Manage the ssh_known_hosts file when ssh_key_import is used

This commit is contained in:
Markus Frosch 2014-09-11 11:50:47 +02:00 committed by Garrett Honeycutt
parent f5081f3055
commit a03df37f09
4 changed files with 149 additions and 91 deletions


@ -503,6 +503,30 @@ Encryption type for SSH key. Valid values are 'rsa', 'dsa', 'ssh-dss' and 'ssh-r
- *Default*: 'ssh-rsa' - *Default*: 'ssh-rsa'
ssh_config_global_known_hosts_file
----------------------------------
File of the global known_hosts file
- *Default*: '/etc/ssh/ssh_known_hosts'
ssh_config_global_known_hosts_owner
----------------------------------
Owner of the global known_hosts file
- *Default*: 'root'
ssh_config_global_known_hosts_group
----------------------------------
Group of the global known_hosts file
- *Default*: 'root'
ssh_config_global_known_hosts_mode
----------------------------------
File mode of the global known_hosts file
- *Default*: '0644'
manage_root_ssh_config manage_root_ssh_config
---------------------- ----------------------
Manage SSH config of root. Valid values are 'true' and 'false'. Manage SSH config of root. Valid values are 'true' and 'false'.


@ -76,6 +76,10 @@ class ssh (
$ssh_key_ensure = 'present', $ssh_key_ensure = 'present',
$ssh_key_import = 'true', $ssh_key_import = 'true',
$ssh_key_type = 'ssh-rsa', $ssh_key_type = 'ssh-rsa',
$ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts',
$ssh_config_global_known_hosts_owner = 'root',
$ssh_config_global_known_hosts_group = 'root',
$ssh_config_global_known_hosts_mode = '0644',
$keys = undef, $keys = undef,
$manage_root_ssh_config = 'false', $manage_root_ssh_config = 'false',
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
@ -511,6 +515,9 @@ class ssh (
} }
} }
validate_absolute_path($ssh_config_global_known_hosts_file)
case $purge_keys { case $purge_keys {
'true','false': { 'true','false': {
# noop # noop
@ -656,8 +663,18 @@ class ssh (
} }
if $ssh_key_import_real == true { if $ssh_key_import_real == true {
file { 'ssh_known_hosts':
ensure => file,
path => $ssh_config_global_known_hosts_file,
owner => $ssh_config_global_known_hosts_owner,
group => $ssh_config_global_known_hosts_group,
mode => $ssh_config_global_known_hosts_mode,
}
# import all nodes' ssh keys # import all nodes' ssh keys
Sshkey <<||>> Sshkey <<||>> {
target => $ssh_config_global_known_hosts_file,
}
} }
# remove ssh key's not managed by puppet # remove ssh key's not managed by puppet
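Review bot: The new owner, group and mode parameters added in the first hunk reach `file { 'ssh_known_hosts': }` unvalidated, while only the path gets `validate_absolute_path` in the second hunk; a mistyped mode such as '644' or a non-string owner on a file every client trusts for host authentication would only surface at apply time. Next to `validate_absolute_path($ssh_config_global_known_hosts_file)` add `validate_re($ssh_config_global_known_hosts_mode, '^[0-7]{4}$', 'ssh_config_global_known_hosts_mode must be a four-digit octal mode')` and `validate_string` on the owner and group, consistent with however the module validates its other parameters. In the third hunk the `Sshkey <<||>>` collector now targets the same file the new resource manages; unless the sshkey type autorequires its target (I have not confirmed it does), an explicit `require => File['ssh_known_hosts']` in the collector override ensures ownership and mode are applied before keys are written. The enclosing class ssh starts and ends outside these hunks.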


@ -44,6 +44,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -819,6 +820,7 @@ describe 'ssh' do
:ssh_config_macs => [ 'hmac-md5-etm@openssh.com', :ssh_config_macs => [ 'hmac-md5-etm@openssh.com',
'hmac-sha1-etm@openssh.com', 'hmac-sha1-etm@openssh.com',
], ],
:ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2',
} }
end end
@ -845,6 +847,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) } it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) }
end end
context 'with params used in sshd_config set on valid osfamily' do context 'with params used in sshd_config set on valid osfamily' do
@ -2453,6 +2456,17 @@ describe 'ssh' do
it { should compile.with_all_deps } it { should compile.with_all_deps }
it { should contain_class('ssh') } it { should contain_class('ssh') }
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
end end
end end
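Review bot: The new example in the last hunk only covers the default path, with ssh_key_import left at 'true' and the default owner, group and mode, so neither the conditional declaration of the file resource nor the four new parameters are actually exercised. Add a context with `:ssh_key_import => 'false'` asserting `it { should_not contain_file('ssh_known_hosts') }`, and one passing a non-default `:ssh_config_global_known_hosts_mode` (and owner/group) that checks the values propagate to the file resource. The `GlobalKnownHostsFile` regexes in the first two hunks already cover the template side. The describe block continues outside these hunks.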


@ -51,6 +51,9 @@
<% if @ssh_config_hash_known_hosts_real != nil -%> <% if @ssh_config_hash_known_hosts_real != nil -%>
HashKnownHosts <%= @ssh_config_hash_known_hosts_real %> HashKnownHosts <%= @ssh_config_hash_known_hosts_real %>
<% end -%> <% end -%>
<% if @ssh_config_global_known_hosts_file -%>
GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_file %>
<% end -%>
Host * Host *
GSSAPIAuthentication yes GSSAPIAuthentication yes
<% if @ssh_gssapidelegatecredentials != nil -%> <% if @ssh_gssapidelegatecredentials != nil -%>
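Review bot: The guard `<% if @ssh_config_global_known_hosts_file -%>` can never be false here: the parameter defaults to '/etc/ssh/ssh_known_hosts', init.pp rejects anything that is not an absolute path, and a Ruby string is truthy even when empty. Either drop the condition and always emit the directive, or match the neighbouring checks so the intent is readable, e.g. `<% if @ssh_config_global_known_hosts_file != nil -%>`. Emitting the directive above `Host *` keeps it in the global section, which is where a client-wide known_hosts setting belongs.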