Merge pull request #116 from kTitan/parameterize_ignoreuserknownhosts_and_ignorerhosts
Add parameters for IgnoreUserKnownHosts and IgnoreRhosts options in sshd_config
This commit is contained in:
Garrett Honeycutt
commit
c81da2d6d0
12
README.md
12
README.md
@ -496,6 +496,18 @@ HostbasedAuthentication: Enables/disables Hostbased authentication. Valid values
|
||||
|
||||
- *Default*: 'no'
|
||||
|
||||
sshd_ignoreuserknownhosts
|
||||
-------------------------
|
||||
String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' and 'no. Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.
|
||||
|
||||
- *Default*: 'no'
|
||||
|
||||
sshd_ignorerhosts
|
||||
-------------------------
|
||||
String for IgnoreRhosts option in sshd_config. Valid values are 'yes' and 'no. Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication though /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.
|
||||
|
||||
- *Default*: 'yes'
|
||||
|
||||
purge_keys
|
||||
----------
|
||||
Remove keys not managed by puppet.
|
||||
|
||||
@ -75,6 +75,8 @@ class ssh (
|
||||
$sshd_config_hostkey = 'USE_DEFAULTS',
|
||||
$sshd_listen_address = undef,
|
||||
$sshd_hostbasedauthentication = 'no',
|
||||
$sshd_ignoreuserknownhosts = 'no',
|
||||
$sshd_ignorerhosts = 'yes',
|
||||
$service_ensure = 'running',
|
||||
$service_name = 'USE_DEFAULTS',
|
||||
$service_enable = true,
|
||||
@ -485,6 +487,10 @@ class ssh (
|
||||
|
||||
validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
|
||||
|
||||
validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")
|
||||
|
||||
validate_re($sshd_ignorerhosts, '^(yes|no)$', "ssh::sshd_ignorerhosts may be either 'yes' or 'no' and is set to <${sshd_ignorerhosts}>.")
|
||||
|
||||
case type($hiera_merge) {
|
||||
'string': {
|
||||
validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.")
|
||||
|
||||
@ -102,6 +102,8 @@ describe 'ssh' do
|
||||
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
|
||||
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
|
||||
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
|
||||
it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
|
||||
it { should contain_file('sshd_config').without_content(/^Match/) }
|
||||
@ -239,6 +241,8 @@ describe 'ssh' do
|
||||
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
|
||||
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
|
||||
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
|
||||
it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
|
||||
it { should contain_file('sshd_config').without_content(/^Match/) }
|
||||
@ -359,6 +363,8 @@ describe 'ssh' do
|
||||
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
|
||||
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
|
||||
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
|
||||
it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
|
||||
it { should contain_file('sshd_config').without_content(/^Match/) }
|
||||
@ -477,6 +483,8 @@ describe 'ssh' do
|
||||
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
|
||||
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
|
||||
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
|
||||
it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
|
||||
it { should contain_file('sshd_config').without_content(/^Match/) }
|
||||
@ -604,6 +612,8 @@ describe 'ssh' do
|
||||
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
|
||||
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
|
||||
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
|
||||
it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
|
||||
it { should contain_file('sshd_config').without_content(/^Match/) }
|
||||
@ -730,6 +740,8 @@ describe 'ssh' do
|
||||
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
|
||||
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
|
||||
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
|
||||
it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
|
||||
it { should contain_file('sshd_config').without_content(/^Match/) }
|
||||
@ -856,6 +868,8 @@ describe 'ssh' do
|
||||
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
|
||||
it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
|
||||
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
|
||||
it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
|
||||
it { should contain_file('sshd_config').without_content(/^Match/) }
|
||||
@ -1074,6 +1088,8 @@ describe 'ssh' do
|
||||
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^ChrootDirectory \/chrootdir$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^ForceCommand \/force\/command --with-parameter 242$/) }
|
||||
it { should contain_file('sshd_config').with_content(/^Match User JohnDoe\n AllowTcpForwarding yes\Z/) }
|
||||
@ -3017,4 +3033,68 @@ describe 'ssh' do
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with parameter sshd_ignoreuserknownhosts' do
|
||||
let(:facts) do
|
||||
{ :fqdn => 'monkey.example.com',
|
||||
:osfamily => 'RedHat',
|
||||
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
|
||||
}
|
||||
end
|
||||
|
||||
['yes','no'].each do |value|
|
||||
context "specified as valid #{value} (as #{value.class})" do
|
||||
let(:params) { { :sshd_ignoreuserknownhosts => value } }
|
||||
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts #{value}$/) }
|
||||
end
|
||||
end
|
||||
|
||||
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
|
||||
context "specified as invalid value #{value} (as #{value.class})" do
|
||||
let(:params) { { :sshd_ignoreuserknownhosts => value } }
|
||||
if value.is_a?(Array)
|
||||
value = value.join
|
||||
end
|
||||
|
||||
it do
|
||||
expect {
|
||||
should contain_class('ssh')
|
||||
}.to raise_error(Puppet::Error,/ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <#{value}>\./)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with parameter sshd_ignorerhosts' do
|
||||
let(:facts) do
|
||||
{ :fqdn => 'monkey.example.com',
|
||||
:osfamily => 'RedHat',
|
||||
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
|
||||
}
|
||||
end
|
||||
|
||||
['yes','no'].each do |value|
|
||||
context "specified as valid #{value} (as #{value.class})" do
|
||||
let(:params) { { :sshd_ignorerhosts => value } }
|
||||
|
||||
it { should contain_file('sshd_config').with_content(/^IgnoreRhosts #{value}$/) }
|
||||
end
|
||||
end
|
||||
|
||||
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
|
||||
context "specified as invalid value #{value} (as #{value.class})" do
|
||||
let(:params) { { :sshd_ignorerhosts => value } }
|
||||
if value.is_a?(Array)
|
||||
value = value.join
|
||||
end
|
||||
|
||||
it do
|
||||
expect {
|
||||
should contain_class('ssh')
|
||||
}.to raise_error(Puppet::Error,/ssh::sshd_ignorerhosts may be either 'yes' or 'no' and is set to <#{value}>\./)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@ -81,8 +81,10 @@ HostbasedAuthentication <%= @sshd_hostbasedauthentication %>
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
IgnoreUserKnownHosts <%= @sshd_ignoreuserknownhosts %>
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
#IgnoreRhosts yes
|
||||
IgnoreRhosts <%= @sshd_ignorerhosts %>
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user