Additional parameters for ssh_config

Allow the following options to be configured in ssh_config:
* StrictHostKeyChecking
* EnableSSHKeysign
* HostbasedAuthentication for ssh_client
Abel Paz 2016-06-01 15:45:49 +02:00 committed by Garrett Honeycutt
parent 21ca38dc88
commit b48e066f21
4 changed files with 151 additions and 0 deletions


@ -150,6 +150,28 @@ in ssh_config.
- *Default*: undef - *Default*: undef
ssh_hostbasedauthentication
-------------------------
String for HostbasedAuthentication option in ssh_config. Valid values are 'yes' and 'no'.
- *Default*: undef
ssh_strict_host_key_checking
-----------------------------
*string* For StrictHostKeyChecking setting in ssh_config. Valid values are
'yes', 'no' or ask.
- *Default*: ask
ssh_enable_ssh_keysign
-----------------------------
*string* For EnableSSHKeysign setting in ssh_config. Valid values are
'yes' and 'no' or to leave undef which will ensure the setting is not present
in ssh_config.
- *Default*: undef
sshd_addressfamily sshd_addressfamily
---------------- ----------------
Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration. Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration.


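--- a/PATH_NOT_SHOWN_manifest
+++ b/PATH_NOT_SHOWN_manifest
@@ -20,6 +20,8 @@ class ssh (
 $ssh_config_forward_agent = undef,
 $ssh_config_server_alive_interval = undef,
 $ssh_config_sendenv_xmodifiers = false,
+$ssh_hostbasedauthentication = undef,
+$ssh_strict_host_key_checking = undef,
 $ssh_config_ciphers = undef,
 $ssh_config_macs = undef,
 $ssh_config_use_roaming = 'USE_DEFAULTS',
@@ -45,6 +47,7 @@ class ssh (
 $sshd_config_banner = 'none',
 $sshd_config_ciphers = undef,
 $sshd_config_macs = undef,
+$ssh_enable_ssh_keysign = undef,
 $sshd_config_allowgroups = [],
 $sshd_config_allowusers = [],
 $sshd_config_denygroups = [],
@@ -488,6 +491,14 @@ class ssh (
 validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
 }
+if $ssh_strict_host_key_checking != undef {
+validate_re($ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_ssh_strict_host_key_checking may be 'yes', 'no' or ask and is set to <${ssh_strict_host_key_checking}>.")
+}
+if $ssh_enable_ssh_keysign != undef {
+validate_re($ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.")
+}
 if $sshd_config_authkey_location != undef {
 validate_string($sshd_config_authkey_location)
 }
@@ -527,6 +538,9 @@ class ssh (
 if $sshd_config_strictmodes != undef {
 validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.")
 }
+if $ssh_hostbasedauthentication != undef {
+validate_re($ssh_hostbasedauthentication, '^(yes|no)$', "ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <${ssh_hostbasedauthentication}>.")
+}
 validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")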
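Review bot: The failure message in the new ssh_strict_host_key_checking validator names the parameter `ssh::ssh_ssh_strict_host_key_checking` (doubled `ssh_`), and the spec added in the same commit expects yet another wording for this failure (`may be either 'yes' or 'no'`), so the validator and its test cannot both pass as written; the message should read `"ssh::ssh_strict_host_key_checking may be either 'yes', 'no' or 'ask' and is set to <${ssh_strict_host_key_checking}>."` and the spec's regex should be brought in line with it. The README hunk in this commit states that the default of ssh_strict_host_key_checking is `ask`, while the class parameter defaults to `undef`, which leaves the option commented out in the template so that the client's own default applies; the README should say `undef`. As a point of style, `$ssh_enable_ssh_keysign` is an ssh_config option but is declared between the sshd_config parameters, so grouping it with the other ssh_config parameters would make it easier to find. The class `ssh` begins and ends outside these hunks.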


@ -1736,6 +1736,111 @@ describe 'ssh' do
end end
end end
describe 'with parameter ssh_hostbasedauthentication' do
let :facts do
default_facts.merge(
{
}
)
end
['yes','no'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :ssh_hostbasedauthentication => value } }
it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :ssh_hostbasedauthentication => value } }
if value.is_a?(Array)
value = value.join
elsif value.is_a?(Hash)
value = '{ha => sh}'
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
end
end
end
end
describe 'with parameter ssh_strict_host_key_checking' do
let :facts do
default_facts.merge(
{
}
)
end
['yes','no', 'ask'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :ssh_strict_host_key_checking => value } }
it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :ssh_strict_host_key_checking => value } }
if value.is_a?(Array)
value = value.join
elsif value.is_a?(Hash)
value = '{ha => sh}'
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::ssh_strict_host_key_checking may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
end
end
end
end
describe 'with parameter ssh_enable_ssh_keysign' do
let :facts do
default_facts.merge(
{
}
)
end
['yes','no'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :ssh_enable_ssh_keysign => value } }
it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :ssh_enable_ssh_keysign => value } }
if value.is_a?(Array)
value = value.join
elsif value.is_a?(Hash)
value = '{ha => sh}'
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
end
end
end
end
describe 'with parameter sshd_gssapiauthentication' do describe 'with parameter sshd_gssapiauthentication' do
let :facts do let :facts do
default_facts.merge( default_facts.merge(
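Review bot: The invalid-value arrays of the three new describe blocks assign a throwaway local inside the array literal (`a = { 'ha' => 'sh' }`), which leaks `a` into the example-group scope and reads like a typo; the element should simply be `{ 'ha' => 'sh' }`. The block-local `value` is reassigned inside the context before the `it` example so that the expected message matches the string form Puppet reports; a one-line comment such as `# normalise Array/Hash values to the text Puppet puts in the error message` would explain why the rewrite is there. The enclosing `describe 'ssh'` block starts and ends outside the hunk.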


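--- a/PATH_NOT_SHOWN_ssh_config_template
+++ b/PATH_NOT_SHOWN_ssh_config_template
@@ -28,11 +28,17 @@
 PasswordAuthentication yes
 PubkeyAuthentication yes
 # HostbasedAuthentication no
+<% if @ssh_hostbasedauthentication -%>
+HostbasedAuthentication <%= @ssh_hostbasedauthentication %>
+<% end -%>
 # BatchMode no
 # CheckHostIP yes
 # AddressFamily any
 # ConnectTimeout 0
 # StrictHostKeyChecking ask
+<% if @ssh_strict_host_key_checking -%>
+StrictHostKeyChecking <%= @ssh_strict_host_key_checking %>
+<% end -%>
 # IdentityFile ~/.ssh/identity
 IdentityFile ~/.ssh/id_rsa
 IdentityFile ~/.ssh/id_dsa
@@ -90,3 +96,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
 <% if @ssh_config_macs -%>
 MACs <%= @ssh_config_macs.join(',') %>
 <% end -%>
+<% if @ssh_enable_ssh_keysign -%>
+# EnableSSHKeysign no
+EnableSSHKeysign yes
+<% end -%>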
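Review bot: The new EnableSSHKeysign block writes the literal `EnableSSHKeysign yes` whenever the parameter is set, so `ssh_enable_ssh_keysign => 'no'`, which the manifest's validator explicitly accepts, still puts `yes` into ssh_config; the spec's valid-value expectation for 'no' (`/^\s*EnableSSHKeysign no$/`) cannot pass against this template either. The line should interpolate the parameter like the two other additions in this file: `EnableSSHKeysign <%= @ssh_enable_ssh_keysign %>`. The `# EnableSSHKeysign no` comment belongs outside the conditional, next to the other commented defaults, so it stays visible when the parameter is unset. Since this option enables the setuid ssh-keysign helper used by host-based authentication, silently emitting `yes` where the operator chose `no` is a security-relevant misconfiguration rather than a cosmetic one.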