From 5971660ec38f21973c07c867ad16ad475b1df1df Mon Sep 17 00:00:00 2001 From: Garrett Honeycutt Date: Thu, 31 Oct 2013 20:13:05 +0100 Subject: [PATCH] Release v3.0.0 Remove sshd_config_sendenv_xmodifiers parameter which introduced a bug that would prevent sshd from running. Change default behvior of sshd to permit root to login. This is done to be in line with the standard default of sshd. If you want to block root from logging in by default, set the following in hiera. ssh::permit_root_login: false --- .gitignore | 1 + Modulefile | 4 +-- README.md | 16 ++++-------- manifests/init.pp | 15 +---------- spec/classes/init_spec.rb | 55 ++++++++------------------------------- templates/sshd_config.erb | 4 --- 6 files changed, 20 insertions(+), 75 deletions(-) diff --git a/.gitignore b/.gitignore index ab2d950..4bc8945 100644 --- a/.gitignore +++ b/.gitignore @@ -28,3 +28,4 @@ doc/ metadata.json coverage/ spec/fixtures/modules/* +Gemfile.lock diff --git a/Modulefile b/Modulefile index 16b6ef2..17bae04 100644 --- a/Modulefile +++ b/Modulefile @@ -1,5 +1,5 @@ name 'ghoneycutt-ssh' -version '2.5.0' +version '3.0.0' source 'git://github.com/ghoneycutt/puppet-module-ssh.git' author 'ghoneycutt' license 'Apache License, Version 2.0' @@ -8,5 +8,5 @@ description 'Manage SSH' project_page 'https://github.com/ghoneycutt/puppet-module-ssh' dependency 'puppetlabs/stdlib', '3.2.x' -dependency 'ghoneycutt/common', '1.0.0' +dependency 'ghoneycutt/common', '1.0.2' dependency 'puppetlabs/firewall' diff --git a/README.md b/README.md index 5f530a5..6148fef 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ ServerAliveInterval option in ssh_config. Not set by default. ssh_config_sendenv_xmodifiers ----------------------- -Set 'SendEnv XMODIFIERS' in ssh_config. +Boolean to set 'SendEnv XMODIFIERS' in ssh_config. - *Default*: false 
@@ -180,12 +180,6 @@ This option applies to protocol version 2 only. - *Default*: '0' -sshd_config_sendenv_xmodifiers ------------------------ -Set 'SendEnv XMODIFIERS' in sshd_config. - -- *Default*: false - keys ---- Hash of keys for user's ~/.ssh/authorized_keys @@ -196,13 +190,13 @@ packages -------- Array of package names used for installation. -- *Default*: 'openssh-server', 'openssh-server', 'openssh-clients' +- *Default*: Based on OS permit_root_login ----------------- -Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', 'no'. +Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', and 'no'. -- *Default*: no +- *Default*: yes purge_keys ---------- @@ -226,7 +220,7 @@ service_name ------------ Name of the SSH service. -- *Default*: 'sshd' +- *Default*: Based on OS service_enable -------------- diff --git a/manifests/init.pp b/manifests/init.pp index 3ea44e8..9549efd 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -4,7 +4,7 @@ # class ssh ( $packages = 'USE_DEFAULTS', - $permit_root_login = 'no', + $permit_root_login = 'yes', $purge_keys = 'true', $manage_firewall = false, $ssh_config_path = '/etc/ssh/ssh_config', @@ -27,7 +27,6 @@ class ssh ( $sshd_config_banner = 'none', $sshd_config_xauth_location = '/usr/bin/xauth', $sshd_config_subsystem_sftp = 'USE_DEFAULTS', - $sshd_config_sendenv_xmodifiers = false, $service_ensure = 'running', $service_name = 'USE_DEFAULTS', $service_enable = 'true', @@ -64,18 +63,6 @@ class ssh ( } } - case type($sshd_config_sendenv_xmodifiers) { - 'string': { - $sshd_config_sendenv_xmodifiers_real = str2bool($sshd_config_sendenv_xmodifiers) - } - 'boolean': { - $sshd_config_sendenv_xmodifiers_real = $sshd_config_sendenv_xmodifiers - } - default: { - fail("sshd_config_sendenv_xmodifiers type must be true or false.") - } - } - case $permit_root_login { 'no', 'yes', 'without-password', 'forced-commands-only': { # noop 
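Review bot: Flipping `$permit_root_login` from `'no'` to `'yes'` in the class parameter defaults means every node that never set this parameter will have `PermitRootLogin` switched from `no` to `yes` on upgrade to 3.0.0, which re-enables root logins (including password logins wherever password authentication is on) without any change on the user's side; that is a hardening regression the module should not make silently. If matching the upstream sshd default is the goal, `'without-password'` is the safer value and is already accepted by the `case $permit_root_login` validator below, e.g. `$permit_root_login = 'without-password',`. The commit message also recommends `ssh::permit_root_login: false` in hiera, but the validator only matches the strings `'no'`, `'yes'`, `'without-password'` and `'forced-commands-only'`, so a bare YAML `false` would presumably land in the case's default branch (outside this hunk) instead of rendering `PermitRootLogin no`; the commit text and README should say `ssh::permit_root_login: 'no'`.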
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 78f5f80..2da6a95 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -32,6 +32,7 @@ describe 'ssh' do } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } + it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -50,7 +51,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } - it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } + it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) } @@ -130,6 +131,7 @@ describe 'ssh' do } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } + it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } 
@@ -148,7 +150,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } - it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } + it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) } @@ -211,6 +213,7 @@ describe 'ssh' do } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } + it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -229,7 +232,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } - it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } + it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) } 
@@ -292,6 +295,7 @@ describe 'ssh' do } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } + it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -310,7 +314,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } - it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } + it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) } @@ -370,6 +374,7 @@ describe 'ssh' do } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } + it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) } it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) } it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) } @@ -388,7 +393,7 @@ describe 'ssh' do { :sshd_config_syslog_facility => 'DAEMON', :sshd_config_login_grace_time => '60', - :permit_root_login => 'yes', + :permit_root_login => 'no', :sshd_config_challenge_resp_auth => 'yes', :sshd_config_print_motd => 'no', :sshd_config_use_dns => 'no', 
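Review bot: After this hunk `:permit_root_login => 'no'` in the all-parameters context is the only non-default value of `permit_root_login` the visible spec exercises; nothing checks that an invalid value — in particular the boolean `false` the commit message recommends for hiera — is rejected by the `case $permit_root_login` validator in init.pp rather than rendered into `sshd_config`. A context modelled on the deleted `sshd_config_sendenv_xmodifiers` invalid-type test would pin that down. The exact failure message comes from the case's default branch, which is outside this diff, so the `raise_error` regex may need adjusting; the enclosing `describe 'ssh'` block starts and ends outside the hunk.
```ruby
context 'with permit_root_login set to boolean false' do
  let :facts do
    # … same :fqdn / :osfamily / :sshrsakey facts as the other RedHat contexts …
  end
  let :params do
    { :permit_root_login => false }
  end

  it 'should fail' do
    expect {
      should include_class('ssh')
    }.to raise_error(Puppet::Error, /permit_root_login/)
  end
end
```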
@@ -400,7 +405,6 @@ describe 'ssh' do :sshd_x11_forwarding => 'no', :sshd_use_pam => 'no', :sshd_client_alive_interval => '242', - :sshd_config_sendenv_xmodifiers => true, } end @@ -417,7 +421,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^SyslogFacility DAEMON$/) } it { should contain_file('sshd_config').with_content(/^LoginGraceTime 60$/) } - it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) } + it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd no$/) } it { should contain_file('sshd_config').with_content(/^UseDNS no$/) } @@ -429,7 +433,6 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) } it { should contain_file('sshd_config').with_content(/^UsePAM no$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) } - it { should contain_file('sshd_config').with_content(/^SendEnv XMODIFIERS$/) } end context 'with manage_root_ssh_config set to \'true\' on valid osfamily' do 
@@ -622,42 +625,6 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) } end - context 'with sshd_config_sendenv_xmodifiers set to invalid type, array' do - let :facts do - { - :fqdn => 'monkey.example.com', - :osfamily => 'RedHat', - :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' - } - end - let :params do - { :sshd_config_sendenv_xmodifiers => ['invalid','type'] } - end - - it 'should fail' do - expect { - should include_class('ssh') - }.to raise_error(Puppet::Error,/sshd_config_sendenv_xmodifiers type must be true or false./) - end - end - - context 'with sshd_config_sendenv_xmodifiers set to stringified true' do - let :facts do - { - :fqdn => 'monkey.example.com', - :osfamily => 'RedHat', - :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' - } - end - let :params do - { - :sshd_config_sendenv_xmodifiers => 'true', - } - end - - it { should contain_file('sshd_config').with_content(/^SendEnv XMODIFIERS$/) } - end - context 'with manage_firewall set to true on valid osfamily' do let :facts do { diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 8535d45..3595f50 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb 
@@ -130,7 +130,3 @@ XAuthLocation <%= @sshd_config_xauth_location %> # override default of no subsystems Subsystem sftp <%= @sshd_config_subsystem_sftp_real %> -<% if @sshd_config_sendenv_xmodifiers_real == true -%> - -SendEnv XMODIFIERS -<% end -%>