puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #40 from ghoneycutt/add_banner_file

Browse Source 
(#244) Add banner file
This commit is contained in:
Garrett Honeycutt 2013-12-20 23:32:32 -08:00
commit d027d56e49
4 changed files with 145 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -29,3 +29,4 @@ metadata.json
coverage/
spec/fixtures/modules/*
Gemfile.lock
spec/fixtures/

24
README.md
View File

@ -147,6 +147,30 @@ Banner option in sshd_config.
- *Default*: 'none'
sshd_banner_content
-------------------
content parameter for file specified in sshd_config_banner
- *Default*: undef
sshd_banner_owner
-----------------
owner parameter for file specified in sshd_config_banner
- *Default*: 'root'
sshd_banner_group
-----------------
group parameter for file specified in sshd_config_banner
- *Default*: 'root'
sshd_banner_mode
----------------
mode parameter for file specified in sshd_config_banner
- *Default*: '0644'
sshd_config_xauth_location
--------------------------
XAuthLocation option in sshd_config.

45
manifests/init.pp
View File

@ -27,6 +27,10 @@ class ssh (
$sshd_config_print_motd = 'yes',
$sshd_config_use_dns = 'yes',
$sshd_config_banner = 'none',
$sshd_banner_content = undef,
$sshd_banner_owner = 'root',
$sshd_banner_group = 'root',
$sshd_banner_mode = '0644',
$sshd_config_xauth_location = '/usr/bin/xauth',
$sshd_config_subsystem_sftp = 'USE_DEFAULTS',
$service_ensure = 'running',
@ -48,12 +52,19 @@ class ssh (
# validate params
validate_re($ssh_config_hash_known_hosts, '^(yes|no)$', "ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts}>.")
validate_re($sshd_config_port, '^\d+$', "sshd_config_port must be a valid number and is set to <${sshd_config_port}>")
validate_re($sshd_password_authentication, '^(yes|no)$', "sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.")
validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
validate_re($sshd_x11_forwarding, '^(yes|no)$', "sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
validate_re($sshd_use_pam, '^(yes|no)$', "sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam}>.")
if is_integer($sshd_client_alive_interval) == false { fail("sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")
validate_re($sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.")
validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
validate_re($sshd_use_pam, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam}>.")
if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
if $sshd_config_banner != 'none' {
validate_absolute_path($sshd_config_banner)
}
if $sshd_banner_content != undef and $sshd_config_banner == 'none' {
fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.')
}
case type($ssh_config_sendenv_xmodifiers) {
'string': {
@ -63,7 +74,7 @@ class ssh (
$ssh_config_sendenv_xmodifiers_real = $ssh_config_sendenv_xmodifiers
}
default: {
fail('ssh_config_sendenv_xmodifiers type must be true or false.')
fail('ssh::ssh_config_sendenv_xmodifiers type must be true or false.')
}
}
@ -72,7 +83,7 @@ class ssh (
# noop
}
default: {
fail("permit_root_login may be either 'yes', 'without-password', 'forced-commands-only' or 'no' and is set to <${permit_root_login}>")
fail("ssh::permit_root_login may be either 'yes', 'without-password', 'forced-commands-only' or 'no' and is set to <${permit_root_login}>.")
}
}
@ -84,7 +95,7 @@ class ssh (
$key = $::sshdsakey
}
default: {
fail("ssh_key_type must be 'ssh-rsa', 'rsa', 'ssh-dsa', or 'dsa' and is <${ssh_key_type}>")
fail("ssh::ssh_key_type must be 'ssh-rsa', 'rsa', 'ssh-dsa', or 'dsa' and is <${ssh_key_type}>.")
}
}
@ -93,7 +104,7 @@ class ssh (
# noop
}
default: {
fail("purge_keys must be 'true' or 'false' and is <${purge_keys}>")
fail("ssh::purge_keys must be 'true' or 'false' and is <${purge_keys}>.")
}
}
@ -173,6 +184,18 @@ class ssh (
require => Package['ssh_packages'],
}
if $sshd_config_banner != 'none' and $sshd_banner_content != undef {
file { 'sshd_banner' :
ensure => file,
path => $sshd_config_banner,
owner => $sshd_banner_owner,
group => $sshd_banner_group,
mode => $sshd_banner_mode,
content => $sshd_banner_content,
require => Package['ssh_packages'],
}
}
case $manage_root_ssh_config {
'true': {
@ -202,7 +225,7 @@ class ssh (
# noop
}
default: {
fail("manage_root_ssh_config is <${manage_root_ssh_config}> and must be \'true\' or \'false\'.")
fail("ssh::manage_root_ssh_config is <${manage_root_ssh_config}> and must be \'true\' or \'false\'.")
}
}

