From d68ebec55da403b608854b07581e3b77ac3ab6e0 Mon Sep 17 00:00:00 2001 From: Andrei Brezan Date: Wed, 29 Jun 2016 11:59:42 +0200 Subject: [PATCH] Expose TCPKeepAlive from sshd_config --- README.md | 13 +++++++++++++ manifests/init.pp | 2 ++ spec/classes/init_spec.rb | 21 +++++++++++++++++++++ spec/fixtures/sshd_config_debian | 1 + spec/fixtures/sshd_config_rhel | 1 + spec/fixtures/sshd_config_sles_12_x86_64 | 1 + spec/fixtures/sshd_config_solaris | 1 + spec/fixtures/sshd_config_suse_i386 | 1 + spec/fixtures/sshd_config_suse_x86_64 | 1 + templates/sshd_config.erb | 1 + 10 files changed, 43 insertions(+) diff --git a/README.md b/README.md index 816b5db..44be63b 100644 --- a/README.md +++ b/README.md @@ -421,6 +421,19 @@ after approximately 45 seconds. This option applies to protocol version 2 only. - *Default*: '3' +sshd_config_tcp_keepalive +------------------------ +TCPKeepAlive in sshd_config. +Specifies whether the system should send TCP keepalive messages to the other side. If they +are sent, death of the connection or crash of one of the machines will be properly noticed. +However, this means that connections will die if the route is down temporarily, and some +people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may +hang indefinitely on the server, leaving ``ghost'' users and consuming server resources. +The default is ``yes'' (to send TCP keepalive messages), and the server will notice if the +network goes down or the client host crashes. This avoids infinitely hanging sessions. + +- *Default*: 'yes' + sshd_config_ciphers ------------------- Array of ciphers for the Ciphers setting in sshd_config. diff --git a/manifests/init.pp b/manifests/init.pp index ee99870..8bbe0b6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -105,6 +105,7 @@ class ssh ( $keys = undef, $manage_root_ssh_config = false, $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", + $sshd_config_tcp_keepalive = 'yes', ) { case $::osfamily { @@ -750,6 +751,7 @@ class ssh ( validate_array($sshd_config_allowgroups_real) } + validate_re($sshd_config_tcp_keepalive, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes' or 'no' and is set to <${sshd_config_tcp_keepalive}>.") package { $packages_real: ensure => installed, source => $ssh_package_source_real, diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 457f29e..5c40c87 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -438,6 +438,7 @@ describe 'ssh' do :sshd_listen_address => [ '192.168.1.1', '2001:db8::dead:f00d', ], + :sshd_config_tcp_keepalive => 'yes', } end @@ -503,6 +504,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^\s*AllowUsers foo bar$/) } it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) } it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) } + it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) } it { should contain_file('sshd_banner').with({ @@ -2760,6 +2762,25 @@ describe 'ssh' do end end + describe 'sshd_config_tcp_keepalive param' do + let :facts do + default_facts.merge( + { + } + ) + end + + context 'when set to invalid' do + let (:params) { { :sshd_config_tcp_keepalive => 'invalid' } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/ssh::sshd_config_tcp_keepalive may be either \'yes\' or \'no\' and is set to \./) + end + end + end + describe 'with parameter sshd_addressfamily' do let :facts do default_facts.merge( diff --git a/spec/fixtures/sshd_config_debian b/spec/fixtures/sshd_config_debian index 355ce91..5f6e587 100644 
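Review bot: The anchors in the new validate_re call in the second manifests/init.pp hunk are line anchors, not string anchors — validate_re compiles its pattern as a Ruby Regexp, where `^` and `$` match at every line boundary, so a multi-line value whose first line is `yes` satisfies `'^(yes|no)$'` and is then written verbatim into sshd_config by the `TCPKeepAlive <%= @sshd_config_tcp_keepalive %>` line this patch adds to templates/sshd_config.erb. The value comes from the catalog author rather than from the managed host, so exposure is limited, but a whole-string anchor costs nothing: `validate_re($sshd_config_tcp_keepalive, '\A(yes|no)\z', "ssh::sshd_config_tcp_keepalive may be either 'yes' or 'no' and is set to <${sshd_config_tcp_keepalive}>.")`. If the module's other yes/no validations use the same `^...$` form (they are outside this patch), changing them together keeps the style consistent. The `class ssh` body begins and ends outside both hunks.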
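Review bot: The assertion `it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }` added in the spec/classes/init_spec.rb hunk at line 504 cannot distinguish the new parameter from its default, because the params hash in the hunk at line 438 sets `:sshd_config_tcp_keepalive => 'yes'`, which is also the class default; the same content would be rendered if the template ignored the parameter entirely. Set the non-default value there, `:sshd_config_tcp_keepalive => 'no',`, and assert `with_content(/^TCPKeepAlive no$/)`, so the test proves the value is wired through to the template. The enclosing `let(:params)` block and the describe it belongs to start and end outside these hunks.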
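Review bot: In the new `describe 'sshd_config_tcp_keepalive param'` block, `default_facts.merge({ })` spread over five lines is a no-op; `let(:facts) { default_facts }` expresses the same thing in one line and reads as intended rather than as an unfinished merge. The new block also only covers the rejection path; a sibling context for the accepted non-default value would fit naturally here if it is not already covered elsewhere. The top-level `describe 'ssh'` that encloses this block starts and ends outside the hunk.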
--- a/spec/fixtures/sshd_config_debian
+++ b/spec/fixtures/sshd_config_debian
@@ -111,6 +111,7 @@ X11Forwarding yes
 PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
+TCPKeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
diff --git a/spec/fixtures/sshd_config_rhel b/spec/fixtures/sshd_config_rhel
index d73a8a8..901b4e9 100644
--- a/spec/fixtures/sshd_config_rhel
+++ b/spec/fixtures/sshd_config_rhel
@@ -111,6 +111,7 @@ X11Forwarding yes
 PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
+TCPKeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
diff --git a/spec/fixtures/sshd_config_sles_12_x86_64 b/spec/fixtures/sshd_config_sles_12_x86_64
index c56fde8..bad554d 100644
--- a/spec/fixtures/sshd_config_sles_12_x86_64
+++ b/spec/fixtures/sshd_config_sles_12_x86_64
@@ -111,6 +111,7 @@ X11Forwarding yes
 PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
+TCPKeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
diff --git a/spec/fixtures/sshd_config_solaris b/spec/fixtures/sshd_config_solaris
index 11b261a..1b934c6 100644
--- a/spec/fixtures/sshd_config_solaris
+++ b/spec/fixtures/sshd_config_solaris
@@ -100,6 +100,7 @@ X11Forwarding yes
 PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
+TCPKeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
diff --git a/spec/fixtures/sshd_config_suse_i386 b/spec/fixtures/sshd_config_suse_i386
index c56fde8..bad554d 100644
--- a/spec/fixtures/sshd_config_suse_i386
+++ b/spec/fixtures/sshd_config_suse_i386
@@ -111,6 +111,7 @@ X11Forwarding yes
 PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
+TCPKeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
diff --git a/spec/fixtures/sshd_config_suse_x86_64 b/spec/fixtures/sshd_config_suse_x86_64
index 1a91c74..4e47b68 100644
--- a/spec/fixtures/sshd_config_suse_x86_64
+++ b/spec/fixtures/sshd_config_suse_x86_64
@@ -111,6 +111,7 @@ X11Forwarding yes
 PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
+TCPKeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 4412b73..f617de7 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -165,6 +165,7 @@ X11Forwarding <%= @sshd_x11_forwarding %>
 PrintMotd <%= @sshd_config_print_motd %>
 #PrintLastLog yes
 #TCPKeepAlive yes
+TCPKeepAlive <%= @sshd_config_tcp_keepalive %>
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no