puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #173 from florianfa/master

Browse Source 
allow ecdsa-sha2-nistp256 hostkeys,  add host_aliases attribute to sshkey resource, add support for PubkeyAuthentication
This commit is contained in:
Garrett Honeycutt 2016-06-08 12:35:48 -04:00
commit 6a82780175
10 changed files with 65 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -556,6 +556,12 @@ String for HostbasedAuthentication option in sshd_config. Valid values are 'yes'
- *Default*: 'no' - *Default*: 'no'
sshd_pubkeyauthentication
-------------------------
String for PubkeyAuthentication option in sshd_config. Valid values are 'yes' and 'no'.
- *Default*: 'yes'
sshd_ignoreuserknownhosts sshd_ignoreuserknownhosts
------------------------- -------------------------
String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication. String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.
@ -624,7 +630,7 @@ Import all exported node SSH keys. Valid values are 'true' and 'false'.
ssh_key_type ssh_key_type
------------ ------------
Encryption type for SSH key. Valid values are 'rsa', 'dsa', 'ssh-dss' and 'ssh-rsa' Encryption type for SSH key. Valid values are 'ecdsa-sha2-nistp256', 'rsa', 'dsa', 'ssh-dss' and 'ssh-rsa'
- *Default*: 'ssh-rsa' - *Default*: 'ssh-rsa'

15
manifests/init.pp
View File

@ -81,6 +81,7 @@ class ssh (
$sshd_config_hostkey = 'USE_DEFAULTS', $sshd_config_hostkey = 'USE_DEFAULTS',
$sshd_listen_address = undef, $sshd_listen_address = undef,
$sshd_hostbasedauthentication = 'no', $sshd_hostbasedauthentication = 'no',
$sshd_pubkeyauthentication = 'yes',
$sshd_ignoreuserknownhosts = 'no', $sshd_ignoreuserknownhosts = 'no',
$sshd_ignorerhosts = 'yes', $sshd_ignorerhosts = 'yes',
$manage_service = true, $manage_service = true,
@ -561,6 +562,8 @@ class ssh (
validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.") validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
validate_re($sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.")
validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.") validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")
validate_re($sshd_ignorerhosts, '^(yes|no)$', "ssh::sshd_ignorerhosts may be either 'yes' or 'no' and is set to <${sshd_ignorerhosts}>.") validate_re($sshd_ignorerhosts, '^(yes|no)$', "ssh::sshd_ignorerhosts may be either 'yes' or 'no' and is set to <${sshd_ignorerhosts}>.")
@ -620,8 +623,11 @@ class ssh (
'ssh-dsa','dsa': { 'ssh-dsa','dsa': {
$key = $::sshdsakey $key = $::sshdsakey
} }
'ecdsa-sha2-nistp256': {
$key = $::sshecdsakey
}
default: { default: {
fail("ssh::ssh_key_type must be 'ssh-rsa', 'rsa', 'ssh-dsa', or 'dsa' and is <${ssh_key_type}>.") fail("ssh::ssh_key_type must be 'ecdsa-sha2-nistp256', 'ssh-rsa', 'rsa', 'ssh-dsa', or 'dsa' and is <${ssh_key_type}>.")
} }
} }
@ -789,9 +795,10 @@ class ssh (
# export each node's ssh key # export each node's ssh key
@@sshkey { $::fqdn : @@sshkey { $::fqdn :
ensure => $ssh_key_ensure, ensure => $ssh_key_ensure,
type => $ssh_key_type, host_aliases => [$::hostname, $::ipaddress],
key => $key, type => $ssh_key_type,
key => $key,
} }
file { 'ssh_known_hosts': file { 'ssh_known_hosts':

