puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add support for PubkeyAuthentication in sshd_config

Browse Source
This commit is contained in:
Florian Faltermeier 2016-06-07 15:52:42 +02:00
parent b0b245e2ed
commit 49c799afb3
10 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -556,6 +556,12 @@ String for HostbasedAuthentication option in sshd_config. Valid values are 'yes'
- *Default*: 'no'
sshd_pubkeyauthentication
-------------------------
String for PubkeyAuthentication option in sshd_config. Valid values are 'yes' and 'no'.
- *Default*: 'yes'
sshd_ignoreuserknownhosts
-------------------------
String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.

3
manifests/init.pp
View File

@ -81,6 +81,7 @@ class ssh (
$sshd_config_hostkey = 'USE_DEFAULTS',
$sshd_listen_address = undef,
$sshd_hostbasedauthentication = 'no',
$sshd_pubkeyauthentication = 'yes',
$sshd_ignoreuserknownhosts = 'no',
$sshd_ignorerhosts = 'yes',
$manage_service = true,
@ -561,6 +562,8 @@ class ssh (
validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
validate_re($sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.")
validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")
validate_re($sshd_ignorerhosts, '^(yes|no)$', "ssh::sshd_ignorerhosts may be either 'yes' or 'no' and is set to <${sshd_ignorerhosts}>.")

34
spec/classes/init_spec.rb
View File

@ -391,6 +391,7 @@ describe 'ssh' do
:sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp',
:sshd_kerberos_authentication => 'no',
:sshd_password_authentication => 'no',
:sshd_pubkeyauthentication => 'no',
:sshd_allow_tcp_forwarding => 'no',
:sshd_x11_forwarding => 'no',
:sshd_use_pam => 'no',
@ -478,6 +479,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
it { should contain_file('sshd_config').with_content(/^ChrootDirectory \/chrootdir$/) }
@ -2468,6 +2470,38 @@ describe 'ssh' do
end
end
describe 'with parameter sshd_pubkeyauthentication' do
let :facts do
default_facts.merge(
{
}
)
end
['yes','no'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :sshd_pubkeyauthentication => value } }
it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :sshd_pubkeyauthentication => value } }
if value.is_a?(Array)
value = value.join
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to/)
end
end
end
end
describe 'with parameter sshd_ignoreuserknownhosts' do
let :facts do
default_facts.merge(

1
spec/fixtures/sshd_config_debian vendored
View File

@ -49,6 +49,7 @@ PermitRootLogin yes
#RSAAuthentication yes
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
spec/fixtures/sshd_config_rhel vendored
View File

@ -49,6 +49,7 @@ PermitRootLogin yes
#RSAAuthentication yes
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
spec/fixtures/sshd_config_sles_12_x86_64 vendored
View File

@ -49,6 +49,7 @@ PermitRootLogin yes
#RSAAuthentication yes
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
spec/fixtures/sshd_config_solaris vendored
View File

@ -47,6 +47,7 @@ PermitRootLogin yes
#RSAAuthentication yes
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
spec/fixtures/sshd_config_suse_i386 vendored
View File

@ -49,6 +49,7 @@ PermitRootLogin yes
#RSAAuthentication yes
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
spec/fixtures/sshd_config_suse_x86_64 vendored
View File

@ -49,6 +49,7 @@ PermitRootLogin yes
#RSAAuthentication yes
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
templates/sshd_config.erb
View File

@ -68,6 +68,7 @@ MaxAuthTries <%= @sshd_config_maxauthtries %>
#RSAAuthentication yes
#PubkeyAuthentication yes
PubkeyAuthentication <%= @sshd_pubkeyauthentication %>
#AuthorizedKeysFile .ssh/authorized_keys
<% if @sshd_config_authkey_location -%>
AuthorizedKeysFile <%= @sshd_config_authkey_location %>