puppet/ssh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #73 from ghoneycutt/sshd_config_denyusers

Browse Source 
Add ability to specify DenyUsers in sshd_config
This commit is contained in:
Garrett Honeycutt 2014-05-29 10:37:20 -04:00
commit f362fe3f90
4 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -300,6 +300,12 @@ Array of macs for the MACs setting in sshd_config.
- *Default*: undef
sshd_config_denyusers
---------------------
Array of users for the DenyUsers setting in sshd_config.
- *Default*: undef
keys
----
Hash of keys for user's ~/.ssh/authorized_keys

5
manifests/init.pp
View File

@ -39,6 +39,7 @@ class ssh (
$sshd_config_banner = 'none',
$sshd_config_ciphers = undef,
$sshd_config_macs = undef,
$sshd_config_denyusers = undef,
$sshd_banner_content = undef,
$sshd_banner_owner = 'root',
$sshd_banner_group = 'root',
@ -347,6 +348,10 @@ class ssh (
validate_array($sshd_config_macs)
}
if $sshd_config_denyusers != undef {
validate_array($sshd_config_denyusers)
}
if $ssh_config_hash_known_hosts_real != undef {
validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
}

31
spec/classes/init_spec.rb
View File

@ -84,6 +84,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it {
should contain_service('sshd_service').with({
@ -198,6 +199,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it {
should contain_service('sshd_service').with({
@ -294,6 +296,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it {
should contain_service('sshd_service').with({
@ -389,6 +392,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it {
should contain_service('sshd_service').with({
@ -491,6 +495,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
it { should contain_file('ssh_config').without_content(/^\s*DenyUsers/) }
it {
should contain_service('sshd_service').with({
@ -593,6 +598,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it {
should contain_service('sshd_service').with({
@ -695,6 +701,7 @@ describe 'ssh' do
it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
it {
should contain_service('sshd_service').with({
@ -829,6 +836,9 @@ describe 'ssh' do
:sshd_config_macs => [ 'hmac-md5-etm@openssh.com',
'hmac-sha1-etm@openssh.com',
],
:sshd_config_denyusers => [ 'root',
'lusers',
],
}
end
@ -872,6 +882,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
it { should contain_file('sshd_config').with_content(/^\s*DenyUsers root lusers$/) }
it {
should contain_file('sshd_banner').with({
@ -1006,6 +1017,26 @@ describe 'ssh' do
end
end
[true,'invalid'].each do |denyusers|
context "with sshd_config_denyusers set to invalid value #{denyusers}" do
let(:params) { { :sshd_config_denyusers => denyusers } }
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error)
end
end
end
[true,'invalid'].each do |macs|
context "with sshd_config_macs set to invalid value #{macs}" do
let(:params) { { :sshd_config_macs => macs } }

3
templates/sshd_config.erb
View File

@ -165,3 +165,6 @@ Ciphers <%= @sshd_config_ciphers.join(',') %>
<% if @sshd_config_macs -%>
MACs <%= @sshd_config_macs.join(',') %>
<% end -%>
<% if @sshd_config_denyusers -%>
DenyUsers <%= @sshd_config_denyusers.join(' ') %>
<% end -%>