Showing with 199 additions and 8 deletions.

+1 −1 Modulefile

+24 −0 README.md

+20 −0 manifests/init.pp

+7 −7 metadata.json

+134 −0 spec/classes/init_spec.rb

+6 −0 templates/ssh_config.erb

+7 −0 templates/sshd_config.erb
diff --git a/Modulefile b/Modulefile
@@ -1,5 +1,5 @@
 name    'ghoneycutt-ssh'
-version '3.12.0'
+version '3.13.0'
 source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
 author 'ghoneycutt'
 license 'Apache License, Version 2.0'

diff --git a/README.md b/README.md
@@ -95,6 +95,18 @@ Boolean to set 'SendEnv XMODIFIERS' in ssh_config. This option is only valid on
 
 - *Default*: false
 
+ssh_config_ciphers
+------------------
+Array of ciphers to be used with the Ciphers option in ssh_config.
+
+- *Default*: undef
+
+ssh_config_macs
+---------------
+Array of ciphers to be used with the MACs option in ssh_config.
+
+- *Default*: undef
+
 ssh_sendenv
 -------------
 Boolean to enable SendEnv options for specifying environment variables. Default is set to true on Linux.
@@ -276,6 +288,18 @@ after approximately 45 seconds.  This option applies to protocol version 2 only.
 
 - *Default*: '3'
 
+sshd_config_ciphers
+-------------------
+Array of ciphers for the Ciphers setting in sshd_config.
+
+- *Default*: undef
+
+sshd_config_macs
+----------------
+Array of macs for the MACs setting in sshd_config.
+
+- *Default*: undef
+
 keys
 ----
 Hash of keys for user's ~/.ssh/authorized_keys

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -20,6 +20,8 @@
   $ssh_config_forward_agent         = undef,
   $ssh_config_server_alive_interval = undef,
   $ssh_config_sendenv_xmodifiers    = false,
+  $ssh_config_ciphers               = undef,
+  $ssh_config_macs                  = undef,
   $ssh_sendenv                      = 'USE_DEFAULTS',
   $sshd_config_path                 = '/etc/ssh/sshd_config',
   $sshd_config_owner                = 'root',
@@ -35,6 +37,8 @@
   $sshd_config_strictmodes          = undef,
   $sshd_config_serverkeybits        = 'USE_DEFAULTS',
   $sshd_config_banner               = 'none',
+  $sshd_config_ciphers              = undef,
+  $sshd_config_macs                 = undef,
   $sshd_banner_content              = undef,
   $sshd_banner_owner                = 'root',
   $sshd_banner_group                = 'root',
@@ -327,6 +331,22 @@
   }
 
   # validate params
+  if $ssh_config_ciphers != undef {
+    validate_array($ssh_config_ciphers)
+  }
+
+  if $sshd_config_ciphers != undef {
+    validate_array($sshd_config_ciphers)
+  }
+
+  if $ssh_config_macs != undef {
+    validate_array($ssh_config_macs)
+  }
+
+  if $sshd_config_macs != undef {
+    validate_array($sshd_config_macs)
+  }
+
   if $ssh_config_hash_known_hosts_real != undef {
     validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
   }

diff --git a/metadata.json b/metadata.json
@@ -66,7 +66,7 @@
     }
   ],
   "name": "ghoneycutt-ssh",
-  "version": "3.12.0",
+  "version": "3.13.0",
   "source": "git://github.com/ghoneycutt/puppet-module-ssh.git",
   "author": "ghoneycutt",
   "license": "Apache License, Version 2.0",
@@ -95,14 +95,14 @@
     "Gemfile": "6992d521994d948eb6e48acd733a07bf",
     "Gemfile.lock": "44926a4ba8c7b0f743f80b5428f68602",
     "LICENSE": "567e6cc3941d464d60c74d1f4abd5f46",
-    "Modulefile": "02f7ca273c079ae5b30053ca7ac82da6",
-    "README.md": "84baff5347b0fbae6b8fee5f4d20924b",
+    "Modulefile": "4ed3bc9b0cf23322b9833a8703923ecf",
+    "README.md": "5142cf1dea17b3807de22c2c4c6d6310",
     "Rakefile": "8ff6a0f7db638421d1742c5d365d0266",
-    "manifests/init.pp": "df8cd3072e6e86232debe2e45009f494",
-    "spec/classes/init_spec.rb": "7e826c9429f950b76992d8096e6d71c9",
+    "manifests/init.pp": "8882c6076300739497333d5fd6cd7b53",
+    "spec/classes/init_spec.rb": "1417340881748aad86e4a6c272e0d304",
     "spec/spec_helper.rb": "3ea886dd135e120afa31e0aab12e85b0",
-    "templates/ssh_config.erb": "9aaeaeb5931fc7fc4b82a89098441387",
-    "templates/sshd_config.erb": "b82a568d6d168ae33c65dc20c6f7d734",
+    "templates/ssh_config.erb": "4b811f9ebdebe44e66876957461f22d0",
+    "templates/sshd_config.erb": "881549e01eb8510377ec5c5b80feed9f",
     "tests/init.pp": "423466ae46899d6a0480aa9910b096d2"
   }
 }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -39,6 +39,8 @@
     it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) }
     it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
     it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) }
+    it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
 
