diff --git a/git b/git
new file mode 100644
index 0000000..e69de29
diff --git a/manifests/init.pp b/manifests/init.pp
index 1fcb7fd..78d16b6 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -83,7 +83,7 @@ class ssh (
 $sshd_ignoreuserknownhosts = 'no',
 $sshd_ignorerhosts = 'yes',
 $manage_service = true,
- $sshd_addressfamily = 'any',
+ $sshd_addressfamily = 'USE_DEFAULTS',
 $service_ensure = 'running',
 $service_name = 'USE_DEFAULTS',
 $service_enable = true,
@@ -123,6 +123,7 @@ class ssh (
 $default_service_hasstatus = true
 $default_sshd_config_serverkeybits = '1024'
 $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
+ $default_sshd_addressfamily = 'any'
 }
 'Suse': {
 $default_packages = 'openssh'
@@ -143,6 +144,7 @@ class ssh (
 $default_service_hasstatus = true
 $default_sshd_config_serverkeybits = '1024'
 $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
+ $default_sshd_addressfamily = 'any'
 case $::architecture {
 'x86_64': {
 if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) {
@@ -180,6 +182,7 @@ class ssh (
 $default_service_hasstatus = true
 $default_sshd_config_serverkeybits = '1024'
 $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
+ $default_sshd_addressfamily = 'any'
 }
 'Solaris': {
 $default_ssh_config_hash_known_hosts = undef
@@ -197,6 +200,7 @@ class ssh (
 $default_sshd_config_serverkeybits = '768'
 $default_ssh_package_adminfile = undef
 $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
+ $default_sshd_addressfamily = undef
 case $::kernelrelease {
 '5.11': {
 $default_packages = ['network/ssh',
@@ -425,6 +429,12 @@ class ssh (
 }
 }
+ if $sshd_addressfamily == 'USE_DEFAULTS' {
+ $sshd_addressfamily_real = $default_sshd_addressfamily
+ } else {
+ $sshd_addressfamily_real = $sshd_addressfamily
+ }
+
 # validate params
 if $ssh_config_ciphers != undef {
 validate_array($ssh_config_ciphers)
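Review bot: The new resolution block before `# validate params` leaves `$sshd_addressfamily_real` undef for any `$::osfamily` branch that does not assign `$default_sshd_addressfamily`; only the four branches touched in this diff visibly set it, so if the case statement has a branch outside this chunk that was missed, the `AddressFamily` directive is silently dropped from sshd_config where it previously defaulted to `'any'`, with no validation error to flag it. A short comment on the block, `# 'USE_DEFAULTS' takes the per-osfamily default set above; undef (Solaris) omits AddressFamily from sshd_config`, would document the new sentinel contract, which the parameter list at line 83 does not explain. The empty file `git` (blob e69de29) added at the repository root at the top of this diff also looks accidental and is worth dropping. The `ssh` class starts and ends outside every hunk here.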
@@ -809,8 +819,12 @@ class ssh (
 create_resources('ssh_authorized_key', $keys_real)
 }
- if $sshd_addressfamily != undef {
- validate_re($sshd_addressfamily, '^(any|inet|inet6)$',
- "ssh::sshd_addressfamily can be undef, 'any', 'inet' or 'inet6' and is set to ${sshd_addressfamily}.")
+ if $sshd_addressfamily_real != undef {
+ if $::osfamily == 'Solaris' {
+ fail("ssh::sshd_addressfamily is not supported on Solaris and is set to <${sshd_addressfamily}>.")
+ } else {
+ validate_re($sshd_addressfamily_real, '^(any|inet|inet6)$',
+ "ssh::sshd_addressfamily can be undef, 'any', 'inet' or 'inet6' and is set to ${sshd_addressfamily_real}.")
+ }
 }
 }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index aad22cb..2beea25 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -74,7 +74,7 @@ describe 'ssh' do
 'Suse-10-x86_64' => {
 :architecture => 'x86_64',
 :osfamily => 'Suse',
- :operatingsystem => 'SLED',
+ :operatingsystem => 'SLES',
 :operatingsystemrelease => '10.4',
 :ssh_version => 'OpenSSH_5.1p1',
 :ssh_version_numeric => '5.1',
@@ -88,6 +88,7 @@ describe 'ssh' do
 'Suse-10-i386' => {
 :architecture => 'i386',
 :osfamily => 'Suse',
+ :operatingsystem => 'SLES',
 :operatingsystemrelease => '10.4',
 :ssh_version => 'OpenSSH_5.1p1',
 :ssh_version_numeric => '5.1',
@@ -101,7 +102,7 @@ describe 'ssh' do
 'Suse-11-x86_64' => {
 :architecture => 'x86_64',
 :osfamily => 'Suse',
- :operatingsystem => 'SLED',
+ :operatingsystem => 'SLES',
 :operatingsystemrelease => '11.4',
 :ssh_version => 'OpenSSH_6.6.1p1',
 :ssh_version_numeric => '6.6',
@@ -115,6 +116,7 @@ describe 'ssh' do
 'Suse-11-i386' => {
 :architecture => 'i386',
 :osfamily => 'Suse',
+ :operatingsystem => 'SLES',
 :operatingsystemrelease => '11.4',
 :ssh_version => 'OpenSSH_6.6.1p1',
 :ssh_version_numeric => '6.6',
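Review bot: The pattern `'^(any|inet|inet6)$'` in the new `validate_re` call is anchored with `^`/`$`, which in Ruby (and so in stdlib's `validate_re`) match at line boundaries rather than string ends, so a value carrying extra lines after an accepted token passes validation and is then written verbatim into sshd_config by the template's `AddressFamily <%= @sshd_addressfamily_real %>` line; `'\A(any|inet|inet6)\z'` pins the whole string. The Solaris `fail()` message reports `${sshd_addressfamily}` where the `else` branch reports `${sshd_addressfamily_real}`; in the Solaris branch the two are necessarily equal (the default there is undef, so `_real` is only non-undef when the caller set it), so this is a consistency nit rather than a bug. The enclosing `ssh` class starts and ends outside this hunk.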
@@ -128,7 +130,7 @@ describe 'ssh' do
 'Suse-12-x86_64' => {
 :architecture => 'x86_64',
 :osfamily => 'Suse',
- :operatingsystem => 'SLED',
+ :operatingsystem => 'SLES',
 :operatingsystemrelease => '12.0',
 :ssh_version => 'OpenSSH_6.6.1p1',
 :ssh_version_numeric => '6.6',
@@ -136,7 +138,7 @@ describe 'ssh' do
 :sshd_config_mode => '0600',
 :sshd_service_name => 'sshd',
 :sshd_service_hasstatus => true,
- :sshd_config_fixture => 'sshd_config_suse_x86_64',
+ :sshd_config_fixture => 'sshd_config_sles_12_x86_64',
 :ssh_config_fixture => 'ssh_config_suse',
 },
 'Solaris-5.11' => {
@@ -1473,11 +1475,12 @@ describe 'ssh' do
 let :facts do
 default_facts.merge(
 {
- :osfamily => 'Suse',
- :operatingsystem => 'SLED',
- :fqdn => 'notinhiera.example.com',
- :lsbmajdistrelease => '11',
- :architecture => 'x86_64',
+ :osfamily => 'Suse',
+ :operatingsystem => 'SLES',
+ :fqdn => 'notinhiera.example.com',
+ :lsbmajdistrelease => '11',
+ :operatingsystemrelease => '11.4',
+ :architecture => 'x86_64',
 }
 )
 end
diff --git a/spec/fixtures/sshd_config_sles_12_x86_64 b/spec/fixtures/sshd_config_sles_12_x86_64
new file mode 100644
index 0000000..e2574ec
--- /dev/null
+++ b/spec/fixtures/sshd_config_sles_12_x86_64
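Review bot: No spec in this chunk covers the new init.pp behaviour — `sshd_addressfamily` left at `USE_DEFAULTS` resolving to the per-osfamily default, an explicit value on Solaris now reaching `fail()`, or an `inet`/`inet6` value being rendered by the template — so those cases need tests unless they live in a hunk outside this chunk. The fact edits from `'SLED'` to `'SLES'` and the `:operatingsystemrelease => '11.4'` added at line 1475 are presumably what make init.pp's `($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./)` check evaluate as intended for these fixtures, and the `'Suse-12-x86_64'` entry now points at the new `sshd_config_sles_12_x86_64` fixture. The `describe 'ssh'` block starts and ends outside these hunks.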
@@ -0,0 +1,139 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+#Port 22
+Port 22
+#Protocol 2,1
+Protocol 2
+#AddressFamily any
+AddressFamily any
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+ServerKeyBits 1024
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTH
+#LogLevel INFO
+LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 120
+LoginGraceTime 120
+#PermitRootLogin yes
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile .ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication yes
+#GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication mechanism.
+# Depending on your PAM configuration, this may bypass the setting of
+# PasswordAuthentication, PermitEmptyPasswords, and
+# "PermitRootLogin without-password". If you just want the PAM account and
+# session checks to run without PAM authentication, then enable this but set
+# ChallengeResponseAuthentication=no
+#UsePAM no
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+#AllowTcpForwarding yes
+AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+ClientAliveInterval 0
+ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#MaxSessions 10
+
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner none
+Banner none
+
+#XAuthLocation /usr/bin/xauth
+XAuthLocation /usr/bin/xauth
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
diff --git a/spec/fixtures/sshd_config_solaris b/spec/fixtures/sshd_config_solaris
index 3dd9a35..045b680 100644
--- a/spec/fixtures/sshd_config_solaris
+++ b/spec/fixtures/sshd_config_solaris
@@ -17,8 +17,6 @@
 Port 22
 #Protocol 2,1
 Protocol 2
-#AddressFamily any
-AddressFamily any
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index c795967..7dd0e42 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -17,9 +17,9 @@
 Port <%= @sshd_config_port %>
 #Protocol 2,1
 Protocol 2
+<% if @sshd_addressfamily_real != nil -%>
 #AddressFamily any
-<% if @sshd_addressfamily != nil -%>
-AddressFamily <%= @sshd_addressfamily %>
+AddressFamily <%= @sshd_addressfamily_real %>
 <% end -%>
 <% if @sshd_listen_address.class == Array -%>
 <% @sshd_listen_address.each do |val| -%>