puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add option to specify AuthorizedKeysFile

Browse Source
This commit is contained in:
Martin Hagstrom 2014-05-16 10:31:54 +02:00
parent b3511938e9
commit 7dd6b653b0
4 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -161,6 +161,12 @@ UseDNS option in sshd_config. The default is 'yes' on Linux.
- *Default*: 'USE_DEFAULTS' - *Default*: 'USE_DEFAULTS'
sshd_config_authkey_location
----------------------------
Specify location of authorized_keys file. Default is to not specify.
- *Default*: undef
sshd_config_banner sshd_config_banner
------------------ ------------------
Banner option in sshd_config. Banner option in sshd_config.

5
manifests/init.pp
View File

@ -31,6 +31,7 @@ class ssh (
$sshd_config_challenge_resp_auth = 'yes', $sshd_config_challenge_resp_auth = 'yes',
$sshd_config_print_motd = 'yes', $sshd_config_print_motd = 'yes',
$sshd_config_use_dns = 'USE_DEFAULTS', $sshd_config_use_dns = 'USE_DEFAULTS',
$sshd_config_authkey_location = undef,
$sshd_config_banner = 'none', $sshd_config_banner = 'none',
$sshd_banner_content = undef, $sshd_banner_content = undef,
$sshd_banner_owner = 'root', $sshd_banner_owner = 'root',
@ -348,6 +349,10 @@ class ssh (
validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.") validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
} }
if $sshd_config_authkey_location != undef {
validate_string($sshd_config_authkey_location)
}
case type($hiera_merge) { case type($hiera_merge) {
'string': { 'string': {
validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.") validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.")

25
spec/classes/init_spec.rb
View File

@ -76,6 +76,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange no$/) } it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange no$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { it {
@ -184,6 +185,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) } it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -273,6 +275,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) } it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -361,6 +364,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) } it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -456,6 +460,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -551,6 +556,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -646,6 +652,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
it { it {
should contain_service('sshd_service').with({ should contain_service('sshd_service').with({
@ -753,6 +760,7 @@ describe 'ssh' do
:sshd_use_pam => 'no', :sshd_use_pam => 'no',
:sshd_client_alive_interval => '242', :sshd_client_alive_interval => '242',
:sshd_client_alive_count_max => '0', :sshd_client_alive_count_max => '0',
:sshd_config_authkey_location => '.ssh/authorized_keys',
} }
end end
@ -791,6 +799,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysFile .ssh\/authorized_keys/) }
it { it {
should contain_file('sshd_banner').with({ should contain_file('sshd_banner').with({
@ -1034,6 +1043,22 @@ describe 'ssh' do
end end
end end
context 'with sshd_config_authkey_location set to invalid value on valid osfamily' do
let(:params) { { :sshd_config_authkey_location => false } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/is not a string/)
end
end
context 'with sshd_banner_content set and with default value on sshd_config_banner on valid osfamily' do context 'with sshd_banner_content set and with default value on sshd_config_banner on valid osfamily' do
let(:params) { { :sshd_banner_content => 'textinbanner' } } let(:params) { { :sshd_banner_content => 'textinbanner' } }
let :facts do let :facts do

3
templates/sshd_config.erb
View File

@ -49,6 +49,9 @@ PermitRootLogin <%= @permit_root_login %>
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys
<% if @sshd_config_authkey_location -%>
AuthorizedKeysFile <%= @sshd_config_authkey_location %>
<% end -%>
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no #RhostsRSAAuthentication no