puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add support for GSSAPIDelegateCredentials in ssh_config.

Browse Source 
By default this only applies to Solaris 11.
This commit is contained in:
Roy Victor Williams 2014-09-23 09:43:10 -04:00 committed by Garrett Honeycutt
parent c4aa7d6a9a
commit ab37372230
3 changed files with 79 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
manifests/init.pp
View File

@ -24,6 +24,7 @@ class ssh (
$ssh_config_macs = undef,
$ssh_config_template = 'ssh/ssh_config.erb',
$ssh_sendenv = 'USE_DEFAULTS',
$ssh_gssapidelegatecredentials = 'USE_DEFAULTS',
$sshd_config_path = '/etc/ssh/sshd_config',
$sshd_config_owner = 'root',
$sshd_config_group = 'root',
@ -86,6 +87,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_gssapidelegatecredentials = undef
$default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -105,6 +107,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_gssapidelegatecredentials = undef
$default_ssh_config_forward_x11_trusted = 'yes'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -137,6 +140,7 @@ class ssh (
$default_ssh_package_source = undef
$default_ssh_package_adminfile = undef
$default_ssh_sendenv = true
$default_ssh_gssapidelegatecredentials = undef
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes'
@ -172,6 +176,7 @@ class ssh (
$default_service_name = 'ssh'
$default_service_hasstatus = true
$default_ssh_package_source = undef
$default_ssh_gssapidelegatecredentials = 'yes'
}
'5.10': {
$default_packages = ['SUNWsshcu',
@ -182,6 +187,7 @@ class ssh (
$default_service_name = 'ssh'
$default_service_hasstatus = true
$default_ssh_package_source = '/var/spool/pkg'
$default_ssh_gssapidelegatecredentials = undef
}
'5.9' : {
$default_packages = ['SUNWsshcu',
@ -192,6 +198,7 @@ class ssh (
$default_service_name = 'sshd'
$default_service_hasstatus = false
$default_ssh_package_source = '/var/spool/pkg'
$default_ssh_gssapidelegatecredentials = undef
}
default: {
fail('ssh module supports Solaris kernel release 5.9, 5.10 and 5.11.')
@ -317,6 +324,13 @@ class ssh (
}
}
if $ssh_gssapidelegatecredentials == 'USE_DEFAULTS' {
$ssh_gssapidelegatecredentials_real = $default_ssh_gssapidelegateredentials
} else {
$ssh_gssapidelegatecredentials_real = $ssh_gssapidelegatecredentials
}
if $sshd_acceptenv == 'USE_DEFAULTS' {
$sshd_acceptenv_real = $default_sshd_acceptenv
} else {
@ -391,7 +405,13 @@ class ssh (
fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.')
}
if $ssh_gssapidelegatecredentials_real != undef {
validate_re($ssh_gssapidelegatecredentials_real, '^(yes|no)$', "ssh::ssh_gssapidelegatecredentials may be either 'yes' or 'no' and is set to <${ssh_gssapidelegatecredentials_real}>.")
}
if $sshd_gssapiauthentication != undef {
validate_re($sshd_gssapiauthentication, '^(yes|no)$', "ssh::sshd_gssapiauthentication may be either 'yes' or 'no' and is set to <${sshd_gssapiauthentication}>.")
}
if $sshd_gssapikeyexchange_real != undef {
validate_re($sshd_gssapikeyexchange_real, '^(yes|no)$', "ssh::sshd_gssapikeyexchange may be either 'yes' or 'no' and is set to <${sshd_gssapikeyexchange_real}>.")

33
spec/classes/init_spec.rb
View File

@ -1851,6 +1851,39 @@ describe 'ssh' do
end
end
describe 'with parameter ssh_gssapidelegatecredentials' do
['yes','no'].each do |value|
context "specified as #{value}" do
let(:params) { { :ssh_gssapidelegatecredentials => value } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'Solaris',
:kernelrelease => '5.11',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it { should contain_file('ssh_config').with_content(/^GSSAPIDelegateCredentials #{value}$/) }
end
end
['YES',true].each do |value|
context "specified an invalid value #{value}" do
let(:params) { { :ssh_gssapidelegatecredentials => value } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect { should raise_error(Puppet::Error,/^ssh::sshd_gssapidelegatecredentials may be either 'yes' or 'no' and is set to <#{value}>./) }
end
end
end
end
describe 'with parameter sshd_gssapiauthentication' do
['yes','no'].each do |value|
context "specified as #{value}" do

3
templates/ssh_config.erb
View File

@ -53,6 +53,9 @@
<% end -%>
Host *
GSSAPIAuthentication yes
<% if @ssh_gssapidelegatecredentials_real != nil -%>
GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials_real %>
<% end -%>
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.