Merge pull request #178 from jthiesfeld/jthiesfeld-permitemptypasswords

Adding two new options for sshd_config PermitEmptyPasswords and PermitUserEnvironment
This commit is contained in:
Garrett Honeycutt 2016-06-24 15:51:18 -04:00 committed by GitHub
commit 4e3920b820
4 changed files with 91 additions and 0 deletions

View File

@ -220,6 +220,21 @@ sshd_listen_address
------------------- -------------------
String or Array to specify address(es) for which sshd will bind. Corresponds to ListenAddress in sshd_config. String or Array to specify address(es) for which sshd will bind. Corresponds to ListenAddress in sshd_config.
- *Default*: undef
sshd_config_permitemptypasswords
--------------------------------
PermitEmptyPasswords option in sshd_config. When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.
Valid values are 'yes' and 'no'.
- *Default*: undef
sshd_config_permituserenvironment
---------------------------------
PermitUserEnvironment option in sshd_config. Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8). The default is “no”. Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.
Valid values are 'yes' and 'no'.
- *Default*: undef - *Default*: undef
sshd_config_port sshd_config_port

View File

@ -34,6 +34,8 @@ class ssh (
$sshd_config_group = 'root', $sshd_config_group = 'root',
$sshd_config_loglevel = 'INFO', $sshd_config_loglevel = 'INFO',
$sshd_config_mode = 'USE_DEFAULTS', $sshd_config_mode = 'USE_DEFAULTS',
$sshd_config_permitemptypasswords = undef,
$sshd_config_permituserenvironment = undef,
$sshd_config_port = '22', $sshd_config_port = '22',
$sshd_config_syslog_facility = 'AUTH', $sshd_config_syslog_facility = 'AUTH',
$sshd_config_template = 'ssh/sshd_config.erb', $sshd_config_template = 'ssh/sshd_config.erb',
@ -459,6 +461,12 @@ class ssh (
if $ssh_config_hash_known_hosts_real != undef { if $ssh_config_hash_known_hosts_real != undef {
validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.") validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
} }
if $sshd_config_permitemptypasswords != undef {
validate_re($sshd_config_permitemptypasswords, '^(yes|no)$', "ssh::sshd_config_permitemptypasswords may be either 'yes' or 'no' and is set to <${sshd_config_permitemptypasswords}>.")
}
if $sshd_config_permituserenvironment != undef {
validate_re($sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.")
}
case type3x($sshd_config_port) { case type3x($sshd_config_port) {
'string': { 'string': {
validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.") validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")

View File

@ -398,6 +398,8 @@ describe 'ssh' do
:sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp', :sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp',
:sshd_kerberos_authentication => 'no', :sshd_kerberos_authentication => 'no',
:sshd_password_authentication => 'no', :sshd_password_authentication => 'no',
:sshd_config_permitemptypasswords => 'no',
:sshd_config_permituserenvironment => 'no',
:sshd_pubkeyauthentication => 'no', :sshd_pubkeyauthentication => 'no',
:sshd_allow_tcp_forwarding => 'no', :sshd_allow_tcp_forwarding => 'no',
:sshd_x11_forwarding => 'no', :sshd_x11_forwarding => 'no',
@ -480,6 +482,8 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) } it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment no/) }
it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords no/) }
it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) } it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }
it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) } it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) } it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
@ -977,6 +981,64 @@ describe 'ssh' do
end end
end end
describe 'with sshd_config_permitemptypasswords' do
let :facts do
default_facts.merge(
{
}
)
end
['yes','no'].each do |value|
context "set to #{value}" do
let (:params) {{ 'sshd_config_permitemptypasswords' => value }}
it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords #{value}$/) }
end
end
context 'set to invalid value on valid osfamily' do
let :params do
{ :sshd_config_permitemptypasswords => 'invalid' }
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_permitemptypasswords may be either \'yes\' or \'no\' and is set to <invalid>\./)
end
end
end
describe 'with sshd_config_permituserenvironment' do
let :facts do
default_facts.merge(
{
}
)
end
['yes','no'].each do |value|
context "set to #{value}" do
let (:params) {{ 'sshd_config_permituserenvironment' => value }}
it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment #{value}$/) }
end
end
context 'set to invalid value on valid osfamily' do
let :params do
{ :sshd_config_permituserenvironment => 'invalid' }
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_permituserenvironment may be either \'yes\' or \'no\' and is set to <invalid>\./)
end
end
end
describe 'sshd_config_port param' do describe 'sshd_config_port param' do
let :facts do let :facts do
default_facts.merge( default_facts.merge(

View File

@ -107,6 +107,9 @@ PasswordAuthentication <%= @sshd_password_authentication %>
PAMAuthenticationViaKBDInt <%= @sshd_pamauthenticationviakbdint_real %> PAMAuthenticationViaKBDInt <%= @sshd_pamauthenticationviakbdint_real %>
<% end -%> <% end -%>
#PermitEmptyPasswords no #PermitEmptyPasswords no
<% if @sshd_config_permitemptypasswords != nil -%>
PermitEmptyPasswords <%= @sshd_config_permitemptypasswords %>
<% end -%>
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes #ChallengeResponseAuthentication yes
@ -165,6 +168,9 @@ PrintMotd <%= @sshd_config_print_motd %>
#UseLogin no #UseLogin no
#UsePrivilegeSeparation yes #UsePrivilegeSeparation yes
#PermitUserEnvironment no #PermitUserEnvironment no
<% if @sshd_config_permituserenvironment != nil -%>
PermitUserEnvironment <%= @sshd_config_permituserenvironment %>
<% end -%>
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
ClientAliveInterval <%= @sshd_client_alive_interval %> ClientAliveInterval <%= @sshd_client_alive_interval %>