puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #101 from ghoneycutt/known_hosts

Browse Source 
Known hosts
This commit is contained in:
Garrett Honeycutt 2014-11-16 17:31:56 -08:00
commit a9d1b75867
4 changed files with 411 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
README.md
View File

@ -503,6 +503,30 @@ Encryption type for SSH key. Valid values are 'rsa', 'dsa', 'ssh-dss' and 'ssh-r
- *Default*: 'ssh-rsa' - *Default*: 'ssh-rsa'
ssh_config_global_known_hosts_file
----------------------------------
File of the global known_hosts file
- *Default*: '/etc/ssh/ssh_known_hosts'
ssh_config_global_known_hosts_owner
----------------------------------
Owner of the global known_hosts file
- *Default*: 'root'
ssh_config_global_known_hosts_group
----------------------------------
Group of the global known_hosts file
- *Default*: 'root'
ssh_config_global_known_hosts_mode
----------------------------------
File mode of the global known_hosts file
- *Default*: '0644'
manage_root_ssh_config manage_root_ssh_config
---------------------- ----------------------
Manage SSH config of root. Valid values are 'true' and 'false'. Manage SSH config of root. Valid values are 'true' and 'false'.

25
manifests/init.pp
View File

@ -76,6 +76,10 @@ class ssh (
$ssh_key_ensure = 'present', $ssh_key_ensure = 'present',
$ssh_key_import = 'true', $ssh_key_import = 'true',
$ssh_key_type = 'ssh-rsa', $ssh_key_type = 'ssh-rsa',
$ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts',
$ssh_config_global_known_hosts_owner = 'root',
$ssh_config_global_known_hosts_group = 'root',
$ssh_config_global_known_hosts_mode = '0644',
$keys = undef, $keys = undef,
$manage_root_ssh_config = 'false', $manage_root_ssh_config = 'false',
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
@ -511,6 +515,12 @@ class ssh (
} }
} }
validate_absolute_path($ssh_config_global_known_hosts_file)
validate_string($ssh_config_global_known_hosts_owner)
validate_string($ssh_config_global_known_hosts_group)
validate_re($ssh_config_global_known_hosts_mode, '^[0-7]{4}$',
"ssh::ssh_config_global_known_hosts_mode must be a valid 4 digit mode in octal notation. Detected value is <${ssh_config_global_known_hosts_mode}>.")
case $purge_keys { case $purge_keys {
'true','false': { 'true','false': {
# noop # noop
@ -526,7 +536,6 @@ class ssh (
#sshd_config template #sshd_config template
validate_string($sshd_config_template) validate_string($sshd_config_template)
#loglevel #loglevel
$supported_loglevel_vals=['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE'] $supported_loglevel_vals=['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE']
validate_re($sshd_config_loglevel, $supported_loglevel_vals) validate_re($sshd_config_loglevel, $supported_loglevel_vals)
@ -655,9 +664,19 @@ class ssh (
key => $key, key => $key,
} }
if $ssh_key_import_real == true { file { 'ssh_known_hosts':
ensure => file,
path => $ssh_config_global_known_hosts_file,
owner => $ssh_config_global_known_hosts_owner,
group => $ssh_config_global_known_hosts_group,
mode => $ssh_config_global_known_hosts_mode,
}
# import all nodes' ssh keys # import all nodes' ssh keys
Sshkey <<||>> if $ssh_key_import_real == true {
Sshkey <<||>> {
target => $ssh_config_global_known_hosts_file,
}
} }
# remove ssh key's not managed by puppet # remove ssh key's not managed by puppet

