puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #224 from ghoneycutt/223_new_params

Browse Source 
new params for HostCertificate and TrustedUserCAKeys
This commit is contained in:
Garrett Honeycutt 2017-05-17 18:47:34 -04:00 committed by GitHub
commit 3e8c502a5b
5 changed files with 95 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitignore vendored
View File

@ -32,3 +32,9 @@ coverage/
spec/fixtures/manifests/* spec/fixtures/manifests/*
spec/fixtures/modules/* spec/fixtures/modules/*
Gemfile.lock Gemfile.lock
# JetBrains IDE
.idea/
# Rbenv
.ruby-version

12
README.md
View File

@ -570,6 +570,18 @@ ssh::sshd_config_match:
- 'PasswordAuthentication no' - 'PasswordAuthentication no'
``` ```
sshd_config_hostcertificate
---------------------------
Absolute path to the OpenSSH Host CA Certificate (HostCertificate) for use with SSH CA validation for Host Certificates.
- *Default*: undefined
sshd_config_trustedusercakeys
-----------------------------
Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use with SSH CA Validation for Users or the string 'none'.
- *Default*: undefined
keys keys
---- ----
Hash of keys for user's ~/.ssh/authorized_keys Hash of keys for user's ~/.ssh/authorized_keys

23
manifests/init.pp
View File

@ -112,6 +112,8 @@ class ssh (
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
$sshd_config_tcp_keepalive = undef, $sshd_config_tcp_keepalive = undef,
$sshd_config_permittunnel = undef, $sshd_config_permittunnel = undef,
$sshd_config_hostcertificate = undef,
$sshd_config_trustedusercakeys = undef,
) { ) {
case $::osfamily { case $::osfamily {
@ -485,6 +487,16 @@ class ssh (
default: { $sshd_config_permittunnel_real = $sshd_config_permittunnel } default: { $sshd_config_permittunnel_real = $sshd_config_permittunnel }
} }
case $sshd_config_hostcertificate {
'unset', undef: { $sshd_config_hostcertificate_real = undef }
default: { $sshd_config_hostcertificate_real = $sshd_config_hostcertificate }
}
case $sshd_config_trustedusercakeys {
'unset', undef: { $sshd_config_trustedusercakeys_real = undef }
default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
}
# validate params # validate params
if $ssh_config_ciphers != undef { if $ssh_config_ciphers != undef {
validate_array($ssh_config_ciphers) validate_array($ssh_config_ciphers)
@ -813,6 +825,17 @@ class ssh (
validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.") validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.")
} }
if $sshd_config_hostcertificate_real != undef {
validate_absolute_path($sshd_config_hostcertificate_real)
}
if $sshd_config_trustedusercakeys_real != undef {
# TrustedUserCAKeys may be a path to the keys or 'none'
if $sshd_config_trustedusercakeys_real != 'none' {
validate_absolute_path($sshd_config_trustedusercakeys_real)
}
}
package { $packages_real: package { $packages_real:
ensure => installed, ensure => installed,
source => $ssh_package_source_real, source => $ssh_package_source_real,

48
spec/classes/init_spec.rb
View File

@ -1015,6 +1015,54 @@ describe 'ssh' do
end end
end end
describe 'sshd_config_hostcertificate param' do
['unset', '/etc/ssh/ssh_host_key-cert.pub'].each do |value|
context "set to #{value}" do
let (:params) { { :sshd_config_hostcertificate => value } }
if value == 'unset'
it { should contain_file('sshd_config').without_content(/^\s*HostCertificate/) }
else
it { should contain_file('sshd_config').with_content(/^HostCertificate #{value}/) }
end
end
end
end
context 'with sshd_config_hostcertificate set to invalid value on valid osfamily' do
let(:params) { { :sshd_config_hostcertificate => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/"invalid" is not an absolute path/)
end
end
describe 'sshd_config_trustedusercakeys param' do
['unset', '/etc/ssh/authorized_users_ca.pub', 'none'].each do |value|
context "set to #{value}" do
let (:params) { { :sshd_config_trustedusercakeys => value } }
if value == 'unset'
it { should contain_file('sshd_config').without_content(/^\s*TrustedUserCAKeys/) }
else
it { should contain_file('sshd_config').with_content(/^TrustedUserCAKeys #{value}/) }
end
end
end
end
context 'with sshd_config_trustedusercakeys set to invalid value on valid osfamily' do
let(:params) { { :sshd_config_trustedusercakeys => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/"invalid" is not an absolute path/)
end
end
context 'with manage_root_ssh_config set to invalid value on valid osfamily' do context 'with manage_root_ssh_config set to invalid value on valid osfamily' do
let(:params) { { :manage_root_ssh_config => 'invalid' } } let(:params) { { :manage_root_ssh_config => 'invalid' } }

6
templates/sshd_config.erb
View File

@ -254,3 +254,9 @@ Match <%= key %>
<% end -%> <% end -%>
<% end -%> <% end -%>
<% end -%> <% end -%>
<% if @sshd_config_hostcertificate_real -%>
HostCertificate <%= @sshd_config_hostcertificate_real %>
<% end -%>
<% if @sshd_config_trustedusercakeys_real -%>
TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %>
<% end -%>