Merge pull request #85 from diddi-/sshd_hostkey

Add support for changing HostKey option in sshd_config
This commit is contained in:
Garrett Honeycutt 2014-10-21 11:49:05 -04:00
commit fadfa3b3bc
4 changed files with 61 additions and 2 deletions


@ -208,6 +208,12 @@ Specify location of authorized_keys file. Default is to not specify.
- *Default*: undef - *Default*: undef
sshd_config_hostkey
----------------------------
Specify an array of server side HostKey files to use. Default is to use only /etc/ssh/ssh_host_rsa_key
- *Default*: /etc/ssh/ssh_host_rsa_key
sshd_config_strictmodes sshd_config_strictmodes
---------------------------- ----------------------------
Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. Valid values are yes and no. Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. Valid values are yes and no.


@ -64,6 +64,7 @@ class ssh (
$sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS',
$sshd_gssapicleanupcredentials = 'USE_DEFAULTS', $sshd_gssapicleanupcredentials = 'USE_DEFAULTS',
$sshd_acceptenv = 'USE_DEFAULTS', $sshd_acceptenv = 'USE_DEFAULTS',
$sshd_config_hostkey = 'USE_DEFAULTS',
$service_ensure = 'running', $service_ensure = 'running',
$service_name = 'USE_DEFAULTS', $service_name = 'USE_DEFAULTS',
$service_enable = 'true', $service_enable = 'true',
@ -98,6 +99,7 @@ class ssh (
$default_sshd_acceptenv = true $default_sshd_acceptenv = true
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024' $default_sshd_config_serverkeybits = '1024'
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
} }
'Suse': { 'Suse': {
$default_packages = 'openssh' $default_packages = 'openssh'
@ -117,6 +119,7 @@ class ssh (
$default_sshd_acceptenv = true $default_sshd_acceptenv = true
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024' $default_sshd_config_serverkeybits = '1024'
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
case $::architecture { case $::architecture {
'x86_64': { 'x86_64': {
$default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server' $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
@ -149,6 +152,7 @@ class ssh (
$default_sshd_acceptenv = true $default_sshd_acceptenv = true
$default_service_hasstatus = true $default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024' $default_sshd_config_serverkeybits = '1024'
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
} }
'Solaris': { 'Solaris': {
$default_ssh_config_hash_known_hosts = undef $default_ssh_config_hash_known_hosts = undef
@ -165,6 +169,7 @@ class ssh (
$default_sshd_acceptenv = false $default_sshd_acceptenv = false
$default_sshd_config_serverkeybits = '768' $default_sshd_config_serverkeybits = '768'
$default_ssh_package_adminfile = undef $default_ssh_package_adminfile = undef
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
case $::kernelrelease { case $::kernelrelease {
'5.11': { '5.11': {
$default_packages = ['network/ssh', $default_packages = ['network/ssh',
@ -335,6 +340,14 @@ class ssh (
} }
} }
if $sshd_config_hostkey == 'USE_DEFAULTS' {
$sshd_config_hostkey_real = $default_sshd_config_hostkey
} else {
validate_array($sshd_config_hostkey)
validate_absolute_path(join($sshd_config_hostkey))
$sshd_config_hostkey_real = $sshd_config_hostkey
}
if $service_hasstatus == 'USE_DEFAULTS' { if $service_hasstatus == 'USE_DEFAULTS' {
$service_hasstatus_real = $default_service_hasstatus $service_hasstatus_real = $default_service_hasstatus
} else { } else {
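Review bot: `validate_absolute_path(join($sshd_config_hostkey))` on the added line in the last hunk checks the concatenation of all entries rather than each entry, so an array such as `['/etc/ssh/ssh_host_rsa_key', 'not_a_path']` joins to a string starting with `/` and is accepted, and the relative key path then lands in sshd_config unnoticed. stdlib's `validate_absolute_path` accepts an array and checks every element, so the join can simply be dropped: `validate_absolute_path($sshd_config_hostkey)`. The join currently rejects an empty array only as a side effect (`''` is not an absolute path); once the join goes, an explicit guard such as `if empty($sshd_config_hostkey) { fail('ssh::sshd_config_hostkey must contain at least one path') }` keeps an empty array from producing a sshd_config with no HostKey line. The `if` block is complete within the hunk; the enclosing class ssh continues outside it.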


@ -855,6 +855,9 @@ describe 'ssh' do
:sshd_config_serverkeybits => '1024', :sshd_config_serverkeybits => '1024',
:sshd_client_alive_count_max => '0', :sshd_client_alive_count_max => '0',
:sshd_config_authkey_location => '.ssh/authorized_keys', :sshd_config_authkey_location => '.ssh/authorized_keys',
:sshd_config_hostkey => [ '/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_dsa_key',
],
:sshd_config_strictmodes => 'yes', :sshd_config_strictmodes => 'yes',
:sshd_config_ciphers => [ 'aes128-cbc', :sshd_config_ciphers => [ 'aes128-cbc',
'3des-cbc', '3des-cbc',
@ -915,11 +918,12 @@ describe 'ssh' do
it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) }
it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) } it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
it { should contain_file('sshd_config').with_content(/^AuthorizedKeysFile .ssh\/authorized_keys/) } it { should contain_file('sshd_config').with_content(/^AuthorizedKeysFile .ssh\/authorized_keys/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) } it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
@ -1459,6 +1463,39 @@ describe 'ssh' do
end end
end end
context 'with sshd_config_hostkey set to invalid value on valid osfamily' do
let(:params) { { :sshd_config_hostkey => false } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/is not an Array/)
end
end
context 'with sshd_config_hostkey set to invalid path on valid osfamily' do
let(:params) { { :sshd_config_hostkey => ['not_a_path'] } }
let(:facts) do
{ :fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/is not an absolute path./)
end
end
context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do
let :facts do let :facts do
{ {
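Review bot: The "invalid path" context in the last hunk only exercises a single-element array (`['not_a_path']`), which does not cover the case the manifest's join-based check lets through: an array whose first entry is absolute and a later entry is not. A sibling context with `let(:params) { { :sshd_config_hostkey => ['/etc/ssh/ssh_host_rsa_key', 'not_a_path'] } }` expecting the same `raise_error(Puppet::Error,/is not an absolute path./)` would pin per-element validation. In the second hunk the two new assertions `with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/)` and the dsa twin drop the `$` anchor that the line they appear to replace had, so any trailing suffix on the rendered path would still match; keep the anchor on both. The enclosing describe block starts and ends outside these hunks.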


@ -24,8 +24,11 @@ Protocol 2
# HostKey for protocol version 1 # HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key #HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2 # HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_dsa_key
<% @sshd_config_hostkey_real.each do |hostkey| -%>
HostKey <%= hostkey %>
<% end -%>
# Lifetime and size of ephemeral version 1 server key # Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h #KeyRegenerationInterval 1h
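Review bot: The loop added after the commented examples now emits every `HostKey` line, but the surviving `# HostKeys for protocol version 2` comment and the two commented-out `#HostKey` lines above it still read as if the rsa key were selected here, which is misleading to an operator auditing the rendered file. A one-line comment ahead of the loop, `# HostKey entries are managed by the sshd_config_hostkey class parameter`, makes the source of the list explicit. If `@sshd_config_hostkey_real` is empty the loop emits no HostKey line at all and sshd falls back to its built-in defaults; that is presumably acceptable, but worth stating in the README entry for the parameter. The rest of the template is outside the hunk.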