diff --git a/.travis.yml b/.travis.yml index 0650a11..2d9d92b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,7 @@ cache: bundler before_install: - if [ $BUNDLER_VERSION ]; then - gem install -v $BUNDLER_VERSION bundler --no-rdoc --no-ri; + gem install -v $BUNDLER_VERSION bundler --no-document; fi - bundle -v - rm Gemfile.lock || true diff --git a/CHANGELOG.md b/CHANGELOG.md index 879fd57..9c25105 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### v3.62.0 - 2020-09-07 + * Support Ubuntu 20.04 LTS + ### v3.61.0 - 2019-05-01 * Support Debian 8 * Support Ubuntu 18.04 LTS diff --git a/LICENSE b/LICENSE index 20386f8..b6a116e 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (C) 2010-2019 Garrett Honeycutt +Copyright (C) 2010-2020 Garrett Honeycutt Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/README.md b/README.md index 8eab242..1672d1f 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ for the exact matrix of supported Puppet and ruby versions. * Debian 7 * Debian 8 * Debian 9 + * Debian 10 * EL 5 * EL 6 * EL 7 @@ -40,6 +41,7 @@ for the exact matrix of supported Puppet and ruby versions. * Ubuntu 14.04 LTS * Ubuntu 16.04 LTS * Ubuntu 18.04 LTS + * Ubuntu 20.04 LTS * Solaris 9 * Solaris 10 * Solaris 11 @@ -427,7 +429,7 @@ X11Forwarding in sshd_config. Specifies whether X11 forwarding is permitted. sshd_x11_use_localhost ---------------------- -X11UseLocalhost in sshd_config. Specifies if sshd should bind the X11 forwarding server +X11UseLocalhost in sshd_config. Specifies if sshd should bind the X11 forwarding server to the loopback address or to the wildcard address. - *Default*: 'yes' diff --git a/Rakefile b/Rakefile index 93b6400..d49cd0b 100644 --- a/Rakefile +++ b/Rakefile @@ -2,6 +2,7 @@ require 'puppetlabs_spec_helper/rake_tasks' require 'puppet-lint/tasks/puppet-lint' PuppetLint.configuration.send('disable_80chars') PuppetLint.configuration.send('disable_140chars') +PuppetLint.configuration.send('disable_relative_classname_inclusion') PuppetLint.configuration.relative = true PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp', 'vendor/**/*.pp'] diff --git a/manifests/init.pp b/manifests/init.pp index c077a75..46dc431 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -3,125 +3,127 @@ # Manage ssh client and server # class ssh ( - $hiera_merge = false, - $packages = 'USE_DEFAULTS', - $permit_root_login = 'yes', - $purge_keys = true, - $manage_firewall = false, - $ssh_package_source = 'USE_DEFAULTS', - $ssh_package_adminfile = 'USE_DEFAULTS', - $ssh_config_hash_known_hosts = 'USE_DEFAULTS', - $ssh_config_path = '/etc/ssh/ssh_config', - $ssh_config_owner = 'root', - $ssh_config_group = 'root', - $ssh_config_mode = '0644', - $ssh_config_forward_x11 = undef, - $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', - $ssh_config_forward_agent = undef, - $ssh_config_server_alive_interval = undef, - $ssh_config_sendenv_xmodifiers = false, - $ssh_hostbasedauthentication = undef, - $ssh_config_proxy_command = undef, - $ssh_strict_host_key_checking = undef, - $ssh_config_ciphers = undef, - $ssh_config_kexalgorithms = undef, - $ssh_config_macs = undef, - $ssh_config_use_roaming = 'USE_DEFAULTS', - $ssh_config_template = 'ssh/ssh_config.erb', - $ssh_sendenv = 'USE_DEFAULTS', - $ssh_gssapiauthentication = 'yes', - $ssh_gssapidelegatecredentials = undef, - $sshd_config_path = '/etc/ssh/sshd_config', - $sshd_config_owner = 'root', - $sshd_config_group = 'root', - $sshd_config_loglevel = 'INFO', - $sshd_config_mode = 'USE_DEFAULTS', - $sshd_config_permitemptypasswords = undef, - $sshd_config_permituserenvironment = undef, - $sshd_config_compression = undef, - $sshd_config_port = '22', - $sshd_config_syslog_facility = 'AUTH', - $sshd_config_template = 'ssh/sshd_config.erb', - $sshd_config_login_grace_time = '120', - $sshd_config_challenge_resp_auth = 'yes', - $sshd_config_print_motd = 'yes', - $sshd_config_print_last_log = undef, - $sshd_config_use_dns = 'USE_DEFAULTS', - $sshd_config_authkey_location = undef, - $sshd_config_strictmodes = undef, - $sshd_config_serverkeybits = 'USE_DEFAULTS', - $sshd_config_banner = 'none', - $sshd_config_ciphers = undef, - $sshd_config_kexalgorithms = undef, - $sshd_config_macs = undef, - $ssh_enable_ssh_keysign = undef, - $sshd_config_allowgroups = [], - $sshd_config_allowusers = [], - $sshd_config_denygroups = [], - $sshd_config_denyusers = [], - $sshd_config_maxauthtries = undef, - $sshd_config_maxstartups = undef, - $sshd_config_maxsessions = undef, - $sshd_config_chrootdirectory = undef, - $sshd_config_forcecommand = undef, - $sshd_config_match = undef, - $sshd_authorized_keys_command = undef, - $sshd_authorized_keys_command_user = undef, - $sshd_banner_content = undef, - $sshd_banner_owner = 'root', - $sshd_banner_group = 'root', - $sshd_banner_mode = '0644', - $sshd_config_xauth_location = 'USE_DEFAULTS', - $sshd_config_subsystem_sftp = 'USE_DEFAULTS', - $sshd_kerberos_authentication = undef, - $sshd_password_authentication = 'yes', - $sshd_allow_tcp_forwarding = 'yes', - $sshd_x11_forwarding = 'yes', - $sshd_x11_use_localhost = 'yes', - $sshd_use_pam = 'USE_DEFAULTS', - $sshd_client_alive_count_max = '3', - $sshd_client_alive_interval = '0', - $sshd_gssapiauthentication = 'yes', - $sshd_gssapikeyexchange = 'USE_DEFAULTS', - $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', - $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', - $sshd_acceptenv = 'USE_DEFAULTS', - $sshd_config_hostkey = 'USE_DEFAULTS', - $sshd_listen_address = undef, - $sshd_hostbasedauthentication = 'no', - $sshd_pubkeyacceptedkeytypes = undef, - $sshd_pubkeyauthentication = 'yes', - $sshd_ignoreuserknownhosts = 'no', - $sshd_ignorerhosts = 'yes', - $sshd_config_authenticationmethods = undef, - $manage_service = true, - $sshd_addressfamily = 'USE_DEFAULTS', - $service_ensure = 'running', - $service_name = 'USE_DEFAULTS', - $service_enable = true, - $service_hasrestart = true, - $service_hasstatus = 'USE_DEFAULTS', - $ssh_key_ensure = 'present', - $ssh_key_import = true, - $ssh_key_type = 'ssh-rsa', - $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', - $ssh_config_global_known_hosts_list = undef, - $ssh_config_global_known_hosts_owner = 'root', - $ssh_config_global_known_hosts_group = 'root', - $ssh_config_global_known_hosts_mode = '0644', - $ssh_config_user_known_hosts_file = undef, - $config_entries = {}, - $keys = undef, - $manage_root_ssh_config = false, - $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", - $sshd_config_tcp_keepalive = undef, - $sshd_config_use_privilege_separation = undef, - $sshd_config_permittunnel = undef, - $sshd_config_hostcertificate = undef, - $sshd_config_trustedusercakeys = undef, - $sshd_config_key_revocation_list = undef, - $sshd_config_authorized_principals_file = undef, - $sshd_config_allowagentforwarding = undef, + $hiera_merge = false, + $packages = 'USE_DEFAULTS', + $permit_root_login = 'yes', + $purge_keys = true, + $manage_firewall = false, + $ssh_package_source = 'USE_DEFAULTS', + $ssh_package_adminfile = 'USE_DEFAULTS', + $ssh_config_hash_known_hosts = 'USE_DEFAULTS', + $ssh_config_path = '/etc/ssh/ssh_config', + $ssh_config_owner = 'root', + $ssh_config_group = 'root', + $ssh_config_mode = '0644', + $ssh_config_forward_x11 = undef, + $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', + $ssh_config_forward_agent = undef, + $ssh_config_server_alive_interval = undef, + $ssh_config_sendenv_xmodifiers = false, + $ssh_hostbasedauthentication = undef, + $ssh_config_proxy_command = undef, + $ssh_strict_host_key_checking = undef, + $ssh_config_ciphers = undef, + $ssh_config_kexalgorithms = undef, + $ssh_config_macs = undef, + $ssh_config_use_roaming = 'USE_DEFAULTS', + $ssh_config_template = 'ssh/ssh_config.erb', + $ssh_sendenv = 'USE_DEFAULTS', + $ssh_gssapiauthentication = 'yes', + $ssh_gssapidelegatecredentials = undef, + $sshd_config_path = '/etc/ssh/sshd_config', + $sshd_config_owner = 'root', + $sshd_config_group = 'root', + $sshd_config_loglevel = 'INFO', + $sshd_config_mode = 'USE_DEFAULTS', + $sshd_config_permitemptypasswords = undef, + $sshd_config_permituserenvironment = undef, + $sshd_config_compression = undef, + $sshd_config_port = '22', + $sshd_config_syslog_facility = 'AUTH', + $sshd_config_template = 'ssh/sshd_config.erb', + $sshd_config_login_grace_time = '120', + $sshd_config_challenge_resp_auth = 'yes', + $sshd_config_print_motd = 'yes', + $sshd_config_print_last_log = undef, + $sshd_config_use_dns = 'USE_DEFAULTS', + $sshd_config_authkey_location = undef, + $sshd_config_strictmodes = undef, + $sshd_config_serverkeybits = 'USE_DEFAULTS', + $sshd_config_banner = 'none', + $sshd_config_ciphers = undef, + $sshd_config_kexalgorithms = undef, + $sshd_config_macs = undef, + $ssh_enable_ssh_keysign = undef, + $sshd_config_allowgroups = [], + $sshd_config_allowusers = [], + $sshd_config_denygroups = [], + $sshd_config_denyusers = [], + $sshd_config_maxauthtries = undef, + $sshd_config_maxstartups = undef, + $sshd_config_maxsessions = undef, + $sshd_config_chrootdirectory = undef, + $sshd_config_forcecommand = undef, + $sshd_config_match = undef, + $sshd_authorized_keys_command = undef, + $sshd_authorized_keys_command_user = undef, + $sshd_banner_content = undef, + $sshd_banner_owner = 'root', + $sshd_banner_group = 'root', + $sshd_banner_mode = '0644', + $sshd_config_xauth_location = 'USE_DEFAULTS', + $sshd_config_subsystem_sftp = 'USE_DEFAULTS', + $sshd_kerberos_authentication = undef, + $sshd_password_authentication = 'yes', + $sshd_allow_tcp_forwarding = 'yes', + $sshd_x11_forwarding = 'yes', + $sshd_x11_use_localhost = 'yes', + $sshd_use_pam = 'USE_DEFAULTS', + $sshd_client_alive_count_max = '3', + $sshd_client_alive_interval = '0', + $sshd_gssapiauthentication = 'yes', + $sshd_gssapikeyexchange = 'USE_DEFAULTS', + $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', + $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', + $sshd_acceptenv = 'USE_DEFAULTS', + $sshd_config_hostkey = 'USE_DEFAULTS', + $sshd_listen_address = undef, + $sshd_hostbasedauthentication = 'no', + $sshd_pubkeyacceptedkeytypes = undef, + $sshd_pubkeyauthentication = 'yes', + $sshd_ignoreuserknownhosts = 'no', + $sshd_ignorerhosts = 'yes', + $sshd_config_authenticationmethods = undef, + $manage_service = true, + $sshd_addressfamily = 'USE_DEFAULTS', + $service_ensure = 'running', + $service_name = 'USE_DEFAULTS', + $service_enable = true, + $service_hasrestart = true, + $service_hasstatus = 'USE_DEFAULTS', + $ssh_key_ensure = 'present', + $ssh_key_import = true, + $ssh_key_type = 'ssh-rsa', + $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', + $ssh_config_global_known_hosts_list = undef, + $ssh_config_global_known_hosts_owner = 'root', + $ssh_config_global_known_hosts_group = 'root', + $ssh_config_global_known_hosts_mode = '0644', + $ssh_config_user_known_hosts_file = undef, + $ssh_config_include = 'USE_DEFAULTS', + $config_entries = {}, + $keys = undef, + $manage_root_ssh_config = false, + $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", + $sshd_config_tcp_keepalive = undef, + $sshd_config_use_privilege_separation = undef, + $sshd_config_permittunnel = undef, + $sshd_config_hostcertificate = undef, + $sshd_config_trustedusercakeys = undef, + $sshd_config_key_revocation_list = undef, + $sshd_config_authorized_principals_file = undef, + $sshd_config_allowagentforwarding = undef, + $sshd_config_include = 'USE_DEFAULTS', ) { case $::osfamily { @@ -134,6 +136,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -153,6 +156,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } 'Suse': { $default_packages = 'openssh' @@ -162,6 +166,7 @@ class ssh ( $default_ssh_package_adminfile = undef $default_ssh_sendenv = true $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_include = undef $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = '/usr/bin/xauth' @@ -175,6 +180,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef case $::architecture { 'x86_64': { if ($::operatingsystem == 'SLES') { @@ -222,6 +228,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -235,6 +242,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } '18.04': { $default_sshd_config_hostkey = [ @@ -249,6 +257,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -262,8 +271,37 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } - /^9.