Merge pull request #70 from ghoneycutt/add_sshd_config_serverkeybits

Add sshd config serverkeybits
This commit is contained in:
Garrett Honeycutt 2014-05-22 15:01:18 -04:00
commit 7d06898c38
4 changed files with 53 additions and 3 deletions


@ -173,6 +173,12 @@ Specifies whether sshd should check file modes and ownership of the user's files
- *Default*: undef - *Default*: undef
sshd_config_serverkeybits
----------------------------
Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024 except for Solaris default value is 768.
- *Default*: '1024' except for Solaris which is '768'
sshd_config_banner sshd_config_banner
------------------ ------------------
Banner option in sshd_config. Banner option in sshd_config.


@ -33,6 +33,7 @@ class ssh (
$sshd_config_use_dns = 'USE_DEFAULTS', $sshd_config_use_dns = 'USE_DEFAULTS',
$sshd_config_authkey_location = undef, $sshd_config_authkey_location = undef,
$sshd_config_strictmodes = undef, $sshd_config_strictmodes = undef,
$sshd_config_serverkeybits = 'USE_DEFAULTS',
$sshd_config_banner = 'none', $sshd_config_banner = 'none',
$sshd_banner_content = undef, $sshd_banner_content = undef,
$sshd_banner_owner = 'root', $sshd_banner_owner = 'root',
@ -84,6 +85,7 @@ class ssh (
$default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_gssapicleanupcredentials = 'yes'
$default_sshd_acceptenv = true $default_sshd_acceptenv = true
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024'
} }
'Suse': { 'Suse': {
$default_packages = 'openssh' $default_packages = 'openssh'
@ -102,6 +104,7 @@ class ssh (
$default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_gssapicleanupcredentials = 'yes'
$default_sshd_acceptenv = true $default_sshd_acceptenv = true
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024'
case $::architecture { case $::architecture {
'x86_64': { 'x86_64': {
$default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
@ -133,6 +136,7 @@ class ssh (
$default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_gssapicleanupcredentials = 'yes'
$default_sshd_acceptenv = true $default_sshd_acceptenv = true
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024'
} }
'Solaris': { 'Solaris': {
$default_packages = ['SUNWsshcu', $default_packages = ['SUNWsshcu',
@ -154,6 +158,7 @@ class ssh (
$default_sshd_pamauthenticationviakbdint = 'yes' $default_sshd_pamauthenticationviakbdint = 'yes'
$default_sshd_gssapicleanupcredentials = undef $default_sshd_gssapicleanupcredentials = undef
$default_sshd_acceptenv = false $default_sshd_acceptenv = false
$default_sshd_config_serverkeybits = '768'
case $::kernelrelease { case $::kernelrelease {
'5.10','5.11': { '5.10','5.11': {
$default_service_name = 'ssh' $default_service_name = 'ssh'
@ -237,6 +242,12 @@ class ssh (
$sshd_use_pam_real = $sshd_use_pam $sshd_use_pam_real = $sshd_use_pam
} }
if $sshd_config_serverkeybits == 'USE_DEFAULTS' {
$sshd_config_serverkeybits_real = $default_sshd_config_serverkeybits
} else {
$sshd_config_serverkeybits_real = $sshd_config_serverkeybits
}
if $ssh_config_forward_x11_trusted == 'USE_DEFAULTS' { if $ssh_config_forward_x11_trusted == 'USE_DEFAULTS' {
$ssh_config_forward_x11_trusted_real = $default_ssh_config_forward_x11_trusted $ssh_config_forward_x11_trusted_real = $default_ssh_config_forward_x11_trusted
} else { } else {
@ -326,6 +337,9 @@ class ssh (
if $sshd_use_pam_real != undef { if $sshd_use_pam_real != undef {
validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
} }
if $sshd_config_serverkeybits_real != undef {
if is_integer($sshd_config_serverkeybits_real) == false { fail("ssh::sshd_config_serverkeybits must be an integer and is set to <${sshd_config_serverkeybits}>.") }
}
if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") } if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
if is_integer($sshd_client_alive_count_max) == false { fail("ssh::sshd_client_alive_count_max must be an integer and is set to <${sshd_client_alive_count_max}>.") } if is_integer($sshd_client_alive_count_max) == false { fail("ssh::sshd_client_alive_count_max must be an integer and is set to <${sshd_client_alive_count_max}>.") }
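Review bot: The fail() message on the new is_integer check interpolates `${sshd_config_serverkeybits}` while the value actually validated is `$sshd_config_serverkeybits_real`, unlike the sibling sshd_use_pam check two lines above which reports the `_real` value; use `<${sshd_config_serverkeybits_real}>` so the error names what was tested. The check also accepts any integer, although the README text added in this same commit states a minimum of 512, so a value such as '0' or a negative number passes validation and is written into sshd_config, where sshd would presumably refuse it at start-up; consider a bound check after the integer check, e.g. `if $sshd_config_serverkeybits_real < 512 { fail("ssh::sshd_config_serverkeybits must be at least 512 and is set to <${sshd_config_serverkeybits_real}>.") }` (confirm numeric-string comparison semantics for the Puppet versions the module targets). The enclosing class ssh begins and ends outside these hunks.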


@ -70,6 +70,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@ -188,6 +189,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) } it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) } it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -279,6 +281,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) } it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) } it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -369,6 +372,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) } it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) } it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -457,6 +461,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@ -554,6 +559,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@ -651,6 +657,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@ -766,6 +773,7 @@ describe 'ssh' do
:sshd_x11_forwarding => 'no', :sshd_x11_forwarding => 'no',
:sshd_use_pam => 'no', :sshd_use_pam => 'no',
:sshd_client_alive_interval => '242', :sshd_client_alive_interval => '242',
:sshd_config_serverkeybits => '1024',
:sshd_client_alive_count_max => '0', :sshd_client_alive_count_max => '0',
:sshd_config_authkey_location => '.ssh/authorized_keys', :sshd_config_authkey_location => '.ssh/authorized_keys',
:sshd_config_strictmodes => 'yes', :sshd_config_strictmodes => 'yes',
@ -800,6 +808,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM no$/) } it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@ -998,6 +1007,25 @@ describe 'ssh' do
end end
end end
context 'with sshd_config_serverkeybits set to invalid value on valid osfamily' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{ :sshd_config_serverkeybits => 'invalid' }
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/^ssh::sshd_config_serverkeybits must be an integer and is set to <invalid>\./)
end
end
context 'with sshd_client_alive_interval set to invalid value on valid osfamily' do context 'with sshd_client_alive_interval set to invalid value on valid osfamily' do
let :facts do let :facts do
{ {
@ -1067,7 +1095,7 @@ describe 'ssh' do
}.to raise_error(Puppet::Error,/is not a string/) }.to raise_error(Puppet::Error,/is not a string/)
end end
end end
context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do
let :facts do let :facts do
{ {
@ -1086,7 +1114,7 @@ describe 'ssh' do
}.to raise_error(Puppet::Error,/^ssh::sshd_config_strictmodes may be either \'yes\' or \'no\' and is set to <invalid>\./) }.to raise_error(Puppet::Error,/^ssh::sshd_config_strictmodes may be either \'yes\' or \'no\' and is set to <invalid>\./)
end end
end end
context 'with sshd_banner_content set and with default value on sshd_config_banner on valid osfamily' do context 'with sshd_banner_content set and with default value on sshd_config_banner on valid osfamily' do
let(:params) { { :sshd_banner_content => 'textinbanner' } } let(:params) { { :sshd_banner_content => 'textinbanner' } }
let :facts do let :facts do
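Review bot: The "all params set" context passes `:sshd_config_serverkeybits => '1024'` and then expects `/^ServerKeyBits 1024$/`, but '1024' is also the computed default for that osfamily, so the example would still pass if the parameter were ignored and the default used instead. Use a value that differs from every default, e.g. `:sshd_config_serverkeybits => '2048'` with the matching expectation `/^ServerKeyBits 2048$/`, so the override path is actually exercised. The new failure example covers only a non-numeric string; there is no example for a numeric value below the documented minimum of 512, which the manifest's is_integer check currently accepts. The enclosing describe block begins and ends outside these hunks.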


@ -30,7 +30,9 @@ HostKey /etc/ssh/ssh_host_rsa_key
# Lifetime and size of ephemeral version 1 server key # Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h #KeyRegenerationInterval 1h
#ServerKeyBits 1024 #ServerKeyBits 1024
<% if @sshd_config_serverkeybits_real != nil -%>
ServerKeyBits <%= @sshd_config_serverkeybits_real %>
<% end -%>
# Logging # Logging
# obsoletes QuietMode and FascistLogging # obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH #SyslogFacility AUTH
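Review bot: Because every osfamily branch visible in this commit sets `$default_sshd_config_serverkeybits` and the parameter defaults to 'USE_DEFAULTS', `@sshd_config_serverkeybits_real` appears never to be nil, so the new guard never skips and a `ServerKeyBits` line is rendered for every managed host — a change to the rendered sshd_config (and a service refresh) for users who never set the parameter. ServerKeyBits governs only the protocol version 1 ephemeral server key, as the surrounding comment notes, so a default of undef that omits the line unless explicitly requested would keep existing configurations unchanged and avoid emitting a protocol-1 setting on hosts that do not enable protocol 1. If always emitting the line is intended, a template comment such as `<%# ServerKeyBits applies only to SSH protocol 1; rendered whenever a value is resolved -%>` would make that explicit for the next maintainer.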