Add parameter to set AuthorizedPrincipalsFile setting
This commit is contained in:
parent
ec5141de84
commit
717a237cc0
@ -3,120 +3,121 @@
|
|||||||
# Manage ssh client and server
|
# Manage ssh client and server
|
||||||
#
|
#
|
||||||
class ssh (
|
class ssh (
|
||||||
$hiera_merge = false,
|
$hiera_merge = false,
|
||||||
$packages = 'USE_DEFAULTS',
|
$packages = 'USE_DEFAULTS',
|
||||||
$permit_root_login = 'yes',
|
$permit_root_login = 'yes',
|
||||||
$purge_keys = true,
|
$purge_keys = true,
|
||||||
$manage_firewall = false,
|
$manage_firewall = false,
|
||||||
$ssh_package_source = 'USE_DEFAULTS',
|
$ssh_package_source = 'USE_DEFAULTS',
|
||||||
$ssh_package_adminfile = 'USE_DEFAULTS',
|
$ssh_package_adminfile = 'USE_DEFAULTS',
|
||||||
$ssh_config_hash_known_hosts = 'USE_DEFAULTS',
|
$ssh_config_hash_known_hosts = 'USE_DEFAULTS',
|
||||||
$ssh_config_path = '/etc/ssh/ssh_config',
|
$ssh_config_path = '/etc/ssh/ssh_config',
|
||||||
$ssh_config_owner = 'root',
|
$ssh_config_owner = 'root',
|
||||||
$ssh_config_group = 'root',
|
$ssh_config_group = 'root',
|
||||||
$ssh_config_mode = '0644',
|
$ssh_config_mode = '0644',
|
||||||
$ssh_config_forward_x11 = undef,
|
$ssh_config_forward_x11 = undef,
|
||||||
$ssh_config_forward_x11_trusted = 'USE_DEFAULTS',
|
$ssh_config_forward_x11_trusted = 'USE_DEFAULTS',
|
||||||
$ssh_config_forward_agent = undef,
|
$ssh_config_forward_agent = undef,
|
||||||
$ssh_config_server_alive_interval = undef,
|
$ssh_config_server_alive_interval = undef,
|
||||||
$ssh_config_sendenv_xmodifiers = false,
|
$ssh_config_sendenv_xmodifiers = false,
|
||||||
$ssh_hostbasedauthentication = undef,
|
$ssh_hostbasedauthentication = undef,
|
||||||
$ssh_config_proxy_command = undef,
|
$ssh_config_proxy_command = undef,
|
||||||
$ssh_strict_host_key_checking = undef,
|
$ssh_strict_host_key_checking = undef,
|
||||||
$ssh_config_ciphers = undef,
|
$ssh_config_ciphers = undef,
|
||||||
$ssh_config_kexalgorithms = undef,
|
$ssh_config_kexalgorithms = undef,
|
||||||
$ssh_config_macs = undef,
|
$ssh_config_macs = undef,
|
||||||
$ssh_config_use_roaming = 'USE_DEFAULTS',
|
$ssh_config_use_roaming = 'USE_DEFAULTS',
|
||||||
$ssh_config_template = 'ssh/ssh_config.erb',
|
$ssh_config_template = 'ssh/ssh_config.erb',
|
||||||
$ssh_sendenv = 'USE_DEFAULTS',
|
$ssh_sendenv = 'USE_DEFAULTS',
|
||||||
$ssh_gssapiauthentication = 'yes',
|
$ssh_gssapiauthentication = 'yes',
|
||||||
$ssh_gssapidelegatecredentials = undef,
|
$ssh_gssapidelegatecredentials = undef,
|
||||||
$sshd_config_path = '/etc/ssh/sshd_config',
|
$sshd_config_path = '/etc/ssh/sshd_config',
|
||||||
$sshd_config_owner = 'root',
|
$sshd_config_owner = 'root',
|
||||||
$sshd_config_group = 'root',
|
$sshd_config_group = 'root',
|
||||||
$sshd_config_loglevel = 'INFO',
|
$sshd_config_loglevel = 'INFO',
|
||||||
$sshd_config_mode = 'USE_DEFAULTS',
|
$sshd_config_mode = 'USE_DEFAULTS',
|
||||||
$sshd_config_permitemptypasswords = undef,
|
$sshd_config_permitemptypasswords = undef,
|
||||||
$sshd_config_permituserenvironment = undef,
|
$sshd_config_permituserenvironment = undef,
|
||||||
$sshd_config_compression = undef,
|
$sshd_config_compression = undef,
|
||||||
$sshd_config_port = '22',
|
$sshd_config_port = '22',
|
||||||
$sshd_config_syslog_facility = 'AUTH',
|
$sshd_config_syslog_facility = 'AUTH',
|
||||||
$sshd_config_template = 'ssh/sshd_config.erb',
|
$sshd_config_template = 'ssh/sshd_config.erb',
|
||||||
$sshd_config_login_grace_time = '120',
|
$sshd_config_login_grace_time = '120',
|
||||||
$sshd_config_challenge_resp_auth = 'yes',
|
$sshd_config_challenge_resp_auth = 'yes',
|
||||||
$sshd_config_print_motd = 'yes',
|
$sshd_config_print_motd = 'yes',
|
||||||
$sshd_config_print_last_log = undef,
|
$sshd_config_print_last_log = undef,
|
||||||
$sshd_config_use_dns = 'USE_DEFAULTS',
|
$sshd_config_use_dns = 'USE_DEFAULTS',
|
||||||
$sshd_config_authkey_location = undef,
|
$sshd_config_authkey_location = undef,
|
||||||
$sshd_config_strictmodes = undef,
|
$sshd_config_strictmodes = undef,
|
||||||
$sshd_config_serverkeybits = 'USE_DEFAULTS',
|
$sshd_config_serverkeybits = 'USE_DEFAULTS',
|
||||||
$sshd_config_banner = 'none',
|
$sshd_config_banner = 'none',
|
||||||
$sshd_config_ciphers = undef,
|
$sshd_config_ciphers = undef,
|
||||||
$sshd_config_kexalgorithms = undef,
|
$sshd_config_kexalgorithms = undef,
|
||||||
$sshd_config_macs = undef,
|
$sshd_config_macs = undef,
|
||||||
$ssh_enable_ssh_keysign = undef,
|
$ssh_enable_ssh_keysign = undef,
|
||||||
$sshd_config_allowgroups = [],
|
$sshd_config_allowgroups = [],
|
||||||
$sshd_config_allowusers = [],
|
$sshd_config_allowusers = [],
|
||||||
$sshd_config_denygroups = [],
|
$sshd_config_denygroups = [],
|
||||||
$sshd_config_denyusers = [],
|
$sshd_config_denyusers = [],
|
||||||
$sshd_config_maxauthtries = undef,
|
$sshd_config_maxauthtries = undef,
|
||||||
$sshd_config_maxstartups = undef,
|
$sshd_config_maxstartups = undef,
|
||||||
$sshd_config_maxsessions = undef,
|
$sshd_config_maxsessions = undef,
|
||||||
$sshd_config_chrootdirectory = undef,
|
$sshd_config_chrootdirectory = undef,
|
||||||
$sshd_config_forcecommand = undef,
|
$sshd_config_forcecommand = undef,
|
||||||
$sshd_config_match = undef,
|
$sshd_config_match = undef,
|
||||||
$sshd_authorized_keys_command = undef,
|
$sshd_authorized_keys_command = undef,
|
||||||
$sshd_authorized_keys_command_user = undef,
|
$sshd_authorized_keys_command_user = undef,
|
||||||
$sshd_banner_content = undef,
|
$sshd_banner_content = undef,
|
||||||
$sshd_banner_owner = 'root',
|
$sshd_banner_owner = 'root',
|
||||||
$sshd_banner_group = 'root',
|
$sshd_banner_group = 'root',
|
||||||
$sshd_banner_mode = '0644',
|
$sshd_banner_mode = '0644',
|
||||||
$sshd_config_xauth_location = 'USE_DEFAULTS',
|
$sshd_config_xauth_location = 'USE_DEFAULTS',
|
||||||
$sshd_config_subsystem_sftp = 'USE_DEFAULTS',
|
$sshd_config_subsystem_sftp = 'USE_DEFAULTS',
|
||||||
$sshd_kerberos_authentication = undef,
|
$sshd_kerberos_authentication = undef,
|
||||||
$sshd_password_authentication = 'yes',
|
$sshd_password_authentication = 'yes',
|
||||||
$sshd_allow_tcp_forwarding = 'yes',
|
$sshd_allow_tcp_forwarding = 'yes',
|
||||||
$sshd_x11_forwarding = 'yes',
|
$sshd_x11_forwarding = 'yes',
|
||||||
$sshd_x11_use_localhost = 'yes',
|
$sshd_x11_use_localhost = 'yes',
|
||||||
$sshd_use_pam = 'USE_DEFAULTS',
|
$sshd_use_pam = 'USE_DEFAULTS',
|
||||||
$sshd_client_alive_count_max = '3',
|
$sshd_client_alive_count_max = '3',
|
||||||
$sshd_client_alive_interval = '0',
|
$sshd_client_alive_interval = '0',
|
||||||
$sshd_gssapiauthentication = 'yes',
|
$sshd_gssapiauthentication = 'yes',
|
||||||
$sshd_gssapikeyexchange = 'USE_DEFAULTS',
|
$sshd_gssapikeyexchange = 'USE_DEFAULTS',
|
||||||
$sshd_pamauthenticationviakbdint = 'USE_DEFAULTS',
|
$sshd_pamauthenticationviakbdint = 'USE_DEFAULTS',
|
||||||
$sshd_gssapicleanupcredentials = 'USE_DEFAULTS',
|
$sshd_gssapicleanupcredentials = 'USE_DEFAULTS',
|
||||||
$sshd_acceptenv = 'USE_DEFAULTS',
|
$sshd_acceptenv = 'USE_DEFAULTS',
|
||||||
$sshd_config_hostkey = 'USE_DEFAULTS',
|
$sshd_config_hostkey = 'USE_DEFAULTS',
|
||||||
$sshd_listen_address = undef,
|
$sshd_listen_address = undef,
|
||||||
$sshd_hostbasedauthentication = 'no',
|
$sshd_hostbasedauthentication = 'no',
|
||||||
$sshd_pubkeyacceptedkeytypes = undef,
|
$sshd_pubkeyacceptedkeytypes = undef,
|
||||||
$sshd_pubkeyauthentication = 'yes',
|
$sshd_pubkeyauthentication = 'yes',
|
||||||
$sshd_ignoreuserknownhosts = 'no',
|
$sshd_ignoreuserknownhosts = 'no',
|
||||||
$sshd_ignorerhosts = 'yes',
|
$sshd_ignorerhosts = 'yes',
|
||||||
$manage_service = true,
|
$manage_service = true,
|
||||||
$sshd_addressfamily = 'USE_DEFAULTS',
|
$sshd_addressfamily = 'USE_DEFAULTS',
|
||||||
$service_ensure = 'running',
|
$service_ensure = 'running',
|
||||||
$service_name = 'USE_DEFAULTS',
|
$service_name = 'USE_DEFAULTS',
|
||||||
$service_enable = true,
|
$service_enable = true,
|
||||||
$service_hasrestart = true,
|
$service_hasrestart = true,
|
||||||
$service_hasstatus = 'USE_DEFAULTS',
|
$service_hasstatus = 'USE_DEFAULTS',
|
||||||
$ssh_key_ensure = 'present',
|
$ssh_key_ensure = 'present',
|
||||||
$ssh_key_import = true,
|
$ssh_key_import = true,
|
||||||
$ssh_key_type = 'ssh-rsa',
|
$ssh_key_type = 'ssh-rsa',
|
||||||
$ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts',
|
$ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts',
|
||||||
$ssh_config_global_known_hosts_list = undef,
|
$ssh_config_global_known_hosts_list = undef,
|
||||||
$ssh_config_global_known_hosts_owner = 'root',
|
$ssh_config_global_known_hosts_owner = 'root',
|
||||||
$ssh_config_global_known_hosts_group = 'root',
|
$ssh_config_global_known_hosts_group = 'root',
|
||||||
$ssh_config_global_known_hosts_mode = '0644',
|
$ssh_config_global_known_hosts_mode = '0644',
|
||||||
$ssh_config_user_known_hosts_file = undef,
|
$ssh_config_user_known_hosts_file = undef,
|
||||||
$keys = undef,
|
$keys = undef,
|
||||||
$manage_root_ssh_config = false,
|
$manage_root_ssh_config = false,
|
||||||
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
|
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
|
||||||
$sshd_config_tcp_keepalive = undef,
|
$sshd_config_tcp_keepalive = undef,
|
||||||
$sshd_config_use_privilege_separation = undef,
|
$sshd_config_use_privilege_separation = undef,
|
||||||
$sshd_config_permittunnel = undef,
|
$sshd_config_permittunnel = undef,
|
||||||
$sshd_config_hostcertificate = undef,
|
$sshd_config_hostcertificate = undef,
|
||||||
$sshd_config_trustedusercakeys = undef,
|
$sshd_config_trustedusercakeys = undef,
|
||||||
|
$sshd_config_authorized_principals_file = undef,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
case $::osfamily {
|
case $::osfamily {
|
||||||
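Review bot: The new `$sshd_config_authorized_principals_file = undef` parameter at the end of the parameter list is undocumented; the only documentation in this file is the `# Manage ssh client and server` header, so nothing here tells a reader that the value is written verbatim as sshd's `AuthorizedPrincipalsFile` directive and that both `'unset'` and `undef` leave the directive out. A one-line comment above it, `# AuthorizedPrincipalsFile for sshd_config; 'unset' or undef omits the directive`, would be enough in the manifest. I cannot see a README hunk in this chunk, so if the module documents its parameters in a README that file probably needs an entry too. The `ssh` class body continues past this hunk.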
@ -500,6 +501,11 @@ class ssh (
|
|||||||
default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
|
default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
case $sshd_config_authorized_principals_file {
|
||||||
|
'unset', undef: { $sshd_config_authorized_principals_file_real = undef }
|
||||||
|
default: { $sshd_config_authorized_principals_file_real = $sshd_config_authorized_principals_file }
|
||||||
|
}
|
||||||
|
|
||||||
# validate params
|
# validate params
|
||||||
if $ssh_config_ciphers != undef {
|
if $ssh_config_ciphers != undef {
|
||||||
validate_array($ssh_config_ciphers)
|
validate_array($ssh_config_ciphers)
|
||||||
@ -850,6 +856,10 @@ class ssh (
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if $sshd_config_authorized_principals_file_real != undef {
|
||||||
|
validate_string($sshd_config_authorized_principals_file_real)
|
||||||
|
}
|
||||||
|
|
||||||
package { $packages_real:
|
package { $packages_real:
|
||||||
ensure => installed,
|
ensure => installed,
|
||||||
source => $ssh_package_source_real,
|
source => $ssh_package_source_real,
|
||||||
|
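Review bot: `validate_string($sshd_config_authorized_principals_file_real)` only checks the type; the template later emits the value verbatim on an `AuthorizedPrincipalsFile` line, so a string containing a newline or carriage return would silently produce a malformed or extra sshd directive instead of a catalog failure. Since `none` and sshd's `%h`/`%u` tokens are legitimate values, a single-line check is the right restriction: `validate_re($sshd_config_authorized_principals_file_real, '\A[^\r\n]+\z', 'ssh::sshd_config_authorized_principals_file must be a single line')`. Use `\A`/`\z` rather than `^`/`$`, which in Ruby regexes match per line and would accept a multi-line value. The existing `trustedusercakeys` validation further up (outside this hunk) presumably has the same shape and would benefit from the same check.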
@ -1097,6 +1097,20 @@ describe 'sshd_config_print_last_log param' do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with sshd_config_authorized_principals_file param' do
|
||||||
|
['unset', '.ssh/authorized_principals'].each do |value|
|
||||||
|
context "set to #{value}" do
|
||||||
|
let (:params) { { :sshd_config_authorized_principals_file => value } }
|
||||||
|
|
||||||
|
if value == 'unset'
|
||||||
|
it { should contain_file('sshd_config').without_content(/^\s*AuthorizedPrincipalsFile/)}
|
||||||
|
else
|
||||||
|
it { should contain_file('sshd_config').with_content(/^AuthorizedPrincipalsFile \.ssh\/authorized_principals/)}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe 'sshd_config_trustedusercakeys param' do
|
describe 'sshd_config_trustedusercakeys param' do
|
||||||
['unset', '/etc/ssh/authorized_users_ca.pub', 'none'].each do |value|
|
['unset', '/etc/ssh/authorized_users_ca.pub', 'none'].each do |value|
|
||||||
context "set to #{value}" do
|
context "set to #{value}" do
|
||||||
|
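Review bot: The new spec exercises the `'unset'` sentinel and one explicit path, but never asserts the parameter's actual default (`undef`, which the manifest maps through the `'unset', undef:` case branch), so a regression that sent `undef` into the `default:` branch would pass this block unless a default-params context elsewhere in the spec already covers it. Add a context that sets no value: `context 'with default params' do` / `it { should contain_file('sshd_config').without_content(/^\s*AuthorizedPrincipalsFile/) }` / `end`. As a point of style, the block is opened with `context 'with sshd_config_authorized_principals_file param'` while its neighbour uses `describe 'sshd_config_trustedusercakeys param'`; using `describe` keeps the file uniform. The enclosing `describe` block starts outside this hunk.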
@ -271,3 +271,6 @@ HostCertificate <%= cert %>
|
|||||||
<% if @sshd_config_trustedusercakeys_real -%>
|
<% if @sshd_config_trustedusercakeys_real -%>
|
||||||
TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %>
|
TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %>
|
||||||
<% end -%>
|
<% end -%>
|
||||||
|
<% if @sshd_config_authorized_principals_file_real -%>
|
||||||
|
AuthorizedPrincipalsFile <%= @sshd_config_authorized_principals_file_real %>
|
||||||
|
<% end -%>
|