Merge pull request #54 from ghoneycutt/support_solaris

Support solaris
2014-02-28 18:53:49 -05:00 · 2014-02-28 18:53:49 -05:00 · 5e60d4eceb
commit 5e60d4eceb
parent ccfce3d093 b3c2cd7886
5 changed files with 1271 additions and 141 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-# puppet-module-ssh #
+# puppet-module-ssh
 Manage ssh client and server.
@ -6,7 +6,7 @@ The module uses exported resources to manage ssh keys and removes ssh keys that
 ===
-# Compatability #
+# Compatability
 This module has been tested to work on the following systems with Puppet v3 and Ruby versions 1.8.7, 1.9.3 and 2.0.0.
@ -15,10 +15,15 @@ This module has been tested to work on the following systems with Puppet v3 and
 * EL 6
 * SLES 11
 * Ubuntu 12.04 LTS
 * Solaris 9
 * Solaris 10
 * Solaris 11
 ===
-# Parameters #
+# Parameters
 A value of `'USE_DEFAULTS'` will use the defaults specified by the module.
 hiera_merge
 -----------
@ -34,13 +39,13 @@ ssh_config_hash_known_hosts
 HashKnownHosts in ssh_config.
 Indicates that ssh should hash host names and addresses when they are added to ~/.ssh/known_hosts.
 These hashed names may be used normally by ssh and sshd, but they do not reveal identifying
-information should the file's contents be disclosed.  The default is 'no'.
+information should the file's contents be disclosed. The default is 'no' on Linux.
 Note that existing names and addresses in known hosts files will not be converted automatically,
 but may be manually hashed using ssh-keygen. Use of this option may break facilities such as
 tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts.
- *Default*: 'no'
+- *Default*: 'USE_DEFAULTS'
 ssh_config_path
 ---------------
@ -86,10 +91,16 @@ ServerAliveInterval option in ssh_config. Not set by default.
 ssh_config_sendenv_xmodifiers
 -----------------------
-Boolean to set 'SendEnv XMODIFIERS' in ssh_config.
+Boolean to set 'SendEnv XMODIFIERS' in ssh_config. This option is only valid on Linux.
 - *Default*: false
 ssh_sendenv
 -------------
 Boolean to enable SendEnv options for specifying environment variables. Default is set to true on Linux.
 - *Default*: 'USE_DEFAULTS'
 sshd_config_path
 ----------------
 Path to sshd_config.
@ -110,15 +121,15 @@ sshd_config's group.
 sshd_config_mode
 ---------------
-sshd_config's mode.
+sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris.
- *Default*: '0600'
+- *Default*: 'USE_DEFAULTS'
 sshd_config_port
 ---------------------------
 String to specify listen port for sshd. Port option in sshd_config.
- *Default*: 22
+- *Default*: '22'
 sshd_config_syslog_facility
 ---------------------------
@ -146,9 +157,9 @@ PrintMotd option in sshd_config.
 sshd_config_use_dns
 -------------------
-UseDNS option in sshd_config.
+UseDNS option in sshd_config. The default is 'yes' on Linux.
- *Default*: 'yes'
+- *Default*: 'USE_DEFAULTS'
 sshd_config_banner
 ------------------
@ -184,35 +195,32 @@ sshd_config_xauth_location
 --------------------------
 XAuthLocation option in sshd_config.
- *Default*: '/usr/bin/xauth'
+- *Default*: 'USE_DEFAULTS'
 sshd_config_subsystem_sftp
 --------------------------
 Path to sftp file transfer subsystem in sshd_config.
- *Default*: '/usr/libexec/openssh/sftp-server'
+- *Default*: 'USE_DEFAULTS'
 sshd_password_authentication
 -----------------------------
-PasswordAuthentication in sshd_config.
+PasswordAuthentication in sshd_config. Specifies whether password authentication is allowed.
 Specifies whether password authentication is allowed.
 - *Default*: 'yes'
 sshd_allow_tcp_forwarding
 -------------------------
-AllowTcpForwarding in sshd_config.
+AllowTcpForwarding in sshd_config. Specifies whether TCP forwarding is permitted.
 Specifies whether TCP forwarding is permitted.
 - *Default*: 'yes'
 sshd_x11_forwarding
 -------------------
-X11Forwarding in sshd_config.
