_interval = undef,
 $ssh_config_sendenv_xmodifiers = false,
 $ssh_hostbasedauthentication = undef,
+ $ssh_config_proxy_command = undef,
 $ssh_strict_host_key_checking = undef,
 $ssh_config_ciphers = undef,
 $ssh_config_kexalgorithms = undef,
@@ -557,6 +558,10 @@ class ssh (
 validate_re($ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <${ssh_strict_host_key_checking}>.")
 }
+ if $ssh_config_proxy_command != undef {
+ validate_string($ssh_config_proxy_command)
+ }
+
 if $ssh_enable_ssh_keysign != undef {
 validate_re($ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.")
 }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 02db828..5d1a66e 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -332,6 +332,7 @@ describe 'ssh' do
 :ssh_config_macs => [ 'hmac-md5-etm@openssh.com', 'hmac-sha1-etm@openssh.com', ],
+ :ssh_config_proxy_command => 'ssh -W %h:%p firewall.example.org',
 :ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2',
 :ssh_config_global_known_hosts_list => [ '/etc/ssh/ssh_known_hosts3', '/etc/ssh/ssh_known_hosts4',
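Review bot: In the `-557` hunk of manifests/init.pp, `validate_string($ssh_config_proxy_command)` accepts any string, including `''` and strings containing newlines, so a value with an embedded line break passes validation and is written verbatim into ssh_config by the template's `<%= @ssh_config_proxy_command %>`, where the extra line becomes a further directive, while an empty string would likely render a bare `ProxyCommand` line. Since ssh hands this option to the user's shell, the parameter deserves the same shape check its neighbours get, e.g. `validate_re($ssh_config_proxy_command, '\A[^\n]+\z', "ssh::ssh_config_proxy_command must be a single non-empty line and is set to <${ssh_config_proxy_command}>.")` (with `\A`/`\z` rather than the `^`/`$` used above, because those match per line in Ruby regexes). On Puppet 3 `'' != undef` may also evaluate to false, so the empty-string case could bypass the guard entirely and is worth a spec case. The `class ssh` body starts and ends outside the hunk.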
@@ -371,6 +372,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
 it { should contain_file('ssh_config').with_content(/^\s*KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1$/) }
 it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*ProxyCommand ssh -W %h:%p firewall\.example\.org$/) }
 it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2 \/etc\/ssh\/ssh_known_hosts3 \/etc\/ssh\/ssh_known_hosts4$/) }
 it { should contain_file('ssh_config').with_content(/^\s*UserKnownHostsFile \.ssh\/known_hosts1 \.ssh\/known_hosts2$/) }
 it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication yes$/) }
@@ -790,6 +792,18 @@ describe 'ssh' do
 end
 end
+ [true, ['not','a','string']].each do |proxy_command|
+ context "with ssh_config_proxy_command set to invalid value #{proxy_command}" do
+ let(:params) { { :ssh_config_proxy_command => proxy_command } }
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error) end end
+ end
+
 context 'with ssh_config_hash_known_hosts set to invalid value on valid osfamily' do
 let(:params) { { :ssh_config_hash_known_hosts => 'invalid' } }
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
index 7c58bab..9cb65e3 100644
--- a/templates/ssh_config.erb
+++ b/templates/ssh_config.erb
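Review bot: In the `-790` hunk the new `it 'should fail'` example asserts only `raise_error(Puppet::Error)` with no message, so it passes on any catalog compilation failure, not specifically on the ProxyCommand validation; anchoring it to the stdlib message, e.g. `}.to raise_error(Puppet::Error, /is not a string/)` if that matches the stdlib version in use, makes the example check what its description claims. The invalid-value list also leaves out the empty string, which `validate_string` accepts and which the template would most likely render as a bare `ProxyCommand` line, so a case asserting that `''` is either rejected or not rendered would close that gap. The enclosing `describe 'ssh'` block starts and ends outside the hunk.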
@@ -63,6 +63,9 @@
 <% if @ssh_config_global_known_hosts_list_real -%>
 GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_list_real.join(' ') %>
 <% end -%>
+<% if @ssh_config_proxy_command -%>
+ ProxyCommand <%= @ssh_config_proxy_command %>
+<% end -%>
 Host *
 # GSSAPIAuthentication yes
 GSSAPIAuthentication <%= @ssh_gssapiauthentication %>
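Review bot: The new `ProxyCommand` line is emitted above `Host *`, i.e. outside any host stanza, so it applies to every connection the client makes — including the connection to the jump host named in a `%h`-style command such as the spec's `ssh -W %h:%p firewall.example.org`, which would then try to proxy through itself; and because ssh_config takes the first value obtained for an option, a later host-specific `ProxyCommand none` in the same file would not override it. If this global placement is intended, the README entry for `ssh_config_proxy_command` should say so and point out that the jump host needs an exemption that precedes this line; otherwise consider letting operators scope it, which this template does not appear to support as far as the hunk shows. The value is interpolated raw with `<%= %>`, so the manifest's validation is the only thing keeping multi-line content out of the rendered file. The surrounding template structure continues outside the hunk.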