Showing with 493 additions and 39 deletions.

+1 −1 Modulefile

+84 −31 README.md

+41 −3 manifests/init.pp

+353 −0 spec/classes/init_spec.rb

+3 −0 templates/ssh_config.erb

+11 −4 templates/sshd_config.erb
diff --git a/Modulefile b/Modulefile
@@ -1,5 +1,5 @@
 name    'ghoneycutt-ssh'
-version '2.4.0'
+version '2.5.0'
 source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
 author 'ghoneycutt'
 license 'Apache License, Version 2.0'

diff --git a/README.md b/README.md
@@ -19,36 +19,6 @@ This module has been tested to work on the following systems with Puppet v3.
 
 # Parameters #
 
-keys
-----
-Hash of keys for user's ~/.ssh/authorized_keys
-
-- *Default*: undefined
-
-packages
---------
-Array of package names used for installation.
-
-- *Default*: 'openssh-server', 'openssh-server', 'openssh-clients'
-
-permit_root_login
------------------
-Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', 'no'.
-
-- *Default*: no
-
-purge_keys
-----------
-Remove keys not managed by puppet.
-
-- *Default*: 'true'
-
-manage_firewall
----------------
-Open firewall for SSH service.
-
-- *Default*: false
-
 ssh_config_path
 ---------------
 Path to ssh_config.
@@ -91,6 +61,12 @@ ServerAliveInterval option in ssh_config. Not set by default.
 
 - *Default*: undef
 
+ssh_config_sendenv_xmodifiers
+-----------------------
+Set 'SendEnv XMODIFIERS' in ssh_config.
+
+- *Default*: false
+
 sshd_config_path
 ----------------
 Path to sshd_config.
@@ -163,6 +139,83 @@ Path to sftp file transfer subsystem in sshd_config.
 
 - *Default*: '/usr/libexec/openssh/sftp-server'
 
+
+sshd_password_authentication
+-----------------------------
+PasswordAuthentication in sshd_config.
+Specifies whether password authentication is allowed.
+
+- *Default*: 'yes'
+
+sshd_allow_tcp_forwarding
+-------------------------
+AllowTcpForwarding in sshd_config.
+Specifies whether TCP forwarding is permitted.
+
+- *Default*: 'yes'
+
+sshd_x11_forwarding
+-------------------
+X11Forwarding in sshd_config.
+Specifies whether X11 forwarding is permitted.
+
+- *Default*: 'no'
+
+sshd_use_pam
+------------
+UsePam in sshd_config.
+Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM
+authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition
+to PAM account and session module processing for all authentication types.
+
+- *Default*: 'no'
+
+sshd_client_alive_interval
+--------------------------
+ClientAliveInterval in sshd_config.
+Sets a timeout interval in seconds after which if no data has been received from the client,
+sshd(8) will send a message through the encrypted channel to request a response from the
+client. The default is 0, indicating that these messages will not be sent to the client.
+This option applies to protocol version 2 only.
+
+- *Default*: '0'
+
+sshd_config_sendenv_xmodifiers
+-----------------------
+Set 'SendEnv XMODIFIERS' in sshd_config.
+
+- *Default*: false
+
+keys
+----
+Hash of keys for user's ~/.ssh/authorized_keys
+
+- *Default*: undefined
+
+packages
+--------
+Array of package names used for installation.
+
+- *Default*: 'openssh-server', 'openssh-server', 'openssh-clients'
+
+permit_root_login
+-----------------
+Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-only', 'no'.
+
+- *Default*: no
+
+purge_keys
+----------
+Remove keys not managed by puppet.
+
+- *Default*: 'true'
+
+manage_firewall
+---------------
+Open firewall for SSH service.
+
+- *Default*: false
+
 service_ensure
 --------------
 Ensure SSH service is running. Valid values are 'stopped' and 'running'.
@@ -217,8 +270,8 @@ Content of root's ~/.ssh/config.
 
