puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add Allow/Deny options to sshd_config

Browse Source 
Add ability to specify DenyGroups, AllowGroups, and AllowUsers to
sshd_config.
This commit is contained in:
Garrett Honeycutt 2014-05-29 11:17:18 -04:00
parent 52b41829f2
commit 3f94bff707
4 changed files with 135 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
README.md
View File

@ -306,6 +306,24 @@ Array of users for the DenyUsers setting in sshd_config.
- *Default*: undef - *Default*: undef
sshd_config_denygroups
---------------------
Array of groups for the DenyGroups setting in sshd_config.
- *Default*: undef
sshd_config_allowgroups
-----------------------
Array of users for the AllowGroups setting in sshd_config.
- *Default*: undef
sshd_config_allowusers
-----------------------
Array of users for the AllowUsers setting in sshd_config.
- *Default*: undef
keys keys
---- ----
Hash of keys for user's ~/.ssh/authorized_keys Hash of keys for user's ~/.ssh/authorized_keys

15
manifests/init.pp
View File

@ -40,6 +40,9 @@ class ssh (
$sshd_config_ciphers = undef, $sshd_config_ciphers = undef,
$sshd_config_macs = undef, $sshd_config_macs = undef,
$sshd_config_denyusers = undef, $sshd_config_denyusers = undef,
$sshd_config_denygroups = undef,
$sshd_config_allowusers = undef,
$sshd_config_allowgroups = undef,
$sshd_banner_content = undef, $sshd_banner_content = undef,
$sshd_banner_owner = 'root', $sshd_banner_owner = 'root',
$sshd_banner_group = 'root', $sshd_banner_group = 'root',
@ -352,6 +355,18 @@ class ssh (
validate_array($sshd_config_denyusers) validate_array($sshd_config_denyusers)
} }
if $sshd_config_denygroups != undef {
validate_array($sshd_config_denygroups)
}
if $sshd_config_allowusers != undef {
validate_array($sshd_config_allowusers)
}
if $sshd_config_allowgroups != undef {
validate_array($sshd_config_allowgroups)
}
if $ssh_config_hash_known_hosts_real != undef { if $ssh_config_hash_known_hosts_real != undef {
validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.") validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
} }

93
spec/classes/init_spec.rb
View File

@ -85,6 +85,9 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -200,6 +203,9 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -297,6 +303,9 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -393,6 +402,9 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -496,6 +508,9 @@ describe 'ssh' do
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it { should contain_file('ssh_config').without_content(/^\s*DenyUsers/) } it { should contain_file('ssh_config').without_content(/^\s*DenyUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -599,6 +614,9 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -702,6 +720,9 @@ describe 'ssh' do
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -839,6 +860,15 @@ describe 'ssh' do
:sshd_config_denyusers => [ 'root', :sshd_config_denyusers => [ 'root',
'lusers', 'lusers',
], ],
:sshd_config_denygroups => [ 'nossh',
'wheel',
],
:sshd_config_allowusers => [ 'foo',
'bar',
],
:sshd_config_allowgroups => [ 'ssh',
'security',
],
} }
end end
@ -883,6 +913,9 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
it { should contain_file('sshd_config').with_content(/^\s*DenyUsers root lusers$/) } it { should contain_file('sshd_config').with_content(/^\s*DenyUsers root lusers$/) }
it { should contain_file('sshd_config').with_content(/^\s*DenyGroups nossh wheel$/) }
it { should contain_file('sshd_config').with_content(/^\s*AllowUsers foo bar$/) }
it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) }
it { it {
should contain_file('sshd_banner').with({ should contain_file('sshd_banner').with({
@ -1037,6 +1070,66 @@ describe 'ssh' do
end end
end end
[true,'invalid'].each do |denygroups|
context "with sshd_config_denygroups set to invalid value #{denygroups}" do
let(:params) { { :sshd_config_denygroups => denygroups } }
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error)
end
end
end
[true,'invalid'].each do |allowusers|
context "with sshd_config_allowusers set to invalid value #{allowusers}" do
let(:params) { { :sshd_config_allowusers => allowusers } }
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error)
end
end
end
[true,'invalid'].each do |allowgroups|
context "with sshd_config_allowgroups set to invalid value #{allowgroups}" do
let(:params) { { :sshd_config_allowgroups => allowgroups } }
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error)
end
end
end
[true,'invalid'].each do |macs| [true,'invalid'].each do |macs|
context "with sshd_config_macs set to invalid value #{macs}" do context "with sshd_config_macs set to invalid value #{macs}" do
let(:params) { { :sshd_config_macs => macs } } let(:params) { { :sshd_config_macs => macs } }

9
templates/sshd_config.erb
View File

@ -168,3 +168,12 @@ MACs <%= @sshd_config_macs.join(',') %>
<% if @sshd_config_denyusers -%> <% if @sshd_config_denyusers -%>
DenyUsers <%= @sshd_config_denyusers.join(' ') %> DenyUsers <%= @sshd_config_denyusers.join(' ') %>
<% end -%> <% end -%>
<% if @sshd_config_denygroups -%>
DenyGroups <%= @sshd_config_denygroups.join(' ') %>
<% end -%>
<% if @sshd_config_allowusers -%>
AllowUsers <%= @sshd_config_allowusers.join(' ') %>
<% end -%>
<% if @sshd_config_allowgroups -%>
AllowGroups <%= @sshd_config_allowgroups.join(' ') %>
<% end -%>