add support for PubkeyAuthentication in sshd_config
This commit is contained in:
parent
b0b245e2ed
commit
49c799afb3
@ -556,6 +556,12 @@ String for HostbasedAuthentication option in sshd_config. Valid values are 'yes'
|
|||||||
|
|
||||||
- *Default*: 'no'
|
- *Default*: 'no'
|
||||||
|
|
||||||
|
sshd_pubkeyauthentication
|
||||||
|
-------------------------
|
||||||
|
String for PubkeyAuthentication option in sshd_config. Valid values are 'yes' and 'no'.
|
||||||
|
|
||||||
|
- *Default*: 'yes'
|
||||||
|
|
||||||
sshd_ignoreuserknownhosts
|
sshd_ignoreuserknownhosts
|
||||||
-------------------------
|
-------------------------
|
||||||
String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.
|
String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.
|
||||||
|
@ -81,6 +81,7 @@ class ssh (
|
|||||||
$sshd_config_hostkey = 'USE_DEFAULTS',
|
$sshd_config_hostkey = 'USE_DEFAULTS',
|
||||||
$sshd_listen_address = undef,
|
$sshd_listen_address = undef,
|
||||||
$sshd_hostbasedauthentication = 'no',
|
$sshd_hostbasedauthentication = 'no',
|
||||||
|
$sshd_pubkeyauthentication = 'yes',
|
||||||
$sshd_ignoreuserknownhosts = 'no',
|
$sshd_ignoreuserknownhosts = 'no',
|
||||||
$sshd_ignorerhosts = 'yes',
|
$sshd_ignorerhosts = 'yes',
|
||||||
$manage_service = true,
|
$manage_service = true,
|
||||||
@ -561,6 +562,8 @@ class ssh (
|
|||||||
|
|
||||||
validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
|
validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
|
||||||
|
|
||||||
|
validate_re($sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.")
|
||||||
|
|
||||||
validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")
|
validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")
|
||||||
|
|
||||||
validate_re($sshd_ignorerhosts, '^(yes|no)$', "ssh::sshd_ignorerhosts may be either 'yes' or 'no' and is set to <${sshd_ignorerhosts}>.")
|
validate_re($sshd_ignorerhosts, '^(yes|no)$', "ssh::sshd_ignorerhosts may be either 'yes' or 'no' and is set to <${sshd_ignorerhosts}>.")
|
||||||
|
@ -391,6 +391,7 @@ describe 'ssh' do
|
|||||||
:sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp',
|
:sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp',
|
||||||
:sshd_kerberos_authentication => 'no',
|
:sshd_kerberos_authentication => 'no',
|
||||||
:sshd_password_authentication => 'no',
|
:sshd_password_authentication => 'no',
|
||||||
|
:sshd_pubkeyauthentication => 'no',
|
||||||
:sshd_allow_tcp_forwarding => 'no',
|
:sshd_allow_tcp_forwarding => 'no',
|
||||||
:sshd_x11_forwarding => 'no',
|
:sshd_x11_forwarding => 'no',
|
||||||
:sshd_use_pam => 'no',
|
:sshd_use_pam => 'no',
|
||||||
@ -478,6 +479,7 @@ describe 'ssh' do
|
|||||||
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
|
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
|
||||||
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
|
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
|
||||||
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
|
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
|
||||||
|
it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication no$/) }
|
||||||
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
|
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
|
||||||
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
|
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
|
||||||
it { should contain_file('sshd_config').with_content(/^ChrootDirectory \/chrootdir$/) }
|
it { should contain_file('sshd_config').with_content(/^ChrootDirectory \/chrootdir$/) }
|
||||||
@ -2468,6 +2470,38 @@ describe 'ssh' do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'with parameter sshd_pubkeyauthentication' do
|
||||||
|
let :facts do
|
||||||
|
default_facts.merge(
|
||||||
|
{
|
||||||
|
}
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
['yes','no'].each do |value|
|
||||||
|
