puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add sshd_config_authenticationmethods parameter

Browse Source 
This commit adds support for AuthenticationMethods by adding the
sshd_config_authenticationmethods parameter. Credits to @Saford91 for
the first implementation.
This commit is contained in:
Matthias Baur 2017-12-10 20:12:42 +01:00
parent 7b8adfb451
commit bc4c8a82a6
4 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -729,6 +729,12 @@ String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' an
- *Default*: 'no' - *Default*: 'no'
sshd_config_authenticationmethods
-------------------------
Array of AuthenticationMethods in sshd_config.
- *Default*: undef
sshd_ignorerhosts sshd_ignorerhosts
------------------------- -------------------------
String for IgnoreRhosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication though /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. String for IgnoreRhosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication though /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.

5
manifests/init.pp
View File

@ -93,6 +93,7 @@ class ssh (
$sshd_pubkeyauthentication = 'yes', $sshd_pubkeyauthentication = 'yes',
$sshd_ignoreuserknownhosts = 'no', $sshd_ignoreuserknownhosts = 'no',
$sshd_ignorerhosts = 'yes', $sshd_ignorerhosts = 'yes',
$sshd_config_authenticationmethods = undef,
$manage_service = true, $manage_service = true,
$sshd_addressfamily = 'USE_DEFAULTS', $sshd_addressfamily = 'USE_DEFAULTS',
$service_ensure = 'running', $service_ensure = 'running',
@ -669,6 +670,10 @@ class ssh (
validate_array($sshd_pubkeyacceptedkeytypes) validate_array($sshd_pubkeyacceptedkeytypes)
} }
if $sshd_config_authenticationmethods != undef {
validate_array($sshd_config_authenticationmethods)
}
validate_re($sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.") validate_re($sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.")
validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.") validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")

16
spec/classes/init_spec.rb
View File

@ -419,6 +419,9 @@ describe 'ssh' do
'ssh-ed25519', 'ssh-ed25519',
'ssh-rsa', 'ssh-rsa',
], ],
:sshd_config_authenticationmethods => [ 'publickey',
'keyboard-interactive',
],
:sshd_pubkeyauthentication => 'no', :sshd_pubkeyauthentication => 'no',
:sshd_allow_tcp_forwarding => 'no', :sshd_allow_tcp_forwarding => 'no',
:sshd_x11_forwarding => 'no', :sshd_x11_forwarding => 'no',
@ -526,6 +529,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) } it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa$/) } it { should contain_file('sshd_config').with_content(/^PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa$/) }
it { should contain_file('sshd_config').with_content(/^AuthenticationMethods publickey,keyboard-interactive$/) }
it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) } it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) } it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
@ -2401,6 +2405,18 @@ describe 'sshd_config_print_last_log param' do
end end
end end
[true,'invalid'].each do |authenticationmethods|
context "with sshd_config_authenticationmethods set to invalid value #{authenticationmethods}" do
let(:params) { { :sshd_config_authenticationmethods => authenticationmethods } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/is not/)
end
end
end
describe 'with parameter sshd_pubkeyauthentication' do describe 'with parameter sshd_pubkeyauthentication' do
['yes','no'].each do |value| ['yes','no'].each do |value|
context "specified as valid #{value} (as #{value.class})" do context "specified as valid #{value} (as #{value.class})" do

3
templates/sshd_config.erb
View File

@ -98,6 +98,9 @@ IgnoreUserKnownHosts <%= @sshd_ignoreuserknownhosts %>
#IgnoreRhosts yes #IgnoreRhosts yes
IgnoreRhosts <%= @sshd_ignorerhosts %> IgnoreRhosts <%= @sshd_ignorerhosts %>
<%- if @sshd_config_authenticationmethods -%>
AuthenticationMethods <%= @sshd_config_authenticationmethods.join(',') %>
<%- end -%>
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes #PasswordAuthentication yes
PasswordAuthentication <%= @sshd_password_authentication %> PasswordAuthentication <%= @sshd_password_authentication %>