Release v3.0.0

Remove sshd_config_sendenv_xmodifiers parameter which introduced a bug
that would prevent sshd from running.

Change default behavior of sshd to permit root to login. This is done to
be in line with the standard default of sshd. If you want to block root
from logging in by default, set the following in hiera.

ssh::permit_root_login: false
Garrett Honeycutt 2013-10-31 20:13:05 +01:00
parent 8c1e058343
commit 5971660ec3
6 changed files with 20 additions and 75 deletions

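--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@ doc/
 metadata.json
 coverage/
 spec/fixtures/modules/*
+Gemfile.lock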


@ -1,5 +1,5 @@
name 'ghoneycutt-ssh' name 'ghoneycutt-ssh'
version '2.5.0' version '3.0.0'
source 'git://github.com/ghoneycutt/puppet-module-ssh.git' source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
author 'ghoneycutt' author 'ghoneycutt'
license 'Apache License, Version 2.0' license 'Apache License, Version 2.0'
@ -8,5 +8,5 @@ description 'Manage SSH'
project_page 'https://github.com/ghoneycutt/puppet-module-ssh' project_page 'https://github.com/ghoneycutt/puppet-module-ssh'
dependency 'puppetlabs/stdlib', '3.2.x' dependency 'puppetlabs/stdlib', '3.2.x'
dependency 'ghoneycutt/common', '1.0.0' dependency 'ghoneycutt/common', '1.0.2'
dependency 'puppetlabs/firewall' dependency 'puppetlabs/firewall'


@ -63,7 +63,7 @@ ServerAliveInterval option in ssh_config. Not set by default.
ssh_config_sendenv_xmodifiers ssh_config_sendenv_xmodifiers
----------------------- -----------------------
Set 'SendEnv XMODIFIERS' in ssh_config. Boolean to set 'SendEnv XMODIFIERS' in ssh_config.
- *Default*: false - *Default*: false
@ -180,12 +180,6 @@ This option applies to protocol version 2 only.
- *Default*: '0' - *Default*: '0'
sshd_config_sendenv_xmodifiers
-----------------------
Set 'SendEnv XMODIFIERS' in sshd_config.
- *Default*: false
keys keys
---- ----
Hash of keys for user's ~/.ssh/authorized_keys Hash of keys for user's ~/.ssh/authorized_keys
@ -196,13 +190,13 @@ packages
-------- --------
Array of package names used for installation. Array of package names used for installation.
- *Default*: 'openssh-server', 'openssh-server', 'openssh-clients' - *Default*: Based on OS
permit_root_login permit_root_login
----------------- -----------------
Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', 'no'. Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', and 'no'.
- *Default*: no - *Default*: yes
purge_keys purge_keys
---------- ----------
@ -226,7 +220,7 @@ service_name
------------ ------------
Name of the SSH service. Name of the SSH service.
- *Default*: 'sshd' - *Default*: Based on OS
service_enable service_enable
-------------- --------------


@ -4,7 +4,7 @@
# #
class ssh ( class ssh (
$packages = 'USE_DEFAULTS', $packages = 'USE_DEFAULTS',
$permit_root_login = 'no', $permit_root_login = 'yes',
$purge_keys = 'true', $purge_keys = 'true',
$manage_firewall = false, $manage_firewall = false,
$ssh_config_path = '/etc/ssh/ssh_config', $ssh_config_path = '/etc/ssh/ssh_config',
@ -27,7 +27,6 @@ class ssh (
$sshd_config_banner = 'none', $sshd_config_banner = 'none',
$sshd_config_xauth_location = '/usr/bin/xauth', $sshd_config_xauth_location = '/usr/bin/xauth',
$sshd_config_subsystem_sftp = 'USE_DEFAULTS', $sshd_config_subsystem_sftp = 'USE_DEFAULTS',
$sshd_config_sendenv_xmodifiers = false,
$service_ensure = 'running', $service_ensure = 'running',
$service_name = 'USE_DEFAULTS', $service_name = 'USE_DEFAULTS',
$service_enable = 'true', $service_enable = 'true',
@ -64,18 +63,6 @@ class ssh (
} }
} }
case type($sshd_config_sendenv_xmodifiers) {
'string': {
$sshd_config_sendenv_xmodifiers_real = str2bool($sshd_config_sendenv_xmodifiers)
}
'boolean': {
$sshd_config_sendenv_xmodifiers_real = $sshd_config_sendenv_xmodifiers
}
default: {
fail("sshd_config_sendenv_xmodifiers type must be true or false.")
}
}
case $permit_root_login { case $permit_root_login {
'no', 'yes', 'without-password', 'forced-commands-only': { 'no', 'yes', 'without-password', 'forced-commands-only': {
# noop # noop
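Review bot: The new default `'yes'` for `$permit_root_login` in the first hunk (`@ -4,7 +4,7`) is the most permissive value the class accepts, and the release note's hiera example `ssh::permit_root_login: false` is not one of the values the case statement in the last hunk recognises (`'no'`, `'yes'`, `'without-password'`, `'forced-commands-only'`), so a user following that advice would presumably land in the case's default branch (outside this hunk) rather than restrict root login. Because the change silently flips an existing deployment from `PermitRootLogin no` to `PermitRootLogin yes` on upgrade, the parameter should say so where it is declared, e.g. `$permit_root_login = 'yes', # sshd's shipped default; set 'no' or 'without-password' to restrict root`, and the release note's example should use a string the validation accepts, `ssh::permit_root_login: 'no'`. The `class ssh` definition begins before the first hunk and continues past the last one.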


@ -32,6 +32,7 @@ describe 'ssh' do
} }
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -50,7 +51,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) }
it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) }
it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) }
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) }
it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) } it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) }
@ -130,6 +131,7 @@ describe 'ssh' do
} }
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -148,7 +150,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) }
it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) }
it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) }
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) }
it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) } it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) }
@ -211,6 +213,7 @@ describe 'ssh' do
} }
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -229,7 +232,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) }
it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) }
it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) }
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) }
it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) } it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) }
@ -292,6 +295,7 @@ describe 'ssh' do
} }
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -310,7 +314,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) }
it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) }
it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) } it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) }
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) }
it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) } it { should contain_file('sshd_config').with_content(/^UseDNS yes$/) }
@ -370,6 +374,7 @@ describe 'ssh' do
} }
it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) } it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) }
it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) } it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) }
it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) } it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) }
@ -388,7 +393,7 @@ describe 'ssh' do
{ {
:sshd_config_syslog_facility => 'DAEMON', :sshd_config_syslog_facility => 'DAEMON',
:sshd_config_login_grace_time => '60', :sshd_config_login_grace_time => '60',
:permit_root_login => 'yes', :permit_root_login => 'no',
:sshd_config_challenge_resp_auth => 'yes', :sshd_config_challenge_resp_auth => 'yes',
:sshd_config_print_motd => 'no', :sshd_config_print_motd => 'no',
:sshd_config_use_dns => 'no', :sshd_config_use_dns => 'no',
@ -400,7 +405,6 @@ describe 'ssh' do
:sshd_x11_forwarding => 'no', :sshd_x11_forwarding => 'no',
:sshd_use_pam => 'no', :sshd_use_pam => 'no',
:sshd_client_alive_interval => '242', :sshd_client_alive_interval => '242',
:sshd_config_sendenv_xmodifiers => true,
} }
end end
@ -417,7 +421,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^SyslogFacility DAEMON$/) } it { should contain_file('sshd_config').with_content(/^SyslogFacility DAEMON$/) }
it { should contain_file('sshd_config').with_content(/^LoginGraceTime 60$/) } it { should contain_file('sshd_config').with_content(/^LoginGraceTime 60$/) }
it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) } it { should contain_file('sshd_config').with_content(/^PermitRootLogin no$/) }
it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^PrintMotd no$/) } it { should contain_file('sshd_config').with_content(/^PrintMotd no$/) }
it { should contain_file('sshd_config').with_content(/^UseDNS no$/) } it { should contain_file('sshd_config').with_content(/^UseDNS no$/) }
@ -429,7 +433,6 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM no$/) } it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
it { should contain_file('sshd_config').with_content(/^SendEnv XMODIFIERS$/) }
end end
context 'with manage_root_ssh_config set to \'true\' on valid osfamily' do context 'with manage_root_ssh_config set to \'true\' on valid osfamily' do
@ -622,42 +625,6 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) } it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
end end
context 'with sshd_config_sendenv_xmodifiers set to invalid type, array' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{ :sshd_config_sendenv_xmodifiers => ['invalid','type'] }
end
it 'should fail' do
expect {
should include_class('ssh')
}.to raise_error(Puppet::Error,/sshd_config_sendenv_xmodifiers type must be true or false./)
end
end
context 'with sshd_config_sendenv_xmodifiers set to stringified true' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{
:sshd_config_sendenv_xmodifiers => 'true',
}
end
it { should contain_file('sshd_config').with_content(/^SendEnv XMODIFIERS$/) }
end
context 'with manage_firewall set to true on valid osfamily' do context 'with manage_firewall set to true on valid osfamily' do
let :facts do let :facts do
{ {
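Review bot: The new `it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }` assertion is pasted verbatim into five default-configuration contexts (hunks `@ -32,6`, `@ -130,6`, `@ -211,6`, `@ -292,6` and `@ -370,6`), the same copy-per-context pattern that made the removed sendenv contexts so large. Moving the shared header and `Protocol 2` assertions into a `shared_examples 'default ssh_config'` block and pulling it in with `include_examples` in each context would let the next default change touch one place. The enclosing `describe 'ssh' do` block starts before the first hunk and ends after the last one.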


@ -130,7 +130,3 @@ XAuthLocation <%= @sshd_config_xauth_location %>
# override default of no subsystems # override default of no subsystems
Subsystem sftp <%= @sshd_config_subsystem_sftp_real %> Subsystem sftp <%= @sshd_config_subsystem_sftp_real %>
<% if @sshd_config_sendenv_xmodifiers_real == true -%>
SendEnv XMODIFIERS
<% end -%>