Showing with 43 additions and 1 deletion.
  1. +1 −1 Modulefile
  2. +13 −0 README.md
  3. +2 −0 manifests/init.pp
  4. +25 −0 spec/classes/init_spec.rb
  5. +2 −0 templates/ssh_config.erb
2 changes: 1 addition & 1 deletion Modulefile
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name 'ghoneycutt-ssh'
version '3.3.0'
version '3.4.0'
source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
author 'ghoneycutt'
license 'Apache License, Version 2.0'
Expand Down
13 changes: 13 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,19 @@ This module has been tested to work on the following systems with Puppet v3.

# Parameters #

ssh_config_hash_known_hosts
---------------------------
HashKnownHosts in ssh_config.
Indicates that ssh should hash host names and addresses when they are added to ~/.ssh/known_hosts.
These hashed names may be used normally by ssh and sshd, but they do not reveal identifying
information should the file's contents be disclosed. The default is 'no'.

Note that existing names and addresses in known hosts files will not be converted automatically,
but may be manually hashed using ssh-keygen. Use of this option may break facilities such as
tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts.

- *Default*: 'no'

ssh_config_path
---------------
Path to ssh_config.
Expand Down
2 changes: 2 additions & 0 deletions manifests/init.pp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
$permit_root_login = 'yes',
$purge_keys = 'true',
$manage_firewall = false,
$ssh_config_hash_known_hosts = 'no',
$ssh_config_path = '/etc/ssh/ssh_config',
$ssh_config_owner = 'root',
$ssh_config_group = 'root',
Expand Down Expand Up @@ -46,6 +47,7 @@
) {

# validate params
validate_re($ssh_config_hash_known_hosts, '^(yes|no)$', "ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts}>.")
validate_re($sshd_config_port, '^\d+$', "sshd_config_port must be a valid number and is set to <${sshd_config_port}>")
validate_re($sshd_password_authentication, '^(yes|no)$', "sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.")
validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
Expand Down
25 changes: 25 additions & 0 deletions spec/classes/init_spec.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@

it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) }

it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
Expand Down Expand Up @@ -115,6 +116,7 @@

it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) }

it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
Expand Down Expand Up @@ -198,6 +200,7 @@

it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) }

it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
Expand Down Expand Up @@ -281,6 +284,7 @@

it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) }

it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
Expand Down Expand Up @@ -361,6 +365,7 @@
end
let :params do
{
:ssh_config_hash_known_hosts => 'yes',
:ssh_config_forward_agent => 'yes',
:ssh_config_forward_x11 => 'yes',
:ssh_config_server_alive_interval => '300',
Expand All @@ -381,6 +386,7 @@

it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) }
it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) }
it { should contain_file('ssh_config').with_content(/^ HashKnownHosts yes$/) }
it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) }
it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) }
it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) }
Expand Down Expand Up @@ -482,6 +488,25 @@
}
end

context 'with ssh_config_hash_known_hosts set to invalid value on valid osfamily' do
let :facts do
{
:fqdn => 'monkey.example.com',
:osfamily => 'RedHat',
:sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
}
end
let :params do
{ :ssh_config_hash_known_hosts => 'invalid' }
end

it 'should fail' do
expect {
should include_class('ssh')
}.to raise_error(Puppet::Error,/ssh_config_hash_known_hosts may be either \'yes\' or \'no\' and is set to <invalid>./)
end
end

context 'with sshd_config_port not being a valid number' do
let :facts do
{
Expand Down
2 changes: 2 additions & 0 deletions templates/ssh_config.erb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# HashKnownHosts no
HashKnownHosts <%= @ssh_config_hash_known_hosts %>
Host *
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
Expand Down