diff --git a/Gemfile b/Gemfile index c507344..d0dd164 100644 --- a/Gemfile +++ b/Gemfile @@ -16,7 +16,6 @@ gem 'puppet-lint-alias-check' gem 'puppet-lint-empty_string-check' gem 'puppet-lint-file_ensure-check' gem 'puppet-lint-file_source_rights-check' -gem 'puppet-lint-fileserver-check' gem 'puppet-lint-leading_zero-check' gem 'puppet-lint-spaceship_operator_without_tag-check' gem 'puppet-lint-trailing_comma-check' diff --git a/README.md b/README.md index 44be63b..0f5c667 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,7 @@ only), 1.9.3, 2.0.0, 2.1.0 and 2.3.1 (Puppet v4 only). * SLES 12 * Ubuntu 12.04 LTS * Ubuntu 14.04 LTS + * Ubuntu 16.04 LTS * Solaris 9 * Solaris 10 * Solaris 11 diff --git a/manifests/init.pp b/manifests/init.pp index 8bbe0b6..4716e4e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -169,18 +169,31 @@ class ssh ( } } 'Debian': { + # Ubuntu 16.04 + if $::operatingsystemrelease == '16.04' { + $default_sshd_config_hostkey = [ + '/etc/ssh/ssh_host_rsa_key', + '/etc/ssh/ssh_host_dsa_key', + '/etc/ssh/ssh_host_ecdsa_key', + '/etc/ssh/ssh_host_ed25519_key', + ] + $default_ssh_config_hash_known_hosts = 'yes' + $default_sshd_config_xauth_location = undef + } else { + $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] + $default_ssh_config_hash_known_hosts = 'no' + $default_sshd_config_xauth_location = '/usr/bin/xauth' + } $default_packages = ['openssh-server', 'openssh-client'] $default_service_name = 'ssh' $default_ssh_config_forward_x11_trusted = 'yes' - $default_ssh_config_hash_known_hosts = 'no' $default_ssh_package_source = undef $default_ssh_package_adminfile = undef $default_ssh_sendenv = true $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' - $default_sshd_config_xauth_location = '/usr/bin/xauth' $default_sshd_use_pam = 'yes' $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef 
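Review bot: The new Ubuntu 16.04 default host-key list includes `/etc/ssh/ssh_host_dsa_key`, yet the OpenSSH the spec pairs with this release is 7.2p2, where ssh-dss host keys are disabled at run time, so that entry is dead configuration at best and, if the distro no longer generates a DSA key, a "Could not load host key" warning on every sshd start. I would reduce the 16.04 list to `'/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'` with a why-comment such as `# ssh-dss host keys are refused by OpenSSH >= 7.0, so ssh_host_dsa_key is deliberately omitted`. The branch also selects on `$::operatingsystemrelease == '16.04'` alone, so every later Ubuntu release (and, presumably, a Debian release carrying the same OpenSSH) falls into the else branch and receives the pre-7.x defaults; a guard like `if $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '16.04') >= 0 {` would be more durable, with the Debian case to be confirmed separately. The enclosing `case $::osfamily` block starts and ends outside this hunk.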
@@ -188,7 +201,6 @@ class ssh ( $default_sshd_acceptenv = true $default_service_hasstatus = true $default_sshd_config_serverkeybits = '1024' - $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] $default_sshd_addressfamily = 'any' } 'Solaris': { diff --git a/metadata.json b/metadata.json index 456f596..5384ab5 100644 --- a/metadata.json +++ b/metadata.json @@ -84,7 +84,8 @@ "operatingsystem": "Ubuntu", "operatingsystemrelease": [ "12.04", - "14.04" + "14.04", + "16.04" ] } ], diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 5c40c87..f4726ca 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -184,6 +184,19 @@ describe 'ssh' do :sshd_config_fixture => 'sshd_config_solaris', :ssh_config_fixture => 'ssh_config_solaris', }, + 'Ubuntu-1604' => { + :architecture => 'x86_64', + :osfamily => 'Debian', + :operatingsystemrelease => '16.04', + :ssh_version => 'OpenSSH_7.2p2', + :ssh_version_numeric => '7.2', + :ssh_packages => ['openssh-server', 'openssh-client'], + :sshd_config_mode => '0600', + :sshd_service_name => 'ssh', + :sshd_service_hasstatus => true, + :sshd_config_fixture => 'sshd_config_ubuntu1604', + :ssh_config_fixture => 'ssh_config_ubuntu1604', + }, } osfamily_matrix.each do |os, facts| diff --git a/spec/fixtures/ssh_config_ubuntu1604 b/spec/fixtures/ssh_config_ubuntu1604 new file mode 100644 index 0000000..d13cc55 --- /dev/null +++ b/spec/fixtures/ssh_config_ubuntu1604 
@@ -0,0 +1,61 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+
+# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
+
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+# Host *
+# ForwardAgent no
+# ForwardX11 no
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+ PasswordAuthentication yes
+ PubkeyAuthentication yes
+# HostbasedAuthentication no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+ IdentityFile ~/.ssh/id_rsa
+ IdentityFile ~/.ssh/id_dsa
+# Port 22
+ Protocol 2
+# Cipher 3des
+# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# HashKnownHosts no
+ HashKnownHosts yes
+ GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
+Host *
+# GSSAPIAuthentication yes
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+ UseRoaming no
+# Send locale-related environment variables
+ SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL
diff --git a/spec/fixtures/sshd_config_ubuntu1604 b/spec/fixtures/sshd_config_ubuntu1604
new file mode 100644
index 0000000..85643c8
--- /dev/null
+++ b/spec/fixtures/sshd_config_ubuntu1604
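Review bot: The 16.04 client fixture pins `IdentityFile ~/.ssh/id_rsa` and `IdentityFile ~/.ssh/id_dsa` as the only identities; once any IdentityFile is configured ssh replaces its built-in default list instead of appending to it, so on OpenSSH 7.2 — which disables ssh-dss user keys by default — the DSA entry is inert and users holding only an ed25519 or ecdsa key get no default identity offered unless it is loaded in an agent. If this fixture mirrors the template's output (the ssh_config template is not in this diff), the 16.04 expectation should become `IdentityFile ~/.ssh/id_rsa`, `IdentityFile ~/.ssh/id_ecdsa`, `IdentityFile ~/.ssh/id_ed25519`, with the template default adjusted to match. The fixture's `# $OpenBSD: ssh_config,v 1.21 2005/12/06` banner also dates the file to a decade before the OpenSSH it is meant to represent, which is worth a one-line note so readers do not take the commented defaults as current.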
@@ -0,0 +1,141 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+#Port 22
+Port 22
+#Protocol 2,1
+Protocol 2
+#AddressFamily any
+AddressFamily any
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+ServerKeyBits 1024
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTH
+#LogLevel INFO
+LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 120
+LoginGraceTime 120
+#PermitRootLogin yes
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile .ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication yes
+#GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication mechanism.
+# Depending on your PAM configuration, this may bypass the setting of
+# PasswordAuthentication, PermitEmptyPasswords, and
+# "PermitRootLogin without-password". If you just want the PAM account and
+# session checks to run without PAM authentication, then enable this but set
+# ChallengeResponseAuthentication=no
+#UsePAM no
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+#AllowTcpForwarding yes
+AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+ClientAliveInterval 0
+ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#MaxSessions 10
+
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner none
+Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
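Review bot: The 16.04 server fixture locks in `PermitRootLogin yes`, directly under a `#PermitRootLogin yes` line presenting that as the upstream default, but OpenSSH 7.0 changed the default to `prohibit-password` and that is what Ubuntu 16.04 ships in its stock sshd_config, so applying this module to a fresh 16.04 host widens root access relative to the distro baseline. If the intent is to track distro defaults on this platform, the expectation here should be `PermitRootLogin prohibit-password` with the corresponding Debian-family default in init.pp (outside this diff) set per release, or at least a comment in the fixture recording that the module deliberately diverges. The fixture also expects `ServerKeyBits 1024`, a protocol-1-only option that is meaningless next to `Protocol 2` and that newer OpenSSH reports as deprecated; I would confirm on a 16.04 host whether sshd logs a warning for it before keeping it in the 16.04 default set.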
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index f617de7..3a80b63 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -207,9 +207,11 @@ ForceCommand <%= @sshd_config_forcecommand %> #Banner none Banner <%= @sshd_config_banner %> +<% if @sshd_config_xauth_location_real -%> #XAuthLocation /usr/bin/xauth XAuthLocation <%= @sshd_config_xauth_location_real %> +<% end -%> # override default of no subsystems Subsystem sftp <%= @sshd_config_subsystem_sftp_real %>
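Review bot: The new guard `<% if @sshd_config_xauth_location_real -%>` only treats Ruby nil as "unset", so an empty string passed by a caller — and, on older Puppet 3 parsers, an undef that reaches the template as the symbol `:undef` — is truthy and renders a bare `XAuthLocation ` line, which sshd rejects at config parse time and which would take the service down on the next restart. A guard that covers all three absent forms keeps the intent, `<% unless [nil, :undef, ''].include?(@sshd_config_xauth_location_real) -%>`, and is worth a one-line comment such as `<%# omit XAuthLocation entirely when no xauth path is known, e.g. Ubuntu 16.04 -%>`. The surrounding template continues outside this hunk; whether `_real` can be an empty string depends on how init.pp derives it, which is not visible here.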