Expose TCPKeepAlive from sshd_config
parent
38fe580232
commit
d68ebec55d
13
README.md
13
README.md
@ -421,6 +421,19 @@ after approximately 45 seconds. This option applies to protocol version 2 only.
|
|||||||
|
|
||||||
- *Default*: '3'
|
- *Default*: '3'
|
||||||
|
|
||||||
|
sshd_config_tcp_keepalive
|
||||||
|
------------------------
|
||||||
|
TCPKeepAlive in sshd_config.
|
||||||
|
Specifies whether the system should send TCP keepalive messages to the other side. If they
|
||||||
|
are sent, death of the connection or crash of one of the machines will be properly noticed.
|
||||||
|
However, this means that connections will die if the route is down temporarily, and some
|
||||||
|
people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may
|
||||||
|
hang indefinitely on the server, leaving ``ghost'' users and consuming server resources.
|
||||||
|
The default is ``yes'' (to send TCP keepalive messages), and the server will notice if the
|
||||||
|
network goes down or the client host crashes. This avoids infinitely hanging sessions.
|
||||||
|
|
||||||
|
- *Default*: 'yes'
|
||||||
|
|
||||||
sshd_config_ciphers
|
sshd_config_ciphers
|
||||||
-------------------
|
-------------------
|
||||||
Array of ciphers for the Ciphers setting in sshd_config.
|
Array of ciphers for the Ciphers setting in sshd_config.
|
||||||
|
@ -105,6 +105,7 @@ class ssh (
|
|||||||
$keys = undef,
|
$keys = undef,
|
||||||
$manage_root_ssh_config = false,
|
$manage_root_ssh_config = false,
|
||||||
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
|
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
|
||||||
|
$sshd_config_tcp_keepalive = 'yes',
|
||||||
) {
|
) {
|
||||||
|
|
||||||
case $::osfamily {
|
case $::osfamily {
|
||||||
@ -750,6 +751,7 @@ class ssh (
|
|||||||
validate_array($sshd_config_allowgroups_real)
|
validate_array($sshd_config_allowgroups_real)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
validate_re($sshd_config_tcp_keepalive, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes' or 'no' and is set to <${sshd_config_tcp_keepalive}>.")
|
||||||
package { $packages_real:
|
package { $packages_real:
|
||||||
ensure => installed,
|
ensure => installed,
|
||||||
source => $ssh_package_source_real,
|
source => $ssh_package_source_real,
|
||||||
|
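Review bot: The pattern given to `validate_re` for `$sshd_config_tcp_keepalive` is anchored with `^` and `$`, which in Ruby regular expressions match at line boundaries rather than at the ends of the string, so a multi-line value in which one line is exactly `yes` or `no` would be accepted. The sshd_config template changed in this commit writes the parameter verbatim (`TCPKeepAlive <%= @sshd_config_tcp_keepalive %>`), so text after an embedded newline would be rendered as further lines of the daemon's configuration. Anchoring on the whole string closes this: `validate_re($sshd_config_tcp_keepalive, '\A(yes|no)\z', ...)`, with the message unchanged. The class body continues outside both hunks, so whether other parameters are validated the same way cannot be seen from here.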
@ -438,6 +438,7 @@ describe 'ssh' do
|
|||||||
:sshd_listen_address => [ '192.168.1.1',
|
:sshd_listen_address => [ '192.168.1.1',
|
||||||
'2001:db8::dead:f00d',
|
'2001:db8::dead:f00d',
|
||||||
],
|
],
|
||||||
|
:sshd_config_tcp_keepalive => 'yes',
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
@ -503,6 +504,7 @@ describe 'ssh' do
|
|||||||
it { should contain_file('sshd_config').with_content(/^\s*AllowUsers foo bar$/) }
|
it { should contain_file('sshd_config').with_content(/^\s*AllowUsers foo bar$/) }
|
||||||
it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) }
|
it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) }
|
||||||
it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) }
|
it { should contain_file('sshd_config').with_content(/^ListenAddress 192.168.1.1\nListenAddress 2001:db8::dead:f00d$/) }
|
||||||
|
it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }
|
||||||
|
|
||||||
it {
|
it {
|
||||||
should contain_file('sshd_banner').with({
|
should contain_file('sshd_banner').with({
|
||||||
@ -2760,6 +2762,25 @@ describe 'ssh' do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'sshd_config_tcp_keepalive param' do
|
||||||
|
let :facts do
|
||||||
|
default_facts.merge(
|
||||||
|
{
|
||||||
|
}
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when set to invalid' do
|
||||||
|
let (:params) { { :sshd_config_tcp_keepalive => 'invalid' } }
|
||||||
|
|
||||||
|
it 'should fail' do
|
||||||
|
expect {
|
||||||
|
should contain_class('ssh')
|
||||||
|
}.to raise_error(Puppet::Error,/ssh::sshd_config_tcp_keepalive may be either \'yes\' or \'no\' and is set to <invalid>\./)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe 'with parameter sshd_addressfamily' do
|
describe 'with parameter sshd_addressfamily' do
|
||||||
let :facts do
|
let :facts do
|
||||||
default_facts.merge(
|
default_facts.merge(
|
||||||
|
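Review bot: No example exercises `'no'`. The parameter hash in the first hunk sets `:sshd_config_tcp_keepalive => 'yes'`, which equals the class default, so `with_content(/^TCPKeepAlive yes$/)` would still pass if the template ignored the parameter. A context in the new `describe 'sshd_config_tcp_keepalive param'` block with `let (:params) { { :sshd_config_tcp_keepalive => 'no' } }` and `it { should contain_file('sshd_config').with_content(/^TCPKeepAlive no$/) }` would pin the rendering. A second failing case with a value that contains a newline (for example `"yes\nfoo"`) would show whether the validation covers the whole string or only one line of it. The empty hash merged into `default_facts` in that block can be dropped.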
1
spec/fixtures/sshd_config_debian
vendored
1
spec/fixtures/sshd_config_debian
vendored
@ -111,6 +111,7 @@ X11Forwarding yes
|
|||||||
PrintMotd yes
|
PrintMotd yes
|
||||||
#PrintLastLog yes
|
#PrintLastLog yes
|
||||||
#TCPKeepAlive yes
|
#TCPKeepAlive yes
|
||||||
|
TCPKeepAlive yes
|
||||||
#UseLogin no
|
#UseLogin no
|
||||||
#UsePrivilegeSeparation yes
|
#UsePrivilegeSeparation yes
|
||||||
#PermitUserEnvironment no
|
#PermitUserEnvironment no
|
||||||
|
1
spec/fixtures/sshd_config_rhel
vendored
1
spec/fixtures/sshd_config_rhel
vendored
@ -111,6 +111,7 @@ X11Forwarding yes
|
|||||||
PrintMotd yes
|
PrintMotd yes
|
||||||
#PrintLastLog yes
|
#PrintLastLog yes
|
||||||
#TCPKeepAlive yes
|
#TCPKeepAlive yes
|
||||||
|
TCPKeepAlive yes
|
||||||
#UseLogin no
|
#UseLogin no
|
||||||
#UsePrivilegeSeparation yes
|
#UsePrivilegeSeparation yes
|
||||||
#PermitUserEnvironment no
|
#PermitUserEnvironment no
|
||||||
|
1
spec/fixtures/sshd_config_sles_12_x86_64
vendored
1
spec/fixtures/sshd_config_sles_12_x86_64
vendored
@ -111,6 +111,7 @@ X11Forwarding yes
|
|||||||
PrintMotd yes
|
PrintMotd yes
|
||||||
#PrintLastLog yes
|
#PrintLastLog yes
|
||||||
#TCPKeepAlive yes
|
#TCPKeepAlive yes
|
||||||
|
TCPKeepAlive yes
|
||||||
#UseLogin no
|
#UseLogin no
|
||||||
#UsePrivilegeSeparation yes
|
#UsePrivilegeSeparation yes
|
||||||
#PermitUserEnvironment no
|
#PermitUserEnvironment no
|
||||||
|
1
spec/fixtures/sshd_config_solaris
vendored
1
spec/fixtures/sshd_config_solaris
vendored
@ -100,6 +100,7 @@ X11Forwarding yes
|
|||||||
PrintMotd yes
|
PrintMotd yes
|
||||||
#PrintLastLog yes
|
#PrintLastLog yes
|
||||||
#TCPKeepAlive yes
|
#TCPKeepAlive yes
|
||||||
|
TCPKeepAlive yes
|
||||||
#UseLogin no
|
#UseLogin no
|
||||||
#UsePrivilegeSeparation yes
|
#UsePrivilegeSeparation yes
|
||||||
#PermitUserEnvironment no
|
#PermitUserEnvironment no
|
||||||
|
1
spec/fixtures/sshd_config_suse_i386
vendored
1
spec/fixtures/sshd_config_suse_i386
vendored
@ -111,6 +111,7 @@ X11Forwarding yes
|
|||||||
PrintMotd yes
|
PrintMotd yes
|
||||||
#PrintLastLog yes
|
#PrintLastLog yes
|
||||||
#TCPKeepAlive yes
|
#TCPKeepAlive yes
|
||||||
|
TCPKeepAlive yes
|
||||||
#UseLogin no
|
#UseLogin no
|
||||||
#UsePrivilegeSeparation yes
|
#UsePrivilegeSeparation yes
|
||||||
#PermitUserEnvironment no
|
#PermitUserEnvironment no
|
||||||
|
1
spec/fixtures/sshd_config_suse_x86_64
vendored
1
spec/fixtures/sshd_config_suse_x86_64
vendored
@ -111,6 +111,7 @@ X11Forwarding yes
|
|||||||
PrintMotd yes
|
PrintMotd yes
|
||||||
#PrintLastLog yes
|
#PrintLastLog yes
|
||||||
#TCPKeepAlive yes
|
#TCPKeepAlive yes
|
||||||
|
TCPKeepAlive yes
|
||||||
#UseLogin no
|
#UseLogin no
|
||||||
#UsePrivilegeSeparation yes
|
#UsePrivilegeSeparation yes
|
||||||
#PermitUserEnvironment no
|
#PermitUserEnvironment no
|
||||||
|
@ -165,6 +165,7 @@ X11Forwarding <%= @sshd_x11_forwarding %>
|
|||||||
PrintMotd <%= @sshd_config_print_motd %>
|
PrintMotd <%= @sshd_config_print_motd %>
|
||||||
#PrintLastLog yes
|
#PrintLastLog yes
|
||||||
#TCPKeepAlive yes
|
#TCPKeepAlive yes
|
||||||
|
TCPKeepAlive <%= @sshd_config_tcp_keepalive %>
|
||||||
#UseLogin no
|
#UseLogin no
|
||||||
#UsePrivilegeSeparation yes
|
#UsePrivilegeSeparation yes
|
||||||
#PermitUserEnvironment no
|
#PermitUserEnvironment no
|
||||||
|