+X11Forwarding in sshd_config. Specifies whether X11 forwarding is permitted.
 Specifies whether X11 forwarding is permitted.
- *Default*: 'no'
+- *Default*: 'yes'
 sshd_use_pam
 ------------
@ -220,8 +228,9 @@ UsePam in sshd_config.
 Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM
 authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition
 to PAM account and session module processing for all authentication types.
 This module sets this option to 'yes' on Linux and undef on Solaris.
- *Default*: 'no'
+- *Default*: 'USE_DEFAULTS'
 sshd_client_alive_interval
 --------------------------
@ -251,6 +260,54 @@ Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-o
 - *Default*: yes
 ssh_config_forward_x11_trusted
 ------------------------------
 ForwardX11Trusted. Determine remote X11 client access to the original X11 display. The option is set to 'yes' on Linux. Valid values are 'yes', 'no', and undef.
 - *Default*: 'USE_DEFAULTS' (Not valid on Solaris.)
 ssh_package_source
 ------------------
 Source to SSH packages.
 - *Default*: 'USE_DEFAULTS'
 ssh_package_adminfile
 ---------------------
 Path to admin file for SSH packages.
 - *Default*: 'USE_DEFAULTS'
 sshd_gssapiauthentication
 -------------------------
 GSSAPIAuthentication: Enables/disables GSS-API user authentication. Valid values are 'yes' and 'no'.
 - *Default*: 'yes'
 sshd_gssapikeyexchange
 ----------------------
 GSSAPIKeyExchange: Enables/disables GSS-API-authenticated key exchanges. Valid values are 'yes', 'no', and undef.
 - *Default*: 'USE_DEFAULTS'
 sshd_pamauthenticationviakbdint
 -------------------------------
 PAMAuthenticationViaKBDInt: Use PAM via keyboard interactive method for authentication. Valid values are 'yes', 'no', and undef.
 - *Default*: 'USE_DEFAULTS'
 sshd_gssapicleanupcredentials
 -----------------------------
 GSSAPICleanupCredentials: Specifies whether to automatically destroy the user's credentials on logout. Default is 'yes' on Linux. Valid values are 'yes', 'no', and undef.
 - *Default*: 'USE_DEFAULTS'
 sshd_acceptenv
 -------------
 Boolean to enable AcceptEnv options for specifying environment variables. Default is set to true on Linux.
 - *Default*: 'USE_DEFAULTS'
 purge_keys
 ----------
 Remove keys not managed by puppet.
@ -259,7 +316,7 @@ Remove keys not managed by puppet.
 manage_firewall
 ---------------
-Open firewall for SSH service.
+Open firewall for SSH service. Not used on Solaris.
 - *Default*: false
@ -289,9 +346,9 @@ Specify that the init script has a restart command. Valid values are 'true' and
 service_hasstatus
 -----------------
-Declare whether the service's init script has a functional status command. Valid values are 'true' and 'false'
+Boolean to declare whether the service's init script has a functional status command.
- *Default*: 'true'
+- *Default*: 'USE_DEFAULTS'
 ssh_key_ensure
 --------------
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -8,56 +8,320 @@ class ssh (
  $permit_root_login                = 'yes',
  $purge_keys                       = 'true',
  $manage_firewall                  = false,
-  $ssh_config_hash_known_hosts      = 'no',
+  $ssh_package_source               = 'USE_DEFAULTS',
  $ssh_package_adminfile            = 'USE_DEFAULTS',
  $ssh_config_hash_known_hosts      = 'USE_DEFAULTS',
  $ssh_config_path                  = '/etc/ssh/ssh_config',
  $ssh_config_owner                 = 'root',
  $ssh_config_group                 = 'root',
  $ssh_config_mode                  = '0644',
  $ssh_config_forward_x11           = undef,
  $ssh_config_forward_x11_trusted   = 'USE_DEFAULTS',
  $ssh_config_forward_agent         = undef,
  $ssh_config_server_alive_interval = undef,
  $ssh_config_sendenv_xmodifiers    = false,
  $ssh_sendenv                      = 'USE_DEFAULTS',
  $sshd_config_path                 = '/etc/ssh/sshd_config',
  $sshd_config_owner                = 'root',
  $sshd_config_group                = 'root',
-  $sshd_config_mode                 = '0600',
+  $sshd_config_mode                 = 'USE_DEFAULTS',
  $sshd_config_port                 = '22',
  $sshd_config_syslog_facility      = 'AUTH',
  $sshd_config_login_grace_time     = '120',
  $sshd_config_challenge_resp_auth  = 'yes',
