From f41d7966ab3db06531962f4e900469ade56045e3 Mon Sep 17 00:00:00 2001 From: Bosse Andersson Date: Tue, 6 Sep 2016 16:55:37 +0200 Subject: [PATCH] Add configurable param X11UseLocalhost to sshd_config --- README.md | 7 +++++++ manifests/init.pp | 2 ++ spec/classes/init_spec.rb | 12 ++++++++++++ spec/fixtures/sshd_config_debian | 1 + spec/fixtures/sshd_config_rhel | 1 + spec/fixtures/sshd_config_sles_12_x86_64 | 1 + spec/fixtures/sshd_config_solaris | 1 + spec/fixtures/sshd_config_suse_i386 | 1 + spec/fixtures/sshd_config_suse_x86_64 | 1 + spec/fixtures/sshd_config_ubuntu1604 | 1 + templates/sshd_config.erb | 1 + 11 files changed, 29 insertions(+) diff --git a/README.md b/README.md index 0f5c667..f773f03 100644 --- a/README.md +++ b/README.md @@ -376,6 +376,13 @@ X11Forwarding in sshd_config. Specifies whether X11 forwarding is permitted. - *Default*: 'yes' +sshd_x11_use_localhost +---------------------- +X11UseLocalhost in sshd_config. Specifies if sshd should bind the X11 forwarding server +to the loopback address or to the wildcard address. + +- *Default*: 'yes' + sshd_use_pam ------------ UsePam in sshd_config. diff --git a/manifests/init.pp b/manifests/init.pp index 4716e4e..4811efe 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -72,6 +72,7 @@ class ssh ( $sshd_password_authentication = 'yes', $sshd_allow_tcp_forwarding = 'yes', $sshd_x11_forwarding = 'yes', + $sshd_x11_use_localhost = 'yes', $sshd_use_pam = 'USE_DEFAULTS', $sshd_client_alive_count_max = '3', $sshd_client_alive_interval = '0', 
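Review bot: The new `$sshd_x11_use_localhost = 'yes',` parameter in the init.pp hunk is introduced without any statement of what its non-default value exposes, and the README text added alongside it describes the two bind choices but not the consequence. Per sshd_config(5), `X11UseLocalhost no` binds the X11 forwarding proxy to the wildcard address, so the forwarded display becomes reachable from other hosts instead of only from the server itself; the default of 'yes' kept here matches the `#X11UseLocalhost yes` compiled-in default visible in the fixtures and is the right choice. I would extend the README entry with a sentence such as `Leave at 'yes' unless legacy X11 clients that cannot use the loopback display require 'no'; 'no' exposes the forwarded display to remote hosts.` The parameter list and the README entry are the only places this commit documents the option, so one of them should carry that caveat.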
@@ -502,6 +503,7 @@ class ssh (
 validate_re($sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.")
 validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
 validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
+ validate_re($sshd_x11_use_localhost, '^(yes|no)$', "ssh::sshd_x11_use_localhost may be either 'yes' or 'no' and is set to <${sshd_x11_use_localhost}>.")
 if $sshd_use_pam_real != undef {
 validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
 }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index aa9a00d..8bc96e8 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -394,6 +394,7 @@ describe 'ssh' do
 :sshd_pubkeyauthentication => 'no',
 :sshd_allow_tcp_forwarding => 'no',
 :sshd_x11_forwarding => 'no',
+ :sshd_x11_use_localhost => 'no',
 :sshd_use_pam => 'no',
 :sshd_client_alive_interval => '242',
 :sshd_config_serverkeybits => '1024',
@@ -461,6 +462,7 @@ describe 'ssh' do
 it { should contain_file('sshd_config').with_content(/^KerberosAuthentication no$/) }
 it { should contain_file('sshd_config').with_content(/^AllowTcpForwarding no$/) }
 it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
+ it { should contain_file('sshd_config').with_content(/^X11UseLocalhost no$/) }
 it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
 it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
 it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
@@ -948,6 +950,16 @@ describe 'ssh' do end end + context 'with sshd_x11_use_localhost set to invalid value on valid osfamily' do + let(:params) { { :sshd_x11_use_localhost => 'invalid' } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/ssh::sshd_x11_use_localhost may be either \'yes\' or \'no\' and is set to \./) + end + end + context 'with sshd_use_pam set to invalid value on valid osfamily' do let(:params) { { :sshd_use_pam => 'invalid' } } diff --git a/spec/fixtures/sshd_config_debian b/spec/fixtures/sshd_config_debian index 5f6e587..b0d9d02 100644 --- a/spec/fixtures/sshd_config_debian +++ b/spec/fixtures/sshd_config_debian @@ -107,6 +107,7 @@ AllowTcpForwarding yes X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes +X11UseLocalhost yes #PrintMotd yes PrintMotd yes #PrintLastLog yes diff --git a/spec/fixtures/sshd_config_rhel b/spec/fixtures/sshd_config_rhel index 901b4e9..7f4e7bd 100644 --- a/spec/fixtures/sshd_config_rhel +++ b/spec/fixtures/sshd_config_rhel @@ -107,6 +107,7 @@ AllowTcpForwarding yes X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes +X11UseLocalhost yes #PrintMotd yes PrintMotd yes #PrintLastLog yes diff --git a/spec/fixtures/sshd_config_sles_12_x86_64 b/spec/fixtures/sshd_config_sles_12_x86_64 index bad554d..2d27b90 100644 --- a/spec/fixtures/sshd_config_sles_12_x86_64 +++ b/spec/fixtures/sshd_config_sles_12_x86_64 @@ -107,6 +107,7 @@ AllowTcpForwarding yes X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes +X11UseLocalhost yes #PrintMotd yes PrintMotd yes #PrintLastLog yes diff --git a/spec/fixtures/sshd_config_solaris b/spec/fixtures/sshd_config_solaris index 1b934c6..c4f0a25 100644 --- a/spec/fixtures/sshd_config_solaris +++ b/spec/fixtures/sshd_config_solaris @@ -96,6 +96,7 @@ AllowTcpForwarding yes X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes +X11UseLocalhost yes #PrintMotd yes PrintMotd yes #PrintLastLog yes 
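Review bot: The expectation in the new `it 'should fail'` block, as printed here, cannot match the message the manifest raises: the `validate_re` call in manifests/init.pp formats it as `... and is set to <invalid>.`, while the pattern ends in `and is set to \./`, which requires the period to follow `set to ` directly. Angle-bracket text is often dropped when a patch is rendered as a page, so if the committed regex actually reads `and is set to <invalid>\./` there is nothing to change; otherwise that is the pattern the spec needs, and the neighbouring invalid-value contexts would deserve the same check. The `\'` escapes inside the `/.../` literal are also unnecessary and can be plain `'`.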
diff --git a/spec/fixtures/sshd_config_suse_i386 b/spec/fixtures/sshd_config_suse_i386
index bad554d..2d27b90 100644
--- a/spec/fixtures/sshd_config_suse_i386
+++ b/spec/fixtures/sshd_config_suse_i386
@@ -107,6 +107,7 @@ AllowTcpForwarding yes
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
+X11UseLocalhost yes
 #PrintMotd yes
 PrintMotd yes
 #PrintLastLog yes
diff --git a/spec/fixtures/sshd_config_suse_x86_64 b/spec/fixtures/sshd_config_suse_x86_64
index 4e47b68..b9092aa 100644
--- a/spec/fixtures/sshd_config_suse_x86_64
+++ b/spec/fixtures/sshd_config_suse_x86_64
@@ -107,6 +107,7 @@ AllowTcpForwarding yes
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
+X11UseLocalhost yes
 #PrintMotd yes
 PrintMotd yes
 #PrintLastLog yes
diff --git a/spec/fixtures/sshd_config_ubuntu1604 b/spec/fixtures/sshd_config_ubuntu1604
index 85643c8..7d7ad87 100644
--- a/spec/fixtures/sshd_config_ubuntu1604
+++ b/spec/fixtures/sshd_config_ubuntu1604
@@ -110,6 +110,7 @@ AllowTcpForwarding yes
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
+X11UseLocalhost yes
 #PrintMotd yes
 PrintMotd yes
 #PrintLastLog yes
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 3a80b63..313581c 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -161,6 +161,7 @@ AllowTcpForwarding <%= @sshd_allow_tcp_forwarding %>
 X11Forwarding <%= @sshd_x11_forwarding %>
 #X11DisplayOffset 10
 #X11UseLocalhost yes
+X11UseLocalhost <%= @sshd_x11_use_localhost %>
 #PrintMotd yes
 PrintMotd <%= @sshd_config_print_motd %>
 #PrintLastLog yes