puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'master' of github.com:ghoneycutt/puppet-module-ssh

Browse Source
This commit is contained in:
Garrett Honeycutt 2016-06-04 14:31:53 -04:00
commit d7d8692d3d
4 changed files with 161 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
README.md
View File

@ -150,6 +150,28 @@ in ssh_config.
- *Default*: undef - *Default*: undef
ssh_hostbasedauthentication
-------------------------
String for HostbasedAuthentication option in ssh_config. Valid values are 'yes' and 'no'.
- *Default*: undef
ssh_strict_host_key_checking
-----------------------------
*string* For StrictHostKeyChecking setting in ssh_config. Valid values are
'yes', 'no' or 'ask'.
- *Default*: undef
ssh_enable_ssh_keysign
-----------------------------
*string* For EnableSSHKeysign setting in ssh_config. Valid values are
'yes' and 'no' or to leave undef which will ensure the setting is not present
in ssh_config.
- *Default*: undef
sshd_addressfamily sshd_addressfamily
---------------- ----------------
Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration. Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration.

14
manifests/init.pp
View File

@ -20,6 +20,8 @@ class ssh (
$ssh_config_forward_agent = undef, $ssh_config_forward_agent = undef,
$ssh_config_server_alive_interval = undef, $ssh_config_server_alive_interval = undef,
$ssh_config_sendenv_xmodifiers = false, $ssh_config_sendenv_xmodifiers = false,
$ssh_hostbasedauthentication = undef,
$ssh_strict_host_key_checking = undef,
$ssh_config_ciphers = undef, $ssh_config_ciphers = undef,
$ssh_config_macs = undef, $ssh_config_macs = undef,
$ssh_config_use_roaming = 'USE_DEFAULTS', $ssh_config_use_roaming = 'USE_DEFAULTS',
@ -45,6 +47,7 @@ class ssh (
$sshd_config_banner = 'none', $sshd_config_banner = 'none',
$sshd_config_ciphers = undef, $sshd_config_ciphers = undef,
$sshd_config_macs = undef, $sshd_config_macs = undef,
$ssh_enable_ssh_keysign = undef,
$sshd_config_allowgroups = [], $sshd_config_allowgroups = [],
$sshd_config_allowusers = [], $sshd_config_allowusers = [],
$sshd_config_denygroups = [], $sshd_config_denygroups = [],
@ -488,6 +491,14 @@ class ssh (
validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.") validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
} }
if $ssh_strict_host_key_checking != undef {
validate_re($ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <${ssh_strict_host_key_checking}>.")
}
if $ssh_enable_ssh_keysign != undef {
validate_re($ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.")
}
if $sshd_config_authkey_location != undef { if $sshd_config_authkey_location != undef {
validate_string($sshd_config_authkey_location) validate_string($sshd_config_authkey_location)
} }
@ -527,6 +538,9 @@ class ssh (
if $sshd_config_strictmodes != undef { if $sshd_config_strictmodes != undef {
validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.") validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.")
} }
if $ssh_hostbasedauthentication != undef {
validate_re($ssh_hostbasedauthentication, '^(yes|no)$', "ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <${ssh_hostbasedauthentication}>.")
}
validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.") validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")

