Add PrintLastLog, UsePrivilegeSeparation, and Compression

Mears148 2017-05-17 09:58:14 -04:00
parent 31e1f2815c
commit 5368e52b30
4 changed files with 289 additions and 176 deletions


@ -257,6 +257,15 @@ PermitUserEnvironment option in sshd_config. Specifies whether ~/.ssh/environme
Valid values are 'yes' and 'no'. Valid values are 'yes' and 'no'.
- *Default*: undef
sshd_config_compression
---------------------------------
Compression option in sshd_config.
Specifies whether compression is allowed in an SSH connection prior to authentication.
If specified, valid values are 'yes', 'no' and 'delayed'.
- *Default*: undef - *Default*: undef
sshd_config_port sshd_config_port
@ -298,6 +307,14 @@ PrintMotd option in sshd_config.
- *Default*: 'yes' - *Default*: 'yes'
sshd_config_print_lastlog
----------------------
PrintLastLog option in sshd_config.
Verify SSH provides users with feedback on when account accesses last occurred.
If specified, valid values are 'yes' and 'no'.
- *Default*: undef
sshd_config_use_dns sshd_config_use_dns
------------------- -------------------
UseDNS option in sshd_config. The default is 'yes' on Linux. UseDNS option in sshd_config. The default is 'yes' on Linux.
@ -470,6 +487,14 @@ On Solaris the default is to not add this parameter to the configuration file.
- *Default*: undef - *Default*: undef
sshd_config_use_privilege_separation
----------------------
UsePrivilegeSeparation in sshd_config.
Causes the SSH process to drop root privileges when not needed.
If specified, valid values are 'yes', 'no' and 'sandbox'.
- *Default*: undef
sshd_config_permittunnel sshd_config_permittunnel
----------------------- -----------------------
PermitTunnel in sshd_config. PermitTunnel in sshd_config.


@ -3,117 +3,120 @@
# Manage ssh client and server # Manage ssh client and server
# #
class ssh ( class ssh (
$hiera_merge = false, $hiera_merge = false,
$packages = 'USE_DEFAULTS', $packages = 'USE_DEFAULTS',
$permit_root_login = 'yes', $permit_root_login = 'yes',
$purge_keys = true, $purge_keys = true,
$manage_firewall = false, $manage_firewall = false,
$ssh_package_source = 'USE_DEFAULTS', $ssh_package_source = 'USE_DEFAULTS',
$ssh_package_adminfile = 'USE_DEFAULTS', $ssh_package_adminfile = 'USE_DEFAULTS',
$ssh_config_hash_known_hosts = 'USE_DEFAULTS', $ssh_config_hash_known_hosts = 'USE_DEFAULTS',
$ssh_config_path = '/etc/ssh/ssh_config', $ssh_config_path = '/etc/ssh/ssh_config',
$ssh_config_owner = 'root', $ssh_config_owner = 'root',
$ssh_config_group = 'root', $ssh_config_group = 'root',
$ssh_config_mode = '0644', $ssh_config_mode = '0644',
$ssh_config_forward_x11 = undef, $ssh_config_forward_x11 = undef,
$ssh_config_forward_x11_trusted = 'USE_DEFAULTS', $ssh_config_forward_x11_trusted = 'USE_DEFAULTS',
$ssh_config_forward_agent = undef, $ssh_config_forward_agent = undef,
$ssh_config_server_alive_interval = undef, $ssh_config_server_alive_interval = undef,
$ssh_config_sendenv_xmodifiers = false, $ssh_config_sendenv_xmodifiers = false,
$ssh_hostbasedauthentication = undef, $ssh_hostbasedauthentication = undef,
$ssh_config_proxy_command = undef, $ssh_config_proxy_command = undef,
$ssh_strict_host_key_checking = undef, $ssh_strict_host_key_checking = undef,
$ssh_config_ciphers = undef, $ssh_config_ciphers = undef,
$ssh_config_kexalgorithms = undef, $ssh_config_kexalgorithms = undef,
$ssh_config_macs = undef, $ssh_config_macs = undef,
$ssh_config_use_roaming = 'USE_DEFAULTS', $ssh_config_use_roaming = 'USE_DEFAULTS',
$ssh_config_template = 'ssh/ssh_config.erb', $ssh_config_template = 'ssh/ssh_config.erb',
$ssh_sendenv = 'USE_DEFAULTS', $ssh_sendenv = 'USE_DEFAULTS',
$ssh_gssapiauthentication = 'yes', $ssh_gssapiauthentication = 'yes',
$ssh_gssapidelegatecredentials = undef, $ssh_gssapidelegatecredentials = undef,
$sshd_config_path = '/etc/ssh/sshd_config', $sshd_config_path = '/etc/ssh/sshd_config',
$sshd_config_owner = 'root', $sshd_config_owner = 'root',
$sshd_config_group = 'root', $sshd_config_group = 'root',
$sshd_config_loglevel = 'INFO', $sshd_config_loglevel = 'INFO',
$sshd_config_mode = 'USE_DEFAULTS', $sshd_config_mode = 'USE_DEFAULTS',
$sshd_config_permitemptypasswords = undef, $sshd_config_permitemptypasswords = undef,
$sshd_config_permituserenvironment = undef, $sshd_config_permituserenvironment = undef,
$sshd_config_port = '22', $sshd_config_compression = undef,
$sshd_config_syslog_facility = 'AUTH', $sshd_config_port = '22',
$sshd_config_template = 'ssh/sshd_config.erb', $sshd_config_syslog_facility = 'AUTH',
$sshd_config_login_grace_time = '120', $sshd_config_template = 'ssh/sshd_config.erb',
$sshd_config_challenge_resp_auth = 'yes', $sshd_config_login_grace_time = '120',
$sshd_config_print_motd = 'yes', $sshd_config_challenge_resp_auth = 'yes',
$sshd_config_use_dns = 'USE_DEFAULTS', $sshd_config_print_motd = 'yes',
$sshd_config_authkey_location = undef, $sshd_config_print_last_log = undef,
$sshd_config_strictmodes = undef, $sshd_config_use_dns = 'USE_DEFAULTS',
$sshd_config_serverkeybits = 'USE_DEFAULTS', $sshd_config_authkey_location = undef,
$sshd_config_banner = 'none', $sshd_config_strictmodes = undef,
$sshd_config_ciphers = undef, $sshd_config_serverkeybits = 'USE_DEFAULTS',
$sshd_config_kexalgorithms = undef, $sshd_config_banner = 'none',
$sshd_config_macs = undef, $sshd_config_ciphers = undef,
$ssh_enable_ssh_keysign = undef, $sshd_config_kexalgorithms = undef,
$sshd_config_allowgroups = [], $sshd_config_macs = undef,
$sshd_config_allowusers = [], $ssh_enable_ssh_keysign = undef,
$sshd_config_denygroups = [], $sshd_config_allowgroups = [],
$sshd_config_denyusers = [], $sshd_config_allowusers = [],
$sshd_config_maxauthtries = undef, $sshd_config_denygroups = [],
$sshd_config_maxstartups = undef, $sshd_config_denyusers = [],
$sshd_config_maxsessions = undef, $sshd_config_maxauthtries = undef,
$sshd_config_chrootdirectory = undef, $sshd_config_maxstartups = undef,
$sshd_config_forcecommand = undef, $sshd_config_maxsessions = undef,
$sshd_config_match = undef, $sshd_config_chrootdirectory = undef,
$sshd_authorized_keys_command = undef, $sshd_config_forcecommand = undef,
$sshd_authorized_keys_command_user = undef, $sshd_config_match = undef,
$sshd_banner_content = undef, $sshd_authorized_keys_command = undef,
$sshd_banner_owner = 'root', $sshd_authorized_keys_command_user = undef,
$sshd_banner_group = 'root', $sshd_banner_content = undef,
$sshd_banner_mode = '0644', $sshd_banner_owner = 'root',
$sshd_config_xauth_location = 'USE_DEFAULTS', $sshd_banner_group = 'root',
$sshd_config_subsystem_sftp = 'USE_DEFAULTS', $sshd_banner_mode = '0644',
$sshd_kerberos_authentication = undef, $sshd_config_xauth_location = 'USE_DEFAULTS',
$sshd_password_authentication = 'yes', $sshd_config_subsystem_sftp = 'USE_DEFAULTS',
$sshd_allow_tcp_forwarding = 'yes', $sshd_kerberos_authentication = undef,
$sshd_x11_forwarding = 'yes', $sshd_password_authentication = 'yes',
$sshd_x11_use_localhost = 'yes', $sshd_allow_tcp_forwarding = 'yes',
$sshd_use_pam = 'USE_DEFAULTS', $sshd_x11_forwarding = 'yes',
$sshd_client_alive_count_max = '3', $sshd_x11_use_localhost = 'yes',
$sshd_client_alive_interval = '0', $sshd_use_pam = 'USE_DEFAULTS',
$sshd_gssapiauthentication = 'yes', $sshd_client_alive_count_max = '3',
$sshd_gssapikeyexchange = 'USE_DEFAULTS', $sshd_client_alive_interval = '0',
$sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', $sshd_gssapiauthentication = 'yes',
$sshd_gssapicleanupcredentials = 'USE_DEFAULTS', $sshd_gssapikeyexchange = 'USE_DEFAULTS',
$sshd_acceptenv = 'USE_DEFAULTS', $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS',
$sshd_config_hostkey = 'USE_DEFAULTS', $sshd_gssapicleanupcredentials = 'USE_DEFAULTS',
$sshd_listen_address = undef, $sshd_acceptenv = 'USE_DEFAULTS',
$sshd_hostbasedauthentication = 'no', $sshd_config_hostkey = 'USE_DEFAULTS',
$sshd_pubkeyacceptedkeytypes = undef, $sshd_listen_address = undef,
$sshd_pubkeyauthentication = 'yes', $sshd_hostbasedauthentication = 'no',
$sshd_ignoreuserknownhosts = 'no', $sshd_pubkeyacceptedkeytypes = undef,
$sshd_ignorerhosts = 'yes', $sshd_pubkeyauthentication = 'yes',
$manage_service = true, $sshd_ignoreuserknownhosts = 'no',
$sshd_addressfamily = 'USE_DEFAULTS', $sshd_ignorerhosts = 'yes',
$service_ensure = 'running', $manage_service = true,
$service_name = 'USE_DEFAULTS', $sshd_addressfamily = 'USE_DEFAULTS',
$service_enable = true, $service_ensure = 'running',
$service_hasrestart = true, $service_name = 'USE_DEFAULTS',
$service_hasstatus = 'USE_DEFAULTS', $service_enable = true,
$ssh_key_ensure = 'present', $service_hasrestart = true,
$ssh_key_import = true, $service_hasstatus = 'USE_DEFAULTS',
$ssh_key_type = 'ssh-rsa', $ssh_key_ensure = 'present',
$ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', $ssh_key_import = true,
$ssh_config_global_known_hosts_list = undef, $ssh_key_type = 'ssh-rsa',
$ssh_config_global_known_hosts_owner = 'root', $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts',
$ssh_config_global_known_hosts_group = 'root', $ssh_config_global_known_hosts_list = undef,
$ssh_config_global_known_hosts_mode = '0644', $ssh_config_global_known_hosts_owner = 'root',
$ssh_config_user_known_hosts_file = undef, $ssh_config_global_known_hosts_group = 'root',
$keys = undef, $ssh_config_global_known_hosts_mode = '0644',
$manage_root_ssh_config = false, $ssh_config_user_known_hosts_file = undef,
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", $keys = undef,
$sshd_config_tcp_keepalive = undef, $manage_root_ssh_config = false,
$sshd_config_permittunnel = undef, $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
$sshd_config_hostcertificate = undef, $sshd_config_tcp_keepalive = undef,
$sshd_config_trustedusercakeys = undef, $sshd_config_use_privilege_separation = undef,
$sshd_config_permittunnel = undef,
$sshd_config_hostcertificate = undef,
$sshd_config_trustedusercakeys = undef,
) { ) {
case $::osfamily { case $::osfamily {
@ -531,6 +534,9 @@ class ssh (
if $sshd_config_permituserenvironment != undef { if $sshd_config_permituserenvironment != undef {
validate_re($sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.") validate_re($sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.")
} }
if $sshd_config_compression != undef {
validate_re($sshd_config_compression, '^(yes|no|delayed)$', "ssh::sshd_config_compression may be either 'yes', 'no' or 'delayed' and is set to <${sshd_config_compression}>.")
}
case type3x($sshd_config_port) { case type3x($sshd_config_port) {
'string': { 'string': {
validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.") validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")
@ -554,6 +560,9 @@ class ssh (
validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.") validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.") validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
validate_re($sshd_x11_use_localhost, '^(yes|no)$', "ssh::sshd_x11_use_localhost may be either 'yes' or 'no' and is set to <${sshd_x11_use_localhost}>.") validate_re($sshd_x11_use_localhost, '^(yes|no)$', "ssh::sshd_x11_use_localhost may be either 'yes' or 'no' and is set to <${sshd_x11_use_localhost}>.")
if $sshd_config_print_last_log != undef {
validate_re($sshd_config_print_last_log, '^(yes|no)$', "ssh::sshd_config_print_last_log may be either 'yes' or 'no' and is set to <${sshd_config_print_last_log}>.")
}
if $sshd_use_pam_real != undef { if $sshd_use_pam_real != undef {
validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
} }
@ -821,6 +830,10 @@ class ssh (
validate_re($sshd_config_tcp_keepalive_real, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes', 'no' or 'unset' and is set to <${sshd_config_tcp_keepalive_real}>.") validate_re($sshd_config_tcp_keepalive_real, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes', 'no' or 'unset' and is set to <${sshd_config_tcp_keepalive_real}>.")
} }
if $sshd_config_use_privilege_separation != undef {
validate_re($sshd_config_use_privilege_separation, '^(yes|no|sandbox)$', "ssh::sshd_config_use_privilege_separation may be either 'yes', 'no' or 'sandbox' and is set to <${sshd_config_use_privilege_separation}>.")
}
if $sshd_config_permittunnel_real != undef { if $sshd_config_permittunnel_real != undef {
validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.") validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.")
} }
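Review bot: The three new validate_re checks (the sshd_config_compression, sshd_config_print_last_log and sshd_config_use_privilege_separation lines) anchor with `^…$`, which in the Ruby regex engine behind validate_re matches per line, so a value such as "no\nPermitRootLogin yes" passes and the template writes its second line into sshd_config as a directive of its own. Use whole-string anchors, e.g. `validate_re($sshd_config_use_privilege_separation, '\A(yes|no|sandbox)\z', ...)` and the same `\A…\z` form for the other two, so only a single whole token is accepted; the surrounding pre-existing checks share the weakness, but the new lines need not copy it. Separately, accepting 'no' for UsePrivilegeSeparation disables sshd's privilege-separation defense outright, and on OpenSSH 7.5+ the option is deprecated (I believe 'no' is then ignored with a warning — confirm against the target version), so a `warning()` when the value is 'no' would make the trade-off visible at catalog time. The enclosing class ssh starts outside this hunk.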


@ -389,82 +389,85 @@ describe 'ssh' do
context 'with params used in sshd_config set on valid osfamily' do context 'with params used in sshd_config set on valid osfamily' do
let(:params) do let(:params) do
{ {
:sshd_config_port => '22222', :sshd_config_port => '22222',
:sshd_config_syslog_facility => 'DAEMON', :sshd_config_syslog_facility => 'DAEMON',
:sshd_config_login_grace_time => '60', :sshd_config_login_grace_time => '60',
:permit_root_login => 'no', :permit_root_login => 'no',
:sshd_config_chrootdirectory => '/chrootdir', :sshd_config_chrootdirectory => '/chrootdir',
:sshd_config_forcecommand => '/force/command --with-parameter 242', :sshd_config_forcecommand => '/force/command --with-parameter 242',
:sshd_config_match => { 'User JohnDoe' => [ 'AllowTcpForwarding yes', ], }, :sshd_config_match => { 'User JohnDoe' => [ 'AllowTcpForwarding yes', ], },
:sshd_config_challenge_resp_auth => 'no', :sshd_config_challenge_resp_auth => 'no',
:sshd_config_print_motd => 'no', :sshd_config_print_motd => 'no',
:sshd_config_use_dns => 'no', :sshd_config_print_last_log => 'no',
:sshd_config_banner => '/etc/sshd_banner', :sshd_config_use_dns => 'no',
:sshd_authorized_keys_command => '/path/to/command', :sshd_config_banner => '/etc/sshd_banner',
:sshd_authorized_keys_command_user => 'asdf', :sshd_authorized_keys_command => '/path/to/command',
:sshd_banner_content => 'textinbanner', :sshd_authorized_keys_command_user => 'asdf',
:sshd_config_xauth_location => '/opt/ssh/bin/xauth', :sshd_banner_content => 'textinbanner',
:sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp', :sshd_config_xauth_location => '/opt/ssh/bin/xauth',
:sshd_kerberos_authentication => 'no', :sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp',
:sshd_password_authentication => 'no', :sshd_kerberos_authentication => 'no',
:sshd_config_permitemptypasswords => 'no', :sshd_password_authentication => 'no',
:sshd_config_permituserenvironment => 'no', :sshd_config_permitemptypasswords => 'no',
:sshd_pubkeyacceptedkeytypes => [ 'ecdsa-sha2-nistp256', :sshd_config_permituserenvironment => 'no',
'ecdsa-sha2-nistp384', :sshd_config_compression => 'no',
'ecdsa-sha2-nistp521', :sshd_pubkeyacceptedkeytypes => [ 'ecdsa-sha2-nistp256',
'ssh-ed25519', 'ecdsa-sha2-nistp384',
'ssh-rsa', 'ecdsa-sha2-nistp521',
'ssh-ed25519',
'ssh-rsa',
], ],
:sshd_pubkeyauthentication => 'no', :sshd_pubkeyauthentication => 'no',
:sshd_allow_tcp_forwarding => 'no', :sshd_allow_tcp_forwarding => 'no',
:sshd_x11_forwarding => 'no', :sshd_x11_forwarding => 'no',
:sshd_x11_use_localhost => 'no', :sshd_x11_use_localhost => 'no',
:sshd_use_pam => 'no', :sshd_use_pam => 'no',
:sshd_client_alive_interval => '242', :sshd_client_alive_interval => '242',
:sshd_config_serverkeybits => '1024', :sshd_config_serverkeybits => '1024',
:sshd_client_alive_count_max => '0', :sshd_client_alive_count_max => '0',
:sshd_config_authkey_location => '.ssh/authorized_keys', :sshd_config_authkey_location => '.ssh/authorized_keys',
:sshd_config_hostkey => [ '/etc/ssh/ssh_host_rsa_key', :sshd_config_hostkey => [ '/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_dsa_key',
], ],
:sshd_config_strictmodes => 'yes', :sshd_config_strictmodes => 'yes',
:sshd_config_ciphers => [ 'aes128-cbc', :sshd_config_ciphers => [ 'aes128-cbc',
'3des-cbc', '3des-cbc',
'blowfish-cbc', 'blowfish-cbc',
'cast128-cbc', 'cast128-cbc',
'arcfour', 'arcfour',
'aes192-cbc', 'aes192-cbc',
'aes256-cbc', 'aes256-cbc',
], ],
:sshd_config_kexalgorithms => [ 'curve25519-sha256@libssh.org', :sshd_config_kexalgorithms => [ 'curve25519-sha256@libssh.org',
'ecdh-sha2-nistp256', 'ecdh-sha2-nistp256',
'ecdh-sha2-nistp384', 'ecdh-sha2-nistp384',
'ecdh-sha2-nistp521', 'ecdh-sha2-nistp521',
'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha256',
'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group-exchange-sha1',
'diffie-hellman-group14-sha1', 'diffie-hellman-group14-sha1',
'diffie-hellman-group1-sha1', 'diffie-hellman-group1-sha1',
], ],
:sshd_config_macs => [ 'hmac-md5-etm@openssh.com', :sshd_config_macs => [ 'hmac-md5-etm@openssh.com',
'hmac-sha1-etm@openssh.com', 'hmac-sha1-etm@openssh.com',
], ],
:sshd_config_denyusers => [ 'root', :sshd_config_denyusers => [ 'root',
'lusers', 'lusers',
], ],
:sshd_config_denygroups => [ 'nossh', :sshd_config_denygroups => [ 'nossh',
'wheel', 'wheel',
], ],
:sshd_config_allowusers => [ 'foo', :sshd_config_allowusers => [ 'foo',
'bar', 'bar',
], ],
:sshd_config_allowgroups => [ 'ssh', :sshd_config_allowgroups => [ 'ssh',
'security', 'security',
], ],
:sshd_listen_address => [ '192.168.1.1', :sshd_listen_address => [ '192.168.1.1',
'2001:db8::dead:f00d', '2001:db8::dead:f00d',
], ],
:sshd_config_tcp_keepalive => 'yes', :sshd_config_tcp_keepalive => 'yes',
:sshd_config_permittunnel => 'no', :sshd_config_use_privilege_separation => 'no',
:sshd_config_permittunnel => 'no',
} }
end end
@ -488,6 +491,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) }
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^PrintMotd no$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd no$/) }
it { should contain_file('sshd_config').with_content(/^PrintLastLog no$/) }
it { should contain_file('sshd_config').with_content(/^UseDNS no$/) } it { should contain_file('sshd_config').with_content(/^UseDNS no$/) }
it { should contain_file('sshd_config').with_content(/^Banner \/etc\/sshd_banner$/) } it { should contain_file('sshd_config').with_content(/^Banner \/etc\/sshd_banner$/) }
it { should contain_file('sshd_config').with_content(/^XAuthLocation \/opt\/ssh\/bin\/xauth$/) } it { should contain_file('sshd_config').with_content(/^XAuthLocation \/opt\/ssh\/bin\/xauth$/) }
@ -511,6 +515,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) } it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment no/) } it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment no/) }
it { should contain_file('sshd_config').with_content(/^Compression no$/) }
it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords no/) } it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords no/) }
it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) } it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }
it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) } it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
@ -534,6 +539,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) } it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) }
it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) } it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) }
it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) } it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation no$/) }
it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) } it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) }
it { it {
@ -622,6 +628,26 @@ describe 'ssh' do
end end
describe 'sshd_config_print_last_log param' do
['yes','no'].each do |value|
context "set to #{value}" do
let (:params) { { :sshd_config_print_last_log => value } }
it { should contain_file('sshd_config').with_content(/^PrintLastLog #{value}$/) }
end
end
context 'when set to an invalid value' do
let (:params) { { :sshd_config_print_last_log => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_print_last_log may be either \'yes\' or \'no\' and is set to <invalid>\./)
end
end
end
describe 'sshd_listen_address param' do describe 'sshd_listen_address param' do
context 'when set to an array' do context 'when set to an array' do
let(:params) { {'sshd_listen_address' => ['192.168.1.1','2001:db8::dead:f00d'] } } let(:params) { {'sshd_listen_address' => ['192.168.1.1','2001:db8::dead:f00d'] } }
@ -967,6 +993,26 @@ describe 'ssh' do
end end
end end
describe 'sshd_config_compression param' do
['yes','no','delayed'].each do |value|
context "set to #{value}" do
let (:params) { { :sshd_config_compression => value } }
it { should contain_file('sshd_config').with_content(/^Compression #{value}$/) }
end
end
context 'when set to an invalid value' do
let (:params) { { :sshd_config_compression => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_compression may be either \'yes\', \'no\' or \'delayed\' and is set to <invalid>\./)
end
end
end
describe 'sshd_config_port param' do describe 'sshd_config_port param' do
context 'when set to an array' do context 'when set to an array' do
let(:params) { {'sshd_config_port' => ['22222', '22223'] } } let(:params) { {'sshd_config_port' => ['22222', '22223'] } }
@ -2392,6 +2438,26 @@ describe 'ssh' do
end end
end end
describe 'sshd_config_use_privilege_separation param' do
['yes','no','sandbox'].each do |value|
context "set to #{value}" do
let (:params) { { :sshd_config_use_privilege_separation => value } }
it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation #{value}$/) }
end
end
context 'when set to an invalid value' do
let (:params) { { :sshd_config_use_privilege_separation => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_use_privilege_separation may be either \'yes\', \'no\' or \'sandbox\' and is set to <invalid>\./)
end
end
end
describe 'with parameter sshd_addressfamily' do describe 'with parameter sshd_addressfamily' do
['any','inet','inet6'].each do |value| ['any','inet','inet6'].each do |value|
context "set to a valid entry of #{value}" do context "set to a valid entry of #{value}" do
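Review bot: The new describe blocks for sshd_config_print_last_log, sshd_config_compression and sshd_config_use_privilege_separation only exercise explicit values, so nothing visible here asserts that the directive is omitted from sshd_config when the parameter is left at its undef default. The spec already uses the negative form for MaxAuthTries (`it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }`); add the matching assertion to each new describe under a context with no params, e.g. `it { should_not contain_file('sshd_config').with_content(/^UsePrivilegeSeparation/) }`. The 'when set to an invalid value' contexts also try only the token 'invalid'; a value with an embedded newline would be a worthwhile extra case, since the validation regex anchors with ^/$ rather than \A/\z and the template emits the value unescaped.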


@ -168,17 +168,26 @@ X11UseLocalhost <%= @sshd_x11_use_localhost %>
#PrintMotd yes #PrintMotd yes
PrintMotd <%= @sshd_config_print_motd %> PrintMotd <%= @sshd_config_print_motd %>
#PrintLastLog yes #PrintLastLog yes
<% if @sshd_config_print_last_log != nil -%>
PrintLastLog <%= @sshd_config_print_last_log %>
<% end -%>
#TCPKeepAlive yes #TCPKeepAlive yes
<% if @sshd_config_tcp_keepalive_real != nil -%> <% if @sshd_config_tcp_keepalive_real != nil -%>
TCPKeepAlive <%= @sshd_config_tcp_keepalive_real %> TCPKeepAlive <%= @sshd_config_tcp_keepalive_real %>
<% end -%> <% end -%>
#UseLogin no #UseLogin no
#UsePrivilegeSeparation yes #UsePrivilegeSeparation yes
<% if @sshd_config_use_privilege_separation != nil -%>
UsePrivilegeSeparation <%= @sshd_config_use_privilege_separation %>
<% end -%>
#PermitUserEnvironment no #PermitUserEnvironment no
<% if @sshd_config_permituserenvironment != nil -%> <% if @sshd_config_permituserenvironment != nil -%>
PermitUserEnvironment <%= @sshd_config_permituserenvironment %> PermitUserEnvironment <%= @sshd_config_permituserenvironment %>
<% end -%> <% end -%>
#Compression delayed #Compression delayed
<% if @sshd_config_compression != nil -%>
Compression <%= @sshd_config_compression %>
<% end -%>
#ClientAliveInterval 0 #ClientAliveInterval 0
ClientAliveInterval <%= @sshd_client_alive_interval %> ClientAliveInterval <%= @sshd_client_alive_interval %>
ClientAliveCountMax <%= @sshd_client_alive_count_max %> ClientAliveCountMax <%= @sshd_client_alive_count_max %>
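Review bot: The new UsePrivilegeSeparation block emits whatever the parameter holds with no note on version sensitivity, and a value sshd rejects on restart locks operators out of the host, which for a privilege-separation setting is an easy mistake to make. I would add an ERB comment above the block, e.g. `<%# 'sandbox' needs a sufficiently new OpenSSH and the option is deprecated on 7.5+ (verify against the target sshd before setting) -%>`, so the hazard is visible where the value is written. The same applies in milder form to the Compression block, where 'delayed' is not understood by every sshd the module may manage; a one-line comment there referencing the README entry would suffice.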