diff --git a/README.md b/README.md index 479045b..a645437 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,7 @@ latest Puppet v3, v3 with future parser, v4, v5 and v6. See `.travis.yml` for the exact matrix of supported Puppet and ruby versions. * Debian 7 + * Debian 9 * EL 5 * EL 6 * EL 7 diff --git a/manifests/init.pp b/manifests/init.pp index e0732dd..cd1174b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -193,41 +193,90 @@ class ssh ( } } 'Debian': { - # Ubuntu 16.04 - if $::operatingsystemrelease == '16.04' { - $default_sshd_config_hostkey = [ - '/etc/ssh/ssh_host_rsa_key', - '/etc/ssh/ssh_host_dsa_key', - '/etc/ssh/ssh_host_ecdsa_key', - '/etc/ssh/ssh_host_ed25519_key', - ] - $default_ssh_config_hash_known_hosts = 'yes' - $default_sshd_config_xauth_location = undef - } else { - $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] - $default_ssh_config_hash_known_hosts = 'no' - $default_sshd_config_xauth_location = '/usr/bin/xauth' - } + # common for debian and ubuntu $default_packages = ['openssh-server', 'openssh-client'] $default_service_name = 'ssh' - $default_ssh_config_forward_x11_trusted = 'yes' - $default_ssh_package_source = undef - $default_ssh_package_adminfile = undef - $default_ssh_sendenv = true - $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' - $default_sshd_config_mode = '0600' - $default_sshd_config_use_dns = 'yes' - $default_sshd_use_pam = 'yes' - $default_sshd_gssapikeyexchange = undef - $default_sshd_pamauthenticationviakbdint = undef - $default_sshd_gssapicleanupcredentials = 'yes' - $default_sshd_acceptenv = true - $default_service_hasstatus = true - $default_sshd_config_serverkeybits = '1024' - $default_sshd_addressfamily = 'any' - $default_sshd_config_tcp_keepalive = 'yes' - $default_sshd_config_permittunnel = 'no' + + case $::operatingsystemrelease { + '16.04': { + $default_sshd_config_hostkey = [ + '/etc/ssh/ssh_host_rsa_key', + '/etc/ssh/ssh_host_dsa_key', + '/etc/ssh/ssh_host_ecdsa_key', + '/etc/ssh/ssh_host_ed25519_key', + ] + $default_ssh_config_hash_known_hosts = 'yes' + $default_sshd_config_xauth_location = undef + $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_package_source = undef + $default_ssh_package_adminfile = undef + $default_ssh_sendenv = true + $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' + $default_sshd_config_mode = '0600' + $default_sshd_config_use_dns = 'yes' + $default_sshd_use_pam = 'yes' + $default_sshd_gssapikeyexchange = undef + $default_sshd_pamauthenticationviakbdint = undef + $default_sshd_gssapicleanupcredentials = 'yes' + $default_sshd_acceptenv = true + $default_service_hasstatus = true + $default_sshd_config_serverkeybits = '1024' + $default_sshd_addressfamily = 'any' + $default_sshd_config_tcp_keepalive = 'yes' + $default_sshd_config_permittunnel = 'no' + } + /^9.*/: { + $default_sshd_config_hostkey = [ + '/etc/ssh/ssh_host_rsa_key', + '/etc/ssh/ssh_host_ecdsa_key', + '/etc/ssh/ssh_host_ed25519_key', + ] + $default_sshd_config_mode = '0600' + $default_sshd_use_pam = 'yes' + $default_ssh_config_forward_x11_trusted = 'yes' + $default_sshd_acceptenv = true + $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' + $default_ssh_config_hash_known_hosts = 'yes' + $default_ssh_sendenv = true + $default_sshd_addressfamily = undef + $default_sshd_config_serverkeybits = undef + $default_sshd_gssapicleanupcredentials = undef + $default_sshd_config_use_dns = undef + $default_sshd_config_xauth_location = undef + $default_sshd_config_permittunnel = undef + $default_sshd_config_tcp_keepalive = undef + $default_ssh_package_source = undef + $default_ssh_package_adminfile = undef + $default_sshd_gssapikeyexchange = undef + $default_sshd_pamauthenticationviakbdint = undef + $default_service_hasstatus = true + } + /^[7-8].