Merge branch 'master' of github.com:ghoneycutt/puppet-module-ssh

README.md

@@ -150,6 +150,28 @@ in ssh_config.
 
 - *Default*: undef
 
+ssh_hostbasedauthentication
+-------------------------
+String for HostbasedAuthentication option in ssh_config. Valid values are 'yes' and 'no'.
+
+- *Default*: undef
+
+
+ssh_strict_host_key_checking
+-----------------------------
+*string* For StrictHostKeyChecking setting in ssh_config. Valid values are
+'yes', 'no' or 'ask'.
+
+- *Default*: undef
+
+ssh_enable_ssh_keysign
+-----------------------------
+*string* For EnableSSHKeysign setting in ssh_config. Valid values are
+'yes' and 'no' or to leave undef which will ensure the setting is not present
+in ssh_config.
+
+- *Default*: undef
+
 sshd_addressfamily
 ----------------
 Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration.

manifests/init.pp

@@ -20,6 +20,8 @@ class ssh (
   $ssh_config_forward_agent            = undef,
   $ssh_config_server_alive_interval    = undef,
   $ssh_config_sendenv_xmodifiers       = false,
+  $ssh_hostbasedauthentication         = undef,
+  $ssh_strict_host_key_checking        = undef,
   $ssh_config_ciphers                  = undef,
   $ssh_config_macs                     = undef,
   $ssh_config_use_roaming              = 'USE_DEFAULTS',
@@ -45,6 +47,7 @@ class ssh (
   $sshd_config_banner                  = 'none',
   $sshd_config_ciphers                 = undef,
   $sshd_config_macs                    = undef,
+  $ssh_enable_ssh_keysign              = undef,
   $sshd_config_allowgroups             = [],
   $sshd_config_allowusers              = [],
   $sshd_config_denygroups              = [],
@@ -488,6 +491,14 @@ class ssh (
     validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
   }
 
+  if $ssh_strict_host_key_checking != undef {
+    validate_re($ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <${ssh_strict_host_key_checking}>.")
+  }
+
+  if $ssh_enable_ssh_keysign != undef {
+    validate_re($ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.")
+  }
+
   if $sshd_config_authkey_location != undef {
     validate_string($sshd_config_authkey_location)
   }
@@ -527,6 +538,9 @@ class ssh (
   if $sshd_config_strictmodes != undef {
     validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.")
   }
+  if $ssh_hostbasedauthentication != undef {
+    validate_re($ssh_hostbasedauthentication, '^(yes|no)$', "ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <${ssh_hostbasedauthentication}>.")
+  }
 
   validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
 

spec/classes/init_spec.rb

@@ -74,6 +74,7 @@ describe 'ssh' do
     'Suse-10-x86_64' => {
       :architecture           => 'x86_64',
       :osfamily               => 'Suse',
+      :operatingsystem        => 'SLED',
       :operatingsystemrelease => '10.4',
       :ssh_version            => 'OpenSSH_5.1p1',
       :ssh_version_numeric    => '5.1',
@@ -100,6 +101,7 @@ describe 'ssh' do
     'Suse-11-x86_64' => {
       :architecture           => 'x86_64',
       :osfamily               => 'Suse',
+      :operatingsystem        => 'SLED',
       :operatingsystemrelease => '11.4',
       :ssh_version            => 'OpenSSH_6.6.1p1',
       :ssh_version_numeric    => '6.6',
@@ -126,6 +128,7 @@ describe 'ssh' do
     'Suse-12-x86_64' => {
       :architecture           => 'x86_64',
       :osfamily               => 'Suse',
+      :operatingsystem        => 'SLED',
       :operatingsystemrelease => '12.0',
       :ssh_version            => 'OpenSSH_6.6.1p1',
       :ssh_version_numeric    => '6.6',
@@ -316,6 +319,9 @@ describe 'ssh' do
                                                  'hmac-sha1-etm@openssh.com',
         ],
         :ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2',
+        :ssh_hostbasedauthentication        => 'yes',
+        :ssh_strict_host_key_checking       => 'ask',
+        :ssh_enable_ssh_keysign             => 'yes',
       }
     end
 