  $sshd_config_print_motd           = 'yes',
-  $sshd_config_use_dns              = 'yes',
+  $sshd_config_use_dns              = 'USE_DEFAULTS',
  $sshd_config_banner               = 'none',
  $sshd_banner_content              = undef,
  $sshd_banner_owner                = 'root',
  $sshd_banner_group                = 'root',
  $sshd_banner_mode                 = '0644',
-  $sshd_config_xauth_location       = '/usr/bin/xauth',
+  $sshd_config_xauth_location       = 'USE_DEFAULTS',
  $sshd_config_subsystem_sftp       = 'USE_DEFAULTS',
  $sshd_password_authentication     = 'yes',
  $sshd_allow_tcp_forwarding        = 'yes',
  $sshd_x11_forwarding              = 'yes',
  $sshd_use_pam                     = 'USE_DEFAULTS',
  $sshd_client_alive_interval       = '0',
  $sshd_gssapiauthentication        = 'yes',
  $sshd_gssapikeyexchange           = 'USE_DEFAULTS',
  $sshd_pamauthenticationviakbdint  = 'USE_DEFAULTS',
  $sshd_gssapicleanupcredentials    = 'USE_DEFAULTS',
  $sshd_acceptenv                   = 'USE_DEFAULTS',
  $service_ensure                   = 'running',
  $service_name                     = 'USE_DEFAULTS',
  $service_enable                   = 'true',
  $service_hasrestart               = 'true',
-  $service_hasstatus                = 'true',
+  $service_hasstatus                = 'USE_DEFAULTS',
  $ssh_key_ensure                   = 'present',
  $ssh_key_type                     = 'ssh-rsa',
  $keys                             = undef,
  $manage_root_ssh_config           = 'false',
  $root_ssh_config_content          = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
  $sshd_password_authentication     = 'yes',
  $sshd_allow_tcp_forwarding        = 'yes',
  $sshd_x11_forwarding              = 'yes',
  $sshd_use_pam                     = 'yes',
  $sshd_client_alive_interval       = '0',
 ) {
  case $::osfamily {
    'RedHat': {
      $default_packages                        = ['openssh-server',
                                                  'openssh-clients']
      $default_service_name                    = 'sshd'
      $default_ssh_config_hash_known_hosts     = 'no'
      $default_ssh_config_forward_x11_trusted  = 'yes'
      $default_ssh_package_source              = undef
      $default_ssh_package_adminfile           = undef
      $default_ssh_sendenv                     = true
      $default_sshd_config_subsystem_sftp      = '/usr/libexec/openssh/sftp-server'
      $default_sshd_config_mode                = '0600'
      $default_sshd_config_use_dns             = 'yes'
      $default_sshd_config_xauth_location      = '/usr/bin/xauth'
      $default_sshd_use_pam                    = 'yes'
      $default_sshd_gssapikeyexchange          = undef
      $default_sshd_pamauthenticationviakbdint = undef
      $default_sshd_gssapicleanupcredentials   = 'yes'
      $default_sshd_acceptenv                  = true
      $default_service_hasstatus               = true
    }
    'Suse': {
      $default_packages                        = 'openssh'
      $default_service_name                    = 'sshd'
      $default_ssh_config_hash_known_hosts     = 'no'
      $default_ssh_package_source              = undef
      $default_ssh_package_adminfile           = undef
      $default_ssh_sendenv                     = true
      $default_ssh_config_forward_x11_trusted  = 'yes'
      $default_sshd_config_mode                = '0600'
      $default_sshd_config_use_dns             = 'yes'
      $default_sshd_config_xauth_location      = '/usr/bin/xauth'
      $default_sshd_use_pam                    = 'yes'
      $default_sshd_gssapikeyexchange          = undef
      $default_sshd_pamauthenticationviakbdint = undef
      $default_sshd_gssapicleanupcredentials   = 'yes'
      $default_sshd_acceptenv                  = true
      $default_service_hasstatus               = true
      case $::architecture {
        'x86_64': {
          $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
        }
        'i386' : {
          $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
      }
        default: {
          fail("ssh supports architectures x86_64 and i386 for Suse. Detected architecture is <${::architecture}>.")
