From 5368e52b30033b0013e61babb944b7e5e31d22f2 Mon Sep 17 00:00:00 2001 From: Mears148 Date: Wed, 17 May 2017 09:58:14 -0400 Subject: [PATCH] Add PrintLastLog, UsePrivilegeSeparation, and Compression --- README.md | 25 ++++ manifests/init.pp | 235 ++++++++++++++++++++------------------ spec/classes/init_spec.rb | 196 ++++++++++++++++++++----------- templates/sshd_config.erb | 9 ++ 4 files changed, 289 insertions(+), 176 deletions(-) diff --git a/README.md b/README.md index 07797c2..804e4a3 100644 --- a/README.md +++ b/README.md @@ -257,6 +257,15 @@ PermitUserEnvironment option in sshd_config. Specifies whether ~/.ssh/environme Valid values are 'yes' and 'no'. +- *Default*: undef + +sshd_config_compression +--------------------------------- +Compression option in sshd_config. +Specifies whether compression is allowed in an SSH connection prior to authentication. +If specified, valid values are 'yes', 'no' and 'delayed'. + + - *Default*: undef sshd_config_port @@ -298,6 +307,14 @@ PrintMotd option in sshd_config. - *Default*: 'yes' +sshd_config_print_lastlog +---------------------- +PrintLastLog option in sshd_config. +Verify SSH provides users with feedback on when account accesses last occurred. +If specified, valid values are 'yes' and 'no'. + +- *Default*: undef + sshd_config_use_dns ------------------- UseDNS option in sshd_config. The default is 'yes' on Linux. @@ -470,6 +487,14 @@ On Solaris the default is to not add this parameter to the configuration file. - *Default*: undef +sshd_config_use_privilege_separation +---------------------- +UsePrivilegeSeparation in sshd_config. +Causes the SSH process to drop root privileges when not needed. +If specified, valid values are 'yes', 'no' and 'sandbox'. + +- *Default*: undef + sshd_config_permittunnel ----------------------- PermitTunnel in sshd_config. diff --git a/manifests/init.pp b/manifests/init.pp index 5c50be9..eee805e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -3,117 +3,120 @@ # Manage ssh client and server # class ssh ( - $hiera_merge = false, - $packages = 'USE_DEFAULTS', - $permit_root_login = 'yes', - $purge_keys = true, - $manage_firewall = false, - $ssh_package_source = 'USE_DEFAULTS', - $ssh_package_adminfile = 'USE_DEFAULTS', - $ssh_config_hash_known_hosts = 'USE_DEFAULTS', - $ssh_config_path = '/etc/ssh/ssh_config', - $ssh_config_owner = 'root', - $ssh_config_group = 'root', - $ssh_config_mode = '0644', - $ssh_config_forward_x11 = undef, - $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', - $ssh_config_forward_agent = undef, - $ssh_config_server_alive_interval = undef, - $ssh_config_sendenv_xmodifiers = false, - $ssh_hostbasedauthentication = undef, - $ssh_config_proxy_command = undef, - $ssh_strict_host_key_checking = undef, - $ssh_config_ciphers = undef, - $ssh_config_kexalgorithms = undef, - $ssh_config_macs = undef, - $ssh_config_use_roaming = 'USE_DEFAULTS', - $ssh_config_template = 'ssh/ssh_config.erb', - $ssh_sendenv = 'USE_DEFAULTS', - $ssh_gssapiauthentication = 'yes', - $ssh_gssapidelegatecredentials = undef, - $sshd_config_path = '/etc/ssh/sshd_config', - $sshd_config_owner = 'root', - $sshd_config_group = 'root', - $sshd_config_loglevel = 'INFO', - $sshd_config_mode = 'USE_DEFAULTS', - $sshd_config_permitemptypasswords = undef, - $sshd_config_permituserenvironment = undef, - $sshd_config_port = '22', - $sshd_config_syslog_facility = 'AUTH', - $sshd_config_template = 'ssh/sshd_config.erb', - $sshd_config_login_grace_time = '120', - $sshd_config_challenge_resp_auth = 'yes', - $sshd_config_print_motd = 'yes', - $sshd_config_use_dns = 'USE_DEFAULTS', - $sshd_config_authkey_location = undef, - $sshd_config_strictmodes = undef, - $sshd_config_serverkeybits = 'USE_DEFAULTS', - $sshd_config_banner = 'none', - $sshd_config_ciphers = undef, - $sshd_config_kexalgorithms = undef, - $sshd_config_macs = undef, - $ssh_enable_ssh_keysign = undef, - $sshd_config_allowgroups = [], - $sshd_config_allowusers = [], - 
$sshd_config_denygroups = [], - $sshd_config_denyusers = [], - $sshd_config_maxauthtries = undef, - $sshd_config_maxstartups = undef, - $sshd_config_maxsessions = undef, - $sshd_config_chrootdirectory = undef, - $sshd_config_forcecommand = undef, - $sshd_config_match = undef, - $sshd_authorized_keys_command = undef, - $sshd_authorized_keys_command_user = undef, - $sshd_banner_content = undef, - $sshd_banner_owner = 'root', - $sshd_banner_group = 'root', - $sshd_banner_mode = '0644', - $sshd_config_xauth_location = 'USE_DEFAULTS', - $sshd_config_subsystem_sftp = 'USE_DEFAULTS', - $sshd_kerberos_authentication = undef, - $sshd_password_authentication = 'yes', - $sshd_allow_tcp_forwarding = 'yes', - $sshd_x11_forwarding = 'yes', - $sshd_x11_use_localhost = 'yes', - $sshd_use_pam = 'USE_DEFAULTS', - $sshd_client_alive_count_max = '3', - $sshd_client_alive_interval = '0', - $sshd_gssapiauthentication = 'yes', - $sshd_gssapikeyexchange = 'USE_DEFAULTS', - $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', - $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', - $sshd_acceptenv = 'USE_DEFAULTS', - $sshd_config_hostkey = 'USE_DEFAULTS', - $sshd_listen_address = undef, - $sshd_hostbasedauthentication = 'no', - $sshd_pubkeyacceptedkeytypes = undef, - $sshd_pubkeyauthentication = 'yes', - $sshd_ignoreuserknownhosts = 'no', - $sshd_ignorerhosts = 'yes', - $manage_service = true, - $sshd_addressfamily = 'USE_DEFAULTS', - $service_ensure = 'running', - $service_name = 'USE_DEFAULTS', - $service_enable = true, - $service_hasrestart = true, - $service_hasstatus = 'USE_DEFAULTS', - $ssh_key_ensure = 'present', - $ssh_key_import = true, - $ssh_key_type = 'ssh-rsa', - $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', - $ssh_config_global_known_hosts_list = undef, - $ssh_config_global_known_hosts_owner = 'root', - $ssh_config_global_known_hosts_group = 'root', - $ssh_config_global_known_hosts_mode = '0644', - $ssh_config_user_known_hosts_file = undef, - $keys = undef, - 
$manage_root_ssh_config = false, - $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", - $sshd_config_tcp_keepalive = undef, - $sshd_config_permittunnel = undef, - $sshd_config_hostcertificate = undef, - $sshd_config_trustedusercakeys = undef, + $hiera_merge = false, + $packages = 'USE_DEFAULTS', + $permit_root_login = 'yes', + $purge_keys = true, + $manage_firewall = false, + $ssh_package_source = 'USE_DEFAULTS', + $ssh_package_adminfile = 'USE_DEFAULTS', + $ssh_config_hash_known_hosts = 'USE_DEFAULTS', + $ssh_config_path = '/etc/ssh/ssh_config', + $ssh_config_owner = 'root', + $ssh_config_group = 'root', + $ssh_config_mode = '0644', + $ssh_config_forward_x11 = undef, + $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', + $ssh_config_forward_agent = undef, + $ssh_config_server_alive_interval = undef, + $ssh_config_sendenv_xmodifiers = false, + $ssh_hostbasedauthentication = undef, + $ssh_config_proxy_command = undef, + $ssh_strict_host_key_checking = undef, + $ssh_config_ciphers = undef, + $ssh_config_kexalgorithms = undef, + $ssh_config_macs = undef, + $ssh_config_use_roaming = 'USE_DEFAULTS', + $ssh_config_template = 'ssh/ssh_config.erb', + $ssh_sendenv = 'USE_DEFAULTS', + $ssh_gssapiauthentication = 'yes', + $ssh_gssapidelegatecredentials = undef, + $sshd_config_path = '/etc/ssh/sshd_config', + $sshd_config_owner = 'root', + $sshd_config_group = 'root', + $sshd_config_loglevel = 'INFO', + $sshd_config_mode = 'USE_DEFAULTS', + $sshd_config_permitemptypasswords = undef, + $sshd_config_permituserenvironment = undef, + $sshd_config_compression = undef, + $sshd_config_port = '22', + $sshd_config_syslog_facility = 'AUTH', + $sshd_config_template = 'ssh/sshd_config.erb', + $sshd_config_login_grace_time = '120', + $sshd_config_challenge_resp_auth = 'yes', + $sshd_config_print_motd = 'yes', + $sshd_config_print_last_log = undef, + $sshd_config_use_dns = 'USE_DEFAULTS', + $sshd_config_authkey_location = undef, + 
$sshd_config_strictmodes = undef, + $sshd_config_serverkeybits = 'USE_DEFAULTS', + $sshd_config_banner = 'none', + $sshd_config_ciphers = undef, + $sshd_config_kexalgorithms = undef, + $sshd_config_macs = undef, + $ssh_enable_ssh_keysign = undef, + $sshd_config_allowgroups = [], + $sshd_config_allowusers = [], + $sshd_config_denygroups = [], + $sshd_config_denyusers = [], + $sshd_config_maxauthtries = undef, + $sshd_config_maxstartups = undef, + $sshd_config_maxsessions = undef, + $sshd_config_chrootdirectory = undef, + $sshd_config_forcecommand = undef, + $sshd_config_match = undef, + $sshd_authorized_keys_command = undef, + $sshd_authorized_keys_command_user = undef, + $sshd_banner_content = undef, + $sshd_banner_owner = 'root', + $sshd_banner_group = 'root', + $sshd_banner_mode = '0644', + $sshd_config_xauth_location = 'USE_DEFAULTS', + $sshd_config_subsystem_sftp = 'USE_DEFAULTS', + $sshd_kerberos_authentication = undef, + $sshd_password_authentication = 'yes', + $sshd_allow_tcp_forwarding = 'yes', + $sshd_x11_forwarding = 'yes', + $sshd_x11_use_localhost = 'yes', + $sshd_use_pam = 'USE_DEFAULTS', + $sshd_client_alive_count_max = '3', + $sshd_client_alive_interval = '0', + $sshd_gssapiauthentication = 'yes', + $sshd_gssapikeyexchange = 'USE_DEFAULTS', + $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', + $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', + $sshd_acceptenv = 'USE_DEFAULTS', + $sshd_config_hostkey = 'USE_DEFAULTS', + $sshd_listen_address = undef, + $sshd_hostbasedauthentication = 'no', + $sshd_pubkeyacceptedkeytypes = undef, + $sshd_pubkeyauthentication = 'yes', + $sshd_ignoreuserknownhosts = 'no', + $sshd_ignorerhosts = 'yes', + $manage_service = true, + $sshd_addressfamily = 'USE_DEFAULTS', + $service_ensure = 'running', + $service_name = 'USE_DEFAULTS', + $service_enable = true, + $service_hasrestart = true, + $service_hasstatus = 'USE_DEFAULTS', + $ssh_key_ensure = 'present', + $ssh_key_import = true, + $ssh_key_type = 'ssh-rsa', + 
$ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', + $ssh_config_global_known_hosts_list = undef, + $ssh_config_global_known_hosts_owner = 'root', + $ssh_config_global_known_hosts_group = 'root', + $ssh_config_global_known_hosts_mode = '0644', + $ssh_config_user_known_hosts_file = undef, + $keys = undef, + $manage_root_ssh_config = false, + $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", + $sshd_config_tcp_keepalive = undef, + $sshd_config_use_privilege_separation = undef, + $sshd_config_permittunnel = undef, + $sshd_config_hostcertificate = undef, + $sshd_config_trustedusercakeys = undef, ) { case $::osfamily { @@ -531,6 +534,9 @@ class ssh ( if $sshd_config_permituserenvironment != undef { validate_re($sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.") } + if $sshd_config_compression != undef { + validate_re($sshd_config_compression, '^(yes|no|delayed)$', "ssh::sshd_config_compression may be either 'yes', 'no' or 'delayed' and is set to <${sshd_config_compression}>.") + } case type3x($sshd_config_port) { 'string': { validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.") 
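Review bot: The three new parameters (`$sshd_config_compression`, `$sshd_config_print_last_log`, `$sshd_config_use_privilege_separation`) are buried in a hunk that re-indents every existing parameter of `class ssh`, so a reader has to compare roughly 110 removed and re-added lines to find the three that matter; the realignment would be easier to audit as its own commit, or the new lines could simply match the existing column. The `undef` defaults are consistent with `$sshd_config_permituserenvironment` and mean sshd's own default applies until an operator sets a value, which is the right choice for options with security impact. The class body continues well past the hunk.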
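Review bot: The new check uses `'^(yes|no|delayed)$'`, and as far as I can tell `validate_re` matches with a Ruby Regexp, where `^` and `$` are line anchors: a multi-line value such as `"no\nPermitRootLogin yes"` passes validation and the template then writes it verbatim, adding a directive to sshd_config. This matches the file's existing validations, so it is a pre-existing pattern rather than a regression, but new checks could pin the whole string with `validate_re($sshd_config_compression, '\A(yes|no|delayed)\z', ...)`. Separately, on OpenSSH releases that still support compression before authentication `yes` enables it while `delayed` defers it until after login, so a one-line comment steering operators to `delayed` (the upstream default the template shows as `#Compression delayed`) would help. The enclosing class continues outside the hunk.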
@@ -554,6 +560,9 @@ class ssh ( validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.") validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.") validate_re($sshd_x11_use_localhost, '^(yes|no)$', "ssh::sshd_x11_use_localhost may be either 'yes' or 'no' and is set to <${sshd_x11_use_localhost}>.") + if $sshd_config_print_last_log != undef { + validate_re($sshd_config_print_last_log, '^(yes|no)$', "ssh::sshd_config_print_last_log may be either 'yes' or 'no' and is set to <${sshd_config_print_last_log}>.") + } if $sshd_use_pam_real != undef { validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") } @@ -821,6 +830,10 @@ class ssh ( validate_re($sshd_config_tcp_keepalive_real, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes', 'no' or 'unset' and is set to <${sshd_config_tcp_keepalive_real}>.") } + if $sshd_config_use_privilege_separation != undef { + validate_re($sshd_config_use_privilege_separation, '^(yes|no|sandbox)$', "ssh::sshd_config_use_privilege_separation may be either 'yes', 'no' or 'sandbox' and is set to <${sshd_config_use_privilege_separation}>.") + } + if $sshd_config_permittunnel_real != undef { validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.") } diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 909a7d0..bf9134c 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
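Review bot: Accepting `no` for `$sshd_config_use_privilege_separation` lets a single Hiera key switch off sshd's unprivileged pre-authentication child, so the network-facing parser then runs with root privileges; that is a legitimate debugging knob but deserves a warning beside the check, e.g. `# 'no' disables sshd's unprivileged pre-auth process; prefer 'sandbox' or leave undef outside debugging`. I believe recent OpenSSH releases have also made privilege separation mandatory and only emit a deprecation warning for this keyword, so the parameter is a no-op there — worth confirming against the target versions and stating in the docs. The class continues outside the hunk.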
@@ -389,82 +389,85 @@ describe 'ssh' do context 'with params used in sshd_config set on valid osfamily' do let(:params) do { - :sshd_config_port => '22222', - :sshd_config_syslog_facility => 'DAEMON', - :sshd_config_login_grace_time => '60', - :permit_root_login => 'no', - :sshd_config_chrootdirectory => '/chrootdir', - :sshd_config_forcecommand => '/force/command --with-parameter 242', - :sshd_config_match => { 'User JohnDoe' => [ 'AllowTcpForwarding yes', ], }, - :sshd_config_challenge_resp_auth => 'no', - :sshd_config_print_motd => 'no', - :sshd_config_use_dns => 'no', - :sshd_config_banner => '/etc/sshd_banner', - :sshd_authorized_keys_command => '/path/to/command', - :sshd_authorized_keys_command_user => 'asdf', - :sshd_banner_content => 'textinbanner', - :sshd_config_xauth_location => '/opt/ssh/bin/xauth', - :sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp', - :sshd_kerberos_authentication => 'no', - :sshd_password_authentication => 'no', - :sshd_config_permitemptypasswords => 'no', - :sshd_config_permituserenvironment => 'no', - :sshd_pubkeyacceptedkeytypes => [ 'ecdsa-sha2-nistp256', - 'ecdsa-sha2-nistp384', - 'ecdsa-sha2-nistp521', - 'ssh-ed25519', - 'ssh-rsa', + :sshd_config_port => '22222', + :sshd_config_syslog_facility => 'DAEMON', + :sshd_config_login_grace_time => '60', + :permit_root_login => 'no', + :sshd_config_chrootdirectory => '/chrootdir', + :sshd_config_forcecommand => '/force/command --with-parameter 242', + :sshd_config_match => { 'User JohnDoe' => [ 'AllowTcpForwarding yes', ], }, + :sshd_config_challenge_resp_auth => 'no', + :sshd_config_print_motd => 'no', + :sshd_config_print_last_log => 'no', + :sshd_config_use_dns => 'no', + :sshd_config_banner => '/etc/sshd_banner', + :sshd_authorized_keys_command => '/path/to/command', + :sshd_authorized_keys_command_user => 'asdf', + :sshd_banner_content => 'textinbanner', + :sshd_config_xauth_location => '/opt/ssh/bin/xauth', + :sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp', + 
:sshd_kerberos_authentication => 'no', + :sshd_password_authentication => 'no', + :sshd_config_permitemptypasswords => 'no', + :sshd_config_permituserenvironment => 'no', + :sshd_config_compression => 'no', + :sshd_pubkeyacceptedkeytypes => [ 'ecdsa-sha2-nistp256', + 'ecdsa-sha2-nistp384', + 'ecdsa-sha2-nistp521', + 'ssh-ed25519', + 'ssh-rsa', ], - :sshd_pubkeyauthentication => 'no', - :sshd_allow_tcp_forwarding => 'no', - :sshd_x11_forwarding => 'no', - :sshd_x11_use_localhost => 'no', - :sshd_use_pam => 'no', - :sshd_client_alive_interval => '242', - :sshd_config_serverkeybits => '1024', - :sshd_client_alive_count_max => '0', - :sshd_config_authkey_location => '.ssh/authorized_keys', - :sshd_config_hostkey => [ '/etc/ssh/ssh_host_rsa_key', + :sshd_pubkeyauthentication => 'no', + :sshd_allow_tcp_forwarding => 'no', + :sshd_x11_forwarding => 'no', + :sshd_x11_use_localhost => 'no', + :sshd_use_pam => 'no', + :sshd_client_alive_interval => '242', + :sshd_config_serverkeybits => '1024', + :sshd_client_alive_count_max => '0', + :sshd_config_authkey_location => '.ssh/authorized_keys', + :sshd_config_hostkey => [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', ], - :sshd_config_strictmodes => 'yes', - :sshd_config_ciphers => [ 'aes128-cbc', - '3des-cbc', - 'blowfish-cbc', - 'cast128-cbc', - 'arcfour', - 'aes192-cbc', - 'aes256-cbc', + :sshd_config_strictmodes => 'yes', + :sshd_config_ciphers => [ 'aes128-cbc', + '3des-cbc', + 'blowfish-cbc', + 'cast128-cbc', + 'arcfour', + 'aes192-cbc', + 'aes256-cbc', ], - :sshd_config_kexalgorithms => [ 'curve25519-sha256@libssh.org', - 'ecdh-sha2-nistp256', - 'ecdh-sha2-nistp384', - 'ecdh-sha2-nistp521', - 'diffie-hellman-group-exchange-sha256', - 'diffie-hellman-group-exchange-sha1', - 'diffie-hellman-group14-sha1', - 'diffie-hellman-group1-sha1', + :sshd_config_kexalgorithms => [ 'curve25519-sha256@libssh.org', + 'ecdh-sha2-nistp256', + 'ecdh-sha2-nistp384', + 'ecdh-sha2-nistp521', + 
'diffie-hellman-group-exchange-sha256', + 'diffie-hellman-group-exchange-sha1', + 'diffie-hellman-group14-sha1', + 'diffie-hellman-group1-sha1', ], - :sshd_config_macs => [ 'hmac-md5-etm@openssh.com', - 'hmac-sha1-etm@openssh.com', + :sshd_config_macs => [ 'hmac-md5-etm@openssh.com', + 'hmac-sha1-etm@openssh.com', ], - :sshd_config_denyusers => [ 'root', - 'lusers', + :sshd_config_denyusers => [ 'root', + 'lusers', ], - :sshd_config_denygroups => [ 'nossh', - 'wheel', + :sshd_config_denygroups => [ 'nossh', + 'wheel', ], - :sshd_config_allowusers => [ 'foo', - 'bar', + :sshd_config_allowusers => [ 'foo', + 'bar', ], - :sshd_config_allowgroups => [ 'ssh', - 'security', + :sshd_config_allowgroups => [ 'ssh', + 'security', ], - :sshd_listen_address => [ '192.168.1.1', - '2001:db8::dead:f00d', + :sshd_listen_address => [ '192.168.1.1', + '2001:db8::dead:f00d', ], - :sshd_config_tcp_keepalive => 'yes', - :sshd_config_permittunnel => 'no', + :sshd_config_tcp_keepalive => 'yes', + :sshd_config_use_privilege_separation => 'no', + :sshd_config_permittunnel => 'no', } end @@ -488,6 +491,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd no$/) } + it { should contain_file('sshd_config').with_content(/^PrintLastLog no$/) } it { should contain_file('sshd_config').with_content(/^UseDNS no$/) } it { should contain_file('sshd_config').with_content(/^Banner \/etc\/sshd_banner$/) } it { should contain_file('sshd_config').with_content(/^XAuthLocation \/opt\/ssh\/bin\/xauth$/) } 
@@ -511,6 +515,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) } it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) } it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment no/) } + it { should contain_file('sshd_config').with_content(/^Compression no$/) } it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords no/) } it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) } it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) } @@ -534,6 +539,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) } it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) } it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) } + it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation no$/) } it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) } it { @@ -622,6 +628,26 @@ describe 'ssh' do end +describe 'sshd_config_print_last_log param' do + ['yes','no'].each do |value| + context "set to #{value}" do + let (:params) { { :sshd_config_print_last_log => value } } + + it { should contain_file('sshd_config').with_content(/^PrintLastLog #{value}$/) } + end + end + + context 'when set to an invalid value' do + let (:params) { { :sshd_config_print_last_log => 'invalid' } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/ssh::sshd_config_print_last_log may be either \'yes\' or \'no\' and is set to \./) + end + end + end + describe 'sshd_listen_address param' do context 'when set to an array' do let(:params) { {'sshd_listen_address' => ['192.168.1.1','2001:db8::dead:f00d'] } } 
@@ -966,6 +992,26 @@ describe 'ssh' do end end end + + describe 'sshd_config_compression param' do + ['yes','no','delayed'].each do |value| + context "set to #{value}" do + let (:params) { { :sshd_config_compression => value } } + + it { should contain_file('sshd_config').with_content(/^Compression #{value}$/) } + end + end + + context 'when set to an invalid value' do + let (:params) { { :sshd_config_compression => 'invalid' } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/ssh::sshd_config_compression may be either \'yes\', \'no\' or \'delayed\' and is set to \./) + end + end + end describe 'sshd_config_port param' do context 'when set to an array' do @@ -2391,6 +2437,26 @@ describe 'ssh' do end end end + + describe 'sshd_config_use_privilege_separation param' do + ['yes','no','sandbox'].each do |value| + context "set to #{value}" do + let (:params) { { :sshd_config_use_privilege_separation => value } } + + it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation #{value}$/) } + end + end + + context 'when set to an invalid value' do + let (:params) { { :sshd_config_use_privilege_separation => 'invalid' } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/ssh::sshd_config_use_privilege_separation may be either \'yes\', \'no\' or \'sandbox\' and is set to \./) + end + end + end describe 'with parameter sshd_addressfamily' do ['any','inet','inet6'].each do |value| diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index f65d97a..4e06f40 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb 
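Review bot: The new `describe 'sshd_config_use_privilege_separation param'` block covers the three accepted values and one rejected value but never checks the default: with the parameter left `undef` the template is meant to emit no `UsePrivilegeSeparation` line at all, and nothing asserts that. Following the file's existing `should_not contain_file('sshd_config').with_content(/^MaxAuthTries/)` style, the default-parameters context could add `it { should_not contain_file('sshd_config').with_content(/^UsePrivilegeSeparation/) }`; the same gap applies to the Compression and PrintLastLog blocks. The surrounding `describe 'ssh'` block starts and ends outside the hunk.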
@@ -168,17 +168,26 @@ X11UseLocalhost <%= @sshd_x11_use_localhost %> #PrintMotd yes PrintMotd <%= @sshd_config_print_motd %> #PrintLastLog yes +<% if @sshd_config_print_last_log != nil -%> +PrintLastLog <%= @sshd_config_print_last_log %> +<% end -%> #TCPKeepAlive yes <% if @sshd_config_tcp_keepalive_real != nil -%> TCPKeepAlive <%= @sshd_config_tcp_keepalive_real %> <% end -%> #UseLogin no #UsePrivilegeSeparation yes +<% if @sshd_config_use_privilege_separation != nil -%> +UsePrivilegeSeparation <%= @sshd_config_use_privilege_separation %> +<% end -%> #PermitUserEnvironment no <% if @sshd_config_permituserenvironment != nil -%> PermitUserEnvironment <%= @sshd_config_permituserenvironment %> <% end -%> #Compression delayed +<% if @sshd_config_compression != nil -%> +Compression <%= @sshd_config_compression %> +<% end -%> #ClientAliveInterval 0 ClientAliveInterval <%= @sshd_client_alive_interval %> ClientAliveCountMax <%= @sshd_client_alive_count_max %>