115
spec/classes/init_spec.rb
View File

@ -74,6 +74,7 @@ describe 'ssh' do
'Suse-10-x86_64' => { 'Suse-10-x86_64' => {
:architecture => 'x86_64', :architecture => 'x86_64',
:osfamily => 'Suse', :osfamily => 'Suse',
:operatingsystem => 'SLED',
:operatingsystemrelease => '10.4', :operatingsystemrelease => '10.4',
:ssh_version => 'OpenSSH_5.1p1', :ssh_version => 'OpenSSH_5.1p1',
:ssh_version_numeric => '5.1', :ssh_version_numeric => '5.1',
@ -100,6 +101,7 @@ describe 'ssh' do
'Suse-11-x86_64' => { 'Suse-11-x86_64' => {
:architecture => 'x86_64', :architecture => 'x86_64',
:osfamily => 'Suse', :osfamily => 'Suse',
:operatingsystem => 'SLED',
:operatingsystemrelease => '11.4', :operatingsystemrelease => '11.4',
:ssh_version => 'OpenSSH_6.6.1p1', :ssh_version => 'OpenSSH_6.6.1p1',
:ssh_version_numeric => '6.6', :ssh_version_numeric => '6.6',
@ -126,6 +128,7 @@ describe 'ssh' do
'Suse-12-x86_64' => { 'Suse-12-x86_64' => {
:architecture => 'x86_64', :architecture => 'x86_64',
:osfamily => 'Suse', :osfamily => 'Suse',
:operatingsystem => 'SLED',
:operatingsystemrelease => '12.0', :operatingsystemrelease => '12.0',
:ssh_version => 'OpenSSH_6.6.1p1', :ssh_version => 'OpenSSH_6.6.1p1',
:ssh_version_numeric => '6.6', :ssh_version_numeric => '6.6',
@ -316,6 +319,9 @@ describe 'ssh' do
'hmac-sha1-etm@openssh.com', 'hmac-sha1-etm@openssh.com',
], ],
:ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2', :ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2',
:ssh_hostbasedauthentication => 'yes',
:ssh_strict_host_key_checking => 'ask',
:ssh_enable_ssh_keysign => 'yes',
} }
end end
@ -345,6 +351,9 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) } it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2$/) }
it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication yes$/) }
it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking ask$/) }
it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign yes$/) }
end end
context 'with params used in sshd_config set on valid osfamily' do context 'with params used in sshd_config set on valid osfamily' do
@ -1465,6 +1474,7 @@ describe 'ssh' do
default_facts.merge( default_facts.merge(
{ {
:osfamily => 'Suse', :osfamily => 'Suse',
:operatingsystem => 'SLED',
:fqdn => 'notinhiera.example.com', :fqdn => 'notinhiera.example.com',
:lsbmajdistrelease => '11', :lsbmajdistrelease => '11',
:architecture => 'x86_64', :architecture => 'x86_64',
@ -1736,6 +1746,111 @@ describe 'ssh' do
end end
end end
describe 'with parameter ssh_hostbasedauthentication' do
let :facts do
default_facts.merge(
{
}
)
end
['yes','no'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :ssh_hostbasedauthentication => value } }
it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :ssh_hostbasedauthentication => value } }
if value.is_a?(Array)
value = value.join
elsif value.is_a?(Hash)
value = '{ha => sh}'
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
end
end
end
end
describe 'with parameter ssh_strict_host_key_checking' do
let :facts do
default_facts.merge(
{
}
)
end
['yes','no', 'ask'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :ssh_strict_host_key_checking => value } }
it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :ssh_strict_host_key_checking => value } }
if value.is_a?(Array)
value = value.join
elsif value.is_a?(Hash)
value = '{ha => sh}'
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <#{Regexp.escape(value.to_s)}>\./)
end
end
end
end
describe 'with parameter ssh_enable_ssh_keysign' do
let :facts do
default_facts.merge(
{
}
)
end
['yes','no'].each do |value|
context "specified as valid #{value} (as #{value.class})" do
let(:params) { { :ssh_enable_ssh_keysign => value } }
it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign #{value}$/) }
end
end
['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
context "specified as invalid value #{value} (as #{value.class})" do
let(:params) { { :ssh_enable_ssh_keysign => value } }
if value.is_a?(Array)
value = value.join
elsif value.is_a?(Hash)
value = '{ha => sh}'
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
end
end
end
end
describe 'with parameter sshd_gssapiauthentication' do describe 'with parameter sshd_gssapiauthentication' do
let :facts do let :facts do
default_facts.merge( default_facts.merge(

10
templates/ssh_config.erb
View File

@ -28,11 +28,17 @@
PasswordAuthentication yes PasswordAuthentication yes
PubkeyAuthentication yes PubkeyAuthentication yes
# HostbasedAuthentication no # HostbasedAuthentication no
<% if @ssh_hostbasedauthentication -%>
HostbasedAuthentication <%= @ssh_hostbasedauthentication %>
<% end -%>
# BatchMode no # BatchMode no
# CheckHostIP yes # CheckHostIP yes
# AddressFamily any # AddressFamily any
# ConnectTimeout 0 # ConnectTimeout 0
# StrictHostKeyChecking ask # StrictHostKeyChecking ask
<% if @ssh_strict_host_key_checking -%>
StrictHostKeyChecking <%= @ssh_strict_host_key_checking %>
<% end -%>
# IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa IdentityFile ~/.ssh/id_dsa
@ -90,3 +96,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
<% if @ssh_config_macs -%> <% if @ssh_config_macs -%>
MACs <%= @ssh_config_macs.join(',') %> MACs <%= @ssh_config_macs.join(',') %>
<% end -%> <% end -%>
<% if not @ssh_enable_ssh_keysign.nil? -%>
# EnableSSHKeysign no
EnableSSHKeysign <%= @ssh_enable_ssh_keysign %>
<% end -%>