Showing with 413 additions and 95 deletions.

+1 −1 Modulefile

+24 −0 README.md

+98 −79 manifests/init.pp

+1 −1 metadata.json

+286 −14 spec/classes/init_spec.rb

+3 −0 templates/ssh_config.erb
diff --git a/Modulefile b/Modulefile
@@ -1,5 +1,5 @@
 name    'ghoneycutt-ssh'
-version '3.23.1'
+version '3.24.0'
 source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
 author 'ghoneycutt'
 license 'Apache License, Version 2.0'

diff --git a/README.md b/README.md
@@ -503,6 +503,30 @@ Encryption type for SSH key. Valid values are 'rsa', 'dsa', 'ssh-dss' and 'ssh-r
 
 - *Default*: 'ssh-rsa'
 
+ssh_config_global_known_hosts_file
+----------------------------------
+File of the global known_hosts file
+
+- *Default*: '/etc/ssh/ssh_known_hosts'
+
+ssh_config_global_known_hosts_owner
+----------------------------------
+Owner of the global known_hosts file
+
+- *Default*: 'root'
+
+ssh_config_global_known_hosts_group
+----------------------------------
+Group of the global known_hosts file
+
+- *Default*: 'root'
+
+ssh_config_global_known_hosts_mode
+----------------------------------
+File mode of the global known_hosts file
+
+- *Default*: '0644'
+
 manage_root_ssh_config
 ----------------------
 Manage SSH config of root. Valid values are 'true' and 'false'.