        }
      }
    }
    'Debian': {
      $default_packages                        = ['openssh-server',
                                                  'openssh-client']
      $default_service_name                    = 'ssh'
      $default_ssh_config_forward_x11_trusted  = 'yes'
      $default_ssh_config_hash_known_hosts     = 'no'
      $default_ssh_package_source              = undef
      $default_ssh_package_adminfile           = undef
      $default_ssh_sendenv                     = true
      $default_sshd_config_subsystem_sftp      = '/usr/lib/openssh/sftp-server'
      $default_sshd_config_mode                = '0600'
      $default_sshd_config_use_dns             = 'yes'
      $default_sshd_config_xauth_location      = '/usr/bin/xauth'
      $default_sshd_use_pam                    = 'yes'
      $default_sshd_gssapikeyexchange          = undef
      $default_sshd_pamauthenticationviakbdint = undef
      $default_sshd_gssapicleanupcredentials   = 'yes'
      $default_sshd_acceptenv                  = true
      $default_service_hasstatus               = true
    }
    'Solaris': {
      $default_packages                        = ['SUNWsshcu',
                                                  'SUNWsshdr',
                                                  'SUNWsshdu',
                                                  'SUNWsshr',
                                                  'SUNWsshu']
      $default_ssh_config_hash_known_hosts     = undef
      $default_ssh_package_source              = '/var/spool/pkg'
      $default_ssh_package_adminfile           = undef
      $default_ssh_sendenv                     = false
      $default_ssh_config_forward_x11_trusted  = undef
      $default_sshd_config_subsystem_sftp      = '/usr/lib/ssh/sftp-server'
      $default_sshd_config_mode                = '0644'
      $default_sshd_config_use_dns             = undef
      $default_sshd_config_xauth_location      = '/usr/openwin/bin/xauth'
      $default_sshd_use_pam                    = undef
      $default_sshd_gssapikeyexchange          = 'yes'
      $default_sshd_pamauthenticationviakbdint = 'yes'
      $default_sshd_gssapicleanupcredentials   = undef
      $default_sshd_acceptenv                  = false
      case $::kernelrelease {
        '5.10','5.11': {
          $default_service_name      = 'ssh'
          $default_service_hasstatus = true
        }
        '5.9' : {
          $default_service_name      = 'sshd'
          $default_service_hasstatus = false
        }
        default: {
          fail('ssh module supports Solaris kernel release 5.9, 5.10 and 5.11.')
        }
      }
    }
    default: {
      fail("ssh supports osfamilies RedHat, Suse, Debian and Solaris. Detected osfamily is <${::osfamily}>.")
    }
  }
  if $packages == 'USE_DEFAULTS' {
    $packages_real = $default_packages
  } else {
    $packages_real = $packages
  }
  if $ssh_config_hash_known_hosts == 'USE_DEFAULTS' {
    $ssh_config_hash_known_hosts_real = $default_ssh_config_hash_known_hosts
  } else {
    $ssh_config_hash_known_hosts_real = $ssh_config_hash_known_hosts
  }
  if $service_name == 'USE_DEFAULTS' {
    $service_name_real = $default_service_name
  } else {
    $service_name_real = $service_name
  }
  if $sshd_config_subsystem_sftp == 'USE_DEFAULTS' {
    $sshd_config_subsystem_sftp_real = $default_sshd_config_subsystem_sftp
  } else {
    $sshd_config_subsystem_sftp_real = $sshd_config_subsystem_sftp
  }
  if $sshd_config_mode    == 'USE_DEFAULTS' {
    $sshd_config_mode_real = $default_sshd_config_mode
  } else {
    $sshd_config_mode_real = $sshd_config_mode
  }
  if $sshd_config_xauth_location == 'USE_DEFAULTS' {
    $sshd_config_xauth_location_real = $default_sshd_config_xauth_location