 - *Default*: "# This file is being maintained by Puppet.\n# DO NOT EDIT\n"
 
-===
 
+===
 # Manage user's ssh_authorized_keys
 This works by passing the ssh::keys hash to the ssh_authorized_keys type with create_resources(). Because of this, you may specify any valid parameter for ssh_authorized_key. See the [Type Reference](http://docs.puppetlabs.com/references/stable/type.html#ssh_authorized_key) for a complete list.
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -14,6 +14,7 @@
   $ssh_config_forward_x11           = undef,
   $ssh_config_forward_agent         = undef,
   $ssh_config_server_alive_interval = undef,
+  $ssh_config_sendenv_xmodifiers    = false,
   $sshd_config_path                 = '/etc/ssh/sshd_config',
   $sshd_config_owner                = 'root',
   $sshd_config_group                = 'root',
@@ -26,6 +27,7 @@
   $sshd_config_banner               = 'none',
   $sshd_config_xauth_location       = '/usr/bin/xauth',
   $sshd_config_subsystem_sftp       = 'USE_DEFAULTS',
+  $sshd_config_sendenv_xmodifiers   = false,
   $service_ensure                   = 'running',
   $service_name                     = 'USE_DEFAULTS',
   $service_enable                   = 'true',
@@ -36,14 +38,50 @@
   $keys                             = undef,
   $manage_root_ssh_config           = 'false',
   $root_ssh_config_content          = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
+  $sshd_password_authentication     = 'yes',
+  $sshd_allow_tcp_forwarding        = 'yes',
+  $sshd_x11_forwarding              = 'yes',
+  $sshd_use_pam                     = 'yes',
+  $sshd_client_alive_interval       = '0',
 ) {
 
+  # validate params
+  validate_re($sshd_password_authentication, '^(yes|no)$', "sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.")
+  validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
+  validate_re($sshd_x11_forwarding, '^(yes|no)$', "sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
+  validate_re($sshd_use_pam, '^(yes|no)$', "sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam}>.")
+  if is_integer($sshd_client_alive_interval) == false { fail("sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
+
+  case type($ssh_config_sendenv_xmodifiers) {
+    'string': {
+      $ssh_config_sendenv_xmodifiers_real = str2bool($ssh_config_sendenv_xmodifiers)
+    }
+    'boolean': {
+      $ssh_config_sendenv_xmodifiers_real = $ssh_config_sendenv_xmodifiers
+    }
+    default: {
+      fail("ssh_config_sendenv_xmodifiers type must be true or false.")
+    }
+  }
+
+  case type($sshd_config_sendenv_xmodifiers) {
+    'string': {
+      $sshd_config_sendenv_xmodifiers_real = str2bool($sshd_config_sendenv_xmodifiers)
+    }
+    'boolean': {
+      $sshd_config_sendenv_xmodifiers_real = $sshd_config_sendenv_xmodifiers
+    }
+    default: {
+      fail("sshd_config_sendenv_xmodifiers type must be true or false.")
+    }
+  }
+
   case $permit_root_login {
     'no', 'yes', 'without-password', 'forced-commands-only': {
       # noop
     }
     default: {
-      fail("permit_root_login may be either 'yes', 'without-password', 'forced-commands-only' or 'no' and is set to ${permit_root_login}")
+      fail("permit_root_login may be either 'yes', 'without-password', 'forced-commands-only' or 'no' and is set to <${permit_root_login}>")
     }
   }
 
@@ -55,7 +93,7 @@
       $key = $::sshdsakey
     }
     default: {
-      fail("ssh_key_type must be 'ssh-rsa', 'rsa', 'ssh-dsa', or 'dsa' and is ${ssh_key_type}")
+      fail("ssh_key_type must be 'ssh-rsa', 'rsa', 'ssh-dsa', or 'dsa' and is <${ssh_key_type}>")
     }
   }
 
@@ -64,7 +102,7 @@
       # noop
     }
     default: {
-      fail("purge_keys must be 'true' or 'false' and is ${purge_keys}")
+      fail("purge_keys must be 'true' or 'false' and is <${purge_keys}>")
     }
   }