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -3,82 +3,86 @@
 # Manage ssh client and server
 #
 class ssh (
-  $hiera_merge                      = false,
-  $packages                         = 'USE_DEFAULTS',
-  $permit_root_login                = 'yes',
-  $purge_keys                       = 'true',
-  $manage_firewall                  = false,
-  $ssh_package_source               = 'USE_DEFAULTS',
-  $ssh_package_adminfile            = 'USE_DEFAULTS',
-  $ssh_config_hash_known_hosts      = 'USE_DEFAULTS',
-  $ssh_config_path                  = '/etc/ssh/ssh_config',
-  $ssh_config_owner                 = 'root',
-  $ssh_config_group                 = 'root',
-  $ssh_config_mode                  = '0644',
-  $ssh_config_forward_x11           = undef,
-  $ssh_config_forward_x11_trusted   = 'USE_DEFAULTS',
-  $ssh_config_forward_agent         = undef,
-  $ssh_config_server_alive_interval = undef,
-  $ssh_config_sendenv_xmodifiers    = false,
-  $ssh_config_ciphers               = undef,
-  $ssh_config_macs                  = undef,
-  $ssh_config_template              = 'ssh/ssh_config.erb',
-  $ssh_sendenv                      = 'USE_DEFAULTS',
-  $ssh_gssapidelegatecredentials    = undef,
-  $sshd_config_path                 = '/etc/ssh/sshd_config',
-  $sshd_config_owner                = 'root',
-  $sshd_config_group                = 'root',
-  $sshd_config_loglevel             = 'INFO',
-  $sshd_config_mode                 = 'USE_DEFAULTS',
-  $sshd_config_port                 = '22',
-  $sshd_config_syslog_facility      = 'AUTH',
-  $sshd_config_template             = 'ssh/sshd_config.erb',
-  $sshd_config_login_grace_time     = '120',
-  $sshd_config_challenge_resp_auth  = 'yes',
-  $sshd_config_print_motd           = 'yes',
-  $sshd_config_use_dns              = 'USE_DEFAULTS',
-  $sshd_config_authkey_location     = undef,
-  $sshd_config_strictmodes          = undef,
-  $sshd_config_serverkeybits        = 'USE_DEFAULTS',
-  $sshd_config_banner               = 'none',
-  $sshd_config_ciphers              = undef,
-  $sshd_config_macs                 = undef,
-  $sshd_config_denyusers            = undef,
-  $sshd_config_denygroups           = undef,
-  $sshd_config_allowusers           = undef,
-  $sshd_config_allowgroups          = undef,
-  $sshd_config_maxstartups          = undef,
-  $sshd_config_maxsessions          = undef,
-  $sshd_banner_content              = undef,
-  $sshd_banner_owner                = 'root',
-  $sshd_banner_group                = 'root',
-  $sshd_banner_mode                 = '0644',
-  $sshd_config_xauth_location       = 'USE_DEFAULTS',
-  $sshd_config_subsystem_sftp       = 'USE_DEFAULTS',
-  $sshd_password_authentication     = 'yes',
-  $sshd_allow_tcp_forwarding        = 'yes',
-  $sshd_x11_forwarding              = 'yes',
-  $sshd_use_pam                     = 'USE_DEFAULTS',
-  $sshd_client_alive_count_max      = '3',
-  $sshd_client_alive_interval       = '0',
-  $sshd_gssapiauthentication        = 'yes',
-  $sshd_gssapikeyexchange           = 'USE_DEFAULTS',
-  $sshd_pamauthenticationviakbdint  = 'USE_DEFAULTS',
-  $sshd_gssapicleanupcredentials    = 'USE_DEFAULTS',
-  $sshd_acceptenv                   = 'USE_DEFAULTS',
-  $sshd_config_hostkey              = 'USE_DEFAULTS',
-  $sshd_listen_address              = undef,
-  $service_ensure                   = 'running',
-  $service_name                     = 'USE_DEFAULTS',
-  $service_enable                   = 'true',
-  $service_hasrestart               = 'true',
-  $service_hasstatus                = 'USE_DEFAULTS',
-  $ssh_key_ensure                   = 'present',
-  $ssh_key_import                   = 'true',
-  $ssh_key_type                     = 'ssh-rsa',
-  $keys                             = undef,
-  $manage_root_ssh_config           = 'false',
-  $root_ssh_config_content          = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
+  $hiera_merge                         = false,
+  $packages                            = 'USE_DEFAULTS',
+  $permit_root_login                   = 'yes',
+  $purge_keys                          = 'true',
+  $manage_firewall                     = false,
+  $ssh_package_source                  = 'USE_DEFAULTS',
+  $ssh_package_adminfile               = 'USE_DEFAULTS',
+  $ssh_config_hash_known_hosts         = 'USE_DEFAULTS',
+  $ssh_config_path                     = '/etc/ssh/ssh_config',
+  $ssh_config_owner                    = 'root',
+  $ssh_config_group                    = 'root',
+  $ssh_config_mode                     = '0644',
+  $ssh_config_forward_x11              = undef,
+  $ssh_config_forward_x11_trusted      = 'USE_DEFAULTS',
+  $ssh_config_forward_agent            = undef,
+  $ssh_config_server_alive_interval    = undef,
+  $ssh_config_sendenv_xmodifiers       = false,
+  $ssh_config_ciphers                  = undef,
+  $ssh_config_macs                     = undef,
+  $ssh_config_template                 = 'ssh/ssh_config.erb',
+  $ssh_sendenv                         = 'USE_DEFAULTS',
+  $ssh_gssapidelegatecredentials       = undef,
+  $sshd_config_path                    = '/etc/ssh/sshd_config',
+  $sshd_config_owner                   = 'root',
+  $sshd_config_group                   = 'root',
+  $sshd_config_loglevel                = 'INFO',
+  $sshd_config_mode                    = 'USE_DEFAULTS',
+  $sshd_config_port                    = '22',
+  $sshd_config_syslog_facility         = 'AUTH',
+  $sshd_config_template                = 'ssh/sshd_config.erb',
+  $sshd_config_login_grace_time        = '120',
+  $sshd_config_challenge_resp_auth     = 'yes',
+  $sshd_config_print_motd              = 'yes',
+  $sshd_config_use_dns                 = 'USE_DEFAULTS',
+  $sshd_config_authkey_location        = undef,
+  $sshd_config_strictmodes             = undef,
+  $sshd_config_serverkeybits           = 'USE_DEFAULTS',
+  $sshd_config_banner                  = 'none',
+  $sshd_config_ciphers                 = undef,
+  $sshd_config_macs                    = undef,
+  $sshd_config_denyusers               = undef,
+  $sshd_config_denygroups              = undef,
+  $sshd_config_allowusers              = undef,
+  $sshd_config_allowgroups             = undef,
+  $sshd_config_maxstartups             = undef,
+  $sshd_config_maxsessions             = undef,
+  $sshd_banner_content                 = undef,
+  $sshd_banner_owner                   = 'root',
+  $sshd_banner_group                   = 'root',
+  $sshd_banner_mode                    = '0644',
+  $sshd_config_xauth_location          = 'USE_DEFAULTS',
+  $sshd_config_subsystem_sftp          = 'USE_DEFAULTS',
+  $sshd_password_authentication        = 'yes',
+  $sshd_allow_tcp_forwarding           = 'yes',
+  $sshd_x11_forwarding                 = 'yes',
+  $sshd_use_pam                        = 'USE_DEFAULTS',
+  $sshd_client_alive_count_max         = '3',
+  $sshd_client_alive_interval          = '0',
+  $sshd_gssapiauthentication           = 'yes',
+  $sshd_gssapikeyexchange              = 'USE_DEFAULTS',
+  $sshd_pamauthenticationviakbdint     = 'USE_DEFAULTS',
+  $sshd_gssapicleanupcredentials       = 'USE_DEFAULTS',
+  $sshd_acceptenv                      = 'USE_DEFAULTS',
+  $sshd_config_hostkey                 = 'USE_DEFAULTS',
+  $sshd_listen_address                 = undef,
+  $service_ensure                      = 'running',
+  $service_name                        = 'USE_DEFAULTS',
+  $service_enable                      = 'true',
+  $service_hasrestart                  = 'true',
+  $service_hasstatus                   = 'USE_DEFAULTS',
+  $ssh_key_ensure                      = 'present',
+  $ssh_key_import                      = 'true',
+  $ssh_key_type                        = 'ssh-rsa',
+  $ssh_config_global_known_hosts_file  = '/etc/ssh/ssh_known_hosts',
+  $ssh_config_global_known_hosts_owner = 'root',
+  $ssh_config_global_known_hosts_group = 'root',
+  $ssh_config_global_known_hosts_mode  = '0644',
+  $keys                                = undef,
+  $manage_root_ssh_config              = 'false',
+  $root_ssh_config_content             = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
 ) {
 
