Parameterize IgnoreUserKnownHosts & IgnoreRhosts

This commit is contained in:
kTitan 2015-06-01 20:44:56 +02:00
parent dc58913f13
commit 6d0cfd48c8
4 changed files with 100 additions and 0 deletions

View File

@ -496,6 +496,18 @@ HostbasedAuthentication: Enables/disables Hostbased authentication. Valid values
- *Default*: 'no' - *Default*: 'no'
sshd_ignoreuserknownhosts
-------------------------
String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' and 'no. Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.
- *Default*: 'no'
sshd_ignorerhosts
-------------------------
String for IgnoreRhosts option in sshd_config. Valid values are 'yes' and 'no. Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication though /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.
- *Default*: 'yes'
purge_keys purge_keys
---------- ----------
Remove keys not managed by puppet. Remove keys not managed by puppet.

View File

@ -75,6 +75,8 @@ class ssh (
$sshd_config_hostkey = 'USE_DEFAULTS', $sshd_config_hostkey = 'USE_DEFAULTS',
$sshd_listen_address = undef, $sshd_listen_address = undef,
$sshd_hostbasedauthentication = 'no', $sshd_hostbasedauthentication = 'no',
$sshd_ignoreuserknownhosts = 'no',
$sshd_ignorerhosts = 'yes',
$service_ensure = 'running', $service_ensure = 'running',
$service_name = 'USE_DEFAULTS', $service_name = 'USE_DEFAULTS',
$service_enable = true, $service_enable = true,
@ -485,6 +487,10 @@ class ssh (
validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.") validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")
validate_re($sshd_ignorerhosts, '^(yes|no)$', "ssh::sshd_ignorerhosts may be either 'yes' or 'no' and is set to <${sshd_ignorerhosts}>.")
case type($hiera_merge) { case type($hiera_merge) {
'string': { 'string': {
validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.") validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.")

View File

@ -102,6 +102,8 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) } it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) } it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) } it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
it { should contain_file('sshd_config').without_content(/^ForceCommand/) } it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
it { should contain_file('sshd_config').without_content(/^Match/) } it { should contain_file('sshd_config').without_content(/^Match/) }
@ -239,6 +241,8 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) } it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) } it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) } it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
it { should contain_file('sshd_config').without_content(/^ForceCommand/) } it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
it { should contain_file('sshd_config').without_content(/^Match/) } it { should contain_file('sshd_config').without_content(/^Match/) }
@ -359,6 +363,8 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) } it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) } it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) } it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
it { should contain_file('sshd_config').without_content(/^ForceCommand/) } it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
it { should contain_file('sshd_config').without_content(/^Match/) } it { should contain_file('sshd_config').without_content(/^Match/) }
@ -477,6 +483,8 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) } it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) } it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) } it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
it { should contain_file('sshd_config').without_content(/^ForceCommand/) } it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
it { should contain_file('sshd_config').without_content(/^Match/) } it { should contain_file('sshd_config').without_content(/^Match/) }
@ -604,6 +612,8 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) } it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) } it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) } it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
it { should contain_file('sshd_config').without_content(/^ForceCommand/) } it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
it { should contain_file('sshd_config').without_content(/^Match/) } it { should contain_file('sshd_config').without_content(/^Match/) }
@ -730,6 +740,8 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) } it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) } it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) } it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
it { should contain_file('sshd_config').without_content(/^ForceCommand/) } it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
it { should contain_file('sshd_config').without_content(/^Match/) } it { should contain_file('sshd_config').without_content(/^Match/) }
@ -856,6 +868,8 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) } it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) } it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) } it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
it { should contain_file('sshd_config').without_content(/^ForceCommand/) } it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
it { should contain_file('sshd_config').without_content(/^Match/) } it { should contain_file('sshd_config').without_content(/^Match/) }
@ -1074,6 +1088,8 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) } it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) } it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
it { should contain_file('sshd_config').with_content(/^ChrootDirectory \/chrootdir$/) } it { should contain_file('sshd_config').with_content(/^ChrootDirectory \/chrootdir$/) }
it { should contain_file('sshd_config').with_content(/^ForceCommand \/force\/command --with-parameter 242$/) } it { should contain_file('sshd_config').with_content(/^ForceCommand \/force\/command --with-parameter 242$/) }
it { should contain_file('sshd_config').with_content(/^Match User JohnDoe\n AllowTcpForwarding yes\Z/) } it { should contain_file('sshd_config').with_content(/^Match User JohnDoe\n AllowTcpForwarding yes\Z/) }
@ -3017,4 +3033,68 @@ describe 'ssh' do
end end
end end
end end
describe 'with parameter sshd_ignoreuserknownhosts' do
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
['yes','no'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :sshd_ignoreuserknownhosts => value } }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :sshd_ignoreuserknownhosts => value } }
if value.is_a?(Array)
value = value.join
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <#{value}>\./)
end
end
end
end
describe 'with parameter sshd_ignorerhosts' do
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
['yes','no'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :sshd_ignorerhosts => value } }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :sshd_ignorerhosts => value } }
if value.is_a?(Array)
value = value.join
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_ignorerhosts may be either 'yes' or 'no' and is set to <#{value}>\./)
end
end
end
end
end end

View File

@ -81,8 +81,10 @@ HostbasedAuthentication <%= @sshd_hostbasedauthentication %>
# Change to yes if you don't trust ~/.ssh/known_hosts for # Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication # RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no #IgnoreUserKnownHosts no
IgnoreUserKnownHosts <%= @sshd_ignoreuserknownhosts %>
# Don't read the user's ~/.rhosts and ~/.shosts files # Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes #IgnoreRhosts yes
IgnoreRhosts <%= @sshd_ignorerhosts %>
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes #PasswordAuthentication yes