Merge pull request #218 from ghoneycutt/PubkeyAcceptedKeyTypes

Add support for PubkeyAcceptedKeyTypes option to sshd_config

Gemfile

@@ -6,9 +6,8 @@ else
   gem 'puppet', :require => false
 end
 
-gem 'puppetlabs_spec_helper', '>= 1.2.0'
 gem 'facter', '>= 1.7.0'
-gem 'rspec-puppet'
+gem 'rspec-puppet', '~> 2.0'
 gem 'puppet-lint', '~> 2.0'
 gem 'puppet-lint-absolute_classname-check'
 gem 'puppet-lint-alias-check'
@@ -22,9 +21,13 @@ gem 'puppet-lint-undef_in_function-check'
 gem 'puppet-lint-unquoted_string-check'
 gem 'puppet-lint-variable_contains_upcase'
 
-gem 'rspec',     '~> 2.0'   if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
-gem 'rake',      '~> 10.0'  if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
+gem 'rspec',              '~> 2.0'   if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
+gem 'rake',               '~> 10.0'  if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
 gem 'json',               '<= 1.8'   if RUBY_VERSION < '2.0.0'
 gem 'json_pure',          '<= 2.0.1' if RUBY_VERSION < '2.0.0'
 gem 'metadata-json-lint', '0.0.11'   if RUBY_VERSION < '1.9'
 gem 'metadata-json-lint'             if RUBY_VERSION >= '1.9'
+
+gem 'puppetlabs_spec_helper', '2.0.2',    :require => false if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
+gem 'puppetlabs_spec_helper', '>= 2.0.0', :require => false if RUBY_VERSION >= '1.9'
+gem 'parallel_tests',         '<= 2.9.0', :require => false if RUBY_VERSION < '2.0.0'

README.md

@@ -642,6 +642,12 @@ String for HostbasedAuthentication option in sshd_config. Valid values are 'yes'
 
 - *Default*: 'no'
 
+sshd_pubkeyacceptedkeytypes
+-------------------------
+Array of public key types to be used with the PubkeyAcceptedKeyTypes option in sshd_config.
+
+- *Default*: undef
+
 sshd_pubkeyauthentication
 -------------------------
 String for PubkeyAuthentication option in sshd_config. Valid values are 'yes' and 'no'.

manifests/init.pp

@@ -87,6 +87,7 @@ class ssh (
   $sshd_config_hostkey                 = 'USE_DEFAULTS',
   $sshd_listen_address                 = undef,
   $sshd_hostbasedauthentication        = 'no',
+  $sshd_pubkeyacceptedkeytypes         = undef,
   $sshd_pubkeyauthentication           = 'yes',
   $sshd_ignoreuserknownhosts           = 'no',
   $sshd_ignorerhosts                   = 'yes',
@@ -636,6 +637,10 @@ class ssh (
 
   validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
 
+  if $sshd_pubkeyacceptedkeytypes != undef {
+    validate_array($sshd_pubkeyacceptedkeytypes)
+  }
+
   validate_re($sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.")
 
   validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")

metadata.json

@@ -8,10 +8,6 @@
   "project_page": "https://github.com/ghoneycutt/puppet-module-ssh",
   "issues_url": "https://github.com/ghoneycutt/puppet-module-ssh/issues",
   "requirements": [
-    {
-      "name": "pe",
-      "version_requirement": ">= 3.2.0 < 5.0.0"
-    },
     {
       "name": "puppet",
       "version_requirement": ">= 3.0.0 < 5.0.0"

spec/classes/init_spec.rb

@@ -403,6 +403,12 @@ describe 'ssh' do
         :sshd_password_authentication      => 'no',
         :sshd_config_permitemptypasswords  => 'no',
         :sshd_config_permituserenvironment => 'no',
+        :sshd_pubkeyacceptedkeytypes       => [ 'ecdsa-sha2-nistp256',
+                                                'ecdsa-sha2-nistp384',
+                                                'ecdsa-sha2-nistp521',
+                                                'ssh-ed25519',
+                                                'ssh-rsa',
+        ],
         :sshd_pubkeyauthentication         => 'no',
         :sshd_allow_tcp_forwarding         => 'no',
         :sshd_x11_forwarding               => 'no',
@@ -506,6 +512,7 @@ describe 'ssh' do
     it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
     it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
     it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
+    it { should contain_file('sshd_config').with_content(/^PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa$/) }
     it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
     it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
@@ -2188,6 +2195,18 @@ describe 'ssh' do
     end
   end
 
+  [true,'invalid'].each do |pubkeyacceptedkeytypes|
+    context "with sshd_pubkeyacceptedkeytypes set to invalid value #{pubkeyacceptedkeytypes}" do
+      let(:params) { { :sshd_pubkeyacceptedkeytypes => pubkeyacceptedkeytypes } }
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/is not/)
+      end
+    end
+  end
+
   describe 'with parameter sshd_pubkeyauthentication' do
     ['yes','no'].each do |value|
       context "specified as valid #{value} (as #{value.class})" do

templates/sshd_config.erb

@@ -69,6 +69,9 @@ MaxAuthTries <%= @sshd_config_maxauthtries %>
 <% end -%>
 
 #RSAAuthentication yes
+<% if @sshd_pubkeyacceptedkeytypes -%>
+PubkeyAcceptedKeyTypes <%= @sshd_pubkeyacceptedkeytypes.join(',') %>
+<% end -%>
 #PubkeyAuthentication yes
 PubkeyAuthentication <%= @sshd_pubkeyauthentication %>
 #AuthorizedKeysFile .ssh/authorized_keys