puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'ghoneycutt:master' into master

Browse Source
This commit is contained in:
Francisco 2021-10-21 13:11:05 +02:00 committed by GitHub
commit 5d4fb8d2e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 743 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -5,7 +5,7 @@ cache: bundler
before_install:
- if [ $BUNDLER_VERSION ]; then
gem install -v $BUNDLER_VERSION bundler --no-rdoc --no-ri;
gem install -v $BUNDLER_VERSION bundler --no-document;
fi
- bundle -v
- rm Gemfile.lock || true

3
CHANGELOG.md
View File

@ -1,3 +1,6 @@
### v3.62.0 - 2020-09-07
* Support Ubuntu 20.04 LTS
### v3.61.0 - 2019-05-01
* Support Debian 8
* Support Ubuntu 18.04 LTS

2
LICENSE
View File

@ -1,4 +1,4 @@
Copyright (C) 2010-2019 Garrett Honeycutt <code@garretthoneycutt.com>
Copyright (C) 2010-2020 Garrett Honeycutt <code@garretthoneycutt.com>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.

2
README.md
View File

@ -29,6 +29,7 @@ for the exact matrix of supported Puppet and ruby versions.
* Debian 7
* Debian 8
* Debian 9
* Debian 10
* EL 5
* EL 6
* EL 7
@ -40,6 +41,7 @@ for the exact matrix of supported Puppet and ruby versions.
* Ubuntu 14.04 LTS
* Ubuntu 16.04 LTS
* Ubuntu 18.04 LTS
* Ubuntu 20.04 LTS
* Solaris 9
* Solaris 10
* Solaris 11

1
Rakefile
View File

@ -2,6 +2,7 @@ require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.send('disable_140chars')
PuppetLint.configuration.send('disable_relative_classname_inclusion')
PuppetLint.configuration.relative = true
PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp', 'vendor/**/*.pp']