*/: { + '20.04': { + $default_service_hasstatus = true + $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_hash_known_hosts = 'yes' + $default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf' + $default_ssh_gssapiauthentication = 'yes' + $default_ssh_package_adminfile = undef + $default_ssh_package_source = undef + $default_ssh_sendenv = true + $default_sshd_acceptenv = true + $default_sshd_addressfamily = 'any' + $default_sshd_config_hostkey = [] + $default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf' + $default_sshd_config_mode = '0600' + $default_sshd_config_permittunnel = undef + $default_sshd_config_print_motd = 'no' + $default_sshd_config_serverkeybits = undef + $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' + $default_sshd_config_tcp_keepalive = undef + $default_sshd_config_use_dns = 'yes' + $default_sshd_config_xauth_location = undef + $default_sshd_gssapiauthentication = 'yes' + $default_sshd_gssapicleanupcredentials = 'yes' + $default_sshd_gssapikeyexchange = undef + $default_sshd_pamauthenticationviakbdint = undef + $default_sshd_use_pam = 'yes' + $default_sshd_x11_forwarding = 'yes' + } + /^10.*/: { $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', @@ -272,6 +310,7 @@ class ssh ( $default_sshd_config_mode = '0600' $default_sshd_use_pam = 'yes' $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_include = undef $default_sshd_acceptenv = true $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_ssh_config_hash_known_hosts = 'yes' @@ -288,6 +327,35 @@ class ssh ( $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_service_hasstatus = true + $default_sshd_config_include = undef + } + /^9.*/: { + $default_sshd_config_hostkey = [ + '/etc/ssh/ssh_host_rsa_key', + '/etc/ssh/ssh_host_ecdsa_key', + '/etc/ssh/ssh_host_ed25519_key', + ] + $default_sshd_config_mode = '0600' + $default_sshd_use_pam = 'yes' + $default_ssh_config_forward_x11_trusted = 'yes' + $default_sshd_acceptenv = true + $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' + $default_ssh_config_hash_known_hosts = 'yes' + $default_ssh_sendenv = true + $default_ssh_config_include = undef + $default_sshd_addressfamily = undef + $default_sshd_config_serverkeybits = undef + $default_sshd_gssapicleanupcredentials = undef + $default_sshd_config_use_dns = undef + $default_sshd_config_xauth_location = undef + $default_sshd_config_permittunnel = undef + $default_sshd_config_tcp_keepalive = undef + $default_ssh_package_source = undef + $default_ssh_package_adminfile = undef + $default_sshd_gssapikeyexchange = undef + $default_sshd_pamauthenticationviakbdint = undef + $default_sshd_config_include = undef + $default_service_hasstatus = true } /^7.*/: { $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] @@ -297,6 +365,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' @@ -310,6 +379,7 @@ class ssh ( $default_sshd_addressfamily = 'any' $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' + $default_sshd_config_include = undef } /^8.*/: { @@ -318,6 +388,7 @@ class ssh ( $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true + $default_ssh_config_include = undef $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', @@ -338,6 +409,7 @@ class ssh ( $default_sshd_config_tcp_keepalive = 'yes' $default_sshd_config_permittunnel = 'no' $default_service_hasstatus = true + $default_sshd_config_include = undef } default: { fail ("Operating System : ${::operatingsystemrelease} not supported") } } @@ -346,6 +418,7 @@ class ssh ( $default_ssh_config_hash_known_hosts = undef $default_ssh_sendenv = false $default_ssh_config_forward_x11_trusted = undef + $default_ssh_config_include = undef $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' $default_sshd_config_mode = '0644' $default_sshd_config_use_dns = undef @@ -361,6 +434,7 @@ class ssh ( $default_sshd_addressfamily = undef $default_sshd_config_tcp_keepalive = undef $default_sshd_config_permittunnel = undef + $default_sshd_config_include = undef case $::kernelrelease { '5.11': { $default_packages = ['network/ssh', @@ -526,6 +600,23 @@ class ssh ( $ssh_config_use_roaming_real = $ssh_config_use_roaming } + if $ssh_config_include == 'USE_DEFAULTS' { + $ssh_config_include_real = $default_ssh_config_include + } else { + case type3x($ssh_config_include) { + 'array': { + validate_array($ssh_config_include) + } + 