Merge pull request #170 from ghoneycutt/maxauthtries

Add param to manage MaxAuthTries in sshd_config
2016-06-06 13:56:21 -04:00 · 2016-06-06 13:56:21 -04:00 · cbc1db4819
commit cbc1db4819
parent bbcf100545 e1841e04d8
4 changed files with 38 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -204,6 +204,12 @@ LogLevel option in sshd_config. Acceptable values are QUIET, FATAL, ERROR, INFO,

 - *Default*: 'INFO'

+sshd_config_maxauthtries
+---------------
+MaxAuthTries option in sshd_config.  Specifies the maximum number of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
+
+- *Default*: '6'
+
 sshd_config_mode
 ---------------
 sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris.
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -52,6 +52,7 @@ class ssh (
  $sshd_config_allowusers              = [],
  $sshd_config_denygroups              = [],
  $sshd_config_denyusers               = [],
+  $sshd_config_maxauthtries            = undef,
  $sshd_config_maxstartups             = undef,
  $sshd_config_maxsessions             = undef,
  $sshd_config_chrootdirectory         = undef,
@ -513,6 +514,12 @@ class ssh (
    validate_string($sshd_config_authkey_location)
  }

+  if $sshd_config_maxauthtries != undef {
+    if is_integer($sshd_config_maxauthtries) == false {
+      fail("ssh::sshd_config_maxauthtries must be a valid number and is set to <${sshd_config_maxauthtries}>.")
+    }
+  }
+
  if $sshd_config_maxstartups != undef {
    validate_re($sshd_config_maxstartups,'^(\d+)+(\d+?:\d+?:\d+)?$',
      "ssh::sshd_config_maxstartups may be either an integer or three integers separated with colons, such as 10:30:100. Detected value is <${sshd_config_maxstartups}>.")
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@ -466,6 +466,7 @@ describe 'ssh' do
    it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
    it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
    it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
+    it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }
    it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
    it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
    it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
@ -2046,6 +2047,27 @@ describe 'ssh' do
    end
  end

+  describe 'with paramter sshd_config_maxauthtries specified'  do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+    context 'as a valid integer' do
+     let(:params) { { :sshd_config_maxauthtries => 6}}
+     it { should contain_file('sshd_config').with_content(/^MaxAuthTries 6$/)}
+    end
+    context 'as an invalid type' do
+      let(:params) {{ :sshd_config_maxauthtries => 'BOGUS'}}
+      it 'should fail' do
+        expect{
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/ssh::sshd_config_maxauthtries must be a valid number and is set to <BOGUS>\./)
+      end
+    end
+ end
+
  describe 'with parameter sshd_config_maxstartups specified' do
    let :facts do
      default_facts.merge(
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@ -62,6 +62,9 @@ PermitRootLogin <%= @permit_root_login %>
 StrictModes <%= @sshd_config_strictmodes %>
 <% end -%>
 #MaxAuthTries 6
+<% if @sshd_config_maxauthtries %>
+MaxAuthTries <%= @sshd_config_maxauthtries %>
+<% end -%>

 #RSAAuthentication yes
 #PubkeyAuthentication yes