Showing with 60 additions and 10 deletions.

+1 −1 Modulefile

+6 −0 README.md

+14 −0 manifests/init.pp

+6 −6 metadata.json

+30 −2 spec/classes/init_spec.rb

+3 −1 templates/sshd_config.erb
diff --git a/Modulefile b/Modulefile
@@ -1,5 +1,5 @@
 name    'ghoneycutt-ssh'
-version '3.11.0'
+version '3.12.0'
 source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
 author 'ghoneycutt'
 license 'Apache License, Version 2.0'

diff --git a/README.md b/README.md
@@ -173,6 +173,12 @@ Specifies whether sshd should check file modes and ownership of the user's files
 
 - *Default*: undef
 
+sshd_config_serverkeybits
+----------------------------
+Defines the number of bits in the ephemeral protocol version 1 server key.  The minimum value is 512, and the default is 1024 except for Solaris default value is 768. 
+
+- *Default*: '1024' except for Solaris which is '768'
+
 sshd_config_banner
 ------------------
 Banner option in sshd_config.

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -33,6 +33,7 @@
   $sshd_config_use_dns              = 'USE_DEFAULTS',
   $sshd_config_authkey_location     = undef,
   $sshd_config_strictmodes          = undef,
+  $sshd_config_serverkeybits        = 'USE_DEFAULTS',
   $sshd_config_banner               = 'none',
   $sshd_banner_content              = undef,
   $sshd_banner_owner                = 'root',
@@ -84,6 +85,7 @@
       $default_sshd_gssapicleanupcredentials   = 'yes'
       $default_sshd_acceptenv                  = true
       $default_service_hasstatus               = true
+      $default_sshd_config_serverkeybits       = '1024'
     }
     'Suse': {
       $default_packages                        = 'openssh'
@@ -102,6 +104,7 @@
       $default_sshd_gssapicleanupcredentials   = 'yes'
       $default_sshd_acceptenv                  = true
       $default_service_hasstatus               = true
+      $default_sshd_config_serverkeybits       = '1024'
       case $::architecture {
         'x86_64': {
           $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server'
@@ -133,6 +136,7 @@
       $default_sshd_gssapicleanupcredentials   = 'yes'
       $default_sshd_acceptenv                  = true
       $default_service_hasstatus               = true
+      $default_sshd_config_serverkeybits       = '1024'
     }
     'Solaris': {
       $default_packages                        = ['SUNWsshcu',
@@ -154,6 +158,7 @@
       $default_sshd_pamauthenticationviakbdint = 'yes'
       $default_sshd_gssapicleanupcredentials   = undef
       $default_sshd_acceptenv                  = false
+      $default_sshd_config_serverkeybits       = '768'
       case $::kernelrelease {
         '5.10','5.11': {
           $default_service_name      = 'ssh'
@@ -237,6 +242,12 @@
     $sshd_use_pam_real = $sshd_use_pam
   }
 
+  if $sshd_config_serverkeybits == 'USE_DEFAULTS' {
+    $sshd_config_serverkeybits_real = $default_sshd_config_serverkeybits
+  } else {
+    $sshd_config_serverkeybits_real = $sshd_config_serverkeybits
+  }
+
   if $ssh_config_forward_x11_trusted == 'USE_DEFAULTS' {
     $ssh_config_forward_x11_trusted_real = $default_ssh_config_forward_x11_trusted
   } else {
@@ -326,6 +337,9 @@
   if $sshd_use_pam_real != undef {
     validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.")
   }
+  if $sshd_config_serverkeybits_real != undef {
+    if is_integer($sshd_config_serverkeybits_real) == false { fail("ssh::sshd_config_serverkeybits must be an integer and is set to <${sshd_config_serverkeybits}>.") }
+  }
   if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
   if is_integer($sshd_client_alive_count_max) == false { fail("ssh::sshd_client_alive_count_max must be an integer and is set to <${sshd_client_alive_count_max}>.") }
 