'string': { + validate_string($ssh_config_include) + } + default: { + fail('ssh::ssh_config_include type must be a strting or array.') + } + } + $ssh_config_include_real = $ssh_config_include + } + if $ssh_sendenv == 'USE_DEFAULTS' { $ssh_sendenv_real = $default_ssh_sendenv } else { @@ -595,6 +686,23 @@ class ssh ( $sshd_addressfamily_real = $sshd_addressfamily } + if $sshd_config_include == 'USE_DEFAULTS' { + $sshd_config_include_real = $default_sshd_config_include + } else { + case type3x($sshd_config_include) { + 'array': { + validate_array($sshd_config_include) + } + 'string': { + validate_string($sshd_config_include) + } + default: { + fail('ssh::sshd_config_include type must be a strting or array.') + } + } + $sshd_config_include_real = $sshd_config_include + } + case $sshd_config_maxsessions { 'unset', undef: { $sshd_config_maxsessions_integer = undef } default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) } diff --git a/metadata.json b/metadata.json index cf2d066..acf9eb5 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "ghoneycutt-ssh", - "version": "3.61.0", + "version": "3.62.0", "author": "ghoneycutt", "summary": "Manages SSH", "license": "Apache-2.0", @@ -19,7 +19,8 @@ "operatingsystemrelease": [ "7", "8", - "9" + "9", + "10" ] }, { @@ -85,16 +86,17 @@ "12.04", "14.04", "16.04", - "18.04" + "18.04", + "20.04" ] } ], "description": "Manage SSH", "dependencies": [ - {"name":"puppetlabs/stdlib","version_requirement":">= 4.6.0 < 6.0.0"}, - {"name":"puppetlabs/concat","version_requirement":">= 2.0.0 < 6.0.0"}, + {"name":"puppetlabs/stdlib","version_requirement":">= 4.6.0 < 7.0.0"}, + {"name":"puppetlabs/concat","version_requirement":">= 2.0.0 < 7.0.0"}, {"name":"ghoneycutt/common","version_requirement":">= 1.4.1 < 2.0.0"}, - {"name":"puppetlabs/firewall","version_requirement":">= 1.9.0 < 2.0.0"}, - {"name":"puppetlabs/sshkeys_core","version_requirement":">= 1.0.1 <2.0.0"} + {"name":"puppetlabs/firewall","version_requirement":">= 1.9.0 < 3.0.0"}, + {"name":"puppetlabs/sshkeys_core","version_requirement":">= 1.0.1 < 3.0.0"} ] } diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 783902f..236c16b 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -6,6 +6,7 @@ describe 'ssh' do :fqdn => 'monkey.example.com', :hostname => 'monkey', :ipaddress => '127.0.0.1', + :ipaddress6 => nil, :lsbmajdistrelease => '6', :operatingsystemrelease => '6.7', :osfamily => 'RedHat', @@ -71,6 +72,19 @@ describe 'ssh' do :sshd_config_fixture => 'sshd_config_debian9', :ssh_config_fixture => 'ssh_config_debian9', }, + 'Debian-10' => { + :architecture => 'x86_64', + :osfamily => 'Debian', + :operatingsystemrelease => '10', + :ssh_version => 'OpenSSH_7.9p1', + :ssh_version_numeric => '7.9', + :ssh_packages => ['openssh-server', 'openssh-client'], + :sshd_config_mode => '0600', + :sshd_service_name => 'ssh', + :sshd_service_hasstatus => true, + :sshd_config_fixture => 'sshd_config_debian10', + :ssh_config_fixture => 'ssh_config_debian10', + }, 'RedHat-5' => { :architecture => 'x86_64', :osfamily => 'RedHat', @@ -272,6 +286,19 @@ describe 'ssh' do :sshd_config_fixture => 'sshd_config_ubuntu1804', :ssh_config_fixture => 'ssh_config_ubuntu1804', }, + 'Ubuntu-2004' => { + :architecture => 'x86_64', + :osfamily => 'Debian', + :operatingsystemrelease => '20.04', + :ssh_version => 'OpenSSH_7.6p1', + :ssh_version_numeric => '7.6', + :ssh_packages => ['openssh-server', 'openssh-client'], + :sshd_config_mode => '0600', + :sshd_service_name => 'ssh', + :sshd_service_hasstatus => true, + :sshd_config_fixture => 'sshd_config_ubuntu2004', + :ssh_config_fixture => 'ssh_config_ubuntu2004', + }, } osfamily_matrix.each do |os, facts| @@ -2773,4 +2800,61 @@ describe 'sshd_config_print_last_log param' do end # var[:name].each end # validations.sort.each end # describe 'variable type and content validations' + + describe 'sshd_config_include' do + context 'when set to an array' do + let(:params) { {'sshd_config_include' => ['file1','file2'] } } + + it { should contain_file('sshd_config').with_content(/^Include file1 file2$/) } + end + + context 'when set to a string' do + let(:params) { {'sshd_config_include' => 