   case $::osfamily {
@@ -511,6 +515,12 @@
     }
   }
 
+  validate_absolute_path($ssh_config_global_known_hosts_file)
+  validate_string($ssh_config_global_known_hosts_owner)
+  validate_string($ssh_config_global_known_hosts_group)
+  validate_re($ssh_config_global_known_hosts_mode, '^[0-7]{4}$',
+    "ssh::ssh_config_global_known_hosts_mode must be a valid 4 digit mode in octal notation. Detected value is <${ssh_config_global_known_hosts_mode}>.")
+
   case $purge_keys {
     'true','false': {
       # noop
@@ -526,7 +536,6 @@
   #sshd_config template
   validate_string($sshd_config_template)
 
-
   #loglevel
   $supported_loglevel_vals=['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE']
   validate_re($sshd_config_loglevel, $supported_loglevel_vals)
@@ -655,9 +664,19 @@
     key    => $key,
   }
 
+  file { 'ssh_known_hosts':
+    ensure => file,
+    path   => $ssh_config_global_known_hosts_file,
+    owner  => $ssh_config_global_known_hosts_owner,
+    group  => $ssh_config_global_known_hosts_group,
+    mode   => $ssh_config_global_known_hosts_mode,
+  }
+
+  # import all nodes' ssh keys
   if $ssh_key_import_real == true {
-    # import all nodes' ssh keys
-    Sshkey <<||>>
+    Sshkey <<||>> {
+      target => $ssh_config_global_known_hosts_file,
+    }
   }
 
   # remove ssh key's not managed by puppet

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.23.1",
+  "version": "3.24.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache License, Version 2.0",