Additional parameters for ssh_config
To allow the following options to be configured in ssh_config * StrictHostKeyChecking * EnableSSHKeysign * HostbasedAuthentication for ssh_client
This commit is contained in:
parent
21ca38dc88
commit
b48e066f21
22
README.md
22
README.md
@ -150,6 +150,28 @@ in ssh_config.
|
|||||||
|
|
||||||
- *Default*: undef
|
- *Default*: undef
|
||||||
|
|
||||||
|
ssh_hostbasedauthentication
|
||||||
|
-------------------------
|
||||||
|
String for HostbasedAuthentication option in ssh_config. Valid values are 'yes' and 'no'.
|
||||||
|
|
||||||
|
- *Default*: undef
|
||||||
|
|
||||||
|
|
||||||
|
ssh_strict_host_key_checking
|
||||||
|
-----------------------------
|
||||||
|
*string* For StrictHostKeyChecking setting in ssh_config. Valid values are
|
||||||
|
'yes', 'no' or ask.
|
||||||
|
|
||||||
|
- *Default*: ask
|
||||||
|
|
||||||
|
ssh_enable_ssh_keysign
|
||||||
|
-----------------------------
|
||||||
|
*string* For EnableSSHKeysign setting in ssh_config. Valid values are
|
||||||
|
'yes' and 'no' or to leave undef which will ensure the setting is not present
|
||||||
|
in ssh_config.
|
||||||
|
|
||||||
|
- *Default*: undef
|
||||||
|
|
||||||
sshd_addressfamily
|
sshd_addressfamily
|
||||||
----------------
|
----------------
|
||||||
Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration.
|
Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration.
|
||||||
|
@ -20,6 +20,8 @@ class ssh (
|
|||||||
$ssh_config_forward_agent = undef,
|
$ssh_config_forward_agent = undef,
|
||||||
$ssh_config_server_alive_interval = undef,
|
$ssh_config_server_alive_interval = undef,
|
||||||
$ssh_config_sendenv_xmodifiers = false,
|
$ssh_config_sendenv_xmodifiers = false,
|
||||||
|
$ssh_hostbasedauthentication = undef,
|
||||||
|
$ssh_strict_host_key_checking = undef,
|
||||||
$ssh_config_ciphers = undef,
|
$ssh_config_ciphers = undef,
|
||||||
$ssh_config_macs = undef,
|
$ssh_config_macs = undef,
|
||||||
$ssh_config_use_roaming = 'USE_DEFAULTS',
|
$ssh_config_use_roaming = 'USE_DEFAULTS',
|
||||||
@ -45,6 +47,7 @@ class ssh (
|
|||||||
$sshd_config_banner = 'none',
|
$sshd_config_banner = 'none',
|
||||||
$sshd_config_ciphers = undef,
|
$sshd_config_ciphers = undef,
|
||||||
$sshd_config_macs = undef,
|
$sshd_config_macs = undef,
|
||||||
|
$ssh_enable_ssh_keysign = undef,
|
||||||
$sshd_config_allowgroups = [],
|
$sshd_config_allowgroups = [],
|
||||||
$sshd_config_allowusers = [],
|
$sshd_config_allowusers = [],
|
||||||
$sshd_config_denygroups = [],
|
$sshd_config_denygroups = [],
|
||||||
@ -488,6 +491,14 @@ class ssh (
|
|||||||
validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
|
validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if $ssh_strict_host_key_checking != undef {
|
||||||
|
validate_re($ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_ssh_strict_host_key_checking may be 'yes', 'no' or ask and is set to <${ssh_strict_host_key_checking}>.")
|
||||||
|
}
|
||||||
|
|
||||||
|
if $ssh_enable_ssh_keysign != undef {
|
||||||
|
validate_re($ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.")
|
||||||
|
}
|
||||||
|
|
||||||
if $sshd_config_authkey_location != undef {
|
if $sshd_config_authkey_location != undef {
|
||||||
validate_string($sshd_config_authkey_location)
|
validate_string($sshd_config_authkey_location)
|
||||||
}
|
}
|
||||||
@ -527,6 +538,9 @@ class ssh (
|
|||||||
if $sshd_config_strictmodes != undef {
|
if $sshd_config_strictmodes != undef {
|
||||||
validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.")
|
validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.")
|
||||||
}
|
}
|
||||||
|
if $ssh_hostbasedauthentication != undef {
|
||||||
|
validate_re($ssh_hostbasedauthentication, '^(yes|no)$', "ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <${ssh_hostbasedauthentication}>.")
