Showing with 56 additions and 10 deletions.

+1 −0 .fixtures.yml

+2 −0 .travis.yml

+2 −2 Modulefile

+6 −0 README.md

+5 −0 manifests/init.pp

+9 −8 metadata.json

+28 −0 spec/classes/init_spec.rb

+3 −0 templates/sshd_config.erb
diff --git a/.fixtures.yml b/.fixtures.yml
@@ -8,5 +8,6 @@ fixtures:
       ref: 'v1.0.2'
     firewall:
       repo: 'git://github.com/puppetlabs/puppetlabs-firewall.git'
+      ref: '0.2.1'
   symlinks:
     ssh: "#{source_dir}"
diff --git a/.travis.yml b/.travis.yml
@@ -2,6 +2,8 @@
 env:
 - PUPPET_VERSION=3.3.2
 - PUPPET_VERSION=3.4.2
+- PUPPET_VERSION=3.5.1
+- PUPPET_VERSION=3.6.0
 notifications:
 email: false
 rvm:

diff --git a/Modulefile b/Modulefile
@@ -1,5 +1,5 @@
 name    'ghoneycutt-ssh'
-version '3.10.0'
+version '3.11.0'
 source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
 author 'ghoneycutt'
 license 'Apache License, Version 2.0'
@@ -9,4 +9,4 @@ project_page 'https://github.com/ghoneycutt/puppet-module-ssh'
 
 dependency 'puppetlabs/stdlib',   '>= 3.2.0'
 dependency 'ghoneycutt/common',   '>= 1.0.2'
-dependency 'puppetlabs/firewall'
+dependency 'puppetlabs/firewall', '>= 0.2.1'
diff --git a/README.md b/README.md
@@ -167,6 +167,12 @@ Specify location of authorized_keys file. Default is to not specify.
 
 - *Default*: undef
 
+sshd_config_strictmodes
+----------------------------
+Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. Valid values are yes and no.
+
+- *Default*: undef
+
 sshd_config_banner
 ------------------
 Banner option in sshd_config.

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -32,6 +32,7 @@
   $sshd_config_print_motd           = 'yes',
   $sshd_config_use_dns              = 'USE_DEFAULTS',
   $sshd_config_authkey_location     = undef,
+  $sshd_config_strictmodes          = undef,
   $sshd_config_banner               = 'none',
   $sshd_banner_content              = undef,
   $sshd_banner_owner                = 'root',
@@ -353,6 +354,10 @@
     validate_string($sshd_config_authkey_location)
   }
 
+  if $sshd_config_strictmodes != undef {
+    validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.")
+  }
+
   case type($hiera_merge) {
     'string': {
       validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.")

diff --git a/metadata.json b/metadata.json
@@ -66,7 +66,7 @@
     }
   ],
   "name": "ghoneycutt-ssh",
-  "version": "3.10.0",
+  "version": "3.11.0",
   "source": "git://github.com/ghoneycutt/puppet-module-ssh.git",
   "author": "ghoneycutt",
   "license": "Apache License, Version 2.0",
@@ -83,7 +83,8 @@
       "version_requirement": ">= 1.0.2"
     },
     {
-      "name": "puppetlabs/firewall"
+      "name": "puppetlabs/firewall",
+      "version_requirement": ">= 0.2.1"
     }
   ],
   "types": [
@@ -94,14 +95,14 @@
     "Gemfile": "6992d521994d948eb6e48acd733a07bf",
     "Gemfile.lock": "44926a4ba8c7b0f743f80b5428f68602",
     "LICENSE": "567e6cc3941d464d60c74d1f4abd5f46",
-    "Modulefile": "ef6767f25726fe378913ea8f88dc097d",
-    "README.md": "2739cdd6115cb712fe4d55e478a0c296",
+    "Modulefile": "7bd54a30f18985b17b6c081b048fc46d",
+    "README.md": "66e9b1a4cbb986dd7539695eb2b199f7",
     "Rakefile": "8ff6a0f7db638421d1742c5d365d0266",
-    "manifests/init.pp": "07418faad419147d9812da263ebc0752",
-    "spec/classes/init_spec.rb": "7ee09d72141365fbe0c7d58e01612d34",
+    "manifests/init.pp": "747e85d8bbfc62f9e9919e26d8e614e1",
+    "spec/classes/init_spec.rb": "a9a24bc66c920b5724cff2baacb14720",
     "spec/spec_helper.rb": "3ea886dd135e120afa31e0aab12e85b0",
     "templates/ssh_config.erb": "9aaeaeb5931fc7fc4b82a89098441387",
-    "templates/sshd_config.erb": "f7e701d2b44ca6737b838690d0d2ca77",
+    "templates/sshd_config.erb": "48de672e1a2696b060cfb31b07da4ad4",
     "tests/init.pp": "423466ae46899d6a0480aa9910b096d2"
   }
-}
+}
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -77,6 +77,7 @@
     it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) }
     it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange no$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
+    it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
     it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
 
     it {
@@ -186,6 +187,7 @@
     it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
     it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
+    it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -276,6 +278,7 @@
     it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
     it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
+    it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -365,6 +368,7 @@
     it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) }
     it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
+    it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -461,6 +465,7 @@
     it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
     it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
+    it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -557,6 +562,7 @@
     it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
     it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
+    it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -653,6 +659,7 @@
     it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
     it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
+    it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -761,6 +768,7 @@
         :sshd_client_alive_interval      => '242',
         :sshd_client_alive_count_max     => '0',
         :sshd_config_authkey_location    => '.ssh/authorized_keys',
+        :sshd_config_strictmodes         => 'yes',
       }
     end
 
@@ -800,6 +808,7 @@
     it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) }
     it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
     it { should contain_file('sshd_config').with_content(/^AuthorizedKeysFile .ssh\/authorized_keys/) }
+    it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
 
     it {
       should contain_file('sshd_banner').with({
@@ -1058,7 +1067,26 @@
       }.to raise_error(Puppet::Error,/is not a string/)
     end
   end
+
+  context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do
+    let :facts do
+      {
+        :fqdn      => 'monkey.example.com',
+        :osfamily  => 'RedHat',
+        :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+      }
+    end
+    let :params do
+      { :sshd_config_strictmodes => 'invalid' }
+    end
 
+    it 'should fail' do
+      expect {
+        should contain_class('ssh')
+      }.to raise_error(Puppet::Error,/^ssh::sshd_config_strictmodes may be either \'yes\' or \'no\' and is set to <invalid>\./)
+    end
+  end
+
   context 'with sshd_banner_content set and with default value on sshd_config_banner on valid osfamily' do
     let(:params) { { :sshd_banner_content => 'textinbanner' } }
     let :facts do

diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
@@ -44,6 +44,9 @@ LoginGraceTime <%= @sshd_config_login_grace_time %>
 #PermitRootLogin yes
 PermitRootLogin <%= @permit_root_login %>
 #StrictModes yes
+<% if @sshd_config_strictmodes -%>
+StrictModes <%= @sshd_config_strictmodes %>
+<% end -%>
 #MaxAuthTries 6
 
 #RSAAuthentication yes