Add configurable param X11UseLocalhost to sshd_config

Bosse Andersson 2016-09-06 16:55:37 +02:00 committed by Bo Andersson
parent aacf3a7470
commit f41d7966ab
11 changed files with 29 additions and 0 deletions


@ -376,6 +376,13 @@ X11Forwarding in sshd_config. Specifies whether X11 forwarding is permitted.
- *Default*: 'yes' - *Default*: 'yes'
sshd_x11_use_localhost
----------------------
X11UseLocalhost in sshd_config. Specifies if sshd should bind the X11 forwarding server
to the loopback address or to the wildcard address.
- *Default*: 'yes'
sshd_use_pam sshd_use_pam
------------ ------------
UsePam in sshd_config. UsePam in sshd_config.


@ -72,6 +72,7 @@ class ssh (
$sshd_password_authentication = 'yes', $sshd_password_authentication = 'yes',
$sshd_allow_tcp_forwarding = 'yes', $sshd_allow_tcp_forwarding = 'yes',
$sshd_x11_forwarding = 'yes', $sshd_x11_forwarding = 'yes',
$sshd_x11_use_localhost = 'yes',
$sshd_use_pam = 'USE_DEFAULTS', $sshd_use_pam = 'USE_DEFAULTS',
$sshd_client_alive_count_max = '3', $sshd_client_alive_count_max = '3',
$sshd_client_alive_interval = '0', $sshd_client_alive_interval = '0',
@ -502,6 +503,7 @@ class ssh (
validate_re($sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.") validate_re($sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.")
validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.") validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.") validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
validate_re($sshd_x11_use_localhost, '^(yes|no)$', "ssh::sshd_x11_use_localhost may be either 'yes' or 'no' and is set to <${sshd_x11_use_localhost}>.")
if $sshd_use_pam_real != undef { if $sshd_use_pam_real != undef {
validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
} }
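Review bot: The added `validate_re` for `$sshd_x11_use_localhost` uses `'^(yes|no)$'`, and validate_re compiles a Ruby regex, where `^` and `$` anchor per line rather than per string. A value with an embedded newline whose first line is `yes` would therefore presumably pass and reach the sshd_config template as extra lines. Anchoring the whole string closes that: `validate_re($sshd_x11_use_localhost, '\A(yes|no)\z', ...)`. The neighbouring checks for `sshd_password_authentication`, `sshd_allow_tcp_forwarding` and `sshd_x11_forwarding` visible in this hunk share the pattern, and a spec case with a multi-line value would pin the behaviour; the class body continues outside the hunk.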


@ -394,6 +394,7 @@ describe 'ssh' do
:sshd_pubkeyauthentication => 'no', :sshd_pubkeyauthentication => 'no',
:sshd_allow_tcp_forwarding => 'no', :sshd_allow_tcp_forwarding => 'no',
:sshd_x11_forwarding => 'no', :sshd_x11_forwarding => 'no',
:sshd_x11_use_localhost => 'no',
:sshd_use_pam => 'no', :sshd_use_pam => 'no',
:sshd_client_alive_interval => '242', :sshd_client_alive_interval => '242',
:sshd_config_serverkeybits => '1024', :sshd_config_serverkeybits => '1024',
@ -461,6 +462,7 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^KerberosAuthentication no$/) } it { should contain_file('sshd_config').with_content(/^KerberosAuthentication no$/) }
it { should contain_file('sshd_config').with_content(/^AllowTcpForwarding no$/) } it { should contain_file('sshd_config').with_content(/^AllowTcpForwarding no$/) }
it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) } it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
it { should contain_file('sshd_config').with_content(/^X11UseLocalhost no$/) }
it { should contain_file('sshd_config').with_content(/^UsePAM no$/) } it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) } it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
@ -948,6 +950,16 @@ describe 'ssh' do
end end
end end
context 'with sshd_x11_use_localhost set to invalid value on valid osfamily' do
let(:params) { { :sshd_x11_use_localhost => 'invalid' } }
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/ssh::sshd_x11_use_localhost may be either \'yes\' or \'no\' and is set to <invalid>\./)
end
end
context 'with sshd_use_pam set to invalid value on valid osfamily' do context 'with sshd_use_pam set to invalid value on valid osfamily' do
let(:params) { { :sshd_use_pam => 'invalid' } } let(:params) { { :sshd_use_pam => 'invalid' } }


@ -107,6 +107,7 @@ AllowTcpForwarding yes
X11Forwarding yes X11Forwarding yes
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
PrintMotd yes PrintMotd yes
#PrintLastLog yes #PrintLastLog yes


@ -107,6 +107,7 @@ AllowTcpForwarding yes
X11Forwarding yes X11Forwarding yes
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
PrintMotd yes PrintMotd yes
#PrintLastLog yes #PrintLastLog yes


@ -107,6 +107,7 @@ AllowTcpForwarding yes
X11Forwarding yes X11Forwarding yes
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
PrintMotd yes PrintMotd yes
#PrintLastLog yes #PrintLastLog yes


@ -96,6 +96,7 @@ AllowTcpForwarding yes
X11Forwarding yes X11Forwarding yes
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
PrintMotd yes PrintMotd yes
#PrintLastLog yes #PrintLastLog yes


@ -107,6 +107,7 @@ AllowTcpForwarding yes
X11Forwarding yes X11Forwarding yes
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
PrintMotd yes PrintMotd yes
#PrintLastLog yes #PrintLastLog yes


@ -107,6 +107,7 @@ AllowTcpForwarding yes
X11Forwarding yes X11Forwarding yes
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
PrintMotd yes PrintMotd yes
#PrintLastLog yes #PrintLastLog yes


@ -110,6 +110,7 @@ AllowTcpForwarding yes
X11Forwarding yes X11Forwarding yes
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
PrintMotd yes PrintMotd yes
#PrintLastLog yes #PrintLastLog yes


@ -161,6 +161,7 @@ AllowTcpForwarding <%= @sshd_allow_tcp_forwarding %>
X11Forwarding <%= @sshd_x11_forwarding %> X11Forwarding <%= @sshd_x11_forwarding %>
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
X11UseLocalhost <%= @sshd_x11_use_localhost %>
#PrintMotd yes #PrintMotd yes
PrintMotd <%= @sshd_config_print_motd %> PrintMotd <%= @sshd_config_print_motd %>
#PrintLastLog yes #PrintLastLog yes
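Review bot: The new `X11UseLocalhost <%= @sshd_x11_use_localhost %>` line has no comment telling an operator what `no` does. With `no`, sshd binds the X11 forwarding listener to the wildcard address, so the proxy display is reachable from other hosts instead of only from loopback. A template comment above the line would carry that without changing the rendered file, e.g. `<%# 'no' binds the X11 proxy display to the wildcard address; keep 'yes' unless a legacy X11 client needs it -%>`. The README entry for `sshd_x11_use_localhost` in this commit names both bind targets but does not say which is the safer setting, and the same sentence would fit there.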