110
manifests/init.pp
View File

@ -110,6 +110,7 @@ class ssh (
$ssh_config_global_known_hosts_group = 'root',
$ssh_config_global_known_hosts_mode = '0644',
$ssh_config_user_known_hosts_file = undef,
$ssh_config_include = 'USE_DEFAULTS',
$config_entries = {},
$keys = undef,
$manage_root_ssh_config = false,
@ -122,6 +123,7 @@ class ssh (
$sshd_config_key_revocation_list = undef,
$sshd_config_authorized_principals_file = undef,
$sshd_config_allowagentforwarding = undef,
$sshd_config_include = 'USE_DEFAULTS',
) {
case $::osfamily {
@ -134,6 +136,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -153,6 +156,7 @@ class ssh (
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
}
'Suse': {
$default_packages = 'openssh'
@ -162,6 +166,7 @@ class ssh (
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_forward_x11_trusted = 'yes'
$default_ssh_config_include = undef
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
$default_sshd_config_xauth_location = '/usr/bin/xauth'
@ -175,6 +180,7 @@ class ssh (
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
case $::architecture {
'x86_64': {
if ($::operatingsystem == 'SLES') {
@ -222,6 +228,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -235,6 +242,7 @@ class ssh (
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
}
'18.04': {
$default_sshd_config_hostkey = [
@ -249,6 +257,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -262,8 +271,37 @@ class ssh (
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
}
/^9.*/: {
'20.04': {
$default_service_hasstatus = true
$default_ssh_config_forward_x11_trusted = 'yes'
$default_ssh_config_hash_known_hosts = 'yes'
$default_ssh_config_include = '/etc/ssh/ssh_config.d/*.conf'
$default_ssh_gssapiauthentication = 'yes'
$default_ssh_package_adminfile = undef
$default_ssh_package_source = undef
$default_ssh_sendenv = true
$default_sshd_acceptenv = true
$default_sshd_addressfamily = 'any'
$default_sshd_config_hostkey = []
$default_sshd_config_include = '/etc/ssh/sshd_config.d/*.conf'
$default_sshd_config_mode = '0600'
$default_sshd_config_permittunnel = undef
$default_sshd_config_print_motd = 'no'
$default_sshd_config_serverkeybits = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_tcp_keepalive = undef
$default_sshd_config_use_dns = 'yes'
$default_sshd_config_xauth_location = undef
$default_sshd_gssapiauthentication = 'yes'
$default_sshd_gssapicleanupcredentials = 'yes'
$default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef
$default_sshd_use_pam = 'yes'
$default_sshd_x11_forwarding = 'yes'
}
/^10.*/: {
$default_sshd_config_hostkey = [
'/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_ecdsa_key',
@ -272,6 +310,7 @@ class ssh (
$default_sshd_config_mode = '0600'
$default_sshd_use_pam = 'yes'
$default_ssh_config_forward_x11_trusted = 'yes'
$default_ssh_config_include = undef
$default_sshd_acceptenv = true
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_ssh_config_hash_known_hosts = 'yes'
@ -288,6 +327,35 @@ class ssh (
$default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef
$default_service_hasstatus = true
$default_sshd_config_include = undef
}
/^9.*/: {
$default_sshd_config_hostkey = [
'/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_ecdsa_key',
'/etc/ssh/ssh_host_ed25519_key',
]
$default_sshd_config_mode = '0600'
$default_sshd_use_pam = 'yes'
$default_ssh_config_forward_x11_trusted = 'yes'
$default_sshd_acceptenv = true
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_ssh_config_hash_known_hosts = 'yes'
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_addressfamily = undef
$default_sshd_config_serverkeybits = undef
$default_sshd_gssapicleanupcredentials = undef
$default_sshd_config_use_dns = undef
$default_sshd_config_xauth_location = undef
$default_sshd_config_permittunnel = undef
$default_sshd_config_tcp_keepalive = undef
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_sshd_gssapikeyexchange = undef
$default_sshd_pamauthenticationviakbdint = undef
$default_sshd_config_include = undef
$default_service_hasstatus = true
}
/^7.*/: {
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
@ -297,6 +365,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -310,6 +379,7 @@ class ssh (
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_sshd_config_include = undef
}
/^8.*/: {
@ -318,6 +388,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_config_include = undef
$default_sshd_config_hostkey = [
'/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_dsa_key',
@ -338,6 +409,7 @@ class ssh (
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
$default_service_hasstatus = true
$default_sshd_config_include = undef
}
default: { fail ("Operating System : ${::operatingsystemrelease} not supported") }
}
@ -346,6 +418,7 @@ class ssh (
$default_ssh_config_hash_known_hosts = undef
$default_ssh_sendenv = false
$default_ssh_config_forward_x11_trusted = undef
$default_ssh_config_include = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
$default_sshd_config_mode = '0644'
$default_sshd_config_use_dns = undef
@ -361,6 +434,7 @@ class ssh (
$default_sshd_addressfamily = undef
$default_sshd_config_tcp_keepalive = undef
$default_sshd_config_permittunnel = undef
$default_sshd_config_include = undef
case $::kernelrelease {
'5.11': {
$default_packages = ['network/ssh',
@ -526,6 +600,23 @@ class ssh (
$ssh_config_use_roaming_real = $ssh_config_use_roaming
}
if $ssh_config_include == 'USE_DEFAULTS' {
$ssh_config_include_real = $default_ssh_config_include
} else {
case type3x($ssh_config_include) {
'array': {
validate_array($ssh_config_include)
}
'string': {
validate_string($ssh_config_include)
}
default: {
fail('ssh::ssh_config_include type must be a strting or array.')
}
}
$ssh_config_include_real = $ssh_config_include
}
if $ssh_sendenv == 'USE_DEFAULTS' {
$ssh_sendenv_real = $default_ssh_sendenv
} else {
@ -595,6 +686,23 @@ class ssh (
$sshd_addressfamily_real = $sshd_addressfamily
}
if $sshd_config_include == 'USE_DEFAULTS' {
$sshd_config_include_real = $default_sshd_config_include
} else {
case type3x($sshd_config_include) {
'array': {
validate_array($sshd_config_include)
}
'string': {
validate_string($sshd_config_include)
}
default: {
fail('ssh::sshd_config_include type must be a strting or array.')
}
}
$sshd_config_include_real = $sshd_config_include
}
case $sshd_config_maxsessions {
'unset', undef: { $sshd_config_maxsessions_integer = undef }
default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) }

