Add param to manage MaxAuthTries in sshd_config

This commit is contained in:
jthiesfeld 2016-05-25 15:34:00 -05:00 committed by Garrett Honeycutt
parent e29c06349d
commit e1841e04d8
4 changed files with 38 additions and 0 deletions


@ -204,6 +204,12 @@ LogLevel option in sshd_config. Acceptable values are QUIET, FATAL, ERROR, INFO,
- *Default*: 'INFO' - *Default*: 'INFO'
sshd_config_maxauthtries
---------------
MaxAuthTries option in sshd_config. Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
- *Default*: '6'
sshd_config_mode sshd_config_mode
--------------- ---------------
sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris. sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris.


@ -52,6 +52,7 @@ class ssh (
$sshd_config_allowusers = [], $sshd_config_allowusers = [],
$sshd_config_denygroups = [], $sshd_config_denygroups = [],
$sshd_config_denyusers = [], $sshd_config_denyusers = [],
$sshd_config_maxauthtries = undef,
$sshd_config_maxstartups = undef, $sshd_config_maxstartups = undef,
$sshd_config_maxsessions = undef, $sshd_config_maxsessions = undef,
$sshd_config_chrootdirectory = undef, $sshd_config_chrootdirectory = undef,
@ -503,6 +504,12 @@ class ssh (
validate_string($sshd_config_authkey_location) validate_string($sshd_config_authkey_location)
} }
if $sshd_config_maxauthtries != undef {
if is_integer($sshd_config_maxauthtries) == false {
fail("ssh::sshd_config_maxauthtries must be a valid number and is set to <${sshd_config_maxauthtries}>.")
}
}
if $sshd_config_maxstartups != undef { if $sshd_config_maxstartups != undef {
validate_re($sshd_config_maxstartups,'^(\d+)+(\d+?:\d+?:\d+)?$', validate_re($sshd_config_maxstartups,'^(\d+)+(\d+?:\d+?:\d+)?$',
"ssh::sshd_config_maxstartups may be either an integer or three integers separated with colons, such as 10:30:100. Detected value is <${sshd_config_maxstartups}>.") "ssh::sshd_config_maxstartups may be either an integer or three integers separated with colons, such as 10:30:100. Detected value is <${sshd_config_maxstartups}>.")
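Review bot: The guard on the `if is_integer($sshd_config_maxauthtries) == false` line accepts any base-10 integer, including `0` and negatives such as `-1`, because stdlib's is_integer only checks the integer form, not the sign; MaxAuthTries is a per-connection attempt count and a non-positive value is something sshd should never be handed, and whatever sshd does with it is then decided at service start rather than at catalog compile time. Mirroring the maxstartups check that follows, replacing the inner test with `validate_re("${sshd_config_maxauthtries}", '^[1-9]\d*$', "ssh::sshd_config_maxauthtries must be a valid number and is set to <${sshd_config_maxauthtries}>.")` rejects those while still accepting both `6` and `'6'` (the form Hiera usually delivers). Comparing a boolean result with `== false` is also unidiomatic Puppet; `if ! is_integer($sshd_config_maxauthtries)` reads more directly. The class ssh parameter list and validation body continue outside both hunks.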


@ -464,6 +464,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) } it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }
it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) } it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) } it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) } it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
@ -2043,6 +2044,27 @@ describe 'ssh' do
end end
end end
describe 'with paramter sshd_config_maxauthtries specified' do
let :facts do
default_facts.merge(
{
}
)
end
context 'as a valid integer' do
let(:params) { { :sshd_config_maxauthtries => 6}}
it { should contain_file('sshd_config').with_content(/^MaxAuthTries 6$/)}
end
context 'as an invalid type' do
let(:params) {{ :sshd_config_maxauthtries => 'BOGUS'}}
it 'should fail' do
expect{
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_config_maxauthtries must be a valid number and is set to <BOGUS>\./)
end
end
end
describe 'with parameter sshd_config_maxstartups specified' do describe 'with parameter sshd_config_maxstartups specified' do
let :facts do let :facts do
default_facts.merge( default_facts.merge(
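Review bot: The new describe block covers only a positive integer and a non-numeric string, so the boundary the manifest validation actually enforces is not pinned: there is no example for `0`, a negative value, or the integer passed as the string `'6'`, which is how Hiera normally supplies it. A context such as `let(:params) { { :sshd_config_maxauthtries => '6' } }` expecting `/^MaxAuthTries 6$/`, plus one for a negative value asserting the same `raise_error` as the BOGUS case, would document what is and is not accepted. The describe label on the first added line reads `paramter`, while the sibling block immediately below spells it `parameter`. The enclosing `describe 'ssh'` starts and ends outside the hunk.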


@ -62,6 +62,9 @@ PermitRootLogin <%= @permit_root_login %>
StrictModes <%= @sshd_config_strictmodes %> StrictModes <%= @sshd_config_strictmodes %>
<% end -%> <% end -%>
#MaxAuthTries 6 #MaxAuthTries 6
<% if @sshd_config_maxauthtries %>
MaxAuthTries <%= @sshd_config_maxauthtries %>
<% end -%>
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
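Review bot: The opening tag on the `<% if @sshd_config_maxauthtries %>` line lacks the `-` trim marker that the `<% end -%>` below it and the surrounding blocks use, so with Puppet's ERB trim mode the newline after the tag is emitted and a blank line appears before `MaxAuthTries` whenever the parameter is set; `<% if @sshd_config_maxauthtries -%>` keeps the rendered sshd_config consistent with its neighbours. Note also that the Ruby truthiness test passes any non-nil value, including `0`, so the template relies entirely on the manifest's validation to decide what reaches sshd; a short comment above the block saying so would help the next editor.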