diff --git a/README.md b/README.md index 8174610..8c52b43 100644 --- a/README.md +++ b/README.md @@ -300,6 +300,12 @@ Array of macs for the MACs setting in sshd_config. - *Default*: undef +sshd_config_denyusers +--------------------- +Array of users for the DenyUsers setting in sshd_config. + +- *Default*: undef + keys ---- Hash of keys for user's ~/.ssh/authorized_keys diff --git a/manifests/init.pp b/manifests/init.pp index a65598b..b6cca09 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -39,6 +39,7 @@ class ssh ( $sshd_config_banner = 'none', $sshd_config_ciphers = undef, $sshd_config_macs = undef, + $sshd_config_denyusers = undef, $sshd_banner_content = undef, $sshd_banner_owner = 'root', $sshd_banner_group = 'root', @@ -347,6 +348,10 @@ class ssh ( validate_array($sshd_config_macs) } + if $sshd_config_denyusers != undef { + validate_array($sshd_config_denyusers) + } + if $ssh_config_hash_known_hosts_real != undef { validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.") } diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 4e3af10..29deb87 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -84,6 +84,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_service('sshd_service').with({ @@ -198,6 +199,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_service('sshd_service').with({ @@ -294,6 +296,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_service('sshd_service').with({ @@ -389,6 +392,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_service('sshd_service').with({ @@ -491,6 +495,7 @@ describe 'ssh' do it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) } + it { should contain_file('ssh_config').without_content(/^\s*DenyUsers/) } it { should contain_service('sshd_service').with({ @@ -593,6 +598,7 @@ describe 'ssh' do it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_service('sshd_service').with({ @@ -695,6 +701,7 @@ describe 'ssh' do it { should_not contain_file('sshd_config').with_content(/^StrictModes/) } it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) } it { should contain_file('sshd_config').without_content(/^\s*MACs/) } + it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) } it { should contain_service('sshd_service').with({ @@ -829,6 +836,9 @@ describe 'ssh' do :sshd_config_macs => [ 'hmac-md5-etm@openssh.com', 'hmac-sha1-etm@openssh.com', ], + :sshd_config_denyusers => [ 'root', + 'lusers', + ], } end @@ -872,6 +882,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) } it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } + it { should contain_file('sshd_config').with_content(/^\s*DenyUsers root lusers$/) } it { should contain_file('sshd_banner').with({ @@ -1006,6 +1017,26 @@ describe 'ssh' do end end + [true,'invalid'].each do |denyusers| + context "with sshd_config_denyusers set to invalid value #{denyusers}" do + let(:params) { { :sshd_config_denyusers => denyusers } } + + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + [true,'invalid'].each do |macs| context "with sshd_config_macs set to invalid value #{macs}" do let(:params) { { :sshd_config_macs => macs } } diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index d24343c..a553505 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -165,3 +165,6 @@ Ciphers <%= @sshd_config_ciphers.join(',') %> <% if @sshd_config_macs -%> MACs <%= @sshd_config_macs.join(',') %> <% end -%> +<% if @sshd_config_denyusers -%> +DenyUsers <%= @sshd_config_denyusers.join(' ') %> +<% end -%>