  } else {
    $sshd_config_xauth_location_real = $sshd_config_xauth_location
  }
  if $ssh_package_source == 'USE_DEFAULTS' {
    $ssh_package_source_real = $default_ssh_package_source
  } else {
    $ssh_package_source_real = $ssh_package_source
  }
  if $ssh_package_adminfile == 'USE_DEFAULTS' {
    $ssh_package_adminfile_real = $default_ssh_package_adminfile
  } else {
    $ssh_package_adminfile_real = $ssh_package_adminfile
  }
  if $ssh_package_adminfile_real != undef {
    validate_absolute_path($ssh_package_adminfile_real)
  }
  if $sshd_config_use_dns == 'USE_DEFAULTS' {
    $sshd_config_use_dns_real = $default_sshd_config_use_dns
  } else {
    $sshd_config_use_dns_real = $sshd_config_use_dns
  }
  if $sshd_use_pam == 'USE_DEFAULTS' {
    $sshd_use_pam_real = $default_sshd_use_pam
  } else {
    $sshd_use_pam_real = $sshd_use_pam
  }
  if $ssh_config_forward_x11_trusted == 'USE_DEFAULTS' {
    $ssh_config_forward_x11_trusted_real = $default_ssh_config_forward_x11_trusted
  } else {
    $ssh_config_forward_x11_trusted_real = $ssh_config_forward_x11_trusted
  }
  if $ssh_config_forward_x11_trusted_real != undef {
    validate_re($ssh_config_forward_x11_trusted_real, '^(yes|no)$', "ssh::ssh_config_forward_x11_trusted may be either 'yes' or 'no' and is set to <${ssh_config_forward_x11_trusted_real}>.")
  }
  if $sshd_gssapikeyexchange == 'USE_DEFAULTS' {
    $sshd_gssapikeyexchange_real = $default_sshd_gssapikeyexchange
  } else {
    $sshd_gssapikeyexchange_real = $sshd_gssapikeyexchange
  }
  if $sshd_pamauthenticationviakbdint == 'USE_DEFAULTS' {
    $sshd_pamauthenticationviakbdint_real = $default_sshd_pamauthenticationviakbdint
  } else {
    $sshd_pamauthenticationviakbdint_real = $sshd_pamauthenticationviakbdint
  }
  if $sshd_gssapicleanupcredentials == 'USE_DEFAULTS' {
    $sshd_gssapicleanupcredentials_real = $default_sshd_gssapicleanupcredentials
  } else {
    $sshd_gssapicleanupcredentials_real = $sshd_gssapicleanupcredentials
  }
  if $ssh_sendenv == 'USE_DEFAULTS' {
    $ssh_sendenv_real = $default_ssh_sendenv
  } else {
    case type($ssh_sendenv) {
      'string': {
        validate_re($ssh_sendenv, '^(true|false)$', "ssh::ssh_sendenv may be either 'true' or 'false' and is set to <${ssh_sendenv}>.")
        $ssh_sendenv_real = str2bool($ssh_sendenv)
      }
      'boolean': {
        $ssh_sendenv_real = $ssh_sendenv
      }
      default: {
        fail('ssh::ssh_sendenv type must be true or false.')
      }
    }
  }
  if $sshd_acceptenv == 'USE_DEFAULTS' {
    $sshd_acceptenv_real = $default_sshd_acceptenv
  } else {
    case type($sshd_acceptenv) {
      'string': {
        validate_re($sshd_acceptenv, '^(true|false)$', "ssh::sshd_acceptenv may be either 'true' or 'false' and is set to <${sshd_acceptenv}>.")
        $sshd_acceptenv_real = str2bool($sshd_acceptenv)
      }
      'boolean': {
        $sshd_acceptenv_real = $sshd_acceptenv
      }
      default: {
        fail('ssh::sshd_acceptenv type must be true or false.')
      }
    }
  }
  if $service_hasstatus == 'USE_DEFAULTS' {
    $service_hasstatus_real = $default_service_hasstatus
  } else {
    case type($service_hasstatus) {
      'string': {
        validate_re($service_hasstatus, '^(true|false)$', "ssh::service_hasstatus must be 'true' or 'false' and is set to <${service_hasstatus}>.")
        $service_hasstatus_real = str2bool($service_hasstatus)
      }
      'boolean': {
        $service_hasstatus_real = $service_hasstatus
      }
      default: {
        fail('ssh::service_hasstatus must be true or false.')
      }
    }
  }
  # validate params
-  validate_re($ssh_config_hash_known_hosts, '^(yes|no)$', "ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts}>.")