*/: { + # this is debian 7 conf file and suppose to work with debian 8 + $default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ] + $default_ssh_config_hash_known_hosts = 'no' + $default_sshd_config_xauth_location = '/usr/bin/xauth' + $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_package_source = undef + $default_ssh_package_adminfile = undef + $default_ssh_sendenv = true + $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' + $default_sshd_config_mode = '0600' + $default_sshd_config_use_dns = 'yes' + $default_sshd_use_pam = 'yes' + $default_sshd_gssapikeyexchange = undef + $default_sshd_pamauthenticationviakbdint = undef + $default_sshd_gssapicleanupcredentials = 'yes' + $default_sshd_acceptenv = true + $default_service_hasstatus = true + $default_sshd_config_serverkeybits = '1024' + $default_sshd_addressfamily = 'any' + $default_sshd_config_tcp_keepalive = 'yes' + $default_sshd_config_permittunnel = 'no' + } + default: { fail ("Operating System : ${::operatingsystemrelease} not supported") } + } } 'Solaris': { $default_ssh_config_hash_known_hosts = undef diff --git a/metadata.json b/metadata.json index d097824..1a98761 100644 --- a/metadata.json +++ b/metadata.json @@ -17,7 +17,8 @@ { "operatingsystem": "Debian", "operatingsystemrelease": [ - "7" + "7", + "9" ] }, { diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index fd91a1c..72ad108 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -45,6 +45,19 @@ describe 'ssh' do :sshd_config_fixture => 'sshd_config_debian', :ssh_config_fixture => 'ssh_config_debian', }, + 'Debian-9' => { + :architecture => 'x86_64', + :osfamily => 'Debian', + :operatingsystemrelease => '9', + :ssh_version => 'OpenSSH_7.4p1', + :ssh_version_numeric => '7.4', + :ssh_packages => ['openssh-server', 'openssh-client'], + :sshd_config_mode => '0600', + :sshd_service_name => 'ssh', + :sshd_service_hasstatus => true, + :sshd_config_fixture => 'sshd_config_debian9', + :ssh_config_fixture => 'ssh_config_debian9', + }, 'RedHat-5' => { :architecture => 'x86_64', :osfamily => 'RedHat', diff --git a/spec/fixtures/ssh_config_debian9 b/spec/fixtures/ssh_config_debian9 new file mode 100644 index 0000000..d13cc55 --- /dev/null +++ b/spec/fixtures/ssh_config_debian9 @@ -0,0 +1,61 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT + +# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes + PasswordAuthentication yes + PubkeyAuthentication yes +# HostbasedAuthentication no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity + IdentityFile ~/.ssh/id_rsa + IdentityFile ~/.ssh/id_dsa +# Port 22 + Protocol 2 +# Cipher 3des +# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# HashKnownHosts no + HashKnownHosts yes + GlobalKnownHostsFile /etc/ssh/ssh_known_hosts +Host * +# GSSAPIAuthentication yes + GSSAPIAuthentication yes +# If this option is set to yes then remote X11 clients will have full access +# to the original X11 display. As virtually no X11 client supports the untrusted +# mode correctly we set this to yes. + ForwardX11Trusted yes + UseRoaming no +# Send locale-related environment variables + SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL diff --git a/spec/fixtures/sshd_config_debian9 b/spec/fixtures/sshd_config_debian9 new file mode 100644 index 0000000..5b150ee --- /dev/null +++ b/spec/fixtures/sshd_config_debian9 @@ -0,0 +1,133 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT + +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +#Port 22 +Port 22 +#Protocol 2,1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTH +#LogLevel INFO +LogLevel INFO + +# Authentication: + +#LoginGraceTime 120 +LoginGraceTime 120 +#PermitRootLogin yes +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 + +#RSAAuthentication yes +#PubkeyAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes +IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +GSSAPIAuthentication yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication mechanism. +# Depending on your PAM configuration, this may bypass the setting of +# PasswordAuthentication, PermitEmptyPasswords, and +# "PermitRootLogin without-password". If you just want the PAM account and +# session checks to run without PAM authentication, then enable this but set +# ChallengeResponseAuthentication=no +#UsePAM no +UsePAM yes + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL +#AllowTcpForwarding yes +AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +X11UseLocalhost yes +#PrintMotd yes +PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +ClientAliveInterval 0 +ClientAliveCountMax 3 +#ShowPatchLevel no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#MaxSessions 10 + +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none +Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server +