diff --git a/README.md b/README.md index 8c52b43..be7bf4a 100644 --- a/README.md +++ b/README.md @@ -306,6 +306,24 @@ Array of users for the DenyUsers setting in sshd_config. - *Default*: undef +sshd_config_denygroups +--------------------- +Array of groups for the DenyGroups setting in sshd_config. + +- *Default*: undef + +sshd_config_allowgroups +----------------------- +Array of users for the AllowGroups setting in sshd_config. + +- *Default*: undef + +sshd_config_allowusers +----------------------- +Array of users for the AllowUsers setting in sshd_config. + +- *Default*: undef + keys ---- Hash of keys for user's ~/.ssh/authorized_keys diff --git a/manifests/init.pp b/manifests/init.pp index b6cca09..4da6b66 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -40,6 +40,9 @@ class ssh ( $sshd_config_ciphers = undef, $sshd_config_macs = undef, $sshd_config_denyusers = undef, + $sshd_config_denygroups = undef, + $sshd_config_allowusers = undef, + $sshd_config_allowgroups = undef, $sshd_banner_content = undef, $sshd_banner_owner = 'root', $sshd_banner_group = 'root', @@ -352,6 +355,18 @@ class ssh ( validate_array($sshd_config_denyusers) } + if $sshd_config_denygroups != undef { + validate_array($sshd_config_denygroups) + } + + if $sshd_config_allowusers != undef { + validate_array($sshd_config_allowusers) + } + + if $sshd_config_allowgroups != undef { + validate_array($sshd_config_allowgroups) + } + if $ssh_config_hash_known_hosts_real != undef { validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.") } diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 29deb87..6f98d7a 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -85,6 +85,9 @@ describe 'ssh' do it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_service('sshd_service').with({ @@ -200,6 +203,9 @@ describe 'ssh' do it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_service('sshd_service').with({ @@ -297,6 +303,9 @@ describe 'ssh' do it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_service('sshd_service').with({ @@ -393,6 +402,9 @@ describe 'ssh' do it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_service('sshd_service').with({ @@ -496,6 +508,9 @@ describe 'ssh' do it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('ssh_config').without_content(/^\s*DenyUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_service('sshd_service').with({ @@ -599,6 +614,9 @@ describe 'ssh' do it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_service('sshd_service').with({ @@ -702,6 +720,9 @@ describe 'ssh' do it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) } + it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) } it { should contain_service('sshd_service').with({ @@ -839,6 +860,15 @@ describe 'ssh' do :sshd_config_denyusers => [ 'root', 'lusers', ], + :sshd_config_denygroups => [ 'nossh', + 'wheel', + ], + :sshd_config_allowusers => [ 'foo', + 'bar', + ], + :sshd_config_allowgroups => [ 'ssh', + 'security', + ], } end @@ -883,6 +913,9 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('sshd_config').with_content(/^\s*DenyUsers root lusers$/) } + it { should contain_file('sshd_config').with_content(/^\s*DenyGroups nossh wheel$/) } + it { should contain_file('sshd_config').with_content(/^\s*AllowUsers foo bar$/) } + it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) } it { should contain_file('sshd_banner').with({ @@ -1037,6 +1070,66 @@ describe 'ssh' do end end + [true,'invalid'].each do |denygroups| + context "with sshd_config_denygroups set to invalid value #{denygroups}" do + let(:params) { { :sshd_config_denygroups => denygroups } } + + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + + [true,'invalid'].each do |allowusers| + context "with sshd_config_allowusers set to invalid value #{allowusers}" do + let(:params) { { :sshd_config_allowusers => allowusers } } + + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + + [true,'invalid'].each do |allowgroups| + context "with sshd_config_allowgroups set to invalid value #{allowgroups}" do + let(:params) { { :sshd_config_allowgroups => allowgroups } } + + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + [true,'invalid'].each do |macs| context "with sshd_config_macs set to invalid value #{macs}" do let(:params) { { :sshd_config_macs => macs } } diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index a553505..ea0d05a 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -168,3 +168,12 @@ MACs <%= @sshd_config_macs.join(',') %> <% if @sshd_config_denyusers -%> DenyUsers <%= @sshd_config_denyusers.join(' ') %> <% end -%> +<% if @sshd_config_denygroups -%> +DenyGroups <%= @sshd_config_denygroups.join(' ') %> +<% end -%> +<% if @sshd_config_allowusers -%> +AllowUsers <%= @sshd_config_allowusers.join(' ') %> +<% end -%> +<% if @sshd_config_allowgroups -%> +AllowGroups <%= @sshd_config_allowgroups.join(' ') %> +<% end -%>