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
@@ -80,6 +82,8 @@
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
     it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
     it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
+    it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -161,6 +165,8 @@
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
+    it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_file('sshd_config').with({
@@ -190,6 +196,8 @@
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
     it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
     it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
+    it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -253,6 +261,8 @@
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
+    it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_file('sshd_config').with({
@@ -282,6 +292,8 @@
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
     it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
     it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
+    it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -344,6 +356,8 @@
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
+    it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_file('sshd_config').with({
@@ -373,6 +387,8 @@
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
     it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
     it { should contain_file('sshd_config').with_content(/^ServerKeyBits 768$/) }
+    it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -434,6 +450,8 @@
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
+    it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_file('sshd_config').with({
@@ -471,6 +489,8 @@
     it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
     it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
+    it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -532,6 +552,8 @@
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
+    it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_file('sshd_config').with({
@@ -569,6 +591,8 @@
     it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
     it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
+    it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -630,6 +654,8 @@
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
+    it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_file('sshd_config').with({
@@ -667,6 +693,8 @@
     it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
     it { should_not contain_file('sshd_config').with_content(/^AuthorizedKeysFile/) }
     it { should_not contain_file('sshd_config').with_content(/^StrictModes/) }
+    it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -721,6 +749,17 @@
         :ssh_config_forward_x11           => 'yes',
         :ssh_config_server_alive_interval => '300',
         :ssh_config_sendenv_xmodifiers    => true,
+        :ssh_config_ciphers               => [ 'aes128-cbc',
+                                                '3des-cbc',
+                                                'blowfish-cbc',
+                                                'cast128-cbc',
+                                                'arcfour',
+                                                'aes192-cbc',
+                                                'aes256-cbc',
+        ],
+        :ssh_config_macs                  => [ 'hmac-md5-etm@openssh.com',
+                                                'hmac-sha1-etm@openssh.com',
+        ],
       }
     end
 
@@ -745,6 +784,8 @@
     it { should contain_file('ssh_config').with_content(/^  ForwardX11 yes$/) }
     it { should contain_file('ssh_config').with_content(/^  ServerAliveInterval 300$/) }
     it { should contain_file('ssh_config').with_content(/^  SendEnv XMODIFIERS$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
   end
 
   context 'with params used in sshd_config set on valid osfamily' do
@@ -777,6 +818,17 @@
         :sshd_client_alive_count_max     => '0',
         :sshd_config_authkey_location    => '.ssh/authorized_keys',
         :sshd_config_strictmodes         => 'yes',
+        :sshd_config_ciphers             => [ 'aes128-cbc',
+                                              '3des-cbc',
+                                              'blowfish-cbc',
+                                              'cast128-cbc',
+                                              'arcfour',
+                                              'aes192-cbc',
+                                              'aes256-cbc',
+        ],
+        :sshd_config_macs                => [ 'hmac-md5-etm@openssh.com',
+                                              'hmac-sha1-etm@openssh.com',
+        ],
       }
     end
 
@@ -818,6 +870,8 @@
     it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) }
     it { should contain_file('sshd_config').with_content(/^AuthorizedKeysFile .ssh\/authorized_keys/) }
     it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
+    it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
+    it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
 
     it {
       should contain_file('sshd_banner').with({
@@ -873,6 +927,46 @@
     }
   end
 
+  [true,'invalid'].each do |ciphers|
+    context "with ssh_config_ciphers set to invalid value #{ciphers}" do
+      let(:params) { { :ssh_config_ciphers => ciphers } }
+
+      let :facts do
+        {
+          :fqdn      => 'monkey.example.com',
+          :osfamily  => 'RedHat',
+          :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+        }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error)
+      end
+    end
+  end
+
+  [true,'invalid'].each do |macs|
+    context "with ssh_config_macs set to invalid value #{macs}" do
+      let(:params) { { :ssh_config_macs => macs } }
+
+      let :facts do
+        {
+          :fqdn      => 'monkey.example.com',
+          :osfamily  => 'RedHat',
+          :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+        }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error)
+      end
+    end
+  end
+
   context 'with ssh_config_hash_known_hosts set to invalid value on valid osfamily' do
     let :facts do
       {
@@ -892,6 +986,46 @@
     end
   end
 
+  [true,'invalid'].each do |ciphers|
+    context "with sshd_config_ciphers set to invalid value #{ciphers}" do
+      let(:params) { { :sshd_config_ciphers => ciphers } }
+
+      let :facts do
+        {
+          :fqdn      => 'monkey.example.com',
+          :osfamily  => 'RedHat',
+          :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+        }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error)
+      end
+    end
+  end
+
+  [true,'invalid'].each do |macs|
+    context "with sshd_config_macs set to invalid value #{macs}" do
+      let(:params) { { :sshd_config_macs => macs } }
+
+      let :facts do
+        {
+          :fqdn      => 'monkey.example.com',
+          :osfamily  => 'RedHat',
+          :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+        }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error)
+      end
+    end
+  end
+
   context 'with sshd_config_port not being a valid number' do
     let :facts do
       {