+  if $ssh_config_hash_known_hosts_real != undef {
    validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
  }
  validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")
  validate_re($sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.")
  validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
  validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
-  validate_re($sshd_use_pam, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam}>.")
+  if $sshd_use_pam_real != undef {
    validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
  }
  if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
  if $sshd_config_banner != 'none' {
@ -67,6 +331,20 @@ class ssh (
    fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.')
  }
  validate_re($sshd_gssapiauthentication, '^(yes|no)$', "ssh::sshd_gssapiauthentication may be either 'yes' or 'no' and is set to <${sshd_gssapiauthentication}>.")
  if $sshd_gssapikeyexchange_real != undef {
    validate_re($sshd_gssapikeyexchange_real, '^(yes|no)$', "ssh::sshd_gssapikeyexchange may be either 'yes' or 'no' and is set to <${sshd_gssapikeyexchange_real}>.")
  }
  if $sshd_pamauthenticationviakbdint_real != undef {
    validate_re($sshd_pamauthenticationviakbdint_real, '^(yes|no)$', "ssh::sshd_pamauthenticationviakbdint may be either 'yes' or 'no' and is set to <${sshd_pamauthenticationviakbdint_real}>.")
  }
  if $sshd_gssapicleanupcredentials_real != undef {
    validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
  }
  case type($hiera_merge) {
    'string': {
      validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.")
@ -122,59 +400,10 @@ class ssh (
    }
  }
  case $::osfamily {
    'RedHat': {
      $default_packages                   = ['openssh-server',
                                              'openssh-clients']
      $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
      $default_service_name               = 'sshd'
    }
    'Suse': {
      $default_packages     = 'openssh'
      $default_service_name = 'sshd'
      case $::architecture {
        'x86_64': {
          $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
        }
        'i386' : {
          $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
      }
        default: {
          fail("ssh supports architectures x86_64 and i386 for Suse. Detected architecture is <${::architecture}>.")
        }
      }
    }
    'Debian': {
      $default_packages                   = [ 'openssh-server',
                                              'openssh-client']
      $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
      $default_service_name               = 'ssh'
    }
    default: {
      fail("ssh supports osfamilies RedHat, Suse and Debian. Detected osfamily is <${::osfamily}>.")
    }
  }
  if $packages == 'USE_DEFAULTS' {
    $packages_real = $default_packages
  } else {
    $packages_real = $packages
  }
  if $service_name == 'USE_DEFAULTS' {
    $service_name_real = $default_service_name
  } else {
    $service_name_real = $service_name
  }
  if $sshd_config_subsystem_sftp == 'USE_DEFAULTS' {
    $sshd_config_subsystem_sftp_real = $default_sshd_config_subsystem_sftp
  } else {
    $sshd_config_subsystem_sftp_real = $sshd_config_subsystem_sftp
  }
  package { $packages_real:
-    ensure => installed,
+    ensure    => installed,
    source    => $ssh_package_source_real,
    adminfile => $ssh_package_adminfile_real,
  }
  file  { 'ssh_config' :
@ -190,7 +419,7 @@ class ssh (
  file  { 'sshd_config' :
