Merge pull request #149 from ghoneycutt/use_roaming

Use roaming
Garrett Honeycutt 2016-01-17 14:30:42 -05:00
commit f3b35f94f0
5 changed files with 98 additions and 2 deletions


@ -8,9 +8,9 @@ end
gem 'metadata-json-lint' gem 'metadata-json-lint'
gem 'puppetlabs_spec_helper', '>= 0.1.0' gem 'puppetlabs_spec_helper', '>= 0.1.0'
gem 'puppet-lint', '>= 1.0.0'
gem 'facter', '>= 1.7.0' gem 'facter', '>= 1.7.0'
gem 'rspec-puppet', '~> 2.0' gem 'rspec-puppet'
gem 'puppet-lint', :git => 'https://github.com/rodjek/puppet-lint.git'
gem 'puppet-lint-absolute_classname-check' gem 'puppet-lint-absolute_classname-check'
gem 'puppet-lint-alias-check' gem 'puppet-lint-alias-check'
gem 'puppet-lint-empty_string-check' gem 'puppet-lint-empty_string-check'
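Review bot: The new `gem 'puppet-lint', :git => 'https://github.com/rodjek/puppet-lint.git'` line tracks the repository head with no `:ref`, `:tag` or `:branch`, so each bundle install may resolve to different, unreviewed code, and the loosened `gem 'rspec-puppet'` (previously `'~> 2.0'`) is now unconstrained as well. Pin the git source to a known commit, e.g. `gem 'puppet-lint', :git => 'https://github.com/rodjek/puppet-lint.git', :ref => '<commit sha>'`, and keep a version constraint on rspec-puppet unless a newer major is actually required. A one-line comment above the git line naming the unreleased fix being picked up would tell the next maintainer when the pin can return to a released version.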


@ -340,6 +340,16 @@ This module sets this option to 'yes' on Linux and undef on Solaris.
- *Default*: 'USE_DEFAULTS' - *Default*: 'USE_DEFAULTS'
ssh_config_use_roaming
----------------------
String to enable or disable UseRoaming in client configuration ssh_config.
Valid values are 'yes', 'no' and 'unset'. Using 'unset' will not use (print)
this configuration parameter at all. Default is set to 'no' on Linux and
'unset' on Solaris. If you have OpenSSH >= version 5.4, this should be set to
'no' to mitigate CVE-2016-0777 and CVE-2016-0778.
- *Default*: 'USE_DEFAULTS'
sshd_client_alive_interval sshd_client_alive_interval
-------------------------- --------------------------
ClientAliveInterval in sshd_config. ClientAliveInterval in sshd_config.


@ -22,6 +22,7 @@ class ssh (
$ssh_config_sendenv_xmodifiers = false, $ssh_config_sendenv_xmodifiers = false,
$ssh_config_ciphers = undef, $ssh_config_ciphers = undef,
$ssh_config_macs = undef, $ssh_config_macs = undef,
$ssh_config_use_roaming = 'USE_DEFAULTS',
$ssh_config_template = 'ssh/ssh_config.erb', $ssh_config_template = 'ssh/ssh_config.erb',
$ssh_sendenv = 'USE_DEFAULTS', $ssh_sendenv = 'USE_DEFAULTS',
$ssh_gssapiauthentication = 'yes', $ssh_gssapiauthentication = 'yes',
@ -107,6 +108,7 @@ class ssh (
$default_ssh_package_source = undef $default_ssh_package_source = undef
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_ssh_config_use_roaming = 'no'
$default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server'
$default_sshd_config_mode = '0600' $default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes' $default_sshd_config_use_dns = 'yes'
@ -127,6 +129,7 @@ class ssh (
$default_ssh_package_source = undef $default_ssh_package_source = undef
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_ssh_config_use_roaming = 'no'
$default_ssh_config_forward_x11_trusted = 'yes' $default_ssh_config_forward_x11_trusted = 'yes'
$default_sshd_config_mode = '0600' $default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes' $default_sshd_config_use_dns = 'yes'
@ -164,6 +167,7 @@ class ssh (
$default_ssh_package_source = undef $default_ssh_package_source = undef
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_ssh_sendenv = true $default_ssh_sendenv = true
$default_ssh_config_use_roaming = 'no'
$default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server'
$default_sshd_config_mode = '0600' $default_sshd_config_mode = '0600'
$default_sshd_config_use_dns = 'yes' $default_sshd_config_use_dns = 'yes'
@ -181,6 +185,7 @@ class ssh (
$default_ssh_config_hash_known_hosts = undef $default_ssh_config_hash_known_hosts = undef
$default_ssh_sendenv = false $default_ssh_sendenv = false
$default_ssh_config_forward_x11_trusted = undef $default_ssh_config_forward_x11_trusted = undef
$default_ssh_config_use_roaming = 'unset'
$default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server'
$default_sshd_config_mode = '0644' $default_sshd_config_mode = '0644'
$default_sshd_config_use_dns = undef $default_sshd_config_use_dns = undef
@ -337,6 +342,12 @@ class ssh (
$sshd_gssapicleanupcredentials_real = $sshd_gssapicleanupcredentials $sshd_gssapicleanupcredentials_real = $sshd_gssapicleanupcredentials
} }
if $ssh_config_use_roaming == 'USE_DEFAULTS' {
$ssh_config_use_roaming_real = $default_ssh_config_use_roaming
} else {
$ssh_config_use_roaming_real = $ssh_config_use_roaming
}
if $ssh_sendenv == 'USE_DEFAULTS' { if $ssh_sendenv == 'USE_DEFAULTS' {
$ssh_sendenv_real = $default_ssh_sendenv $ssh_sendenv_real = $default_ssh_sendenv
} else { } else {
@ -433,6 +444,9 @@ class ssh (
if $sshd_config_serverkeybits_real != undef { if $sshd_config_serverkeybits_real != undef {
if is_integer($sshd_config_serverkeybits_real) == false { fail("ssh::sshd_config_serverkeybits must be an integer and is set to <${sshd_config_serverkeybits}>.") } if is_integer($sshd_config_serverkeybits_real) == false { fail("ssh::sshd_config_serverkeybits must be an integer and is set to <${sshd_config_serverkeybits}>.") }
} }
if $ssh_config_use_roaming_real != undef {
validate_re($ssh_config_use_roaming_real, '^(yes|no|unset)$', "ssh::ssh_config_use_roaming may be either 'yes', 'no' or 'unset' and is set to <${$ssh_config_use_roaming}>.")
}
if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") } if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
if is_integer($sshd_client_alive_count_max) == false { fail("ssh::sshd_client_alive_count_max must be an integer and is set to <${sshd_client_alive_count_max}>.") } if is_integer($sshd_client_alive_count_max) == false { fail("ssh::sshd_client_alive_count_max must be an integer and is set to <${sshd_client_alive_count_max}>.") }
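Review bot: The guard `if $ssh_config_use_roaming_real != undef {` around `validate_re` lets an explicitly undef `ssh_config_use_roaming` skip validation while every other off-list value is rejected, and since `$ssh_config_use_roaming_real` is always assigned from either `$default_ssh_config_use_roaming` or the parameter, the guard appears to add nothing but that gap; calling `validate_re($ssh_config_use_roaming_real, '^(yes|no|unset)$', ...)` unconditionally would make the accepted set exactly the documented one. The message also interpolates `<${$ssh_config_use_roaming}>` with a doubled sigil where the neighbouring messages use `<${sshd_config_serverkeybits}>`; it parses, but aligning it avoids a reader stopping on it. Separately, the README hunk in this commit ties the directive to OpenSSH >= 5.4, yet the three Linux `$default_ssh_config_use_roaming = 'no'` lines apply regardless of the installed client version; if an older client treats an unknown keyword as a fatal configuration error (OpenSSH's usual behaviour), the new default would break ssh on such hosts, so a version gate or at least a note on the parameter seems warranted. The enclosing `class ssh` starts and ends outside these hunks.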


@ -59,6 +59,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should contain_file('ssh_config').with_content(/^\s*UseRoaming no$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { it {
@ -204,6 +205,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should contain_file('ssh_config').without_content(/^\s*UseRoaming/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
@ -326,6 +328,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should contain_file('ssh_config').without_content(/^\s*UseRoaming/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
@ -446,6 +449,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should contain_file('ssh_config').without_content(/^\s*UseRoaming/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
@ -567,6 +571,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should contain_file('ssh_config').with_content(/^\s*UseRoaming no$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
@ -695,6 +700,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should contain_file('ssh_config').with_content(/^\s*UseRoaming no$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
@ -825,6 +831,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').without_content(/^\s*ForwardAgent$/) } it { should contain_file('ssh_config').without_content(/^\s*ForwardAgent$/) }
it { should contain_file('ssh_config').without_content(/^\s*ForwardX11$/) } it { should contain_file('ssh_config').without_content(/^\s*ForwardX11$/) }
it { should contain_file('ssh_config').with_content(/^\s*UseRoaming no$/) }
it { should contain_file('ssh_config').without_content(/^\s*ServerAliveInterval$/) } it { should contain_file('ssh_config').without_content(/^\s*ServerAliveInterval$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
@ -953,6 +960,7 @@ describe 'ssh' do
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
it { should contain_file('ssh_config').with_content(/^\s*UseRoaming no$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) } it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
it { should contain_file('ssh_config').without_content(/^\s*MACs/) } it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
@ -1062,6 +1070,7 @@ describe 'ssh' do
:ssh_config_hash_known_hosts => 'yes', :ssh_config_hash_known_hosts => 'yes',
:ssh_config_forward_agent => 'yes', :ssh_config_forward_agent => 'yes',
:ssh_config_forward_x11 => 'yes', :ssh_config_forward_x11 => 'yes',
:ssh_config_use_roaming => 'yes',
:ssh_config_server_alive_interval => '300', :ssh_config_server_alive_interval => '300',
:ssh_config_sendenv_xmodifiers => true, :ssh_config_sendenv_xmodifiers => true,
:ssh_config_ciphers => [ 'aes128-cbc', :ssh_config_ciphers => [ 'aes128-cbc',
@ -1099,6 +1108,7 @@ describe 'ssh' do
it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) } it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) }
it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) } it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) }
it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) } it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
it { should contain_file('ssh_config').with_content(/^\s*UseRoaming yes$/) }
it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) } it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) }
it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) } it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) }
it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
@ -3440,4 +3450,63 @@ describe 'ssh' do
end end
end end
end end
describe 'with parameter ssh_config_use_roaming' do
let(:facts) { { :osfamily => 'RedHat' } }
['yes','no','unset'].each do |value|
context "set to valid value #{value}" do
let(:params) { { :ssh_config_use_roaming => value } }
if value == 'unset'
it { should contain_file('ssh_config').without_content(/^\s*UseRoaming/) }
else
it { should contain_file('ssh_config').with_content(/^\s*UseRoaming #{value}$/) }
end
end
end
end
describe 'variable type and content validations' do
# set needed custom facts and variables
let(:facts) do
{
:osfamily => 'RedHat',
}
end
let(:mandatory_params) do
{
#:param => 'value',
}
end
validations = {
'regex (yes|no|unset)' => {
:name => %w(ssh_config_use_roaming),
:valid => ['yes', 'no', 'unset'],
:invalid => ['string', %w(array), { 'ha' => 'sh' }, 3, 2.42, true, false, nil],
:message => 'may be either \'yes\', \'no\' or \'unset\'',
},
}
validations.sort.each do |type, var|
var[:name].each do |var_name|
var[:params] = {} if var[:params].nil?
var[:valid].each do |valid|
context "when #{var_name} (#{type}) is set to valid #{valid} (as #{valid.class})" do
let(:params) { [mandatory_params, var[:params], { :"#{var_name}" => valid, }].reduce(:merge) }
it { should compile }
end
end
var[:invalid].each do |invalid|
context "when #{var_name} (#{type}) is set to invalid #{invalid} (as #{invalid.class})" do
let(:params) { [mandatory_params, var[:params], { :"#{var_name}" => invalid, }].reduce(:merge) }
it 'should fail' do
expect { should contain_class(subject) }.to raise_error(Puppet::Error, /#{var[:message]}/)
end
end
end
end # var[:name].each
end # validations.sort.each
end # describe 'variable type and content validations'
end end
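Review bot: The `:invalid` list under `'regex (yes|no|unset)'` includes `nil`, but the manifest only runs `validate_re` when `$ssh_config_use_roaming_real != undef`; if rspec-puppet passes `nil` into the catalog as undef, that example compiles cleanly and the `should fail` expectation would not hold, so either drop `nil` from the list or have the manifest validate unconditionally. `['yes','no','unset'].each do |value|` would read better as `%w[yes no unset].each do |value|`, matching the `%w(ssh_config_use_roaming)` form used a few lines below. The `validations` table drives a single parameter here; a comment such as `# table-driven so further regex-validated parameters can be added as entries` would explain why the loop machinery is worth its size. The enclosing `describe 'ssh'` block starts outside this hunk.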


@ -72,6 +72,9 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
<% if @ssh_config_forward_x11 != nil -%> <% if @ssh_config_forward_x11 != nil -%>
ForwardX11 <%= @ssh_config_forward_x11 %> ForwardX11 <%= @ssh_config_forward_x11 %>
<% end -%> <% end -%>
<% if (@ssh_config_use_roaming_real == 'yes') or (@ssh_config_use_roaming_real == 'no') -%>
UseRoaming <%= @ssh_config_use_roaming_real %>
<% end -%>
<% if @ssh_config_server_alive_interval != nil -%> <% if @ssh_config_server_alive_interval != nil -%>
ServerAliveInterval <%= @ssh_config_server_alive_interval %> ServerAliveInterval <%= @ssh_config_server_alive_interval %>
<% end -%> <% end -%>
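Review bot: `<% if (@ssh_config_use_roaming_real == 'yes') or (@ssh_config_use_roaming_real == 'no') -%>` relies on the low-precedence `or` keyword, which only behaves here because both operands are parenthesised; the idiomatic `<% if %w[yes no].include?(@ssh_config_use_roaming_real) -%>` removes the trap. Any value outside 'yes'/'no' is silently dropped by this condition, so a comment above it, `<%# UseRoaming is emitted only for 'yes'/'no'; 'unset' (the Solaris default) omits the directive -%>`, would make the three-way contract visible in the template itself. The surrounding template continues outside this hunk.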