diff --git a/README.md b/README.md
index 3da375e..0c26d24 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,28 @@ in ssh_config.
 - *Default*: undef
+ssh_hostbasedauthentication
+-------------------------
+String for HostbasedAuthentication option in ssh_config. Valid values are 'yes' and 'no'.
+
+- *Default*: undef
+
+
+ssh_strict_host_key_checking
+-----------------------------
+*string* For StrictHostKeyChecking setting in ssh_config. Valid values are
+'yes', 'no' or 'ask'.
+
+- *Default*: undef
+
+ssh_enable_ssh_keysign
+-----------------------------
+*string* For EnableSSHKeysign setting in ssh_config. Valid values are
+'yes' and 'no' or to leave undef which will ensure the setting is not present
+in ssh_config.
+
+- *Default*: undef
+
 sshd_addressfamily
 ----------------
 Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration.
diff --git a/manifests/init.pp b/manifests/init.pp
index 5c71ea5..1fcb7fd 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -20,6 +20,8 @@ class ssh (
 $ssh_config_forward_agent = undef,
 $ssh_config_server_alive_interval = undef,
 $ssh_config_sendenv_xmodifiers = false,
+ $ssh_hostbasedauthentication = undef,
+ $ssh_strict_host_key_checking = undef,
 $ssh_config_ciphers = undef,
 $ssh_config_macs = undef,
 $ssh_config_use_roaming = 'USE_DEFAULTS',
@@ -45,6 +47,7 @@ class ssh (
 $sshd_config_banner = 'none',
 $sshd_config_ciphers = undef,
 $sshd_config_macs = undef,
+ $ssh_enable_ssh_keysign = undef,
 $sshd_config_allowgroups = [],
 $sshd_config_allowusers = [],
 $sshd_config_denygroups = [],
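Review bot: `$ssh_enable_ssh_keysign` is declared among the `$sshd_config_*` parameters in the @@ -45 hunk although, per the README and template hunks of this commit, it is an ssh_config client option; moving it next to `$ssh_hostbasedauthentication` and `$ssh_strict_host_key_checking` in the @@ -20 hunk would keep the client/server split of the parameter list intact. None of the three new parameters carries a comment in the manifest; if the class documents parameters inline (its header is outside both hunks), a one-liner such as `# ssh_enable_ssh_keysign - EnableSSHKeysign in ssh_config: 'yes', 'no' or undef to omit the line` would help readers who do not open the README. The `class ssh (` parameter list starts and ends outside both hunks.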
@@ -488,6 +491,14 @@ class ssh (
 validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
 }
+ if $ssh_strict_host_key_checking != undef {
+ validate_re($ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <${ssh_strict_host_key_checking}>.")
+ }
+
+ if $ssh_enable_ssh_keysign != undef {
+ validate_re($ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.")
+ }
+
 if $sshd_config_authkey_location != undef {
 validate_string($sshd_config_authkey_location)
 }
@@ -527,6 +538,9 @@ class ssh (
 if $sshd_config_strictmodes != undef {
 validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.")
 }
+ if $ssh_hostbasedauthentication != undef {
+ validate_re($ssh_hostbasedauthentication, '^(yes|no)$', "ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <${ssh_hostbasedauthentication}>.")
+ }
 validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 4c8cb58..aad22cb 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -74,6 +74,7 @@ describe 'ssh' do
 'Suse-10-x86_64' => {
 :architecture => 'x86_64',
 :osfamily => 'Suse',
+ :operatingsystem => 'SLED',
 :operatingsystemrelease => '10.4',
 :ssh_version => 'OpenSSH_5.1p1',
 :ssh_version_numeric => '5.1',
@@ -100,6 +101,7 @@ describe 'ssh' do
 'Suse-11-x86_64' => {
 :architecture => 'x86_64',
 :osfamily => 'Suse',
+ :operatingsystem => 'SLED',
 :operatingsystemrelease => '11.4',
 :ssh_version => 'OpenSSH_6.6.1p1',
 :ssh_version_numeric => '6.6',
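Review bot: The new `ssh_strict_host_key_checking` validation accepts 'no', which switches host-key verification off for every user of the system-wide ssh_config; the parameter's README entry in this commit does not mention that consequence, and a sentence such as `Setting this to 'no' disables host key verification for all users; 'ask' or 'yes' is the safer choice.` would be worth adding there. The `ssh_hostbasedauthentication` check lands in the @@ -527 hunk next to its sshd counterpart rather than alongside the two client-side checks added in this hunk; keeping the three together would make them easier to find. The patterns `^(yes|no)$` and `^(yes|no|ask)$` anchor per line in Ruby rather than the whole string, so `\A(yes|no)\z` would be stricter, but the surrounding validations use the same form and that is a file-wide cleanup rather than a fault of this hunk alone.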
@@ -126,6 +128,7 @@ describe 'ssh' do
 'Suse-12-x86_64' => {
 :architecture => 'x86_64',
 :osfamily => 'Suse',
+ :operatingsystem => 'SLED',
 :operatingsystemrelease => '12.0',
 :ssh_version => 'OpenSSH_6.6.1p1',
 :ssh_version_numeric => '6.6',
@@ -316,6 +319,9 @@ describe 'ssh' do
 'hmac-sha1-etm@openssh.com',
 ],
 :ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2',
+ :ssh_hostbasedauthentication => 'yes',
+ :ssh_strict_host_key_checking => 'ask',
+ :ssh_enable_ssh_keysign => 'yes',
 }
 end
@@ -345,6 +351,9 @@ describe 'ssh' do
 it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
 it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
 it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication yes$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking ask$/) }
+ it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign yes$/) }
 end
 context 'with params used in sshd_config set on valid osfamily' do
@@ -1465,6 +1474,7 @@ describe 'ssh' do
 default_facts.merge(
 {
 :osfamily => 'Suse',
+ :operatingsystem => 'SLED',
 :fqdn => 'notinhiera.example.com',
 :lsbmajdistrelease => '11',
 :architecture => 'x86_64',
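Review bot: The three `it` lines added in the @@ -345 hunk only assert that each option is rendered when it is set; nothing in this commit asserts that the lines are absent when the parameters stay undef, which is the behaviour the README entry for `ssh_enable_ssh_keysign` promises. A default-parameters context elsewhere in the spec (outside these hunks) would be the place for `it { should_not contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign/) }` and the same for `HostbasedAuthentication` and `StrictHostKeyChecking`; as written, a template change that rendered `EnableSSHKeysign` unconditionally would go unnoticed. The `context` block these assertions belong to starts outside the hunk.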
@@ -1736,6 +1746,111 @@ describe 'ssh' do
 end
 end
+ describe 'with parameter ssh_hostbasedauthentication' do
+ let :facts do
+ default_facts.merge(
+ {
+ }
+ )
+ end
+
+ ['yes','no'].each do |value|
+ context "specified as valid #{value} (as #{value.class})" do
+ let(:params) { { :ssh_hostbasedauthentication => value } }
+
+ it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication #{value}$/) }
+ end
+ end
+
+ ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+ context "specified as invalid value #{value} (as #{value.class})" do
+ let(:params) { { :ssh_hostbasedauthentication => value } }
+
+ if value.is_a?(Array)
+ value = value.join
+ elsif value.is_a?(Hash)
+ value = '{ha => sh}'
+ end
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
+ end
+ end
+ end
+ end
+
+ describe 'with parameter ssh_strict_host_key_checking' do
+ let :facts do
+ default_facts.merge(
+ {
+ }
+ )
+ end
+
+ ['yes','no', 'ask'].each do |value|
+ context "specified as valid #{value} (as #{value.class})" do
+ let(:params) { { :ssh_strict_host_key_checking => value } }
+
+ it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking #{value}$/) }
+ end
+ end
+
+ ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+ context "specified as invalid value #{value} (as #{value.class})" do
+ let(:params) { { :ssh_strict_host_key_checking => value } }
+
+ if value.is_a?(Array)
+ value = value.join
+ elsif value.is_a?(Hash)
+ value = '{ha => sh}'
+ end
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <#{Regexp.escape(value.to_s)}>\./)
+ end
+ end
+ end
+ end
+
+ describe 'with parameter ssh_enable_ssh_keysign' do
+ let :facts do
+ default_facts.merge(
+ {
+ }
+ )
+ end
+
+ ['yes','no'].each do |value|
+ context "specified as valid #{value} (as #{value.class})" do
+ let(:params) { { :ssh_enable_ssh_keysign => value } }
+
+ it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign #{value}$/) }
+ end
+ end
+
+ ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+ context "specified as invalid value #{value} (as #{value.class})" do
+ let(:params) { { :ssh_enable_ssh_keysign => value } }
+
+ if value.is_a?(Array)
+ value = value.join
+ elsif value.is_a?(Hash)
+ value = '{ha => sh}'
+ end
+
+ it 'should fail' do
+ expect {
+ should contain_class('ssh')
+ }.to raise_error(Puppet::Error,/ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
+ end
+ end
+ end
+ end
+
 describe 'with parameter sshd_gssapiauthentication' do
 let :facts do
 default_facts.merge(
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
index f34f435..d83f9ed 100644
--- a/templates/ssh_config.erb
+++ b/templates/ssh_config.erb
@@ -28,11 +28,17 @@ PasswordAuthentication yes
 PubkeyAuthentication yes
 # HostbasedAuthentication no
+<% if @ssh_hostbasedauthentication -%>
+ HostbasedAuthentication <%= @ssh_hostbasedauthentication %>
+<% end -%>
 # BatchMode no
 # CheckHostIP yes
 # AddressFamily any
 # ConnectTimeout 0
 # StrictHostKeyChecking ask
+<% if @ssh_strict_host_key_checking -%>
+ StrictHostKeyChecking <%= @ssh_strict_host_key_checking %>
+<% end -%>
 # IdentityFile ~/.ssh/identity
 IdentityFile ~/.ssh/id_rsa
 IdentityFile ~/.ssh/id_dsa
@@ -90,3 +96,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
 <% if @ssh_config_macs -%>
 MACs <%= @ssh_config_macs.join(',') %>
 <% end -%>
+<% if not @ssh_enable_ssh_keysign.nil? -%>
+# EnableSSHKeysign no
+ EnableSSHKeysign <%= @ssh_enable_ssh_keysign %>
+<% end -%>
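Review bot: The invalid-value contexts never exercise an Array or a Hash: `let(:params)` is lazy, and `value = value.join` / `value = '{ha => sh}'` rebind the block variable that the `let` closes over before it is evaluated, so the manifest receives the strings 'array' and '{ha => sh}' instead of `['array']` and the hash, and the same rebinding is copied into all three describe blocks of this hunk. Computing the expected message into a separate local keeps `value` intact, as below; the constants look chosen to match how Puppet interpolates those types into the error message, so the assertions should still hold once the real objects reach `validate_re`, but run the spec to confirm. The `a = { 'ha' => 'sh' }` element also leaves an unused local `a` behind and can be `{ 'ha' => 'sh' }`, and `default_facts.merge({})` is a no-op that `let(:facts) { default_facts }` expresses directly. The enclosing `describe 'ssh' do` starts before the hunk.
```ruby
['YES', true, 2.42, ['array'], { 'ha' => 'sh' }].each do |value|
  context "specified as invalid value #{value} (as #{value.class})" do
    let(:params) { { :ssh_hostbasedauthentication => value } }

    # Derive the text Puppet puts in the error without rebinding `value`,
    # so the lazy `let` above still hands the original object to the class.
    expected = if value.is_a?(Array)
                 value.join
               elsif value.is_a?(Hash)
                 '{ha => sh}'
               else
                 value.to_s
               end

    it 'should fail' do
      expect {
        should contain_class('ssh')
      }.to raise_error(Puppet::Error, /ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <#{Regexp.escape(expected)}>\./)
    end
  end
end
# … unchanged: same rewrite for the ssh_strict_host_key_checking and ssh_enable_ssh_keysign describe blocks …
```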
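Review bot: `<% if not @ssh_enable_ssh_keysign.nil? -%>` in the @@ -90 hunk is the odd one out: every other conditional in this template, including the two added in the @@ -28 hunk, tests truthiness with `<% if @var -%>`, and since validation only lets 'yes', 'no' or undef through, `<% if @ssh_enable_ssh_keysign -%>` behaves the same and is idiomatic (`unless @ssh_enable_ssh_keysign.nil?` if the explicit nil test is preferred). The `# EnableSSHKeysign no` comment sits inside the conditional, so the documented default only appears in the rendered file when the option is set, whereas the rest of the template keeps the commented default (`# HostbasedAuthentication no`, `# StrictHostKeyChecking ask`) unconditionally; moving that comment above the `<% if` line keeps the rendered ssh_config consistent.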