95
spec/classes/init_spec.rb
View File

@ -9,6 +9,9 @@ describe 'ssh' do
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it { should compile.with_all_deps }
it { should contain_class('ssh')}
it { should_not contain_class('common')}
@ -92,6 +95,8 @@ describe 'ssh' do
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it { should compile.with_all_deps }
it { should contain_class('ssh')}
it { should_not contain_class('common')}
@ -176,6 +181,9 @@ describe 'ssh' do
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it { should compile.with_all_deps }
it { should contain_class('ssh')}
it { should_not contain_class('common')}
@ -260,6 +268,9 @@ describe 'ssh' do
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it { should compile.with_all_deps }
it { should contain_class('ssh')}
it { should_not contain_class('common')}
@ -351,7 +362,7 @@ describe 'ssh' do
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh supports osfamilies RedHat, Suse and Debian. Detected osfamily is <C64>./)
}.to raise_error(Puppet::Error,/^ssh supports osfamilies RedHat, Suse and Debian. Detected osfamily is <C64>\./)
end
end
@ -373,6 +384,8 @@ describe 'ssh' do
}
end
it { should compile.with_all_deps }
it {
should contain_file('ssh_config').with({
'ensure' => 'file',
@ -411,6 +424,7 @@ describe 'ssh' do
:sshd_config_print_motd => 'no',
:sshd_config_use_dns => 'no',
:sshd_config_banner => '/etc/sshd_banner',
:sshd_banner_content => 'textinbanner',
:sshd_config_xauth_location => '/opt/ssh/bin/xauth',
:sshd_config_subsystem_sftp => '/opt/ssh/bin/sftp',
:sshd_password_authentication => 'no',
@ -421,6 +435,8 @@ describe 'ssh' do
}
end
it { should compile.with_all_deps }
it {
should contain_file('sshd_config').with({
'ensure' => 'file',
@ -447,6 +463,18 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
it {
should contain_file('sshd_banner').with({
'ensure' => 'file',
'path' => '/etc/sshd_banner',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
'content' => 'textinbanner',
'require' => 'Package[ssh_packages]',
})
}
end
context 'with manage_root_ssh_config set to \'true\' on valid osfamily' do
@ -462,6 +490,8 @@ describe 'ssh' do
{ :manage_root_ssh_config => 'true' }
end
it { should compile.with_all_deps }
it { should contain_class('ssh')}
it { should contain_class('common')}
@ -522,7 +552,7 @@ describe 'ssh' do
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/sshd_config_port must be a valid number and is set to <22invalid>./)
}.to raise_error(Puppet::Error,/^ssh::sshd_config_port must be a valid number and is set to <22invalid>\./)
end
end
@ -542,7 +572,7 @@ describe 'ssh' do
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/manage_root_ssh_config is <invalid> and must be \'true\' or \'false\'./)
}.to raise_error(Puppet::Error,/^ssh::manage_root_ssh_config is <invalid> and must be \'true\' or \'false\'\./)
end
end
@ -561,7 +591,7 @@ describe 'ssh' do
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/sshd_password_authentication may be either \'yes\' or \'no\' and is set to <invalid>./)
}.to raise_error(Puppet::Error,/^ssh::sshd_password_authentication may be either \'yes\' or \'no\' and is set to <invalid>\./)
end
end
@ -580,7 +610,7 @@ describe 'ssh' do
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/sshd_allow_tcp_forwarding may be either \'yes\' or \'no\' and is set to <invalid>./)
}.to raise_error(Puppet::Error,/^ssh::sshd_allow_tcp_forwarding may be either \'yes\' or \'no\' and is set to <invalid>\./)
end
end
@ -599,7 +629,7 @@ describe 'ssh' do
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/sshd_x11_forwarding may be either \'yes\' or \'no\' and is set to <invalid>./)
}.to raise_error(Puppet::Error,/^ssh::sshd_x11_forwarding may be either \'yes\' or \'no\' and is set to <invalid>\./)
end
end
@ -618,7 +648,7 @@ describe 'ssh' do
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/sshd_use_pam may be either \'yes\' or \'no\' and is set to <invalid>./)
}.to raise_error(Puppet::Error,/^ssh::sshd_use_pam may be either \'yes\' or \'no\' and is set to <invalid>\./)
end
end
@ -637,10 +667,51 @@ describe 'ssh' do
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/sshd_client_alive_interval must be an integer and is set to <invalid>./)
}.to raise_error(Puppet::Error,/^ssh::sshd_client_alive_interval must be an integer and is set to <invalid>\./)
end
end
context 'with sshd_config_banner set to invalid value on valid osfamily' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{ :sshd_config_banner => 'invalid/path' }
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/is not an absolute path/)
end
end
context 'with sshd_banner_content set and with default value on sshd_config_banner on valid osfamily' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{
:sshd_banner_content => 'textinbanner'
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/^ssh::sshd_config_banner must be set to be able to use sshd_banner_content\./)
end
end
context 'with ssh_config_sendenv_xmodifiers set to invalid type, array' do
let :facts do
{
@ -656,7 +727,7 @@ describe 'ssh' do
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh_config_sendenv_xmodifiers type must be true or false./)
}.to raise_error(Puppet::Error,/^ssh::ssh_config_sendenv_xmodifiers type must be true or false\./)
end
end
@ -674,6 +745,8 @@ describe 'ssh' do
}
end
it { should compile.with_all_deps }
it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
end
@ -689,6 +762,8 @@ describe 'ssh' do
{ :manage_firewall => true }
end
it { should compile.with_all_deps }
it { should contain_class('ssh')}
it { should_not contain_class('common')}
@ -726,6 +801,8 @@ describe 'ssh' do
}
} } }
it { should compile.with_all_deps }
it {
should contain_ssh_authorized_key('root_for_userX').with({
'ensure' => 'present',