context "specified as valid #{value} (as #{value.class})" do
|
||||||
|
let(:params) { { :sshd_pubkeyauthentication => value } }
|
||||||
|
|
||||||
|
it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication #{value}$/) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
|
||||||
|
context "specified as invalid value #{value} (as #{value.class})" do
|
||||||
|
let(:params) { { :sshd_pubkeyauthentication => value } }
|
||||||
|
if value.is_a?(Array)
|
||||||
|
value = value.join
|
||||||
|
end
|
||||||
|
|
||||||
|
it do
|
||||||
|
expect {
|
||||||
|
should contain_class('ssh')
|
||||||
|
}.to raise_error(Puppet::Error,/ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to/)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe 'with parameter sshd_ignoreuserknownhosts' do
|
describe 'with parameter sshd_ignoreuserknownhosts' do
|
||||||
let :facts do
|
let :facts do
|
||||||
default_facts.merge(
|
default_facts.merge(
|
||||||
|
1
spec/fixtures/sshd_config_debian
vendored
1
spec/fixtures/sshd_config_debian
vendored
@ -49,6 +49,7 @@ PermitRootLogin yes
|
|||||||
|
|
||||||
#RSAAuthentication yes
|
#RSAAuthentication yes
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
|
PubkeyAuthentication yes
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys
|
#AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
1
spec/fixtures/sshd_config_rhel
vendored
1
spec/fixtures/sshd_config_rhel
vendored
@ -49,6 +49,7 @@ PermitRootLogin yes
|
|||||||
|
|
||||||
#RSAAuthentication yes
|
#RSAAuthentication yes
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
|
PubkeyAuthentication yes
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys
|
#AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
1
spec/fixtures/sshd_config_sles_12_x86_64
vendored
1
spec/fixtures/sshd_config_sles_12_x86_64
vendored
@ -49,6 +49,7 @@ PermitRootLogin yes
|
|||||||
|
|
||||||
#RSAAuthentication yes
|
#RSAAuthentication yes
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
|
PubkeyAuthentication yes
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys
|
#AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
1
spec/fixtures/sshd_config_solaris
vendored
1
spec/fixtures/sshd_config_solaris
vendored
@ -47,6 +47,7 @@ PermitRootLogin yes
|
|||||||
|
|
||||||
#RSAAuthentication yes
|
#RSAAuthentication yes
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
|
PubkeyAuthentication yes
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys
|
#AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
1
spec/fixtures/sshd_config_suse_i386
vendored
1
spec/fixtures/sshd_config_suse_i386
vendored
@ -49,6 +49,7 @@ PermitRootLogin yes
|
|||||||
|
|
||||||
#RSAAuthentication yes
|
#RSAAuthentication yes
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
|
PubkeyAuthentication yes
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys
|
#AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
1
spec/fixtures/sshd_config_suse_x86_64
vendored
1
spec/fixtures/sshd_config_suse_x86_64
vendored
@ -49,6 +49,7 @@ PermitRootLogin yes
|
|||||||
|
|
||||||
#RSAAuthentication yes
|
#RSAAuthentication yes
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
|
PubkeyAuthentication yes
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys
|
#AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
@ -68,6 +68,7 @@ MaxAuthTries <%= @sshd_config_maxauthtries %>
|
|||||||
|
|
||||||
#RSAAuthentication yes
|
#RSAAuthentication yes
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
|
PubkeyAuthentication <%= @sshd_pubkeyauthentication %>
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys
|
#AuthorizedKeysFile .ssh/authorized_keys
|
||||||
<% if @sshd_config_authkey_location -%>
|
<% if @sshd_config_authkey_location -%>
|
||||||
AuthorizedKeysFile <%= @sshd_config_authkey_location %>
|
AuthorizedKeysFile <%= @sshd_config_authkey_location %>
|
||||||
|
Loading…
x
Reference in New Issue
Block a user