diff --git a/README.md b/README.md index b7e0322..897e032 100644 --- a/README.md +++ b/README.md @@ -729,6 +729,12 @@ String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' an - *Default*: 'no' +sshd_config_authenticationmethods +------------------------- +Array of AuthenticationMethods in sshd_config. + +- *Default*: undef + sshd_ignorerhosts ------------------------- String for IgnoreRhosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication though /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. diff --git a/manifests/init.pp b/manifests/init.pp index a9cd4c8..df43f20 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -93,6 +93,7 @@ class ssh ( $sshd_pubkeyauthentication = 'yes', $sshd_ignoreuserknownhosts = 'no', $sshd_ignorerhosts = 'yes', + $sshd_config_authenticationmethods = undef, $manage_service = true, $sshd_addressfamily = 'USE_DEFAULTS', $service_ensure = 'running', @@ -669,6 +670,10 @@ class ssh ( validate_array($sshd_pubkeyacceptedkeytypes) } + if $sshd_config_authenticationmethods != undef { + validate_array($sshd_config_authenticationmethods) + } + validate_re($sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.") validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.") diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 43563f0..5974e9a 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -419,6 +419,9 @@ describe 'ssh' do 'ssh-ed25519', 'ssh-rsa', ], + :sshd_config_authenticationmethods => [ 'publickey', + 'keyboard-interactive', + ], :sshd_pubkeyauthentication => 'no', :sshd_allow_tcp_forwarding => 'no', :sshd_x11_forwarding => 'no', @@ -526,6 +529,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa$/) } + it { should contain_file('sshd_config').with_content(/^AuthenticationMethods publickey,keyboard-interactive$/) } it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) } it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) } @@ -2401,6 +2405,18 @@ describe 'sshd_config_print_last_log param' do end end + [true,'invalid'].each do |authenticationmethods| + context "with sshd_config_authenticationmethods set to invalid value #{authenticationmethods}" do + let(:params) { { :sshd_config_authenticationmethods => authenticationmethods } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/is not/) + end + end + end + describe 'with parameter sshd_pubkeyauthentication' do ['yes','no'].each do |value| context "specified as valid #{value} (as #{value.class})" do diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index b3b9ca1..e363978 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -98,6 +98,9 @@ IgnoreUserKnownHosts <%= @sshd_ignoreuserknownhosts %> #IgnoreRhosts yes IgnoreRhosts <%= @sshd_ignorerhosts %> +<%- if @sshd_config_authenticationmethods -%> +AuthenticationMethods <%= @sshd_config_authenticationmethods.join(',') %> +<%- end -%> # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes PasswordAuthentication <%= @sshd_password_authentication %> @@ -275,4 +278,4 @@ TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %> <% end -%> <% if @sshd_config_authorized_principals_file_real -%> AuthorizedPrincipalsFile <%= @sshd_config_authorized_principals_file_real %> -<% end -%> \ No newline at end of file +<% end -%>