|
||||||
|
}
|
||||||
|
|
||||||
validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
|
validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
|
||||||
|
|
||||||
|
@ -1736,6 +1736,111 @@ describe 'ssh' do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'with parameter ssh_hostbasedauthentication' do
|
||||||
|
let :facts do
|
||||||
|
default_facts.merge(
|
||||||
|
{
|
||||||
|
}
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
['yes','no'].each do |value|
|
||||||
|
context "specified as valid #{value} (as #{value.class})" do
|
||||||
|
let(:params) { { :ssh_hostbasedauthentication => value } }
|
||||||
|
|
||||||
|
it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication #{value}$/) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
|
||||||
|
context "specified as invalid value #{value} (as #{value.class})" do
|
||||||
|
let(:params) { { :ssh_hostbasedauthentication => value } }
|
||||||
|
|
||||||
|
if value.is_a?(Array)
|
||||||
|
value = value.join
|
||||||
|
elsif value.is_a?(Hash)
|
||||||
|
value = '{ha => sh}'
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should fail' do
|
||||||
|
expect {
|
||||||
|
should contain_class('ssh')
|
||||||
|
}.to raise_error(Puppet::Error,/ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'with parameter ssh_strict_host_key_checking' do
|
||||||
|
let :facts do
|
||||||
|
default_facts.merge(
|
||||||
|
{
|
||||||
|
}
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
['yes','no', 'ask'].each do |value|
|
||||||
|
context "specified as valid #{value} (as #{value.class})" do
|
||||||
|
let(:params) { { :ssh_strict_host_key_checking => value } }
|
||||||
|
|
||||||
|
it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking #{value}$/) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
|
||||||
|
context "specified as invalid value #{value} (as #{value.class})" do
|
||||||
|
let(:params) { { :ssh_strict_host_key_checking => value } }
|
||||||
|
|
||||||
|
if value.is_a?(Array)
|
||||||
|
value = value.join
|
||||||
|
elsif value.is_a?(Hash)
|
||||||
|
value = '{ha => sh}'
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should fail' do
|
||||||
|
expect {
|
||||||
|
should contain_class('ssh')
|
||||||
|
}.to raise_error(Puppet::Error,/ssh::ssh_strict_host_key_checking may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'with parameter ssh_enable_ssh_keysign' do
|
||||||
|
let :facts do
|
||||||
|
default_facts.merge(
|
||||||
|
{
|
||||||
|
}
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
['yes','no'].each do |value|
|
||||||
|
context "specified as valid #{value} (as #{value.class})" do
|
||||||
|
let(:params) { { :ssh_enable_ssh_keysign => value } }
|
||||||
|
|
||||||
|
it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign #{value}$/) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
|
||||||
|
context "specified as invalid value #{value} (as #{value.class})" do
|
||||||
|
let(:params) { { :ssh_enable_ssh_keysign => value } }
|
||||||
|
|
||||||
|
if value.is_a?(Array)
|
||||||
|
value = value.join
|
||||||
|
elsif value.is_a?(Hash)
|
||||||
|
value = '{ha => sh}'
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should fail' do
|
||||||
|
expect {
|
||||||
|
should contain_class('ssh')
|
||||||
|
}.to raise_error(Puppet::Error,/ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe 'with parameter sshd_gssapiauthentication' do
|
describe 'with parameter sshd_gssapiauthentication' do
|
||||||
let :facts do
|
let :facts do
|
||||||
default_facts.merge(
|
default_facts.merge(
|
||||||
|
@ -28,11 +28,17 @@
|
|||||||
PasswordAuthentication yes
|
PasswordAuthentication yes
|
||||||
PubkeyAuthentication yes
|
PubkeyAuthentication yes
|
||||||
# HostbasedAuthentication no
|
# HostbasedAuthentication no
|
||||||
|
<% if @ssh_hostbasedauthentication -%>
|
||||||
|
HostbasedAuthentication <%= @ssh_hostbasedauthentication %>
|
||||||
|
<% end -%>
|
||||||
# BatchMode no
|
# BatchMode no
|
||||||
# CheckHostIP yes
|
# CheckHostIP yes
|
||||||
# AddressFamily any
|
# AddressFamily any
|
||||||
# ConnectTimeout 0
|
# ConnectTimeout 0
|
||||||
# StrictHostKeyChecking ask
|
# StrictHostKeyChecking ask
|
||||||
|
<% if @ssh_strict_host_key_checking -%>
|
||||||
|
StrictHostKeyChecking <%= @ssh_strict_host_key_checking %>
|
||||||
|
<% end -%>
|
||||||
# IdentityFile ~/.ssh/identity
|
# IdentityFile ~/.ssh/identity
|
||||||
IdentityFile ~/.ssh/id_rsa
|
IdentityFile ~/.ssh/id_rsa
|
||||||
IdentityFile ~/.ssh/id_dsa
|
IdentityFile ~/.ssh/id_dsa
|
||||||
@ -90,3 +96,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
|
|||||||
<% if @ssh_config_macs -%>
|
<% if @ssh_config_macs -%>
|
||||||
MACs <%= @ssh_config_macs.join(',') %>
|
MACs <%= @ssh_config_macs.join(',') %>
|
||||||
<% end -%>
|
<% end -%>
|
||||||
|
<% if @ssh_enable_ssh_keysign -%>
|
||||||
|
# EnableSSHKeysign no
|
||||||
|
EnableSSHKeysign yes
|
||||||
|
<% end -%>
|
||||||
|
Loading…
x
Reference in New Issue
Block a user