diff --git a/README.md b/README.md index 0c26d24..1875739 100644 --- a/README.md +++ b/README.md @@ -204,6 +204,12 @@ LogLevel option in sshd_config. Acceptable values are QUIET, FATAL, ERROR, INFO, - *Default*: 'INFO' +sshd_config_maxauthtries +--------------- +MaxAuthTries option in sshd_config. Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. + +- *Default*: '6' + sshd_config_mode --------------- sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris. diff --git a/manifests/init.pp b/manifests/init.pp index 78d16b6..8627d26 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -52,6 +52,7 @@ class ssh ( $sshd_config_allowusers = [], $sshd_config_denygroups = [], $sshd_config_denyusers = [], + $sshd_config_maxauthtries = undef, $sshd_config_maxstartups = undef, $sshd_config_maxsessions = undef, $sshd_config_chrootdirectory = undef, @@ -513,6 +514,12 @@ class ssh ( validate_string($sshd_config_authkey_location) } + if $sshd_config_maxauthtries != undef { + if is_integer($sshd_config_maxauthtries) == false { + fail("ssh::sshd_config_maxauthtries must be a valid number and is set to <${sshd_config_maxauthtries}>.") + } + } + if $sshd_config_maxstartups != undef { validate_re($sshd_config_maxstartups,'^(\d+)+(\d+?:\d+?:\d+)?$', "ssh::sshd_config_maxstartups may be either an integer or three integers separated with colons, such as 10:30:100. Detected value is <${sshd_config_maxstartups}>.") diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 2beea25..fac2447 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
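Review bot: The new check in the second init.pp hunk accepts any integer, including 0 and negatives, because `is_integer()` only tests the type; the neighbouring validations in this class use the stdlib `validate_*` helpers, so the five-line block could become `validate_integer($sshd_config_maxauthtries, undef, 1)`, which also enforces a lower bound of 1 (the spec's expected failure message would need to follow). If the explicit `fail()` is kept, `if !is_integer($sshd_config_maxauthtries) {` (or `unless`) is the idiomatic form rather than `== false`. Since MaxAuthTries is the per-connection cap on authentication attempts, a short comment such as `# MaxAuthTries caps auth attempts per connection; values above the sshd default of 6 weaken brute-force resistance` would help operators choosing a value. The enclosing class `ssh` starts and ends outside this hunk.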
@@ -466,6 +466,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) } it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) } + it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) } it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) } it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) } it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) } @@ -2046,6 +2047,27 @@ describe 'ssh' do end end + describe 'with paramter sshd_config_maxauthtries specified' do + let :facts do + default_facts.merge( + { + } + ) + end + context 'as a valid integer' do + let(:params) { { :sshd_config_maxauthtries => 6}} + it { should contain_file('sshd_config').with_content(/^MaxAuthTries 6$/)} + end + context 'as an invalid type' do + let(:params) {{ :sshd_config_maxauthtries => 'BOGUS'}} + it 'should fail' do + expect{ + should contain_class('ssh') + }.to raise_error(Puppet::Error,/ssh::sshd_config_maxauthtries must be a valid number and is set to \./) + end + end + end + describe 'with parameter sshd_config_maxstartups specified' do let :facts do default_facts.merge( diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 7dd0e42..59b57f4 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -62,6 +62,9 @@ PermitRootLogin <%= @permit_root_login %> StrictModes <%= @sshd_config_strictmodes %> <% end -%> #MaxAuthTries 6 +<% if @sshd_config_maxauthtries %> +MaxAuthTries <%= @sshd_config_maxauthtries %> +<% end -%> #RSAAuthentication yes #PubkeyAuthentication yes
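Review bot: The `raise_error` matcher in the 'as an invalid type' context cannot match the message the manifest raises: the `fail()` text in init.pp ends with `is set to <${sshd_config_maxauthtries}>.`, so for 'BOGUS' the message contains `is set to <BOGUS>.`, while the regex requires a literal `.` immediately after `is set to `; unless the message is rewritten somewhere outside this diff, that example fails. It should read `}.to raise_error(Puppet::Error,/ssh::sshd_config_maxauthtries must be a valid number and is set to <BOGUS>\./)`. Also, `default_facts.merge({})` is a no-op that `let(:facts) { default_facts }` expresses directly, and the describe string misspells 'parameter' ('paramter'), unlike the sibling maxstartups block. The enclosing `describe 'ssh'` block starts and ends outside the hunk.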
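Review bot: The opening tag `<% if @sshd_config_maxauthtries %>` lacks the `-%>` newline-suppressing close that the `<% end -%>` lines on the following line and for the StrictModes block use, so every render emits an extra blank line before `MaxAuthTries`; `<% if @sshd_config_maxauthtries -%>` keeps the output consistent with the surrounding directives. The ERB `if` is only a truthiness test, so any non-nil value is rendered verbatim, including 0 or a negative number; the range check therefore has to live in the manifest's validation, not here. The commented `#MaxAuthTries 6` default is left in place above the new block, which is harmless but means a reader of the rendered file sees both the commented default and the active value.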