Showing with 51 additions and 1 deletion.

+6 −0 README.md

+3 −0 manifests/init.pp

+1 −1 metadata.json

+40 −0 spec/classes/init_spec.rb

+1 −0 templates/sshd_config.erb
diff --git a/README.md b/README.md
@@ -490,6 +490,12 @@ Boolean to enable AcceptEnv options for specifying environment variables. Defaul
 
 - *Default*: 'USE_DEFAULTS'
 
+sshd_hostbasedauthentication
+-------------------------
+HostbasedAuthentication: Enables/disables Hostbased authentication. Valid values are 'yes' and 'no'.
+
+- *Default*: 'no'
+
 purge_keys
 ----------
 Remove keys not managed by puppet.

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -74,6 +74,7 @@
   $sshd_acceptenv                      = 'USE_DEFAULTS',
   $sshd_config_hostkey                 = 'USE_DEFAULTS',
   $sshd_listen_address                 = undef,
+  $sshd_hostbasedauthentication        = 'no',
   $service_ensure                      = 'running',
   $service_name                        = 'USE_DEFAULTS',
   $service_enable                      = true,
@@ -482,6 +483,8 @@
     validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.")
   }
 
+  validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
+
   case type($hiera_merge) {
     'string': {
       validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.")

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.27.2",
+  "version": "3.28.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache-2.0",

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -101,6 +101,7 @@
         it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
         it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
         it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
+        it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
         it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
         it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
         it { should contain_file('sshd_config').without_content(/^Match/) }
@@ -237,6 +238,7 @@
     it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
     it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
+    it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
     it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
     it { should contain_file('sshd_config').without_content(/^Match/) }
@@ -356,6 +358,7 @@
     it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
     it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
+    it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
     it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
     it { should contain_file('sshd_config').without_content(/^Match/) }
@@ -473,6 +476,7 @@
     it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
     it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
+    it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
     it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
     it { should contain_file('sshd_config').without_content(/^Match/) }
@@ -599,6 +603,7 @@
     it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
     it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
+    it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
     it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
     it { should contain_file('sshd_config').without_content(/^Match/) }
@@ -724,6 +729,7 @@
     it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
     it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
+    it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
     it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
     it { should contain_file('sshd_config').without_content(/^Match/) }
@@ -849,6 +855,7 @@
     it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
     it { should_not contain_file('sshd_config').with_content(/^\s*AuthorizedKeysCommand/) }
+    it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^#ChrootDirectory none/) }
     it { should contain_file('sshd_config').without_content(/^ForceCommand/) }
     it { should contain_file('sshd_config').without_content(/^Match/) }
@@ -1066,6 +1073,7 @@
     it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
     it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommand \/path\/to\/command$/) }
     it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
+    it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^ChrootDirectory \/chrootdir$/) }
     it { should contain_file('sshd_config').with_content(/^ForceCommand \/force\/command --with-parameter 242$/) }
     it { should contain_file('sshd_config').with_content(/^Match User JohnDoe\n  AllowTcpForwarding yes\Z/) }
@@ -2977,4 +2985,36 @@
       end
     end
   end
+
+  describe 'with parameter sshd_hostbasedauthentication' do
+    let(:facts) do
+      { :fqdn      => 'monkey.example.com',
+        :osfamily  => 'RedHat',
+        :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+      }
+    end
+
+    ['yes','no'].each do |value|
+      context "specified as valid #{value} (as #{value.class})" do
+        let(:params) { { :sshd_hostbasedauthentication => value } }
+
+        it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication #{value}$/) }
+      end
+    end
+
+    ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+      context "specified as invalid value #{value} (as #{value.class})" do
+        let(:params) { { :sshd_hostbasedauthentication => value } }
+        if value.is_a?(Array)
+          value = value.join
+        end
+
+        it do
+          expect {
+            should contain_class('ssh')
+          }.to raise_error(Puppet::Error,/ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <#{value}>\./)
+        end
+      end
+    end
+  end
 end
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
@@ -77,6 +77,7 @@ AuthorizedKeysCommandUser <%= @sshd_authorized_keys_command_user %>
 #RhostsRSAAuthentication no
 # similar for protocol version 2
 #HostbasedAuthentication no
+HostbasedAuthentication <%= @sshd_hostbasedauthentication %>
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no