diff --git a/README.md b/README.md index e79ed7b..1808806 100644 --- a/README.md +++ b/README.md @@ -503,6 +503,30 @@ Encryption type for SSH key. Valid values are 'rsa', 'dsa', 'ssh-dss' and 'ssh-r - *Default*: 'ssh-rsa' +ssh_config_global_known_hosts_file +---------------------------------- +File of the global known_hosts file + +- *Default*: '/etc/ssh/ssh_known_hosts' + +ssh_config_global_known_hosts_owner +---------------------------------- +Owner of the global known_hosts file + +- *Default*: 'root' + +ssh_config_global_known_hosts_group +---------------------------------- +Group of the global known_hosts file + +- *Default*: 'root' + +ssh_config_global_known_hosts_mode +---------------------------------- +File mode of the global known_hosts file + +- *Default*: '0644' + manage_root_ssh_config ---------------------- Manage SSH config of root. Valid values are 'true' and 'false'. diff --git a/manifests/init.pp b/manifests/init.pp index 92a0e84..986252e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -3,82 +3,86 @@ # Manage ssh client and server # class ssh ( - $hiera_merge = false, - $packages = 'USE_DEFAULTS', - $permit_root_login = 'yes', - $purge_keys = 'true', - $manage_firewall = false, - $ssh_package_source = 'USE_DEFAULTS', - $ssh_package_adminfile = 'USE_DEFAULTS', - $ssh_config_hash_known_hosts = 'USE_DEFAULTS', - $ssh_config_path = '/etc/ssh/ssh_config', - $ssh_config_owner = 'root', - $ssh_config_group = 'root', - $ssh_config_mode = '0644', - $ssh_config_forward_x11 = undef, - $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', - $ssh_config_forward_agent = undef, - $ssh_config_server_alive_interval = undef, - $ssh_config_sendenv_xmodifiers = false, - $ssh_config_ciphers = undef, - $ssh_config_macs = undef, - $ssh_config_template = 'ssh/ssh_config.erb', - $ssh_sendenv = 'USE_DEFAULTS', - $ssh_gssapidelegatecredentials = undef, - $sshd_config_path = '/etc/ssh/sshd_config', - $sshd_config_owner = 'root', - $sshd_config_group = 'root', - $sshd_config_loglevel = 'INFO', - $sshd_config_mode = 'USE_DEFAULTS', - $sshd_config_port = '22', - $sshd_config_syslog_facility = 'AUTH', - $sshd_config_template = 'ssh/sshd_config.erb', - $sshd_config_login_grace_time = '120', - $sshd_config_challenge_resp_auth = 'yes', - $sshd_config_print_motd = 'yes', - $sshd_config_use_dns = 'USE_DEFAULTS', - $sshd_config_authkey_location = undef, - $sshd_config_strictmodes = undef, - $sshd_config_serverkeybits = 'USE_DEFAULTS', - $sshd_config_banner = 'none', - $sshd_config_ciphers = undef, - $sshd_config_macs = undef, - $sshd_config_denyusers = undef, - $sshd_config_denygroups = undef, - $sshd_config_allowusers = undef, - $sshd_config_allowgroups = undef, - $sshd_config_maxstartups = undef, - $sshd_config_maxsessions = undef, - $sshd_banner_content = undef, - $sshd_banner_owner = 'root', - $sshd_banner_group = 'root', - $sshd_banner_mode = '0644', - $sshd_config_xauth_location = 'USE_DEFAULTS', - $sshd_config_subsystem_sftp = 'USE_DEFAULTS', - $sshd_password_authentication = 
'yes', - $sshd_allow_tcp_forwarding = 'yes', - $sshd_x11_forwarding = 'yes', - $sshd_use_pam = 'USE_DEFAULTS', - $sshd_client_alive_count_max = '3', - $sshd_client_alive_interval = '0', - $sshd_gssapiauthentication = 'yes', - $sshd_gssapikeyexchange = 'USE_DEFAULTS', - $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', - $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', - $sshd_acceptenv = 'USE_DEFAULTS', - $sshd_config_hostkey = 'USE_DEFAULTS', - $sshd_listen_address = undef, - $service_ensure = 'running', - $service_name = 'USE_DEFAULTS', - $service_enable = 'true', - $service_hasrestart = 'true', - $service_hasstatus = 'USE_DEFAULTS', - $ssh_key_ensure = 'present', - $ssh_key_import = 'true', - $ssh_key_type = 'ssh-rsa', - $keys = undef, - $manage_root_ssh_config = 'false', - $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", + $hiera_merge = false, + $packages = 'USE_DEFAULTS', + $permit_root_login = 'yes', + $purge_keys = 'true', + $manage_firewall = false, + $ssh_package_source = 'USE_DEFAULTS', + $ssh_package_adminfile = 'USE_DEFAULTS', + $ssh_config_hash_known_hosts = 'USE_DEFAULTS', + $ssh_config_path = '/etc/ssh/ssh_config', + $ssh_config_owner = 'root', + $ssh_config_group = 'root', + $ssh_config_mode = '0644', + $ssh_config_forward_x11 = undef, + $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', + $ssh_config_forward_agent = undef, + $ssh_config_server_alive_interval = undef, + $ssh_config_sendenv_xmodifiers = false, + $ssh_config_ciphers = undef, + $ssh_config_macs = undef, + $ssh_config_template = 'ssh/ssh_config.erb', + $ssh_sendenv = 'USE_DEFAULTS', + $ssh_gssapidelegatecredentials = undef, + $sshd_config_path = '/etc/ssh/sshd_config', + $sshd_config_owner = 'root', + $sshd_config_group = 'root', + $sshd_config_loglevel = 'INFO', + $sshd_config_mode = 'USE_DEFAULTS', + $sshd_config_port = '22', + $sshd_config_syslog_facility = 'AUTH', + $sshd_config_template = 'ssh/sshd_config.erb', + 
$sshd_config_login_grace_time = '120', + $sshd_config_challenge_resp_auth = 'yes', + $sshd_config_print_motd = 'yes', + $sshd_config_use_dns = 'USE_DEFAULTS', + $sshd_config_authkey_location = undef, + $sshd_config_strictmodes = undef, + $sshd_config_serverkeybits = 'USE_DEFAULTS', + $sshd_config_banner = 'none', + $sshd_config_ciphers = undef, + $sshd_config_macs = undef, + $sshd_config_denyusers = undef, + $sshd_config_denygroups = undef, + $sshd_config_allowusers = undef, + $sshd_config_allowgroups = undef, + $sshd_config_maxstartups = undef, + $sshd_config_maxsessions = undef, + $sshd_banner_content = undef, + $sshd_banner_owner = 'root', + $sshd_banner_group = 'root', + $sshd_banner_mode = '0644', + $sshd_config_xauth_location = 'USE_DEFAULTS', + $sshd_config_subsystem_sftp = 'USE_DEFAULTS', + $sshd_password_authentication = 'yes', + $sshd_allow_tcp_forwarding = 'yes', + $sshd_x11_forwarding = 'yes', + $sshd_use_pam = 'USE_DEFAULTS', + $sshd_client_alive_count_max = '3', + $sshd_client_alive_interval = '0', + $sshd_gssapiauthentication = 'yes', + $sshd_gssapikeyexchange = 'USE_DEFAULTS', + $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', + $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', + $sshd_acceptenv = 'USE_DEFAULTS', + $sshd_config_hostkey = 'USE_DEFAULTS', + $sshd_listen_address = undef, + $service_ensure = 'running', + $service_name = 'USE_DEFAULTS', + $service_enable = 'true', + $service_hasrestart = 'true', + $service_hasstatus = 'USE_DEFAULTS', + $ssh_key_ensure = 'present', + $ssh_key_import = 'true', + $ssh_key_type = 'ssh-rsa', + $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', + $ssh_config_global_known_hosts_owner = 'root', + $ssh_config_global_known_hosts_group = 'root', + $ssh_config_global_known_hosts_mode = '0644', + $keys = undef, + $manage_root_ssh_config = 'false', + $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", ) { case $::osfamily { 
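Review bot: Almost every line of this hunk is a whitespace-only realignment of the existing parameter list, which buries the four genuinely new parameters (`$ssh_config_global_known_hosts_file`, `_owner`, `_group`, `_mode`) among roughly seventy unchanged ones and makes it impossible to confirm at a glance that no other default was altered; keep the re-indentation in its own commit. The defaults themselves look right: `0644` root:root is what an unprivileged ssh client needs to read the global known_hosts, and `/etc/ssh/ssh_known_hosts` is the first entry of OpenSSH's default GlobalKnownHostsFile list. The class body continues past the end of the hunk.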
@@ -511,6 +515,12 @@ class ssh ( } } + validate_absolute_path($ssh_config_global_known_hosts_file) + validate_string($ssh_config_global_known_hosts_owner) + validate_string($ssh_config_global_known_hosts_group) + validate_re($ssh_config_global_known_hosts_mode, '^[0-7]{4}$', + "ssh::ssh_config_global_known_hosts_mode must be a valid 4 digit mode in octal notation. Detected value is <${ssh_config_global_known_hosts_mode}>.") + case $purge_keys { 'true','false': { # noop @@ -526,7 +536,6 @@ class ssh ( #sshd_config template validate_string($sshd_config_template) - #loglevel $supported_loglevel_vals=['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE'] validate_re($sshd_config_loglevel, $supported_loglevel_vals) @@ -655,9 +664,19 @@ class ssh ( key => $key, } + file { 'ssh_known_hosts': + ensure => file, + path => $ssh_config_global_known_hosts_file, + owner => $ssh_config_global_known_hosts_owner, + group => $ssh_config_global_known_hosts_group, + mode => $ssh_config_global_known_hosts_mode, + } + + # import all nodes' ssh keys if $ssh_key_import_real == true { - # import all nodes' ssh keys - Sshkey <<||>> + Sshkey <<||>> { + target => $ssh_config_global_known_hosts_file, + } } # remove ssh key's not managed by puppet diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 0a5e14a..4a263a1 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -26,6 +26,16 @@ describe 'ssh' do } end + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + it { should contain_file('ssh_config').with({ 'ensure' => 'file', 
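Review bot: The mode check `validate_re($ssh_config_global_known_hosts_mode, '^[0-7]{4}$', ...)` accepts group- and world-writable modes such as 0666, and the spec added in this commit even uses 0666 as its "valid mode" example; a global known_hosts that any local user can write lets that user replace a host key and silently redirect every other user's SSH sessions to a host of their choosing, so the check should reject the write bits for group and other, e.g. `validate_re($ssh_config_global_known_hosts_mode, '^[0-7][0-7][0145][0145]$', ...)`, with the spec's happy-path example changed to something like 0640. Note also that stdlib's validate_re compiles the pattern as a Ruby Regexp, where `^`/`$` are line anchors, so a value with a newline after four octal digits passes this check; `\A[0-7]{4}\z` pins the whole string. The validation sits inside class ssh, whose body extends beyond this hunk.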
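Review bot: Pointing the collector at `$ssh_config_global_known_hosts_file` changes where collected keys land, but the purge that follows this hunk (`# remove ssh key's not managed by puppet`) presumably still enumerates keys through the sshkey provider's default target, /etc/ssh/ssh_known_hosts; if so, setting the parameter to another path means unmanaged keys in the custom file are never purged while keys in the default file can be removed even though nothing is managed there — confirm against the `resources` declaration and either document the restriction in the README or keep the parameter pinned to the provider default until purge honours the target. A secondary point: `file { 'ssh_known_hosts': }` and the collected `Sshkey` resources are not explicitly ordered, so under anything other than manifest ordering the provider may create the file with umask-derived permissions before the mode is applied; `File['ssh_known_hosts'] -> Sshkey <<| |>>` makes the intended order explicit. Since the collector line is rewritten here, it is also the place for a comment such as `# untagged collector: every sshkey exported by any node is trusted into the global known_hosts`, because a node that can export resources can publish a key for any hostname. The enclosing class ssh continues outside the hunk.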
@@ -44,6 +54,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) } + it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -156,6 +167,16 @@ describe 'ssh' do } end + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + it { should contain_file('ssh_config').with({ 'ensure' => 'file', @@ -260,6 +281,16 @@ describe 'ssh' do } end + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + it { should contain_file('ssh_config').with({ 'ensure' => 'file', @@ -363,6 +394,16 @@ describe 'ssh' do } end + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + it { should contain_file('ssh_config').with({ 'ensure' => 'file', @@ -465,6 +506,16 @@ describe 'ssh' do } end + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + it { should contain_file('ssh_config').with({ 'ensure' => 'file', 
@@ -575,6 +626,16 @@ describe 'ssh' do }) } + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + it { should contain_file('ssh_config').with({ 'ensure' => 'file', @@ -685,6 +746,16 @@ describe 'ssh' do }) } + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + it { should contain_file('ssh_config').with({ 'ensure' => 'file', @@ -803,22 +874,23 @@ describe 'ssh' do end let :params do { - :ssh_config_hash_known_hosts => 'yes', - :ssh_config_forward_agent => 'yes', - :ssh_config_forward_x11 => 'yes', - :ssh_config_server_alive_interval => '300', - :ssh_config_sendenv_xmodifiers => true, - :ssh_config_ciphers => [ 'aes128-cbc', - '3des-cbc', - 'blowfish-cbc', - 'cast128-cbc', - 'arcfour', - 'aes192-cbc', - 'aes256-cbc', + :ssh_config_hash_known_hosts => 'yes', + :ssh_config_forward_agent => 'yes', + :ssh_config_forward_x11 => 'yes', + :ssh_config_server_alive_interval => '300', + :ssh_config_sendenv_xmodifiers => true, + :ssh_config_ciphers => [ 'aes128-cbc', + '3des-cbc', + 'blowfish-cbc', + 'cast128-cbc', + 'arcfour', + 'aes192-cbc', + 'aes256-cbc', ], - :ssh_config_macs => [ 'hmac-md5-etm@openssh.com', - 'hmac-sha1-etm@openssh.com', + :ssh_config_macs => [ 'hmac-md5-etm@openssh.com', + 'hmac-sha1-etm@openssh.com', ], + :ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2', } end 
@@ -845,6 +917,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) } it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } + it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) } end context 'with params used in sshd_config set on valid osfamily' do 
@@ -2419,6 +2492,194 @@ describe 'ssh' do end end + describe 'with parameter ssh_config_global_known_hosts_file' do + context 'specified as a valid path' do + let(:params) { { :ssh_config_global_known_hosts_file => '/valid/path' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/valid/path', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + + it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/valid\/path$/) } + end + + context 'specified as an invalid path' do + let(:params) { { :ssh_config_global_known_hosts_file => 'invalid/path' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/^\"invalid\/path\" is not an absolute path./) + end + end + + context 'specified as an invalid type' do + let(:params) { { :ssh_config_global_known_hosts_file => ['invalid','type'] } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 
'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/^\[\"invalid\", \"type\"\] is not an absolute path./) + end + end + end + + describe 'with parameter ssh_config_global_known_hosts_owner' do + context 'specified as a valid string' do + let(:params) { { :ssh_config_global_known_hosts_owner => 'gh' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'gh', + 'group' => 'root', + 'mode' => '0644', + }) + } + end + + context 'specified as an invalid type [non-string]' do + let(:params) { { :ssh_config_global_known_hosts_owner => ['invalid','type'] } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 
'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/^\[\"invalid\", \"type\"\] is not a string. It looks to be a Array/) + end + end + end + + describe 'with parameter ssh_config_global_known_hosts_group' do + context 'specified as a valid string' do + let(:params) { { :ssh_config_global_known_hosts_group => 'gh' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'root', + 'group' => 'gh', + 'mode' => '0644', + }) + } + end + + context 'specified as an invalid type [non-string]' do + let(:params) { { :ssh_config_global_known_hosts_group => ['invalid','type'] } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 
'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/^\[\"invalid\", \"type\"\] is not a string. It looks to be a Array/) + end + end + end + + describe 'with parameter ssh_config_global_known_hosts_mode' do + context 'specified as a valid mode' do + let(:params) { { :ssh_config_global_known_hosts_mode => '0666' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0666', + }) + } + end + + ['666','0842','06666'].each do |value| + context "specified as invalid mode - #{value}" do + let(:params) { { :ssh_config_global_known_hosts_mode => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 
'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/^ssh::ssh_config_global_known_hosts_mode must be a valid 4 digit mode in octal notation. Detected value is <#{value}>./) + end + end + end + + context 'specified as an invalid type [non-string]' do + let(:params) { { :ssh_config_global_known_hosts_mode => ['invalid','type'] } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/^ssh::ssh_config_global_known_hosts_mode must be a valid 4 digit mode in octal notation. Detected value is ./) + end + end + end + describe 'with ssh_key_import parameter specified' do context 'as a non-boolean or non-string' do let(:params) { { :ssh_key_import => ['not_a_boolean','or_a_string'] } } @@ -2453,6 +2714,17 @@ describe 'ssh' do it { should compile.with_all_deps } it { should contain_class('ssh') } + + it { + should contain_file('ssh_known_hosts').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_known_hosts', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + end end 
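Review bot: The `specified as a valid mode` context uses `'0666'` as the example of an accepted mode, which enshrines a world-writable global known_hosts as supported behaviour in the test suite; use a restrictive value such as `'0640'` for the happy path and, if the module deliberately keeps accepting write bits for other, add a separately named context that says so. Style: the same `let(:facts)` hash carrying the full sshrsakey value is pasted into each of the roughly fourteen contexts in this hunk; hoisting it into one `let(:facts)` at the enclosing `describe` level (or a frozen constant at the top of the spec) would shrink the hunk considerably and keep the fixture key in a single place. The enclosing `describe 'ssh'` block begins before this hunk.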
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index 90623af..1719661 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -51,6 +51,9 @@ <% if @ssh_config_hash_known_hosts_real != nil -%> HashKnownHosts <%= @ssh_config_hash_known_hosts_real %> <% end -%> +<% if @ssh_config_global_known_hosts_file -%> + GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_file %> +<% end -%> Host * GSSAPIAuthentication yes <% if @ssh_gssapidelegatecredentials != nil -%>
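Review bot: Emitting `GlobalKnownHostsFile` with a single path replaces OpenSSH's default list, which per ssh_config(5) is `/etc/ssh/ssh_known_hosts` followed by `/etc/ssh/ssh_known_hosts2`; any host keys an administrator keeps in ssh_known_hosts2 stop being trusted once this module manages the client config, which surfaces as new TOFU prompts or, under `StrictHostKeyChecking no`, a silent loss of host verification. That deserves a template comment, `<%# Overrides the OpenSSH default list (ssh_known_hosts, ssh_known_hosts2): only the managed file is consulted -%>`, and a sentence in the README parameter description. The `<% if @ssh_config_global_known_hosts_file -%>` guard is effectively always true, because the parameter has a non-empty default and init.pp rejects anything that is not an absolute path, so either drop the guard or make the parameter optional so that undef keeps the OpenSSH default. The value is also written unquoted while validate_absolute_path does not reject spaces, so a path containing one would be parsed by ssh as two tokens.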