From ec91c40a5ae6958c44644205d3aef95c84be0f51 Mon Sep 17 00:00:00 2001
From: gmcgrath
Date: Mon, 21 Jul 2014 02:31:14 -0400
Subject: [PATCH] Ability to use hiera_array for sshd_config's deny/allow users

---
 manifests/init.pp | 50 ++++++++++++++++++++++++++-------------
 templates/sshd_config.erb | 8 +++----
 2 files changed, 38 insertions(+), 20 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index fc5765c..5de46f5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -366,22 +366,6 @@ class ssh (
 validate_array($sshd_config_macs)
 }
- if $sshd_config_denyusers != undef {
- validate_array($sshd_config_denyusers)
- }
-
- if $sshd_config_denygroups != undef {
- validate_array($sshd_config_denygroups)
- }
-
- if $sshd_config_allowusers != undef {
- validate_array($sshd_config_allowusers)
- }
-
- if $sshd_config_allowgroups != undef {
- validate_array($sshd_config_allowgroups)
- }
-
 if $ssh_config_hash_known_hosts_real != undef {
 validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
 }
@@ -499,6 +483,40 @@ class ssh (
 $supported_loglevel_vals=['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE']
 validate_re($sshd_config_loglevel, $supported_loglevel_vals)
+#enable hiera merging for allow groups and allow users
+ if $hiera_merge_real == true {
+ $real_sshd_config_denygroups = hiera_array('ssh::sshd_config_denygroups', undef)
+ $real_sshd_config_denyusers = hiera_array('ssh::sshd_config_denyusers', undef)
+ $real_sshd_config_allowgroups = hiera_array('ssh::sshd_config_allowgroups', undef)
+ $real_sshd_config_allowusers = hiera_array('ssh::sshd_config_allowusers', undef)
+ }
+ else{
+ $real_sshd_config_denygroups = $sshd_config_denygroups
+ $real_sshd_config_denyusers = $sshd_config_denyusers
+ $real_sshd_config_allowgroups = $sshd_config_allowgroups
+ $real_sshd_config_allowusers = $sshd_config_allowusers
+ }
+
+
+ if $real_sshd_config_denyusers != undef {
+ validate_array($real_sshd_config_denyusers)
+ }
+
+ if $real_sshd_config_denygroups != undef {
+ validate_array($real_sshd_config_denygroups)
+ }
+
+ if $real_sshd_config_allowusers != undef {
+ validate_array($real_sshd_config_allowusers)
+ }
+
+ if $real_sshd_config_allowgroups != undef {
+ validate_array($real_sshd_config_allowgroups)
+ }
+
+
 package { $packages_real:
 ensure => installed,
 source => $ssh_package_source_real,
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 1b1bc63..40c41bd 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
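Review bot: When `$hiera_merge_real` is true the four `hiera_array` lookups replace the class parameters outright, so a list passed as `sshd_config_allowusers` (or any of the other three) on the class declaration is silently discarded, and a node whose hiera data lacks the `ssh::sshd_config_*` keys ends up with no allow/deny restriction at all, which for an access list is a fail-open outcome. That contract should at least be documented on the parameters (the parameter docs and the rest of class `ssh` lie outside the hunk), or the lookup should fall back to the explicitly given parameter when hiera yields nothing. On style, the `#enable hiera merging for allow groups and allow users` comment sits at column 0 and mentions only the allow lists although the block also resolves the deny lists; `# Resolve the allow/deny user and group lists, merging across the hiera hierarchy when hiera_merge is on` would describe it. `else{` should read `else {`, and the runs of added blank lines before and after the validation block can go.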
@@ -167,14 +167,14 @@ Ciphers <%= @sshd_config_ciphers.join(',') %>
 MACs <%= @sshd_config_macs.join(',') %>
 <% end -%>
 <% if @sshd_config_denyusers -%>
-DenyUsers <%= @sshd_config_denyusers.join(' ') %>
+DenyUsers <%= @real_sshd_config_denyusers.join(' ') %>
 <% end -%>
 <% if @sshd_config_denygroups -%>
-DenyGroups <%= @sshd_config_denygroups.join(' ') %>
+DenyGroups <%= @real_sshd_config_denygroups.join(' ') %>
 <% end -%>
 <% if @sshd_config_allowusers -%>
-AllowUsers <%= @sshd_config_allowusers.join(' ') %>
+AllowUsers <%= @real_sshd_config_allowusers.join(' ') %>
 <% end -%>
 <% if @sshd_config_allowgroups -%>
-AllowGroups <%= @sshd_config_allowgroups.join(' ') %>
+AllowGroups <%= @real_sshd_config_allowgroups.join(' ') %>
 <% end -%>
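Review bot: The four `<% if @sshd_config_denyusers -%>` style guards still test the un-merged class parameter while the line each one wraps now renders `@real_sshd_config_denyusers` (and likewise for denygroups, allowusers and allowgroups). With hiera merging enabled and the lists supplied only through hiera, the parameter is undef, the guard is false and no DenyUsers/DenyGroups/AllowUsers/AllowGroups directive is written, so the intended login restriction silently never reaches sshd_config; in the reverse case (parameter set, merged value undef) the guard passes and `.join` on nil aborts the catalog compile. Each guard should test the variable it renders, e.g. `<% if @real_sshd_config_denyusers -%>`, and a spec that supplies the lists only via hiera and checks the rendered file for the directive would catch this regression.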