16
metadata.json
View File

@ -1,6 +1,6 @@
{
"name": "ghoneycutt-ssh",
"version": "3.61.0",
"version": "3.62.0",
"author": "ghoneycutt",
"summary": "Manages SSH",
"license": "Apache-2.0",
@ -19,7 +19,8 @@
"operatingsystemrelease": [
"7",
"8",
"9"
"9",
"10"
]
},
{
@ -85,16 +86,17 @@
"12.04",
"14.04",
"16.04",
"18.04"
"18.04",
"20.04"
]
}
],
"description": "Manage SSH",
"dependencies": [
{"name":"puppetlabs/stdlib","version_requirement":">= 4.6.0 < 6.0.0"},
{"name":"puppetlabs/concat","version_requirement":">= 2.0.0 < 6.0.0"},
{"name":"puppetlabs/stdlib","version_requirement":">= 4.6.0 < 7.0.0"},
{"name":"puppetlabs/concat","version_requirement":">= 2.0.0 < 7.0.0"},
{"name":"ghoneycutt/common","version_requirement":">= 1.4.1 < 2.0.0"},
{"name":"puppetlabs/firewall","version_requirement":">= 1.9.0 < 2.0.0"},
{"name":"puppetlabs/sshkeys_core","version_requirement":">= 1.0.1 <2.0.0"}
{"name":"puppetlabs/firewall","version_requirement":">= 1.9.0 < 3.0.0"},
{"name":"puppetlabs/sshkeys_core","version_requirement":">= 1.0.1 < 3.0.0"}
]
}

84
spec/classes/init_spec.rb
View File

@ -6,6 +6,7 @@ describe 'ssh' do
:fqdn => 'monkey.example.com',
:hostname => 'monkey',
:ipaddress => '127.0.0.1',
:ipaddress6 => nil,
:lsbmajdistrelease => '6',
:operatingsystemrelease => '6.7',
:osfamily => 'RedHat',
@ -71,6 +72,19 @@ describe 'ssh' do
:sshd_config_fixture => 'sshd_config_debian9',
:ssh_config_fixture => 'ssh_config_debian9',
},
'Debian-10' => {
:architecture => 'x86_64',
:osfamily => 'Debian',
:operatingsystemrelease => '10',
:ssh_version => 'OpenSSH_7.9p1',
:ssh_version_numeric => '7.9',
:ssh_packages => ['openssh-server', 'openssh-client'],
:sshd_config_mode => '0600',
:sshd_service_name => 'ssh',
:sshd_service_hasstatus => true,
:sshd_config_fixture => 'sshd_config_debian10',
:ssh_config_fixture => 'ssh_config_debian10',
},
'RedHat-5' => {
:architecture => 'x86_64',
:osfamily => 'RedHat',
@ -272,6 +286,19 @@ describe 'ssh' do
:sshd_config_fixture => 'sshd_config_ubuntu1804',
:ssh_config_fixture => 'ssh_config_ubuntu1804',
},
'Ubuntu-2004' => {
:architecture => 'x86_64',
:osfamily => 'Debian',
:operatingsystemrelease => '20.04',
:ssh_version => 'OpenSSH_7.6p1',
:ssh_version_numeric => '7.6',
:ssh_packages => ['openssh-server', 'openssh-client'],
:sshd_config_mode => '0600',
:sshd_service_name => 'ssh',
:sshd_service_hasstatus => true,
:sshd_config_fixture => 'sshd_config_ubuntu2004',
:ssh_config_fixture => 'ssh_config_ubuntu2004',
},
}
osfamily_matrix.each do |os, facts|
@ -2773,4 +2800,61 @@ describe 'sshd_config_print_last_log param' do
end # var[:name].each
end # validations.sort.each
end # describe 'variable type and content validations'
describe 'sshd_config_include' do
context 'when set to an array' do
let(:params) { {'sshd_config_include' => ['file1','file2'] } }
it { should contain_file('sshd_config').with_content(/^Include file1 file2$/) }
end
context 'when set to a string' do
let(:params) { {'sshd_config_include' => 'file1' } }
it { should contain_file('sshd_config').with_content(/^Include file1$/) }
end
context 'when not set' do
it { should_not contain_file('sshd_config').with_content(/^\s*Include/) }
end
context 'when set to an invalid type (not string or array)' do
let(:params) { {'sshd_config_include' => true } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error)
end
end
end
describe 'ssh_config_include' do
context 'when set to an array' do
let(:params) { {'ssh_config_include' => ['file1','file2'] } }
it { should contain_file('ssh_config').with_content(/^Include file1 file2$/) }
end
context 'when set to a string' do
let(:params) { {'ssh_config_include' => 'file1' } }
it { should contain_file('ssh_config').with_content(/^Include file1$/) }
end
context 'when not set' do
it { should_not contain_file('ssh_config').with_content(/^\s*Include/) }
end
context 'when set to an invalid type (not string or array)' do
let(:params) { {'ssh_config_include' => true } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error)
end
end
end
end

