From cb09aedee6d32c3479f1f7cebab2d47c8a6ba205 Mon Sep 17 00:00:00 2001
From: jthiesfeld <john.thiesfeld@gmail.com>
Date: Wed, 8 Jun 2016 15:02:41 -0500
Subject: [PATCH] Adding two new options for sshd_config PermitEmptyPasswords
 and PermitUserEnvironment

---
 README.md                 | 15 ++++++++++
 manifests/init.pp         |  8 +++++
 spec/classes/init_spec.rb | 62 +++++++++++++++++++++++++++++++++++++++
 templates/sshd_config.erb |  6 ++++
 4 files changed, 91 insertions(+)

diff --git a/README.md b/README.md
index caccc50..49e5a41 100644
--- a/README.md
+++ b/README.md
@@ -220,6 +220,21 @@ sshd_listen_address
 -------------------
 String or Array to specify address(es) for which sshd will bind. Corresponds to ListenAddress in sshd_config.
 
+- *Default*: undef
+
+sshd_config_permitemptypasswords
+--------------------------------
+PermitEmptyPasswords option in sshd_config.  When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.
+Valid values are 'yes' and 'no'.
+
+- *Default*: undef
+
+sshd_config_permituserenvironment
+---------------------------------
+PermitUserEnvironment option in sshd_config.  Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8).  The default is “no”.  Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.
+Valid values are 'yes' and 'no'.
+
+
 - *Default*: undef
 
 sshd_config_port
diff --git a/manifests/init.pp b/manifests/init.pp
index bee42a6..ee99870 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -34,6 +34,8 @@ class ssh (
   $sshd_config_group                   = 'root',
   $sshd_config_loglevel                = 'INFO',
   $sshd_config_mode                    = 'USE_DEFAULTS',
+  $sshd_config_permitemptypasswords    = undef,
+  $sshd_config_permituserenvironment   = undef,
   $sshd_config_port                    = '22',
   $sshd_config_syslog_facility         = 'AUTH',
   $sshd_config_template                = 'ssh/sshd_config.erb',
@@ -459,6 +461,12 @@ class ssh (
   if $ssh_config_hash_known_hosts_real != undef {
     validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
   }
+  if $sshd_config_permitemptypasswords != undef {
+    validate_re($sshd_config_permitemptypasswords, '^(yes|no)$', "ssh::sshd_config_permitemptypasswords may be either 'yes' or 'no' and is set to <${sshd_config_permitemptypasswords}>.")
+  }
+  if $sshd_config_permituserenvironment != undef {
+    validate_re($sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.")
+  }
   case type3x($sshd_config_port) {
     'string': {
       validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 6f5aa4b..457f29e 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -398,6 +398,8 @@ describe 'ssh' do
         :sshd_config_subsystem_sftp        => '/opt/ssh/bin/sftp',
         :sshd_kerberos_authentication      => 'no',
         :sshd_password_authentication      => 'no',
+        :sshd_config_permitemptypasswords  => 'no',
+        :sshd_config_permituserenvironment => 'no',
         :sshd_pubkeyauthentication         => 'no',
         :sshd_allow_tcp_forwarding         => 'no',
         :sshd_x11_forwarding               => 'no',
@@ -480,6 +482,8 @@ describe 'ssh' do
     it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
     it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
     it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
+    it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment no/) }
+    it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords no/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
@@ -977,6 +981,64 @@ describe 'ssh' do
     end
   end
 
+  describe 'with sshd_config_permitemptypasswords' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no'].each do |value|
+      context "set to #{value}" do
+        let (:params) {{ 'sshd_config_permitemptypasswords' => value }}
+
+        it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords #{value}$/) }
+      end
+    end
+
+    context 'set to invalid value on valid osfamily' do
+      let :params do
+        { :sshd_config_permitemptypasswords => 'invalid' }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/ssh::sshd_config_permitemptypasswords may be either \'yes\' or \'no\' and is set to <invalid>\./)
+      end
+    end
+  end
+
+  describe 'with sshd_config_permituserenvironment' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no'].each do |value|
+      context "set to #{value}" do
+        let (:params) {{ 'sshd_config_permituserenvironment' => value }}
+
+        it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment #{value}$/) }
+      end
+    end
+
+    context 'set to invalid value on valid osfamily' do
+      let :params do
+        { :sshd_config_permituserenvironment => 'invalid' }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/ssh::sshd_config_permituserenvironment may be either \'yes\' or \'no\' and is set to <invalid>\./)
+      end
+    end
+  end
+
   describe 'sshd_config_port param' do
     let :facts do
       default_facts.merge(
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index e3eabe3..4412b73 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -107,6 +107,9 @@ PasswordAuthentication <%= @sshd_password_authentication %>
 PAMAuthenticationViaKBDInt <%= @sshd_pamauthenticationviakbdint_real %>
 <% end -%>
 #PermitEmptyPasswords no
+<% if @sshd_config_permitemptypasswords != nil -%>
+PermitEmptyPasswords <%= @sshd_config_permitemptypasswords %>
+<% end -%>
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
@@ -165,6 +168,9 @@ PrintMotd <%= @sshd_config_print_motd %>
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
+<% if @sshd_config_permituserenvironment != nil -%>
+PermitUserEnvironment <%= @sshd_config_permituserenvironment %>
+<% end -%>
 #Compression delayed
 #ClientAliveInterval 0
 ClientAliveInterval <%= @sshd_client_alive_interval %>