'file1' } } + + it { should contain_file('sshd_config').with_content(/^Include file1$/) } + end + + context 'when not set' do + it { should_not contain_file('sshd_config').with_content(/^\s*Include/) } + end + + context 'when set to an invalid type (not string or array)' do + let(:params) { {'sshd_config_include' => true } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + + describe 'ssh_config_include' do + context 'when set to an array' do + let(:params) { {'ssh_config_include' => ['file1','file2'] } } + + it { should contain_file('ssh_config').with_content(/^Include file1 file2$/) } + end + + context 'when set to a string' do + let(:params) { {'ssh_config_include' => 'file1' } } + + it { should contain_file('ssh_config').with_content(/^Include file1$/) } + end + + context 'when not set' do + it { should_not contain_file('ssh_config').with_content(/^\s*Include/) } + end + + context 'when set to an invalid type (not string or array)' do + let(:params) { {'ssh_config_include' => true } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + end diff --git a/spec/fixtures/ssh_config_debian10 b/spec/fixtures/ssh_config_debian10 new file mode 100644 index 0000000..d13cc55 --- /dev/null +++ b/spec/fixtures/ssh_config_debian10 @@ -0,0 +1,61 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT + +# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes + PasswordAuthentication yes + PubkeyAuthentication yes +# HostbasedAuthentication no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity + IdentityFile ~/.ssh/id_rsa + IdentityFile ~/.ssh/id_dsa +# Port 22 + Protocol 2 +# Cipher 3des +# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# HashKnownHosts no + HashKnownHosts yes + GlobalKnownHostsFile /etc/ssh/ssh_known_hosts +Host * +# GSSAPIAuthentication yes + GSSAPIAuthentication yes +# If this option is set to yes then remote X11 clients will have full access +# to the original X11 display. As virtually no X11 client supports the untrusted +# mode correctly we set this to yes. + ForwardX11Trusted yes + UseRoaming no +# Send locale-related environment variables + SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL diff --git a/spec/fixtures/ssh_config_ubuntu2004 b/spec/fixtures/ssh_config_ubuntu2004 new file mode 100644 index 0000000..9b7f5d5 --- /dev/null +++ b/spec/fixtures/ssh_config_ubuntu2004 @@ -0,0 +1,63 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT + +# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +Include /etc/ssh/ssh_config.d/*.conf + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes + PasswordAuthentication yes + PubkeyAuthentication yes +# HostbasedAuthentication no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity + IdentityFile ~/.ssh/id_rsa + IdentityFile ~/.ssh/id_dsa +# Port 22 + Protocol 2 +# Cipher 3des +# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# HashKnownHosts no + HashKnownHosts yes + GlobalKnownHostsFile /etc/ssh/ssh_known_hosts +Host * +# GSSAPIAuthentication yes + GSSAPIAuthentication yes +# If this option is set to yes then remote X11 clients will have full access +# to the original X11 display. As virtually no X11 client supports the untrusted +# mode correctly we set this to yes. + ForwardX11Trusted yes + UseRoaming no +# Send locale-related environment variables + SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL diff --git a/spec/fixtures/sshd_config_debian10 b/spec/fixtures/sshd_config_debian10 new file mode 100644 index 0000000..5b150ee --- /dev/null +++ b/spec/fixtures/sshd_config_debian10 @@ -0,0 +1,133 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT + +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +#Port 22 +Port 22 +#Protocol 2,1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTH +#LogLevel INFO +LogLevel INFO + +# Authentication: + +#LoginGraceTime 120 +LoginGraceTime 120 +#PermitRootLogin yes +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 + +#RSAAuthentication yes +#PubkeyAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes +IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +GSSAPIAuthentication yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication mechanism. +# Depending on your PAM configuration, this may bypass the setting of +# PasswordAuthentication, PermitEmptyPasswords, and +# "PermitRootLogin without-password". If you just want the PAM account and +# session checks to run without PAM authentication, then enable this but set +# ChallengeResponseAuthentication=no +#UsePAM no +UsePAM yes + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL +#AllowTcpForwarding yes +AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +X11UseLocalhost yes +#PrintMotd yes +PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +ClientAliveInterval 0 +ClientAliveCountMax 3 +#ShowPatchLevel no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#MaxSessions 10 + +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none +Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + diff --git a/spec/fixtures/sshd_config_ubuntu2004 b/spec/fixtures/sshd_config_ubuntu2004 new file mode 100644 index 0000000..60d8a68 --- /dev/null +++ b/spec/fixtures/sshd_config_ubuntu2004 @@ -0,0 +1,138 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT + +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +Include /etc/ssh/sshd_config.d/*.conf + +#Port 22 +Port 22 +#Protocol 2,1 +Protocol 2 +#AddressFamily any +AddressFamily any + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTH +#LogLevel INFO +LogLevel INFO + +# Authentication: + +#LoginGraceTime 120 +LoginGraceTime 120 +#PermitRootLogin yes +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 + +#RSAAuthentication yes +#PubkeyAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes +IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +GSSAPIAuthentication yes +#GSSAPICleanupCredentials yes +GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication mechanism. +# Depending on your PAM configuration, this may bypass the setting of +# PasswordAuthentication, PermitEmptyPasswords, and +# "PermitRootLogin without-password". If you just want the PAM account and +# session checks to run without PAM authentication, then enable this but set +# ChallengeResponseAuthentication=no +#UsePAM no +UsePAM yes + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL +#AllowTcpForwarding yes +AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +X11UseLocalhost yes +#PrintMotd yes +PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +ClientAliveInterval 0 +ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#MaxSessions 10 + +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none +Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index 9cb65e3..a7b18c4 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -20,6 +20,14 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. +<% if defined?(@ssh_config_include_real) -%> +<% if @ssh_config_include_real.is_a? Array -%> +Include <%= @ssh_config_include_real.join(' ') %> +<% else -%> +Include <%= @ssh_config_include_real %> +<% end -%> + +<% end -%> # Host * # ForwardAgent no # ForwardX11 no @@ -75,7 +83,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %> # If this option is set to yes then remote X11 clients will have full access # to the original X11 display. As virtually no X11 client supports the untrusted # mode correctly we set this to yes. -<% if @ssh_config_forward_x11_trusted_real != nil -%> +<% if defined?(@ssh_config_forward_x11_trusted_real) -%> ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %> <% end -%> <% if @ssh_config_forward_agent != nil -%> diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 4e1bd70..e020a80 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -13,13 +13,21 @@ # possible, but leave them commented. Uncommented options change a # default value. +<% if defined?(@sshd_config_include_real) -%> +<% if @sshd_config_include_real.is_a? Array -%> +Include <%= @sshd_config_include_real.join(' ') %> +<% else -%> +Include <%= @sshd_config_include_real %> +<% end -%> + +<% end -%> #Port 22 <% @sshd_config_port_array.each do |p| -%> <%= "Port #{p}" %> <% end -%> #Protocol 2,1 Protocol 2 -<% if @sshd_addressfamily_real != nil -%> +<% if defined?(@sshd_addressfamily_real) -%> #AddressFamily any AddressFamily <%= @sshd_addressfamily_real %> <% end -%>