diff --git a/metadata.json b/metadata.json
@@ -66,7 +66,7 @@
     }
   ],
   "name": "ghoneycutt-ssh",
-  "version": "3.11.0",
+  "version": "3.12.0",
   "source": "git://github.com/ghoneycutt/puppet-module-ssh.git",
   "author": "ghoneycutt",
   "license": "Apache License, Version 2.0",
@@ -95,14 +95,14 @@
     "Gemfile": "6992d521994d948eb6e48acd733a07bf",
     "Gemfile.lock": "44926a4ba8c7b0f743f80b5428f68602",
     "LICENSE": "567e6cc3941d464d60c74d1f4abd5f46",
-    "Modulefile": "7bd54a30f18985b17b6c081b048fc46d",
-    "README.md": "66e9b1a4cbb986dd7539695eb2b199f7",
+    "Modulefile": "02f7ca273c079ae5b30053ca7ac82da6",
+    "README.md": "84baff5347b0fbae6b8fee5f4d20924b",
     "Rakefile": "8ff6a0f7db638421d1742c5d365d0266",
-    "manifests/init.pp": "747e85d8bbfc62f9e9919e26d8e614e1",
-    "spec/classes/init_spec.rb": "a9a24bc66c920b5724cff2baacb14720",
+    "manifests/init.pp": "df8cd3072e6e86232debe2e45009f494",
+    "spec/classes/init_spec.rb": "7e826c9429f950b76992d8096e6d71c9",
     "spec/spec_helper.rb": "3ea886dd135e120afa31e0aab12e85b0",
     "templates/ssh_config.erb": "9aaeaeb5931fc7fc4b82a89098441387",
-    "templates/sshd_config.erb": "48de672e1a2696b060cfb31b07da4ad4",
+    "templates/sshd_config.erb": "b82a568d6d168ae33c65dc20c6f7d734",
     "tests/init.pp": "423466ae46899d6a0480aa9910b096d2"
   }
 }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -70,6 +70,7 @@
     it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
     it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
     it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
+    it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
     it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
     it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
     it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@@ -188,6 +189,7 @@
     it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
     it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
+    it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -279,6 +281,7 @@
     it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
     it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
+    it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -369,6 +372,7 @@
     it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
     it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
+    it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -457,6 +461,7 @@
     it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
     it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
     it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
+    it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
     it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
     it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
     it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@@ -554,6 +559,7 @@
     it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
     it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
     it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
+    it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
     it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
     it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
     it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@@ -651,6 +657,7 @@
     it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) }
     it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) }
     it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) }
+    it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
     it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) }
     it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
     it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@@ -766,6 +773,7 @@
         :sshd_x11_forwarding             => 'no',
         :sshd_use_pam                    => 'no',
         :sshd_client_alive_interval      => '242',
+        :sshd_config_serverkeybits       => '1024',
         :sshd_client_alive_count_max     => '0',
         :sshd_config_authkey_location    => '.ssh/authorized_keys',
         :sshd_config_strictmodes         => 'yes',
@@ -800,6 +808,7 @@
     it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
     it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
     it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) }
+    it { should contain_file('sshd_config').with_content(/^ServerKeyBits 1024$/) }
     it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) }
     it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) }
     it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) }
@@ -998,6 +1007,25 @@
     end
   end
 
+  context 'with sshd_config_serverkeybits set to invalid value on valid osfamily' do
+    let :facts do
+      {
+        :fqdn      => 'monkey.example.com',
+        :osfamily  => 'RedHat',
+        :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+      }
+    end
+    let :params do
+      { :sshd_config_serverkeybits => 'invalid' }
+    end
+
+    it 'should fail' do
+      expect {
+        should contain_class('ssh')
+      }.to raise_error(Puppet::Error,/^ssh::sshd_config_serverkeybits must be an integer and is set to <invalid>\./)
+    end
+  end
+
   context 'with sshd_client_alive_interval set to invalid value on valid osfamily' do
     let :facts do
       {
@@ -1067,7 +1095,7 @@
       }.to raise_error(Puppet::Error,/is not a string/)
     end
   end
-  
+
   context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do
     let :facts do
       {
@@ -1086,7 +1114,7 @@
       }.to raise_error(Puppet::Error,/^ssh::sshd_config_strictmodes may be either \'yes\' or \'no\' and is set to <invalid>\./)
     end
   end
-  
+
   context 'with sshd_banner_content set and with default value on sshd_config_banner on valid osfamily' do
     let(:params) { { :sshd_banner_content => 'textinbanner' } }
     let :facts do

diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
@@ -30,7 +30,9 @@ HostKey /etc/ssh/ssh_host_rsa_key
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024
-
+<% if @sshd_config_serverkeybits_real != nil -%>
+ServerKeyBits <%= @sshd_config_serverkeybits_real %>
+<% end -%>
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH