diff --git a/Gemfile b/Gemfile
index 57f5d73..65ffa5d 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,9 +6,8 @@ else
 gem 'puppet', :require => false
 end
-gem 'puppetlabs_spec_helper', '>= 1.2.0'
 gem 'facter', '>= 1.7.0'
-gem 'rspec-puppet'
+gem 'rspec-puppet', '~> 2.0'
 gem 'puppet-lint', '~> 2.0'
 gem 'puppet-lint-absolute_classname-check'
 gem 'puppet-lint-alias-check'
@@ -22,9 +21,13 @@ gem 'puppet-lint-undef_in_function-check'
 gem 'puppet-lint-unquoted_string-check'
 gem 'puppet-lint-variable_contains_upcase'
-gem 'rspec', '~> 2.0' if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
-gem 'rake', '~> 10.0' if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
-gem 'json', '<= 1.8' if RUBY_VERSION < '2.0.0'
-gem 'json_pure', '<= 2.0.1' if RUBY_VERSION < '2.0.0'
+gem 'rspec', '~> 2.0' if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
+gem 'rake', '~> 10.0' if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
+gem 'json', '<= 1.8' if RUBY_VERSION < '2.0.0'
+gem 'json_pure', '<= 2.0.1' if RUBY_VERSION < '2.0.0'
 gem 'metadata-json-lint', '0.0.11' if RUBY_VERSION < '1.9'
 gem 'metadata-json-lint' if RUBY_VERSION >= '1.9'
+
+gem 'puppetlabs_spec_helper', '2.0.2', :require => false if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
+gem 'puppetlabs_spec_helper', '>= 2.0.0', :require => false if RUBY_VERSION >= '1.9'
+gem 'parallel_tests', '<= 2.9.0', :require => false if RUBY_VERSION < '2.0.0'
diff --git a/README.md b/README.md
index 160668a..1d229dd 100644
--- a/README.md
+++ b/README.md
@@ -642,6 +642,12 @@ String for HostbasedAuthentication option in sshd_config. Valid values are 'yes'
 - *Default*: 'no'
+sshd_pubkeyacceptedkeytypes
+-------------------------
+Array of public key types to be used with the PubkeyAcceptedKeyTypes option in sshd_config.
+
+- *Default*: undef
+
 sshd_pubkeyauthentication
 -------------------------
 String for PubkeyAuthentication option in sshd_config. Valid values are 'yes' and 'no'.
diff --git a/manifests/init.pp b/manifests/init.pp
index a10df3f..3e8667b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -87,6 +87,7 @@ class ssh (
 $sshd_config_hostkey = 'USE_DEFAULTS',
 $sshd_listen_address = undef,
 $sshd_hostbasedauthentication = 'no',
+ $sshd_pubkeyacceptedkeytypes = undef,
 $sshd_pubkeyauthentication = 'yes',
 $sshd_ignoreuserknownhosts = 'no',
 $sshd_ignorerhosts = 'yes',
@@ -636,6 +637,10 @@ class ssh (
 validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
+ if $sshd_pubkeyacceptedkeytypes != undef {
+ validate_array($sshd_pubkeyacceptedkeytypes)
+ }
+
 validate_re($sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.")
 validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")
diff --git a/metadata.json b/metadata.json
index 19edfc0..5c365b3 100644
--- a/metadata.json
+++ b/metadata.json
@@ -8,10 +8,6 @@
 "project_page": "https://github.com/ghoneycutt/puppet-module-ssh",
 "issues_url": "https://github.com/ghoneycutt/puppet-module-ssh/issues",
 "requirements": [
- {
- "name": "pe",
- "version_requirement": ">= 3.2.0 < 5.0.0"
- },
 {
 "name": "puppet",
 "version_requirement": ">= 3.0.0 < 5.0.0"
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index a6f305e..53b48b1 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
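Review bot: The `validate_array` guard in the second init.pp hunk accepts an empty array, and the matching condition in the sshd_config.erb hunk, `<% if @sshd_pubkeyacceptedkeytypes -%>`, is true for `[]` in Ruby, so `sshd_pubkeyacceptedkeytypes => []` renders a bare `PubkeyAcceptedKeyTypes ` line that sshd treats as a missing argument and refuses to start or reload with. Rejecting that at catalog compile time is safer than finding out on the host; inside the existing block add `if empty($sshd_pubkeyacceptedkeytypes) { fail('ssh::sshd_pubkeyacceptedkeytypes must contain at least one key type.') }` (stdlib's `empty` is available alongside the `validate_array` already used here). The elements themselves are not checked, so a non-string or a value containing whitespace or a comma would likewise produce a malformed directive; at minimum a comment above the block stating that callers must pass sshd key type names, one per element, would document the contract. The class body continues outside the hunk.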
@@ -403,6 +403,12 @@ describe 'ssh' do
 :sshd_password_authentication => 'no',
 :sshd_config_permitemptypasswords => 'no',
 :sshd_config_permituserenvironment => 'no',
+ :sshd_pubkeyacceptedkeytypes => [ 'ecdsa-sha2-nistp256',
+ 'ecdsa-sha2-nistp384',
+ 'ecdsa-sha2-nistp521',
+ 'ssh-ed25519',
+ 'ssh-rsa',
+ ],
 :sshd_pubkeyauthentication => 'no',
 :sshd_allow_tcp_forwarding => 'no',
 :sshd_x11_forwarding => 'no',
@@ -506,6 +512,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
 it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
 it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
+ it { should contain_file('sshd_config').with_content(/^PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa$/) }
 it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication no$/) }
 it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
 it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
@@ -2188,6 +2195,18 @@ describe 'ssh' do
 end
 end
+ [true,'invalid'].each do |pubkeyacceptedkeytypes|
+ context "with sshd_pubkeyacceptedkeytypes set to invalid value #{pubkeyacceptedkeytypes}" do
+ let(:params) { { :sshd_pubkeyacceptedkeytypes => pubkeyacceptedkeytypes } }
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/is not/)
+ end
+ end
+ end
+
 describe 'with parameter sshd_pubkeyauthentication' do
 ['yes','no'].each do |value|
 context "specified as valid #{value} (as #{value.class})" do
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 51c3196..1a1c9fe 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
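Review bot: The invalid-value block in the third init_spec.rb hunk only exercises non-array inputs; it does not pin that the default `undef` leaves the directive out of the rendered file, nor what an empty array produces, which are the two cases most likely to regress. A one-liner in the default-params context, `it { should contain_file('sshd_config').without_content(/^PubkeyAcceptedKeyTypes/) }`, covers the first, and `[]` deserves its own context once the manifest decides whether to reject it. The `/is not/` match is broad enough to accept any validation failure from the class; `/is not an Array/` would pin the error the test is actually about. As a point of style, the neighbouring parameter specs wrap their value iteration in `describe 'with parameter …'`, whereas the new `[true,'invalid'].each` sits directly under the top-level describe, so wrapping it the same way would keep the spec output grouped consistently.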
@@ -69,6 +69,9 @@ MaxAuthTries <%= @sshd_config_maxauthtries %>
 <% end -%>
 #RSAAuthentication yes
+<% if @sshd_pubkeyacceptedkeytypes -%>
+PubkeyAcceptedKeyTypes <%= @sshd_pubkeyacceptedkeytypes.join(',') %>
+<% end -%>
 #PubkeyAuthentication yes
 PubkeyAuthentication <%= @sshd_pubkeyauthentication %>
 #AuthorizedKeysFile .ssh/authorized_keys
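Review bot: `PubkeyAcceptedKeyTypes` is only recognised by OpenSSH 7.0 and later; an older sshd reports an unknown keyword as a fatal `Bad configuration option` and will not start or reload, and the Ruby 1.8.7 branches kept in the Gemfile suggest this module is still run on platforms that ship such versions. Because the directive is only emitted when the parameter is set, the exposure is limited to operators who opt in, but that prerequisite should be stated where they will see it: in the README entry for `sshd_pubkeyacceptedkeytypes` and as a template comment above the new condition, e.g. `<%# PubkeyAcceptedKeyTypes requires OpenSSH >= 7.0; older sshd rejects the keyword at startup -%>`. It is also worth noting in the README that the option restricts which public key algorithms sshd will accept for authentication, so an over-tight list can lock out users whose keys use an omitted type.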