Merge pull request #170 from ghoneycutt/maxauthtries
Add param to manage MaxAuthTries in sshd_config
commit
cbc1db4819
@ -204,6 +204,12 @@ LogLevel option in sshd_config. Acceptable values are QUIET, FATAL, ERROR, INFO,
|
|||||||
|
|
||||||
- *Default*: 'INFO'
|
- *Default*: 'INFO'
|
||||||
|
|
||||||
|
sshd_config_maxauthtries
|
||||||
|
---------------
|
||||||
|
MaxAuthTries option in sshd_config. Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
|
||||||
|
|
||||||
|
- *Default*: '6'
|
||||||
|
|
||||||
sshd_config_mode
|
sshd_config_mode
|
||||||
---------------
|
---------------
|
||||||
sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris.
|
sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris.
|
||||||
|
@ -52,6 +52,7 @@ class ssh (
|
|||||||
$sshd_config_allowusers = [],
|
$sshd_config_allowusers = [],
|
||||||
$sshd_config_denygroups = [],
|
$sshd_config_denygroups = [],
|
||||||
$sshd_config_denyusers = [],
|
$sshd_config_denyusers = [],
|
||||||
|
$sshd_config_maxauthtries = undef,
|
||||||
$sshd_config_maxstartups = undef,
|
$sshd_config_maxstartups = undef,
|
||||||
$sshd_config_maxsessions = undef,
|
$sshd_config_maxsessions = undef,
|
||||||
$sshd_config_chrootdirectory = undef,
|
$sshd_config_chrootdirectory = undef,
|
||||||
@ -513,6 +514,12 @@ class ssh (
|
|||||||
validate_string($sshd_config_authkey_location)
|
validate_string($sshd_config_authkey_location)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if $sshd_config_maxauthtries != undef {
|
||||||
|
if is_integer($sshd_config_maxauthtries) == false {
|
||||||
|
fail("ssh::sshd_config_maxauthtries must be a valid number and is set to <${sshd_config_maxauthtries}>.")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if $sshd_config_maxstartups != undef {
|
if $sshd_config_maxstartups != undef {
|
||||||
validate_re($sshd_config_maxstartups,'^(\d+)+(\d+?:\d+?:\d+)?$',
|
validate_re($sshd_config_maxstartups,'^(\d+)+(\d+?:\d+?:\d+)?$',
|
||||||
"ssh::sshd_config_maxstartups may be either an integer or three integers separated with colons, such as 10:30:100. Detected value is <${sshd_config_maxstartups}>.")
|
"ssh::sshd_config_maxstartups may be either an integer or three integers separated with colons, such as 10:30:100. Detected value is <${sshd_config_maxstartups}>.")
|
||||||
|
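Review bot: The guard `if is_integer($sshd_config_maxauthtries) == false` accepts values sshd cannot use meaningfully: stdlib's `is_integer`, as I recall it, returns true for negative numbers such as `'-1'`, and because its regex anchors with `^`/`$` rather than `\A`/`\z`, a multi-line string like `"6\nPermitRootLogin yes"` would also pass and the template would write the second line into sshd_config as a directive of its own. A stricter check that keeps the existing error text (so the spec expectation still holds) and mirrors how `sshd_config_maxstartups` is validated just below is `validate_re("${sshd_config_maxauthtries}", '\A\d+\z', "ssh::sshd_config_maxauthtries must be a valid number and is set to <${sshd_config_maxauthtries}>.")`; interpolating into a string lets it accept both a Hiera integer and a quoted string. The same `^`/`$` caveat applies to the maxstartups regex, though that predates this change. The enclosing `class ssh` starts and ends outside this hunk.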
@ -466,6 +466,7 @@ describe 'ssh' do
|
|||||||
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
|
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
|
||||||
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
|
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
|
||||||
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
|
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
|
||||||
|
it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }
|
||||||
it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
|
it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
|
||||||
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
|
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
|
||||||
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
|
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
|
||||||
@ -2046,6 +2047,27 @@ describe 'ssh' do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'with paramter sshd_config_maxauthtries specified' do
|
||||||
|
let :facts do
|
||||||
|
default_facts.merge(
|
||||||
|
{
|
||||||
|
}
|
||||||
|
)
|
||||||
|
end
|
||||||
|
context 'as a valid integer' do
|
||||||
|
let(:params) { { :sshd_config_maxauthtries => 6}}
|
||||||
|
it { should contain_file('sshd_config').with_content(/^MaxAuthTries 6$/)}
|
||||||
|
end
|
||||||
|
context 'as an invalid type' do
|
||||||
|
let(:params) {{ :sshd_config_maxauthtries => 'BOGUS'}}
|
||||||
|
it 'should fail' do
|
||||||
|
expect{
|
||||||
|
should contain_class('ssh')
|
||||||
|
}.to raise_error(Puppet::Error,/ssh::sshd_config_maxauthtries must be a valid number and is set to <BOGUS>\./)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe 'with parameter sshd_config_maxstartups specified' do
|
describe 'with parameter sshd_config_maxstartups specified' do
|
||||||
let :facts do
|
let :facts do
|
||||||
default_facts.merge(
|
default_facts.merge(
|
||||||
|
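Review bot: The new describe block only covers a valid `6` and a non-numeric `'BOGUS'`, so it would not notice the manifest accepting a negative or otherwise out-of-range value; a context such as `let(:params) {{ :sshd_config_maxauthtries => '-1' }}` expecting the same `Puppet::Error` would pin that boundary once the validation is tightened. The describe string on the block's first line has a typo, `'with paramter sshd_config_maxauthtries specified'`, which should read `'with parameter sshd_config_maxauthtries specified'` to match the sibling maxstartups block. The `default_facts.merge({})` call adds nothing over plain `default_facts`, although it does mirror the surrounding blocks.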
@ -62,6 +62,9 @@ PermitRootLogin <%= @permit_root_login %>
|
|||||||
StrictModes <%= @sshd_config_strictmodes %>
|
StrictModes <%= @sshd_config_strictmodes %>
|
||||||
<% end -%>
|
<% end -%>
|
||||||
#MaxAuthTries 6
|
#MaxAuthTries 6
|
||||||
|
<% if @sshd_config_maxauthtries %>
|
||||||
|
MaxAuthTries <%= @sshd_config_maxauthtries %>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
#RSAAuthentication yes
|
#RSAAuthentication yes
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
|
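Review bot: The opening tag `<% if @sshd_config_maxauthtries %>` does not trim its trailing newline the way the `<% end -%>` below it does, so the rendered sshd_config gets a stray blank line whether or not the parameter is set; `<% if @sshd_config_maxauthtries -%>` keeps the output tidy. The value is written into the directive unescaped, so whatever validation the manifest performs is the only thing between catalog data and the contents of sshd_config — worth keeping in mind if that check is ever loosened. Leaving the `#MaxAuthTries 6` comment line in place is fine, since it documents the default that applies while the parameter stays undef.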