From 5be19cd1d7c75309782c1f493523bf9520444d5f Mon Sep 17 00:00:00 2001 From: Sergii Kipot Date: Wed, 15 Jun 2016 17:49:53 +0200 Subject: [PATCH 1/3] Add support for UserKnownHostsFile ssh option Array option ssh_config_user_known_hosts_file implemented --- README.md | 6 ++++++ manifests/init.pp | 6 ++++++ spec/classes/init_spec.rb | 35 +++++++++++++++++++++++++++++++++++ templates/ssh_config.erb | 3 +++ 4 files changed, 50 insertions(+) diff --git a/README.md b/README.md index 6c6a627..cf71032 100644 --- a/README.md +++ b/README.md @@ -658,6 +658,12 @@ File mode of the global known_hosts file - *Default*: '0644' +ssh_config_user_known_hosts_file +---------------------------------- +Array of user's known_hosts files + +- *Default*: undefined + manage_root_ssh_config ---------------------- Manage SSH config of root. Valid values are 'true' and 'false'. diff --git a/manifests/init.pp b/manifests/init.pp index 9aab5b1..a8fb773 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -98,6 +98,7 @@ class ssh ( $ssh_config_global_known_hosts_owner = 'root', $ssh_config_global_known_hosts_group = 'root', $ssh_config_global_known_hosts_mode = '0644', + $ssh_config_user_known_hosts_file = undef, $keys = undef, $manage_root_ssh_config = false, $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", @@ -647,6 +648,11 @@ class ssh ( } validate_absolute_path($ssh_config_global_known_hosts_file) + + if $ssh_config_user_known_hosts_file != undef { + validate_array($ssh_config_user_known_hosts_file) + } + validate_string($ssh_config_global_known_hosts_owner) validate_string($ssh_config_global_known_hosts_group) validate_re($ssh_config_global_known_hosts_mode, '^[0-7]{4}$', diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index aba34d1..ea778a3 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
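Review bot: The new `validate_array($ssh_config_user_known_hosts_file)` check accepts an empty Array, and `[]` is truthy in the ERB template, so `ssh_config_user_known_hosts_file => []` renders a `UserKnownHostsFile` directive with no argument, which depending on the OpenSSH version is either a parse error or a value that silently falls back to the defaults. Add an emptiness check next to the type check, e.g. `if empty($ssh_config_user_known_hosts_file) { fail('ssh_config_user_known_hosts_file must contain at least one path') }`. The absence of an absolute-path check is reasonable here because `~/.ssh/...` entries are the normal case, but as far as I recall ssh only expands a leading `~`, so a bare relative path like the `.ssh/known_hosts1` used in the spec would be resolved against the working directory rather than the home directory; the README should steer users to `~/`-prefixed paths. Since ssh records newly accepted host keys only in the first file of the list, it is also worth documenting that the first element is the one that gets written to. The `class ssh (` body continues on both sides of the hunk.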
@@ -327,6 +327,9 @@ describe 'ssh' do 'hmac-sha1-etm@openssh.com', ], :ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2', + :ssh_config_user_known_hosts_file => [ '.ssh/known_hosts1', + '.ssh/known_hosts2', + ], :ssh_hostbasedauthentication => 'yes', :ssh_strict_host_key_checking => 'ask', :ssh_enable_ssh_keysign => 'yes', @@ -359,6 +362,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) } + it { should contain_file('ssh_config').with_content(/^\s*UserKnownHostsFile \.ssh\/known_hosts1 \.ssh\/known_hosts2$/) } it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication yes$/) } it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking ask$/) } it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign yes$/) } 
@@ -2290,6 +2294,37 @@ describe 'ssh' do end end + describe 'with parameter ssh_config_user_known_hosts_file' do + let :facts do + default_facts.merge( + { + } + ) + end + + context 'when set to an array of paths' do + let (:params) {{'ssh_config_user_known_hosts_file' => ['valid/path1','/valid/path2'] }} + + it { should contain_file('ssh_config').with_content(/^\s*UserKnownHostsFile valid\/path1 \/valid\/path2$/) } + end + + ['YES',true,2.42,a = { 'ha' => 'sh' }].each do |value| + context "specified as invalid value #{value} (as #{value.class})" do + let(:params) { { :ssh_config_user_known_hosts_file => value } } + + if value.is_a?(Hash) + value = '{ha => sh}' + end + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error, /is not an Array/) + end + end + end + end + describe 'with parameter ssh_config_global_known_hosts_owner' do let :facts do default_facts.merge( diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index d83f9ed..6f1d6b2 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -100,3 +100,6 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %> # EnableSSHKeysign no EnableSSHKeysign <%= @ssh_enable_ssh_keysign %> <% end -%> +<% if @ssh_config_user_known_hosts_file -%> + UserKnownHostsFile <%= @ssh_config_user_known_hosts_file.join(' ') %> +<% end -%> From 0d936a954cdc935b872989a38412d2a7c5065261 Mon Sep 17 00:00:00 2001 From: Sergii Kipot Date: Wed, 15 Jun 2016 17:50:26 +0200 Subject: [PATCH 2/3] Add support for multiple files in GlobalKnownHostsFile ssh option Array option ssh_config_global_known_hosts_list implemented --- README.md | 6 +++++ manifests/init.pp | 10 +++++++++ spec/classes/init_spec.rb | 46 ++++++++++++++++++++++++++++++++++++++- templates/ssh_config.erb | 4 ++-- 4 files changed, 63 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cf71032..1c1b394 100644 --- a/README.md +++ b/README.md 
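Review bot: The Hash case of the `['YES',true,2.42,a = { 'ha' => 'sh' }].each` loop never reaches the class: RSpec `let` is lazy, the `let(:params)` block closes over the loop variable `value`, and the `value = '{ha => sh}'` reassignment runs at definition time, so when the example evaluates `params` it sends the String `'{ha => sh}'` and `/is not an Array/` passes for the wrong reason. The reassignment also comes after the context description has already been interpolated, so it does not even serve its apparent cosmetic purpose; drop it and the throwaway `a =` assignment, and build the description with `context "specified as invalid value #{value.inspect} (as #{value.class})"` so the fixture reaches the manifest untouched. The `default_facts.merge({})` in the `let :facts` block is a no-op and can simply be `let(:facts) { default_facts }`.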
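Review bot: `<% if @ssh_config_user_known_hosts_file -%>` is true for an empty Array in Ruby, so an empty list that passed `validate_array` in the manifest renders `UserKnownHostsFile` with no argument; depending on the OpenSSH version that is either a parse error or a directive that silently falls back to the default files. Guard on content rather than presence: `<% if @ssh_config_user_known_hosts_file && !@ssh_config_user_known_hosts_file.empty? -%>`. The paths are joined with a single space and ssh splits the value on whitespace, so an element containing a space would be read as two files; either reject such elements in the manifest or wrap each path in double quotes, which ssh_config accepts for arguments containing spaces.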
@@ -640,6 +640,12 @@ File of the global known_hosts file - *Default*: '/etc/ssh/ssh_known_hosts' +ssh_config_global_known_hosts_list +---------------------------------- +Array of additional known_hosts files to be added to GlobalKnownHostsFile option together with ssh_config_global_known_hosts_file + +- *Default*: undefined + ssh_config_global_known_hosts_owner ---------------------------------- Owner of the global known_hosts file diff --git a/manifests/init.pp b/manifests/init.pp index a8fb773..bee42a6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -95,6 +95,7 @@ class ssh ( $ssh_key_import = true, $ssh_key_type = 'ssh-rsa', $ssh_config_global_known_hosts_file = '/etc/ssh/ssh_known_hosts', + $ssh_config_global_known_hosts_list = undef, $ssh_config_global_known_hosts_owner = 'root', $ssh_config_global_known_hosts_group = 'root', $ssh_config_global_known_hosts_mode = '0644', @@ -648,6 +649,15 @@ class ssh ( } validate_absolute_path($ssh_config_global_known_hosts_file) + $ssh_config_global_known_hosts_file_real = any2array($ssh_config_global_known_hosts_file) + + if $ssh_config_global_known_hosts_list != undef { + validate_array($ssh_config_global_known_hosts_list) + validate_absolute_path($ssh_config_global_known_hosts_list) + $ssh_config_global_known_hosts_list_real = concat($ssh_config_global_known_hosts_file_real, $ssh_config_global_known_hosts_list) + } else { + $ssh_config_global_known_hosts_list_real = $ssh_config_global_known_hosts_file_real + } if $ssh_config_user_known_hosts_file != undef { validate_array($ssh_config_user_known_hosts_file) diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index ea778a3..6f5aa4b 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
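Review bot: `concat($ssh_config_global_known_hosts_file_real, $ssh_config_global_known_hosts_list)` keeps duplicates, so repeating the default `/etc/ssh/ssh_known_hosts` in `ssh_config_global_known_hosts_list` renders the same path twice in `GlobalKnownHostsFile`; `$ssh_config_global_known_hosts_list_real = unique(concat($ssh_config_global_known_hosts_file_real, $ssh_config_global_known_hosts_list))` keeps the order (file first, then the list) and drops repeats. Only `ssh_config_global_known_hosts_file` gets owner/group/mode management from this class; the additional files are trusted by every ssh client on the host but are not managed here, so a comment such as `# files in this list are not managed by this class; their ownership and mode must be enforced elsewhere` would warn operators that a writable entry lets anyone who can edit it plant host keys. Passing an Array to `validate_absolute_path` relies on a stdlib version that iterates over the elements; check that the stdlib lower bound in metadata.json guarantees this, since an older version would reject the whole list as `is not an absolute path`. The `class ssh (` body continues on both sides of the hunk.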
@@ -327,6 +327,9 @@ describe 'ssh' do 'hmac-sha1-etm@openssh.com', ], :ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2', + :ssh_config_global_known_hosts_list => [ '/etc/ssh/ssh_known_hosts3', + '/etc/ssh/ssh_known_hosts4', + ], :ssh_config_user_known_hosts_file => [ '.ssh/known_hosts1', '.ssh/known_hosts2', ], @@ -361,7 +364,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) } it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } - it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) } + it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2 \/etc\/ssh\/ssh_known_hosts3 \/etc\/ssh\/ssh_known_hosts4$/) } it { should contain_file('ssh_config').with_content(/^\s*UserKnownHostsFile \.ssh\/known_hosts1 \.ssh\/known_hosts2$/) } it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication yes$/) } it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking ask$/) } 
@@ -2294,6 +2297,47 @@ describe 'ssh' do end end + describe 'with parameter ssh_config_global_known_hosts_list' do + let :facts do + default_facts.merge( + { + } + ) + end + + context 'when set to an array of valid absolute paths' do + let (:params) {{'ssh_config_global_known_hosts_list' => ['/valid/path1','/valid/path2'] }} + + it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile.*\/valid\/path1 \/valid\/path2$/) } + end + + context 'specified as an invalid path' do + let(:params) {{ :ssh_config_global_known_hosts_list => ['/valid/path','invalid/path'] }} + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/\"invalid\/path\" is not an absolute path\./) + end + end + + ['YES',true,2.42,a = { 'ha' => 'sh' }].each do |value| + context "specified as invalid value #{value} (as #{value.class})" do + let(:params) { { :ssh_config_global_known_hosts_list => value } } + + if value.is_a?(Hash) + value = '{ha => sh}' + end + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error, /is not an Array/) + end + end + end + end + describe 'with parameter ssh_config_user_known_hosts_file' do let :facts do default_facts.merge( diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index 6f1d6b2..ced3f41 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -57,8 +57,8 @@ <% if @ssh_config_hash_known_hosts_real != nil -%> HashKnownHosts <%= @ssh_config_hash_known_hosts_real %> <% end -%> -<% if @ssh_config_global_known_hosts_file -%> - GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_file %> +<% if @ssh_config_global_known_hosts_list_real -%> + GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_list_real.join(' ') %> <% end -%> Host * # GSSAPIAuthentication yes From ab88a5e86f3bafb5cbcc0553c1642a786e5866a6 Mon Sep 17 00:00:00 2001 
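Review bot: The assertion `/^\s*GlobalKnownHostsFile.*\/valid\/path1 \/valid\/path2$/` uses `.*` and so does not pin that the default file is emitted first, which is exactly the ordering `concat` in the manifest produces; with the default `/etc/ssh/ssh_known_hosts` in play the expectation can be exact: `/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts \/valid\/path1 \/valid\/path2$/`. As in the neighbouring parameter block, the Hash entry of the `['YES',true,2.42,a = { 'ha' => 'sh' }]` loop is overwritten by `value = '{ha => sh}'` before the lazy `let(:params)` runs, so that example sends a String and the Hash case is never exercised; derive the description text with `value.inspect` instead of reassigning `value`.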
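Review bot: The guard `<% if @ssh_config_global_known_hosts_list_real -%>` can no longer be false: the manifest always assigns `$ssh_config_global_known_hosts_list_real` an Array holding at least the validated `ssh_config_global_known_hosts_file`, so the `if`/`<% end -%>` pair is dead weight. Either emit `GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_list_real.join(' ') %>` unconditionally, or keep the guard with a one-line ERB comment saying it is purely defensive so the next reader does not go looking for an undef path.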
From: Garrett Honeycutt Date: Mon, 20 Jun 2016 12:38:24 -0400 Subject: [PATCH 3/3] Working with sergiik to improve documentation of new params --- README.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 1c1b394..caccc50 100644 --- a/README.md +++ b/README.md @@ -642,9 +642,10 @@ File of the global known_hosts file ssh_config_global_known_hosts_list ---------------------------------- -Array of additional known_hosts files to be added to GlobalKnownHostsFile option together with ssh_config_global_known_hosts_file +Array of additional known_hosts files to be added to GlobalKnownHostsFile +option together with `ssh_config_global_known_hosts_file`. -- *Default*: undefined +- *Default*: undef ssh_config_global_known_hosts_owner ---------------------------------- @@ -665,10 +666,11 @@ File mode of the global known_hosts file - *Default*: '0644' ssh_config_user_known_hosts_file ----------------------------------- -Array of user's known_hosts files +-------------------------------- +Array of user's known_hosts files used in the ssh config option +UserKnownHostsFile. -- *Default*: undefined +- *Default*: undef manage_root_ssh_config ----------------------