40
spec/classes/init_spec.rb
View File

@ -4,6 +4,8 @@ describe 'ssh' do
default_facts = { default_facts = {
:fqdn => 'monkey.example.com', :fqdn => 'monkey.example.com',
:hostname => 'monkey',
:ipaddress => '127.0.0.1',
:osfamily => 'RedHat', :osfamily => 'RedHat',
:ssh_version => 'OpenSSH_6.6p1', :ssh_version => 'OpenSSH_6.6p1',
:ssh_version_numeric => '6.6', :ssh_version_numeric => '6.6',
@ -12,6 +14,8 @@ describe 'ssh' do
default_solaris_facts = { default_solaris_facts = {
:fqdn => 'monkey.example.com', :fqdn => 'monkey.example.com',
:hostname => 'monkey',
:ipaddress => '127.0.0.1',
:osfamily => 'Solaris', :osfamily => 'Solaris',
:ssh_version => 'Sun_SSH_2.2', :ssh_version => 'Sun_SSH_2.2',
:ssh_version_numeric => '2.2', :ssh_version_numeric => '2.2',
@ -188,6 +192,8 @@ describe 'ssh' do
facts.merge( facts.merge(
{ {
:fqdn => 'monkey.example.com', :fqdn => 'monkey.example.com',
:hostname => 'monkey',
:ipaddress => '127.0.0.1',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==', :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==',
} }
) )
@ -385,6 +391,7 @@ describe 'ssh' do
:sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp', :sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp',
:sshd_kerberos_authentication => 'no', :sshd_kerberos_authentication => 'no',
:sshd_password_authentication => 'no', :sshd_password_authentication => 'no',
:sshd_pubkeyauthentication => 'no',
:sshd_allow_tcp_forwarding => 'no', :sshd_allow_tcp_forwarding => 'no',
:sshd_x11_forwarding => 'no', :sshd_x11_forwarding => 'no',
:sshd_use_pam => 'no', :sshd_use_pam => 'no',
@ -472,6 +479,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) } it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) } it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) } it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) } it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
it { should contain_file('sshd_config').with_content(/^ChrootDirectory \/chrootdir$/) } it { should contain_file('sshd_config').with_content(/^ChrootDirectory \/chrootdir$/) }
@ -2462,6 +2470,38 @@ describe 'ssh' do
end end
end end
describe 'with parameter sshd_pubkeyauthentication' do
let :facts do
default_facts.merge(
{
}
)
end
['yes','no'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :sshd_pubkeyauthentication => value } }
it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :sshd_pubkeyauthentication => value } }
if value.is_a?(Array)
value = value.join
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to/)
end
end
end
end
describe 'with parameter sshd_ignoreuserknownhosts' do describe 'with parameter sshd_ignoreuserknownhosts' do
let :facts do let :facts do
default_facts.merge( default_facts.merge(

1
spec/fixtures/sshd_config_debian vendored
View File

@ -49,6 +49,7 @@ PermitRootLogin yes
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
spec/fixtures/sshd_config_rhel vendored
View File

@ -49,6 +49,7 @@ PermitRootLogin yes
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
spec/fixtures/sshd_config_sles_12_x86_64 vendored
View File

@ -49,6 +49,7 @@ PermitRootLogin yes
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
spec/fixtures/sshd_config_solaris vendored
View File

@ -47,6 +47,7 @@ PermitRootLogin yes
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
spec/fixtures/sshd_config_suse_i386 vendored
View File

@ -49,6 +49,7 @@ PermitRootLogin yes
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
spec/fixtures/sshd_config_suse_x86_64 vendored
View File

@ -49,6 +49,7 @@ PermitRootLogin yes
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

1
templates/sshd_config.erb
View File

@ -68,6 +68,7 @@ MaxAuthTries <%= @sshd_config_maxauthtries %>
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
PubkeyAuthentication <%= @sshd_pubkeyauthentication %>
#AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys
<% if @sshd_config_authkey_location -%> <% if @sshd_config_authkey_location -%>
AuthorizedKeysFile <%= @sshd_config_authkey_location %> AuthorizedKeysFile <%= @sshd_config_authkey_location %>