diff --git a/README.md b/README.md
index e79ed7b..1808806 100644
--- a/README.md
+++ b/README.md
@@ -503,6 +503,30 @@ Encryption type for SSH key. Valid values are 'rsa', 'dsa', 'ssh-dss' and 'ssh-r
 - *Default*: 'ssh-rsa'
+ssh_config_global_known_hosts_file
+----------------------------------
+File of the global known_hosts file
+
+- *Default*: '/etc/ssh/ssh_known_hosts'
+
+ssh_config_global_known_hosts_owner
+----------------------------------
+Owner of the global known_hosts file
+
+- *Default*: 'root'
+
+ssh_config_global_known_hosts_group
+----------------------------------
+Group of the global known_hosts file
+
+- *Default*: 'root'
+
+ssh_config_global_known_hosts_mode
+----------------------------------
+File mode of the global known_hosts file
+
+- *Default*: '0644'
+
 manage_root_ssh_config
 ----------------------
 Manage SSH config of root. Valid values are 'true' and 'false'.
diff --git a/manifests/init.pp b/manifests/init.pp
index 92a0e84..dbce9d4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,82 +3,86 @@
 # Manage ssh client and server
 #
 class ssh (
- $hiera_merge = false,
- $packages = 'USE_DEFAULTS',
- $permit_root_login = 'yes',
- $purge_keys = 'true',
- $manage_firewall = false,
- $ssh_package_source = 'USE_DEFAULTS',
- $ssh_package_adminfile = 'USE_DEFAULTS',
- $ssh_config_hash_known_hosts = 'USE_DEFAULTS',
- $ssh_config_path = '/etc/ssh/ssh_config',
- $ssh_config_owner = 'root',
- $ssh_config_group = 'root',
- $ssh_config_mode = '0644',
- $ssh_config_forward_x11 = undef,
- $ssh_config_forward_x11_trusted = 'USE_DEFAULTS',
- $ssh_config_forward_agent = undef,
- $ssh_config_server_alive_interval = undef,
- $ssh_config_sendenv_xmodifiers = false,
- $ssh_config_ciphers = undef,
- $ssh_config_macs = undef,
- $ssh_config_template = 'ssh/ssh_config.erb',
- $ssh_sendenv = 'USE_DEFAULTS',
- $ssh_gssapidelegatecredentials = undef,
- $sshd_config_path = '/etc/ssh/sshd_config',
- $sshd_config_owner = 'root',
- $sshd_config_group = 'root',
- $sshd_config_loglevel = 'INFO',
- $sshd_config_mode = 'USE_DEFAULTS',
- $sshd_config_port = '22',
- $sshd_config_syslog_facility = 'AUTH',
- $sshd_config_template = 'ssh/sshd_config.erb',
- $sshd_config_login_grace_time = '120',
- $sshd_config_challenge_resp_auth = 'yes',
- $sshd_config_print_motd = 'yes',
- $sshd_config_use_dns = 'USE_DEFAULTS',
- $sshd_config_authkey_location = undef,
- $sshd_config_strictmodes = undef,
- $sshd_config_serverkeybits = 'USE_DEFAULTS',
- $sshd_config_banner = 'none',
- $sshd_config_ciphers = undef,
- $sshd_config_macs = undef,
- $sshd_config_denyusers = undef,
- $sshd_config_denygroups = undef,
- $sshd_config_allowusers = undef,
- $sshd_config_allowgroups = undef,
- $sshd_config_maxstartups = undef,
- $sshd_config_maxsessions = undef,
- $sshd_banner_content = undef,
- $sshd_banner_owner = 'root',
- $sshd_banner_group = 'root',
- $sshd_banner_mode = '0644',
- $sshd_config_xauth_location = 'USE_DEFAULTS',
- $sshd_config_subsystem_sftp = 'USE_DEFAULTS',
- $sshd_password_authentication = 'yes',
- $sshd_allow_tcp_forwarding = 'yes',
- $sshd_x11_forwarding = 'yes',
- $sshd_use_pam = 'USE_DEFAULTS',
- $sshd_client_alive_count_max = '3',
- $sshd_client_alive_interval = '0',
- $sshd_gssapiauthentication = 'yes',
- $sshd_gssapikeyexchange = 'USE_DEFAULTS',
- $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS',
- $sshd_gssapicleanupcredentials = 'USE_DEFAULTS',
- $sshd_acceptenv = 'USE_DEFAULTS',
- $sshd_config_hostkey = 'USE_DEFAULTS',
- $sshd_listen_address = undef,
- $service_ensure = 'running',
- $service_name = 'USE_DEFAULTS',
- $service_enable = 'true',
- $service_hasrestart = 'true',
- $service_hasstatus = 'USE_DEFAULTS',
- $ssh_key_ensure = 'present',
- $ssh_key_import = 'true',
- $ssh_key_type = 'ssh-rsa',
- $keys = undef,
- $manage_root_ssh_config = 'false',
- $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
+ $hiera_merge = false,
+ $packages = 'USE_DEFAULTS',
+ $permit_root_login = 'yes',
+ $purge_keys = 'true',
+ $manage_firewall = false,
+ $ssh_package_source = 'USE_DEFAULTS',
+ $ssh_package_adminfile = 'USE_DEFAULTS',
+ $ssh_config_hash_known_hosts = 'USE_DEFAULTS',
+ $ssh_config_path = '/etc/ssh/ssh_config',
+ $ssh_config_owner = 'root',
+ $ssh_config_group = 'root',
+ $ssh_config_mode = '0644',
+ $ssh_config_forward_x11 = undef,
+ $ssh_config_forward_x11_trusted = 'USE_DEFAULTS',
+ $ssh_config_forward_agent = undef,
+ $ssh_config_server_alive_interval = undef,
+ $ssh_config_sendenv_xmodifiers = false,
+ $ssh_config_ciphers = undef,
+ $ssh_config_macs = undef,
+ $ssh_config_template = 'ssh/ssh_config.erb',
+ $ssh_sendenv = 'USE_DEFAULTS',
+ $ssh_gssapidelegatecredentials = undef,
+ $sshd_config_path = '/etc/ssh/sshd_config',
+ $sshd_config_owner = 'root',
+ $sshd_config_group = 'root',
+ $sshd_config_loglevel = 'INFO',
+ $sshd_config_mode = 'USE_DEFAULTS',
+ $sshd_config_port = '22',
+ $sshd_config_syslog_facility = 'AUTH',
+ $sshd_config_template = 'ssh/sshd_config.erb',
+ $sshd_config_login_grace_time = '120',
+ $sshd_config_challenge_resp_auth = 'yes',
+ $sshd_config_print_motd = 'yes',
+ $sshd_config_use_dns = 'USE_DEFAULTS',
+ $sshd_config_authkey_location = undef,
+ $sshd_config_strictmodes = undef,
+ $sshd_config_serverkeybits = 'USE_DEFAULTS',
+ $sshd_config_banner = 'none',
+ $sshd_config_ciphers = undef,
+ $sshd_config_macs = undef,
+ $sshd_config_denyusers = undef,
+ $sshd_config_denygroups = undef,
+ $sshd_config_allowusers = undef,
+ $sshd_config_allowgroups = undef,
+ $sshd_config_maxstartups = undef,
+ $sshd_config_maxsessions = undef,
+ $sshd_banner_content = undef,
+ $sshd_banner_owner = 'root',
+ $sshd_banner_group = 'root',
+ $sshd_banner_mode = '0644',
+ $sshd_config_xauth_location = 'USE_DEFAULTS',
+ $sshd_config_subsystem_sftp = 'USE_DEFAULTS',
+ $sshd_password_authentication = 'yes',
+ $sshd_allow_tcp_forwarding = 'yes',
+ $sshd_x11_forwarding = 'yes',
+ $sshd_use_pam = 'USE_DEFAULTS',
+ $sshd_client_alive_count_max = '3',
+ $sshd_client_alive_interval = '0',
+ $sshd_gssapiauthentication = 'yes',
+ $sshd_gssapikeyexchange = 'USE_DEFAULTS',
+ $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS',
+ $sshd_gssapicleanupcredentials = 'USE_DEFAULTS',
+ $sshd_acceptenv = 'USE_DEFAULTS',
+ $sshd_config_hostkey = 'USE_DEFAULTS',
+ $sshd_listen_address = undef,
+ $service_ensure = 'running',
+ $service_name = 'USE_DEFAULTS',
+ $service_enable = 'true',
+ $service_hasrestart = 'true',
+ $service_hasstatus = 'USE_DEFAULTS',
+ $ssh_key_ensure = 'present',
+ $ssh_key_import = 'true',
+ $ssh_key_type = 'ssh-rsa',
+ $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts',
+ $ssh_config_global_known_hosts_owner = 'root',
+ $ssh_config_global_known_hosts_group = 'root',
+ $ssh_config_global_known_hosts_mode = '0644',
+ $keys = undef,
+ $manage_root_ssh_config = 'false',
+ $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
 ) {
 case $::osfamily {
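Review bot: Re-aligning every existing parameter to the width of the new `$ssh_config_global_known_hosts_*` names turns a four-line addition into a rewrite of all 75 parameter lines, which hides the functional change both in this review and in future `git blame`. The same churn appears in the `let :params` block of spec/classes/init_spec.rb (hunk at -803). Keeping the whitespace change in a separate commit, or leaving the four new parameters at the existing column, keeps the diff reviewable. The class body continues past the end of the hunk.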
@@ -511,6 +515,9 @@ class ssh (
 }
 }
+ validate_absolute_path($ssh_config_global_known_hosts_file)
+
+
 case $purge_keys {
 'true','false': {
 # noop
@@ -656,8 +663,18 @@ class ssh (
 }
 if $ssh_key_import_real == true {
+ file { 'ssh_known_hosts':
+ ensure => file,
+ path => $ssh_config_global_known_hosts_file,
+ owner => $ssh_config_global_known_hosts_owner,
+ group => $ssh_config_global_known_hosts_group,
+ mode => $ssh_config_global_known_hosts_mode,
+ }
+
 # import all nodes' ssh keys
- Sshkey <<||>>
+ Sshkey <<||>> {
+ target => $ssh_config_global_known_hosts_file,
+ }
 }
 # remove ssh key's not managed by puppet
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 0a5e14a..a2072d5 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -44,6 +44,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
 it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
 it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
+ it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
 it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
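Review bot: Only the path of the new known_hosts file is validated here; `$ssh_config_global_known_hosts_owner`, `_group` and `_mode` flow unchecked into the `file { 'ssh_known_hosts': }` resource declared later in the class, so a malformed mode such as `644` or `'0644 '` is only reported when the catalog is applied rather than at compile time. Adding `validate_re($ssh_config_global_known_hosts_mode, '^[0-7]{4}$', "ssh::ssh_config_global_known_hosts_mode must be a valid 4 digit mode in octal notation. Detected value is <${ssh_config_global_known_hosts_mode}>.")` directly after the `validate_absolute_path` call gives the same early failure for the mode. Whether the other `*_mode` parameters of this class are validated in that form is outside the hunk; if they are, matching it keeps the class consistent.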
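Review bot: The `file { 'ssh_known_hosts': }` resource is declared only inside `if $ssh_key_import_real == true`, while the matching change in templates/ssh_config.erb emits `GlobalKnownHostsFile` for the same path unconditionally and the README documents the owner/group/mode parameters without that restriction; with `ssh_key_import => 'false'` every client is pointed at a file the module neither creates nor manages. Hoisting the `file` resource above the `if` and leaving only the `Sshkey <<||>>` collector override inside it makes the managed state match the generated client config. Separately, the purge of unmanaged keys that follows (`# remove ssh key's not managed by puppet`, outside the hunk) presumably enumerates the provider's default target, so keys written to a non-default `$ssh_config_global_known_hosts_file` may never be purged; worth confirming with a test before relying on `purge_keys` together with a custom path.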
@@ -803,22 +804,23 @@ describe 'ssh' do
 end
 let :params do
 {
- :ssh_config_hash_known_hosts => 'yes',
- :ssh_config_forward_agent => 'yes',
- :ssh_config_forward_x11 => 'yes',
- :ssh_config_server_alive_interval => '300',
- :ssh_config_sendenv_xmodifiers => true,
- :ssh_config_ciphers => [ 'aes128-cbc',
- '3des-cbc',
- 'blowfish-cbc',
- 'cast128-cbc',
- 'arcfour',
- 'aes192-cbc',
- 'aes256-cbc',
+ :ssh_config_hash_known_hosts => 'yes',
+ :ssh_config_forward_agent => 'yes',
+ :ssh_config_forward_x11 => 'yes',
+ :ssh_config_server_alive_interval => '300',
+ :ssh_config_sendenv_xmodifiers => true,
+ :ssh_config_ciphers => [ 'aes128-cbc',
+ '3des-cbc',
+ 'blowfish-cbc',
+ 'cast128-cbc',
+ 'arcfour',
+ 'aes192-cbc',
+ 'aes256-cbc',
 ],
- :ssh_config_macs => [ 'hmac-md5-etm@openssh.com',
- 'hmac-sha1-etm@openssh.com',
+ :ssh_config_macs => [ 'hmac-md5-etm@openssh.com',
+ 'hmac-sha1-etm@openssh.com',
 ],
+ :ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2',
 }
 end
@@ -845,6 +847,7 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
 it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
 it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) }
 end
 context 'with params used in sshd_config set on valid osfamily' do
@@ -2453,6 +2456,17 @@ describe 'ssh' do
 it { should compile.with_all_deps }
 it { should contain_class('ssh') }
+
+ it {
+ should contain_file('ssh_known_hosts').with({
+ 'ensure' => 'file',
+ 'path' => '/etc/ssh/ssh_known_hosts',
+ 'owner' => 'root',
+ 'group' => 'root',
+ 'mode' => '0644',
+ })
+ }
+
 end
 end
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
index 90623af..1719661 100644
--- a/templates/ssh_config.erb
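Review bot: The new `contain_file('ssh_known_hosts')` expectation in the hunk at -2453 only pins the default values, so a mix-up in the manifest's wiring (for example passing `$ssh_config_global_known_hosts_owner` as `group`) would still pass because both default to `'root'`; a context that sets the four `ssh_config_global_known_hosts_*` parameters to distinct non-default values and asserts them on the file resource would catch that. There is also no coverage for `ssh_key_import => 'false'`, where manifests/init.pp declares no `ssh_known_hosts` file at all; `it { should_not contain_file('ssh_known_hosts') }` in such a context pins that behaviour so a later change to it is deliberate. The enclosing `context` block begins before the hunk.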
+++ b/templates/ssh_config.erb
@@ -51,6 +51,9 @@
 <% if @ssh_config_hash_known_hosts_real != nil -%>
 HashKnownHosts <%= @ssh_config_hash_known_hosts_real %>
 <% end -%>
+<% if @ssh_config_global_known_hosts_file -%>
+ GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_file %>
+<% end -%>
 Host *
 GSSAPIAuthentication yes
 <% if @ssh_gssapidelegatecredentials != nil -%>
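Review bot: The guard `<% if @ssh_config_global_known_hosts_file -%>` can never be false in practice: the parameter defaults to a non-empty path, manifests/init.pp runs `validate_absolute_path` on it (which presumably rejects an unset value as well), and in Ruby even an empty string is truthy, so `GlobalKnownHostsFile` is always emitted. If the directive is meant to be omittable, the default would need to become `undef` with the validation skipped for that case; if it is not, the guard is dead and can be dropped. Whichever is chosen, the neighbouring guards test `!= nil`, and using the same form here keeps the template consistent.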