272
spec/classes/init_spec.rb
View File

@ -26,6 +26,16 @@ describe 'ssh' do
} }
end end
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
it { it {
should contain_file('ssh_config').with({ should contain_file('ssh_config').with({
'ensure' => 'file', 'ensure' => 'file',
@ -44,6 +54,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@ -156,6 +167,16 @@ describe 'ssh' do
} }
end end
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
it { it {
should contain_file('ssh_config').with({ should contain_file('ssh_config').with({
'ensure' => 'file', 'ensure' => 'file',
@ -260,6 +281,16 @@ describe 'ssh' do
} }
end end
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
it { it {
should contain_file('ssh_config').with({ should contain_file('ssh_config').with({
'ensure' => 'file', 'ensure' => 'file',
@ -363,6 +394,16 @@ describe 'ssh' do
} }
end end
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
it { it {
should contain_file('ssh_config').with({ should contain_file('ssh_config').with({
'ensure' => 'file', 'ensure' => 'file',
@ -465,6 +506,16 @@ describe 'ssh' do
} }
end end
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
it { it {
should contain_file('ssh_config').with({ should contain_file('ssh_config').with({
'ensure' => 'file', 'ensure' => 'file',
@ -575,6 +626,16 @@ describe 'ssh' do
}) })
} }
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
it { it {
should contain_file('ssh_config').with({ should contain_file('ssh_config').with({
'ensure' => 'file', 'ensure' => 'file',
@ -685,6 +746,16 @@ describe 'ssh' do
}) })
} }
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
it { it {
should contain_file('ssh_config').with({ should contain_file('ssh_config').with({
'ensure' => 'file', 'ensure' => 'file',
@ -819,6 +890,7 @@ describe 'ssh' do
:ssh_config_macs => [ 'hmac-md5-etm@openssh.com', :ssh_config_macs => [ 'hmac-md5-etm@openssh.com',
'hmac-sha1-etm@openssh.com', 'hmac-sha1-etm@openssh.com',
], ],
:ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2',
} }
end end
@ -845,6 +917,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) } it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) }
end end
context 'with params used in sshd_config set on valid osfamily' do context 'with params used in sshd_config set on valid osfamily' do
@ -2419,6 +2492,194 @@ describe 'ssh' do
end end
end end
describe 'with parameter ssh_config_global_known_hosts_file' do
context 'specified as a valid path' do
let(:params) { { :ssh_config_global_known_hosts_file => '/valid/path' } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/valid/path',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/valid\/path$/) }
end
context 'specified as an invalid path' do
let(:params) { { :ssh_config_global_known_hosts_file => 'invalid/path' } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/^\"invalid\/path\" is not an absolute path./)
end
end
context 'specified as an invalid type' do
let(:params) { { :ssh_config_global_known_hosts_file => ['invalid','type'] } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/^\[\"invalid\", \"type\"\] is not an absolute path./)
end
end
end
describe 'with parameter ssh_config_global_known_hosts_owner' do
context 'specified as a valid string' do
let(:params) { { :ssh_config_global_known_hosts_owner => 'gh' } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'gh',
'group' => 'root',
'mode' => '0644',
})
}
end
context 'specified as an invalid type [non-string]' do
let(:params) { { :ssh_config_global_known_hosts_owner => ['invalid','type'] } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/^\[\"invalid\", \"type\"\] is not a string. It looks to be a Array/)
end
end
end
describe 'with parameter ssh_config_global_known_hosts_group' do
context 'specified as a valid string' do
let(:params) { { :ssh_config_global_known_hosts_group => 'gh' } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'gh',
'mode' => '0644',
})
}
end
context 'specified as an invalid type [non-string]' do
let(:params) { { :ssh_config_global_known_hosts_group => ['invalid','type'] } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/^\[\"invalid\", \"type\"\] is not a string. It looks to be a Array/)
end
end
end
describe 'with parameter ssh_config_global_known_hosts_mode' do
context 'specified as a valid mode' do
let(:params) { { :ssh_config_global_known_hosts_mode => '0666' } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'root',
'mode' => '0666',
})
}
end
['666','0842','06666'].each do |value|
context "specified as invalid mode - #{value}" do
let(:params) { { :ssh_config_global_known_hosts_mode => value } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/^ssh::ssh_config_global_known_hosts_mode must be a valid 4 digit mode in octal notation. Detected value is <#{value}>./)
end
end
end
context 'specified as an invalid type [non-string]' do
let(:params) { { :ssh_config_global_known_hosts_mode => ['invalid','type'] } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/^ssh::ssh_config_global_known_hosts_mode must be a valid 4 digit mode in octal notation. Detected value is <invalidtype>./)
end
end
end
describe 'with ssh_key_import parameter specified' do describe 'with ssh_key_import parameter specified' do
context 'as a non-boolean or non-string' do context 'as a non-boolean or non-string' do
let(:params) { { :ssh_key_import => ['not_a_boolean','or_a_string'] } } let(:params) { { :ssh_key_import => ['not_a_boolean','or_a_string'] } }
@ -2453,6 +2714,17 @@ describe 'ssh' do
it { should compile.with_all_deps } it { should compile.with_all_deps }
it { should contain_class('ssh') } it { should contain_class('ssh') }
it {
should contain_file('ssh_known_hosts').with({
'ensure' => 'file',
'path' => '/etc/ssh/ssh_known_hosts',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
end end
end end

3
templates/ssh_config.erb
View File

@ -51,6 +51,9 @@
<% if @ssh_config_hash_known_hosts_real != nil -%> <% if @ssh_config_hash_known_hosts_real != nil -%>
HashKnownHosts <%= @ssh_config_hash_known_hosts_real %> HashKnownHosts <%= @ssh_config_hash_known_hosts_real %>
<% end -%> <% end -%>
<% if @ssh_config_global_known_hosts_file -%>
GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_file %>
<% end -%>
Host * Host *
GSSAPIAuthentication yes GSSAPIAuthentication yes
<% if @ssh_gssapidelegatecredentials != nil -%> <% if @ssh_gssapidelegatecredentials != nil -%>