    ensure  => file,
    path    => $sshd_config_path,
-    mode    => $sshd_config_mode,
+    mode    => $sshd_config_mode_real,
    owner   => $sshd_config_owner,
    group   => $sshd_config_group,
    content => template('ssh/sshd_config.erb'),
@ -247,7 +476,7 @@ class ssh (
    name       => $service_name_real,
    enable     => $service_enable,
    hasrestart => $service_hasrestart,
-    hasstatus  => $service_hasstatus,
+    hasstatus  => $service_hasstatus_real,
    subscribe  => File['sshd_config'],
  }
@ -264,7 +493,6 @@ class ssh (
    ensure  => $ssh_key_ensure,
    type    => $ssh_key_type,
    key     => $key,
    require => Package[$packages_real],
  }
  # import all nodes' ssh keys
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
--- a/templates/ssh_config.erb
+++ b/templates/ssh_config.erb
@ -45,13 +45,17 @@
 #   TunnelDevice any:any
 #   PermitLocalCommand no
 #   HashKnownHosts no
-   HashKnownHosts <%= @ssh_config_hash_known_hosts %>
+<% if @ssh_config_hash_known_hosts_real != nil -%>
   HashKnownHosts <%= @ssh_config_hash_known_hosts_real %>
 <% end -%>
 Host *
  GSSAPIAuthentication yes
 # If this option is set to yes then remote X11 clients will have full access
 # to the original X11 display. As virtually no X11 client supports the untrusted
 # mode correctly we set this to yes.
-  ForwardX11Trusted yes
+<% if @ssh_config_forward_x11_trusted_real != nil -%>
  ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %>
 <% end -%>
 <% if @ssh_config_forward_agent != nil -%>
  ForwardAgent <%= @ssh_config_forward_agent %>
 <% end -%>
@ -61,6 +65,7 @@ Host *
 <% if @ssh_config_server_alive_interval != nil -%>
  ServerAliveInterval <%= @ssh_config_server_alive_interval %>
 <% end -%>
 <% if @ssh_sendenv_real == true -%>
 # Send locale-related environment variables
  SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
  SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
@ -68,3 +73,4 @@ Host *
 <% if @ssh_config_sendenv_xmodifiers_real == true -%>
  SendEnv XMODIFIERS
 <% end -%>
 <% end -%>
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@ -24,7 +24,7 @@ Protocol 2
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 # Lifetime and size of ephemeral version 1 server key
@ -63,6 +63,14 @@ PermitRootLogin <%= @permit_root_login %>
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 PasswordAuthentication <%= @sshd_password_authentication %>
 <% if @sshd_pamauthenticationviakbdint_real != nil -%>
 # Use PAM via keyboard interactive method for authentication.
 # Depending on the setup of pam.conf(4) this may allow tunneled clear text
 # passwords even when PasswordAuthentication is set to no. This is dependent
 # on what the individual modules request and is out of the control of sshd
 # or the protocol.
 PAMAuthenticationViaKBDInt <%= @sshd_pamauthenticationviakbdint_real %>
 <% end -%>
 #PermitEmptyPasswords no
 # Change to no to disable s/key passwords
@ -77,10 +85,16 @@ ChallengeResponseAuthentication <%= @sshd_config_challenge_resp_auth %>
 # GSSAPI options
 #GSSAPIAuthentication no
-GSSAPIAuthentication yes
+GSSAPIAuthentication <%= @sshd_gssapiauthentication %>
 <% if @sshd_gssapikeyexchange_real != nil -%>
 GSSAPIKeyExchange <%= @sshd_gssapikeyexchange_real %>
 <% end -%>
 <% if @sshd_gssapicleanupcredentials_real != nil -%>
 #GSSAPICleanupCredentials yes
-GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials <%= @sshd_gssapicleanupcredentials_real %>
 <% end -%>
 <% if @sshd_use_pam_real != nil -%>
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication mechanism.
@ -90,12 +104,15 @@ GSSAPICleanupCredentials yes
 # session checks to run without PAM authentication, then enable this but set
 # ChallengeResponseAuthentication=no
 #UsePAM no
-UsePAM <%= @sshd_use_pam %>
+UsePAM <%= @sshd_use_pam_real %>
 <% end -%>
 <% if @sshd_acceptenv_real == true -%>
 # Accept locale-related environment variables
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 AcceptEnv LC_IDENTIFICATION LC_ALL
 <% end -%>
 #AllowTcpForwarding yes
 AllowTcpForwarding <%= @sshd_allow_tcp_forwarding %>
 #GatewayPorts no
@ -115,8 +132,10 @@ PrintMotd <%= @sshd_config_print_motd %>
 ClientAliveInterval <%= @sshd_client_alive_interval %>
 #ClientAliveCountMax 3
 #ShowPatchLevel no
 <% if @sshd_config_use_dns_real != nil -%>
 #UseDNS yes
-UseDNS <%= @sshd_config_use_dns %>
+UseDNS <%= @sshd_config_use_dns_real %>
 <% end -%>
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
 #PermitTunnel no
@ -127,7 +146,7 @@ UseDNS <%= @sshd_config_use_dns %>
 Banner <%= @sshd_config_banner %>
 #XAuthLocation /usr/bin/xauth
-XAuthLocation <%= @sshd_config_xauth_location %>
+XAuthLocation <%= @sshd_config_xauth_location_real %>
 # override default of no subsystems
 Subsystem sftp <%= @sshd_config_subsystem_sftp_real %>