61
spec/fixtures/ssh_config_debian10 vendored Normal file
View File

@ -0,0 +1,61 @@
# This file is being maintained by Puppet.
# DO NOT EDIT
# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# HashKnownHosts no
HashKnownHosts yes
GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
Host *
# GSSAPIAuthentication yes
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
UseRoaming no
# Send locale-related environment variables
SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

63
spec/fixtures/ssh_config_ubuntu2004 vendored Normal file
View File

@ -0,0 +1,63 @@
# This file is being maintained by Puppet.
# DO NOT EDIT
# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Include /etc/ssh/ssh_config.d/*.conf
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# HashKnownHosts no
HashKnownHosts yes
GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
Host *
# GSSAPIAuthentication yes
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
UseRoaming no
# Send locale-related environment variables
SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

133
spec/fixtures/sshd_config_debian10 vendored Normal file
View File

@ -0,0 +1,133 @@
# This file is being maintained by Puppet.
# DO NOT EDIT
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
Port 22
#Protocol 2,1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTH
#LogLevel INFO
LogLevel INFO
# Authentication:
#LoginGraceTime 120
LoginGraceTime 120
#PermitRootLogin yes
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
X11UseLocalhost yes
#PrintMotd yes
PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
ClientAliveInterval 0
ClientAliveCountMax 3
#ShowPatchLevel no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#MaxSessions 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

138
spec/fixtures/sshd_config_ubuntu2004 vendored Normal file
View File

@ -0,0 +1,138 @@
# This file is being maintained by Puppet.
# DO NOT EDIT
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
AddressFamily any
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTH
#LogLevel INFO
LogLevel INFO
# Authentication:
#LoginGraceTime 120
LoginGraceTime 120
#PermitRootLogin yes
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
X11UseLocalhost yes
#PrintMotd yes
PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
ClientAliveInterval 0
ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#MaxSessions 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

10
templates/ssh_config.erb
View File

@ -20,6 +20,14 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
<% if defined?(@ssh_config_include_real) -%>
<% if @ssh_config_include_real.is_a? Array -%>
Include <%= @ssh_config_include_real.join(' ') %>
<% else -%>
Include <%= @ssh_config_include_real %>
<% end -%>
<% end -%>
# Host *
# ForwardAgent no
# ForwardX11 no
@ -75,7 +83,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
<% if @ssh_config_forward_x11_trusted_real != nil -%>
<% if defined?(@ssh_config_forward_x11_trusted_real) -%>
ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %>
<% end -%>
<% if @ssh_config_forward_agent != nil -%>

10
templates/sshd_config.erb
View File

@ -13,13 +13,21 @@
# possible, but leave them commented. Uncommented options change a
# default value.
<% if defined?(@sshd_config_include_real) -%>
<% if @sshd_config_include_real.is_a? Array -%>
Include <%= @sshd_config_include_real.join(' ') %>
<% else -%>
Include <%= @sshd_config_include_real %>
<% end -%>
<% end -%>
#Port 22
<% @sshd_config_port_array.each do |p| -%>
<%= "Port #{p}" %>
<% end -%>
#Protocol 2,1
Protocol 2
<% if @sshd_addressfamily_real != nil -%>
<% if defined?(@sshd_addressfamily_real) -%>
#AddressFamily any
AddressFamily <%= @sshd_addressfamily_real %>
<% end -%>