Merge pull request #85 from diddi-/sshd_hostkey

Add support for changing HostKey option in sshd_config
2014-10-21 11:49:05 -04:00 · 2014-10-21 11:49:05 -04:00 · fadfa3b3bc
commit fadfa3b3bc
parent 9a958b749a 2dfe01c0e3
4 changed files with 61 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -208,6 +208,12 @@ Specify location of authorized_keys file. Default is to not specify.

 - *Default*: undef

+sshd_config_hostkey
+----------------------------
+Specify an array of server side HostKey files to use. Default is to use only /etc/ssh/ssh_host_rsa_key
+
+- *Default*: /etc/ssh/ssh_host_rsa_key
+
 sshd_config_strictmodes
 ----------------------------
 Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. Valid values are yes and no.
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -64,6 +64,7 @@ class ssh (
  $sshd_pamauthenticationviakbdint  = 'USE_DEFAULTS',
  $sshd_gssapicleanupcredentials    = 'USE_DEFAULTS',
  $sshd_acceptenv                   = 'USE_DEFAULTS',
+  $sshd_config_hostkey              = 'USE_DEFAULTS',
  $service_ensure                   = 'running',
  $service_name                     = 'USE_DEFAULTS',
  $service_enable                   = 'true',
@ -98,6 +99,7 @@ class ssh (
      $default_sshd_acceptenv                  = true
      $default_service_hasstatus               = true
      $default_sshd_config_serverkeybits       = '1024'
+      $default_sshd_config_hostkey             = [ '/etc/ssh/ssh_host_rsa_key' ]
    }
    'Suse': {
      $default_packages                        = 'openssh'
@ -117,6 +119,7 @@ class ssh (
      $default_sshd_acceptenv                  = true
      $default_service_hasstatus               = true
      $default_sshd_config_serverkeybits       = '1024'
+      $default_sshd_config_hostkey             = [ '/etc/ssh/ssh_host_rsa_key' ]
      case $::architecture {
        'x86_64': {
          $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
@ -149,6 +152,7 @@ class ssh (
      $default_sshd_acceptenv                  = true
      $default_service_hasstatus               = true
      $default_sshd_config_serverkeybits       = '1024'
+      $default_sshd_config_hostkey             = [ '/etc/ssh/ssh_host_rsa_key' ]
    }
    'Solaris': {
      $default_ssh_config_hash_known_hosts     = undef
@ -165,6 +169,7 @@ class ssh (
      $default_sshd_acceptenv                  = false
      $default_sshd_config_serverkeybits       = '768'
      $default_ssh_package_adminfile           = undef
+      $default_sshd_config_hostkey             = [ '/etc/ssh/ssh_host_rsa_key' ]
      case $::kernelrelease {
        '5.11': {
          $default_packages                      = ['network/ssh',
@ -335,6 +340,14 @@ class ssh (
    }
  }

+  if $sshd_config_hostkey == 'USE_DEFAULTS' {
+    $sshd_config_hostkey_real = $default_sshd_config_hostkey
+  } else {
+    validate_array($sshd_config_hostkey)
+    validate_absolute_path(join($sshd_config_hostkey))
+    $sshd_config_hostkey_real = $sshd_config_hostkey
+  }
+
  if $service_hasstatus == 'USE_DEFAULTS' {
    $service_hasstatus_real = $default_service_hasstatus
  } else {
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@ -855,6 +855,9 @@ describe 'ssh' do
        :sshd_config_serverkeybits       => '1024',
        :sshd_client_alive_count_max     => '0',
        :sshd_config_authkey_location    => '.ssh/authorized_keys',
+        :sshd_config_hostkey             => [ '/etc/ssh/ssh_host_rsa_key',
+                                              '/etc/ssh/ssh_host_dsa_key',
+        ],
        :sshd_config_strictmodes         => 'yes',
        :sshd_config_ciphers             => [ 'aes128-cbc',
                                              '3des-cbc',
@ -915,11 +918,12 @@ describe 'ssh' do
    it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) }
    it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
    it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
-    it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
    it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) }
    it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
    it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
    it { should contain_file('sshd_config').with_content(/^AuthorizedKeysFile .ssh\/authorized_keys/) }
+    it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
+    it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
    it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
    it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
    it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
@ -1459,6 +1463,39 @@ describe 'ssh' do
    end
  end

+  context 'with sshd_config_hostkey set to invalid value on valid osfamily' do
+    let(:params) { { :sshd_config_hostkey => false } }
+    let(:facts) do
+      { :fqdn      => 'monkey.example.com',
+        :osfamily  => 'RedHat',
+        :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+      }
+    end
+
+    it 'should fail' do
+      expect {
+        should contain_class('ssh')
+      }.to raise_error(Puppet::Error,/is not an Array/)
+    end
+  end
+
+  context 'with sshd_config_hostkey set to invalid path on valid osfamily' do
+    let(:params) { { :sshd_config_hostkey => ['not_a_path'] } }
+    let(:facts) do
+      { :fqdn      => 'monkey.example.com',
+        :osfamily  => 'RedHat',
+        :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+      }
+    end
+
+    it 'should fail' do
+      expect {
+        should contain_class('ssh')
+      }.to raise_error(Puppet::Error,/is not an absolute path./)
+    end
+  end
+
+
  context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do
    let :facts do
      {
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@ -24,8 +24,11 @@ Protocol 2
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
+<% @sshd_config_hostkey_real.each do |hostkey| -%>
+HostKey <%= hostkey %>
+<% end -%>

 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h