Align fixtures with 20.04 defaults

Align fixtures with defaults
This commit is contained in:
mergwyn 2020-06-11 20:49:23 +01:00
parent 8baa6760dc
commit 57814688cd
6 changed files with 200 additions and 146 deletions


@ -110,6 +110,7 @@ class ssh (
$ssh_config_global_known_hosts_group = 'root', $ssh_config_global_known_hosts_group = 'root',
$ssh_config_global_known_hosts_mode = '0644', $ssh_config_global_known_hosts_mode = '0644',
$ssh_config_user_known_hosts_file = undef, $ssh_config_user_known_hosts_file = undef,
Optional[Ssh::Include] $ssh_config_include = 'USE_DEFAULTS',
$config_entries = {}, $config_entries = {},
$keys = undef, $keys = undef,
$manage_root_ssh_config = false, $manage_root_ssh_config = false,
@ -122,6 +123,7 @@ class ssh (
$sshd_config_key_revocation_list = undef, $sshd_config_key_revocation_list = undef,
$sshd_config_authorized_principals_file = undef, $sshd_config_authorized_principals_file = undef,
$sshd_config_allowagentforwarding = undef, $sshd_config_allowagentforwarding = undef,
Optional[Ssh::Include] $sshd_config_include = 'USE_DEFAULTS',
) { ) {
case $::osfamily { case $::osfamily {
@ -134,6 +136,7 @@ class ssh (
$default_ssh_package_source = undef $default_ssh_package_source = undef
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
$default_sshd_config_mode = '0600' $default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes' $default_sshd_config_use_dns = 'yes'
@ -153,6 +156,7 @@ class ssh (
$default_sshd_addressfamily = 'any' $default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no' $default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
} }
'Suse': { 'Suse': {
$default_packages = 'openssh' $default_packages = 'openssh'
@ -162,6 +166,7 @@ class ssh (
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_config_forward_x11_trusted = 'yes'
$default_ssh_config_include = undef
$default_sshd_config_mode = '0600' $default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes' $default_sshd_config_use_dns = 'yes'
$default_sshd_config_xauth_location = '/usr/bin/xauth' $default_sshd_config_xauth_location = '/usr/bin/xauth'
@ -176,6 +181,7 @@ class ssh (
$default_sshd_addressfamily = 'any' $default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no' $default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
case $::architecture { case $::architecture {
'x86_64': { 'x86_64': {
if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) { if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) {
@ -212,6 +218,7 @@ class ssh (
$default_ssh_package_source = undef $default_ssh_package_source = undef
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600' $default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes' $default_sshd_config_use_dns = 'yes'
@ -225,6 +232,7 @@ class ssh (
$default_sshd_addressfamily = 'any' $default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no' $default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
} }
'18.04': { '18.04': {
$default_sshd_config_hostkey = [ $default_sshd_config_hostkey = [
@ -239,6 +247,7 @@ class ssh (
$default_ssh_package_source = undef $default_ssh_package_source = undef
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600' $default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes' $default_sshd_config_use_dns = 'yes'
@ -252,32 +261,37 @@ class ssh (
$default_sshd_addressfamily = 'any' $default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no' $default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
} }
'20.04': { '20.04': {
$default_sshd_config_hostkey = [ $default_service_hasstatus = true
'/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_dsa_key',
'/etc/ssh/ssh_host_ecdsa_key',
'/etc/ssh/ssh_host_ed25519_key',
]
$default_ssh_config_hash_known_hosts = 'yes'
$default_sshd_config_xauth_location = undef
$default_ssh_config_forward_x11_trusted = 'yes'
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_ssh_package_source = undef
$default_ssh_config_hash_known_hosts = 'yes'
$default_ssh_gssapiauthentication = 'yes'
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_ssh_config_forward_x11_trusted = 'yes'
$default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf'
$default_sshd_acceptenv = true
$default_sshd_addressfamily = 'any'
#$default_sshd_config_challenge_resp_auth = 'no'
$default_sshd_config_hostkey = []
$default_sshd_config_mode = '0600' $default_sshd_config_mode = '0600'
$default_sshd_config_permittunnel = undef
$default_sshd_config_print_motd = 'no'
$default_sshd_config_serverkeybits = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_tcp_keepalive = undef
$default_sshd_config_use_dns = 'yes' $default_sshd_config_use_dns = 'yes'
$default_sshd_use_pam = 'yes' $default_sshd_config_xauth_location = undef
$default_sshd_gssapiauthentication = 'yes'
$default_sshd_gssapicleanupcredentials = 'yes'
$default_sshd_gssapikeyexchange = undef $default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef $default_sshd_pamauthenticationviakbdint = undef
$default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_use_pam = 'yes'
$default_sshd_acceptenv = true $default_sshd_x11_forwarding = 'yes'
$default_service_hasstatus = true $default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf'
$default_sshd_config_serverkeybits = '1024' }
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
/^10.*/: { /^10.*/: {
$default_sshd_config_hostkey = [ $default_sshd_config_hostkey = [
'/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_rsa_key',
@ -287,6 +301,7 @@ class ssh (
$default_sshd_config_mode = '0600' $default_sshd_config_mode = '0600'
$default_sshd_use_pam = 'yes' $default_sshd_use_pam = 'yes'
$default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_config_forward_x11_trusted = 'yes'
$default_ssh_config_include = undef
$default_sshd_acceptenv = true $default_sshd_acceptenv = true
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_ssh_config_hash_known_hosts = 'yes' $default_ssh_config_hash_known_hosts = 'yes'
@ -303,6 +318,7 @@ class ssh (
$default_sshd_gssapikeyexchange = undef $default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef $default_sshd_pamauthenticationviakbdint = undef
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_include = undef
} }
/^9.*/: { /^9.*/: {
$default_sshd_config_hostkey = [ $default_sshd_config_hostkey = [
@ -317,6 +333,7 @@ class ssh (
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_ssh_config_hash_known_hosts = 'yes' $default_ssh_config_hash_known_hosts = 'yes'
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_addressfamily = undef $default_sshd_addressfamily = undef
$default_sshd_config_serverkeybits = undef $default_sshd_config_serverkeybits = undef
$default_sshd_gssapicleanupcredentials = undef $default_sshd_gssapicleanupcredentials = undef
@ -328,6 +345,7 @@ class ssh (
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_sshd_gssapikeyexchange = undef $default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef $default_sshd_pamauthenticationviakbdint = undef
$default_sshd_config_include = undef
$default_service_hasstatus = true $default_service_hasstatus = true
} }
/^7.*/: { /^7.*/: {
@ -338,6 +356,7 @@ class ssh (
$default_ssh_package_source = undef $default_ssh_package_source = undef
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600' $default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes' $default_sshd_config_use_dns = 'yes'
@ -351,6 +370,7 @@ class ssh (
$default_sshd_addressfamily = 'any' $default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no' $default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
} }
/^8.*/: { /^8.*/: {
@ -359,6 +379,7 @@ class ssh (
$default_ssh_package_source = undef $default_ssh_package_source = undef
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_hostkey = [ $default_sshd_config_hostkey = [
'/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_dsa_key',
@ -379,6 +400,7 @@ class ssh (
$default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no' $default_sshd_config_permittunnel = 'no'
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_include = undef
} }
default: { fail ("Operating System : ${::operatingsystemrelease} not supported") } default: { fail ("Operating System : ${::operatingsystemrelease} not supported") }
} }
@ -387,6 +409,7 @@ class ssh (
$default_ssh_config_hash_known_hosts = undef $default_ssh_config_hash_known_hosts = undef
$default_ssh_sendenv = false $default_ssh_sendenv = false
$default_ssh_config_forward_x11_trusted = undef $default_ssh_config_forward_x11_trusted = undef
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
$default_sshd_config_mode = '0644' $default_sshd_config_mode = '0644'
$default_sshd_config_use_dns = undef $default_sshd_config_use_dns = undef
@ -402,6 +425,7 @@ class ssh (
$default_sshd_addressfamily = undef $default_sshd_addressfamily = undef
$default_sshd_config_tcp_keepalive = undef $default_sshd_config_tcp_keepalive = undef
$default_sshd_config_permittunnel = undef $default_sshd_config_permittunnel = undef
$default_sshd_config_include = undef
case $::kernelrelease { case $::kernelrelease {
'5.11': { '5.11': {
$default_packages = ['network/ssh', $default_packages = ['network/ssh',
@ -567,6 +591,12 @@ class ssh (
$ssh_config_use_roaming_real = $ssh_config_use_roaming $ssh_config_use_roaming_real = $ssh_config_use_roaming
} }
if $ssh_config_include == 'USE_DEFAULTS' {
$ssh_config_include_real = $default_ssh_config_include
} else {
$ssh_config_include_real = $ssh_config_include
}
if $ssh_sendenv == 'USE_DEFAULTS' { if $ssh_sendenv == 'USE_DEFAULTS' {
$ssh_sendenv_real = $default_ssh_sendenv $ssh_sendenv_real = $default_ssh_sendenv
} else { } else {
@ -636,6 +666,12 @@ class ssh (
$sshd_addressfamily_real = $sshd_addressfamily $sshd_addressfamily_real = $sshd_addressfamily
} }
if $sshd_config_include == 'USE_DEFAULTS' {
$sshd_config_include_real = $default_sshd_config_include
} else {
$sshd_config_include_real = $sshd_config_include
}
case $sshd_config_maxsessions { case $sshd_config_maxsessions {
'unset', undef: { $sshd_config_maxsessions_integer = undef } 'unset', undef: { $sshd_config_maxsessions_integer = undef }
default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) } default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) }
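Review bot: The reworked '20.04' branch leaves `#$default_sshd_config_challenge_resp_auth = 'no'` commented out next to the live defaults, which reads as an unresolved decision rather than a deliberate omission; either set the default or drop the line. `$default_sshd_config_hostkey = []` is the only branch with an empty host key list and the fixture for 20.04 correspondingly drops every HostKey line, so a why-comment would help, e.g. `# 20.04: emit no HostKey lines and rely on sshd's built-in host key list` (presumably the intent — confirm). It is also worth stating in the parameter docs that `$ssh_config_include` / `$sshd_config_include` only resolve to a non-undef default on Ubuntu 20.04, since every other branch sets them to undef. The body of class ssh starts and ends outside these hunks.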


@ -20,6 +20,8 @@
# list of available options, their meanings and defaults, please see the # list of available options, their meanings and defaults, please see the
# ssh_config(5) man page. # ssh_config(5) man page.
Include /etc/ssh/ssh_config.d/*.conf
# Host * # Host *
# ForwardAgent no # ForwardAgent no
# ForwardX11 no # ForwardX11 no


@ -13,6 +13,8 @@
# possible, but leave them commented. Uncommented options change a # possible, but leave them commented. Uncommented options change a
# default value. # default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22 #Port 22
Port 22 Port 22
#Protocol 2,1 #Protocol 2,1
@ -25,15 +27,10 @@ AddressFamily any
# HostKeys for protocol version 2 # HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key # Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h #KeyRegenerationInterval 1h
#ServerKeyBits 1024 #ServerKeyBits 1024
ServerKeyBits 1024
# Logging # Logging
# obsoletes QuietMode and FascistLogging # obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH #SyslogFacility AUTH
@ -115,7 +112,6 @@ X11UseLocalhost yes
PrintMotd yes PrintMotd yes
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
TCPKeepAlive yes
#UseLogin no #UseLogin no
#UsePrivilegeSeparation yes #UsePrivilegeSeparation yes
#PermitUserEnvironment no #PermitUserEnvironment no
@ -131,7 +127,6 @@ UseDNS yes
#MaxSessions 10 #MaxSessions 10
#PermitTunnel no #PermitTunnel no
PermitTunnel no
#ChrootDirectory none #ChrootDirectory none
# no default banner path # no default banner path


@ -20,6 +20,14 @@
# list of available options, their meanings and defaults, please see the # list of available options, their meanings and defaults, please see the
# ssh_config(5) man page. # ssh_config(5) man page.
<% if defined?(@ssh_config_include_real) -%>
<% if @ssh_config_include_real.is_a? Array -%>
Include <%= @ssh_config_include_real.join(' ') %>
<% else -%>
Include <%= @ssh_config_include_real %>
<% end -%>
<% end -%>
# Host * # Host *
# ForwardAgent no # ForwardAgent no
# ForwardX11 no # ForwardX11 no
@ -75,7 +83,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
# If this option is set to yes then remote X11 clients will have full access # If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted # to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes. # mode correctly we set this to yes.
<% if @ssh_config_forward_x11_trusted_real != nil -%> <% if defined?(@ssh_config_forward_x11_trusted_real) -%>
ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %> ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %>
<% end -%> <% end -%>
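Review bot: The new Include block is rendered before every other directive in the file, and because ssh uses the first value obtained for a keyword, any drop-in matched by the 20.04 default `/etc/ssh/ssh_config.d/*.conf` takes precedence over the settings this template manages further down; the sshd_config.erb hunk in this commit has the same structure with `/etc/ssh/sshd_config.d/*.conf`, where an unmanaged drop-in can likewise override authentication-related directives the module renders. That placement mirrors the stock Ubuntu files, so it is probably intended, but nothing on the page documents it. I would add a comment above the block, `# Include is placed first on purpose: ssh/sshd keep the first value seen for a keyword, so drop-ins override the settings below`, and state in the parameter docs that the drop-in directory itself is not managed by this module (the diff adds no resource for it — confirm).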
<% if @ssh_config_forward_agent != nil -%> <% if @ssh_config_forward_agent != nil -%>


@ -13,13 +13,21 @@
# possible, but leave them commented. Uncommented options change a # possible, but leave them commented. Uncommented options change a
# default value. # default value.
<% if defined?(@sshd_config_include_real) -%>
<% if @sshd_config_include_real.is_a? Array -%>
Include <%= @sshd_config_include_real.join(' ') %>
<% else -%>
Include <%= @sshd_config_include_real %>
<% end -%>
<% end -%>
#Port 22 #Port 22
<% @sshd_config_port_array.each do |p| -%> <% @sshd_config_port_array.each do |p| -%>
<%= "Port #{p}" %> <%= "Port #{p}" %>
<% end -%> <% end -%>
#Protocol 2,1 #Protocol 2,1
Protocol 2 Protocol 2
<% if @sshd_addressfamily_real != nil -%> <% if defined?(@sshd_addressfamily_real) -%>
#AddressFamily any #AddressFamily any
AddressFamily <%= @sshd_addressfamily_real %> AddressFamily <%= @sshd_addressfamily_real %>
<% end -%> <% end -%>
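Review bot: The five-line Array/else branch inside the `defined?(@sshd_config_include_real)` guard can be a single line, since `Array()` wraps a scalar and passes an array through unchanged: `Include <%= Array(@sshd_config_include_real).join(' ') %>`; the ssh_config.erb hunk duplicates the same block and would collapse the same way. The unrelated switch from `!= nil` to `defined?` on the AddressFamily guard is not mentioned in the commit message; if the two forms are meant to be equivalent here it deserves a sentence in the description, otherwise it belongs in its own commit.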

types/include.pp Normal file

@ -0,0 +1,5 @@
# config files to be includes
# @summary
# directory of array of directories to be included
#
type Ssh::Include = Variant[String[1],Array[String[1]]]
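Review bot: The doc comment on the new type does not describe what it holds: it says "directory of array of directories" while the values the commit actually assigns are glob patterns such as `/etc/ssh/sshd_config.d/*.conf` that are passed straight to the Include directive, and "to be includes" is a typo. I would replace the header with `# @summary Path or glob pattern, or an array of them, rendered as the argument of an ssh_config/sshd_config Include directive` and drop the stray first line. Since `String[1]` only rejects the empty string, a note that elements must not contain whitespace (the template joins them with a space) would also save a caller a surprise.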