@@ -345,6 +351,9 @@ describe 'ssh' do
     it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
     it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
     it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication yes$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking ask$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign yes$/) }
   end
 
   context 'with params used in sshd_config set on valid osfamily' do
@@ -1465,6 +1474,7 @@ describe 'ssh' do
         default_facts.merge(
           {
             :osfamily          => 'Suse',
+            :operatingsystem   => 'SLED',
             :fqdn              => 'notinhiera.example.com',
             :lsbmajdistrelease => '11',
             :architecture      => 'x86_64',
@@ -1736,6 +1746,111 @@ describe 'ssh' do
     end
   end
 
+  describe 'with parameter ssh_hostbasedauthentication' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no'].each do |value|
+      context "specified as valid #{value} (as #{value.class})" do
+        let(:params) { { :ssh_hostbasedauthentication => value } }
+
+        it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication #{value}$/) }
+      end
+    end
+
+    ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+      context "specified as invalid value #{value} (as #{value.class})" do
+        let(:params) { { :ssh_hostbasedauthentication => value } }
+
+        if value.is_a?(Array)
+          value = value.join
+        elsif value.is_a?(Hash)
+          value = '{ha => sh}'
+        end
+
+        it 'should fail' do
+          expect {
+            should contain_class('ssh')
+          }.to raise_error(Puppet::Error,/ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
+        end
+      end
+    end
+  end
+
+  describe 'with parameter ssh_strict_host_key_checking' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no', 'ask'].each do |value|
+      context "specified as valid #{value} (as #{value.class})" do
+        let(:params) { { :ssh_strict_host_key_checking => value } }
+
+        it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking #{value}$/) }
+      end
+    end
+
+    ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+      context "specified as invalid value #{value} (as #{value.class})" do
+        let(:params) { { :ssh_strict_host_key_checking => value } }
+
+        if value.is_a?(Array)
+          value = value.join
+        elsif value.is_a?(Hash)
+          value = '{ha => sh}'
+        end
+
+        it 'should fail' do
+          expect {
+            should contain_class('ssh')
+          }.to raise_error(Puppet::Error,/ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <#{Regexp.escape(value.to_s)}>\./)
+        end
+      end
+    end
+  end
+
+  describe 'with parameter ssh_enable_ssh_keysign' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no'].each do |value|
+      context "specified as valid #{value} (as #{value.class})" do
+        let(:params) { { :ssh_enable_ssh_keysign => value } }
+
+        it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign #{value}$/) }
+      end
+    end
+
+    ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+      context "specified as invalid value #{value} (as #{value.class})" do
+        let(:params) { { :ssh_enable_ssh_keysign => value } }
+
+        if value.is_a?(Array)
+          value = value.join
+        elsif value.is_a?(Hash)
+          value = '{ha => sh}'
+        end
+
+        it 'should fail' do
+          expect {
+            should contain_class('ssh')
+          }.to raise_error(Puppet::Error,/ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
+        end
+      end
+    end
+  end
+
   describe 'with parameter sshd_gssapiauthentication' do
     let :facts do
       default_facts.merge(

templates/ssh_config.erb

@@ -28,11 +28,17 @@
    PasswordAuthentication yes
    PubkeyAuthentication yes
 #   HostbasedAuthentication no
+<% if @ssh_hostbasedauthentication -%>
+   HostbasedAuthentication <%= @ssh_hostbasedauthentication %>
+<% end -%>
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
 #   ConnectTimeout 0
 #   StrictHostKeyChecking ask
+<% if @ssh_strict_host_key_checking -%>
+   StrictHostKeyChecking <%= @ssh_strict_host_key_checking %>
+<% end -%>
 #   IdentityFile ~/.ssh/identity
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
@@ -90,3 +96,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
 <% if @ssh_config_macs -%>
   MACs <%= @ssh_config_macs.join(',') %>
 <% end -%>
+<% if not @ssh_enable_ssh_keysign.nil? -%>
+# EnableSSHKeysign no
+  EnableSSHKeysign <%= @ssh_enable_ssh_keysign %>
+<% end -%>