Showing with 99 additions and 3 deletions.

+2 −2 Gemfile

+10 −0 README.md

+14 −0 manifests/init.pp

+1 −1 metadata.json

+69 −0 spec/classes/init_spec.rb

+3 −0 templates/ssh_config.erb
diff --git a/Gemfile b/Gemfile
@@ -8,9 +8,9 @@ end
 
 gem 'metadata-json-lint'
 gem 'puppetlabs_spec_helper', '>= 0.1.0'
-gem 'puppet-lint', '>= 1.0.0'
 gem 'facter', '>= 1.7.0'
-gem 'rspec-puppet', '~> 2.0'
+gem 'rspec-puppet'
+gem 'puppet-lint', :git => 'https://github.com/rodjek/puppet-lint.git'
 gem 'puppet-lint-absolute_classname-check'
 gem 'puppet-lint-alias-check'
 gem 'puppet-lint-empty_string-check'

diff --git a/README.md b/README.md
@@ -340,6 +340,16 @@ This module sets this option to 'yes' on Linux and undef on Solaris.
 
 - *Default*: 'USE_DEFAULTS'
 
+ssh_config_use_roaming
+----------------------
+String to enable or disable UseRoaming in client configuration ssh_config.
+Valid values are 'yes', 'no' and 'unset'. Using 'unset' will not use (print)
+this configuration parameter at all. Default is set to 'no' on Linux and
+'unset' on Solaris. If you have OpenSSH >= version 5.4, this should be set to
+'no' to mitigate CVE-2016-0777 and CVE-2016-0778.
+
+- *Default*: 'USE_DEFAULTS'
+
 sshd_client_alive_interval
 --------------------------
 ClientAliveInterval in sshd_config.

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -22,6 +22,7 @@
   $ssh_config_sendenv_xmodifiers       = false,
   $ssh_config_ciphers                  = undef,
   $ssh_config_macs                     = undef,
+  $ssh_config_use_roaming              = 'USE_DEFAULTS',
   $ssh_config_template                 = 'ssh/ssh_config.erb',
   $ssh_sendenv                         = 'USE_DEFAULTS',
   $ssh_gssapiauthentication            = 'yes',
@@ -107,6 +108,7 @@
       $default_ssh_package_source              = undef
       $default_ssh_package_adminfile           = undef
       $default_ssh_sendenv                     = true
+      $default_ssh_config_use_roaming          = 'no'
       $default_sshd_config_subsystem_sftp      = '/usr/libexec/openssh/sftp-server'
       $default_sshd_config_mode                = '0600'
       $default_sshd_config_use_dns             = 'yes'
@@ -127,6 +129,7 @@
       $default_ssh_package_source              = undef
       $default_ssh_package_adminfile           = undef
       $default_ssh_sendenv                     = true
+      $default_ssh_config_use_roaming          = 'no'
       $default_ssh_config_forward_x11_trusted  = 'yes'
       $default_sshd_config_mode                = '0600'
       $default_sshd_config_use_dns             = 'yes'
@@ -164,6 +167,7 @@
       $default_ssh_package_source              = undef
       $default_ssh_package_adminfile           = undef
       $default_ssh_sendenv                     = true
+      $default_ssh_config_use_roaming          = 'no'
       $default_sshd_config_subsystem_sftp      = '/usr/lib/openssh/sftp-server'
       $default_sshd_config_mode                = '0600'
       $default_sshd_config_use_dns             = 'yes'
@@ -181,6 +185,7 @@
       $default_ssh_config_hash_known_hosts     = undef
       $default_ssh_sendenv                     = false
       $default_ssh_config_forward_x11_trusted  = undef
+      $default_ssh_config_use_roaming          = 'unset'
       $default_sshd_config_subsystem_sftp      = '/usr/lib/ssh/sftp-server'
       $default_sshd_config_mode                = '0644'
       $default_sshd_config_use_dns             = undef
@@ -337,6 +342,12 @@
     $sshd_gssapicleanupcredentials_real = $sshd_gssapicleanupcredentials
   }
 
+  if $ssh_config_use_roaming == 'USE_DEFAULTS' {
+    $ssh_config_use_roaming_real = $default_ssh_config_use_roaming
+  } else {
+    $ssh_config_use_roaming_real = $ssh_config_use_roaming
+  }
+
   if $ssh_sendenv == 'USE_DEFAULTS' {
     $ssh_sendenv_real = $default_ssh_sendenv
   } else {
@@ -433,6 +444,9 @@
   if $sshd_config_serverkeybits_real != undef {
     if is_integer($sshd_config_serverkeybits_real) == false { fail("ssh::sshd_config_serverkeybits must be an integer and is set to <${sshd_config_serverkeybits}>.") }
   }
+  if $ssh_config_use_roaming_real != undef {
+    validate_re($ssh_config_use_roaming_real, '^(yes|no|unset)$', "ssh::ssh_config_use_roaming may be either 'yes', 'no' or 'unset' and is set to <${$ssh_config_use_roaming}>.")
+  }
   if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") }
   if is_integer($sshd_client_alive_count_max) == false { fail("ssh::sshd_client_alive_count_max must be an integer and is set to <${sshd_client_alive_count_max}>.") }
 

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.33.1",
+  "version": "3.34.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache-2.0",

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -59,6 +59,7 @@
 
         it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
         it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
+        it { should contain_file('ssh_config').with_content(/^\s*UseRoaming no$/) }
         it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
 
         it {
@@ -204,6 +205,7 @@
 
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
+    it { should contain_file('ssh_config').without_content(/^\s*UseRoaming/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
     it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
@@ -326,6 +328,7 @@
 
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
+    it { should contain_file('ssh_config').without_content(/^\s*UseRoaming/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
     it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
@@ -446,6 +449,7 @@
 
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
+    it { should contain_file('ssh_config').without_content(/^\s*UseRoaming/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) }
     it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
@@ -567,6 +571,7 @@
 
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*UseRoaming no$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
     it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
@@ -695,6 +700,7 @@
 
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*UseRoaming no$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
     it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
@@ -825,6 +831,7 @@
 
     it { should contain_file('ssh_config').without_content(/^\s*ForwardAgent$/) }
     it { should contain_file('ssh_config').without_content(/^\s*ForwardX11$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*UseRoaming no$/) }
     it { should contain_file('ssh_config').without_content(/^\s*ServerAliveInterval$/) }
     it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
@@ -953,6 +960,7 @@
 
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*UseRoaming no$/) }
     it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) }
     it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
@@ -1062,6 +1070,7 @@
         :ssh_config_hash_known_hosts        => 'yes',
         :ssh_config_forward_agent           => 'yes',
         :ssh_config_forward_x11             => 'yes',
+        :ssh_config_use_roaming             => 'yes',
         :ssh_config_server_alive_interval   => '300',
         :ssh_config_sendenv_xmodifiers      => true,
         :ssh_config_ciphers                 => [ 'aes128-cbc',
@@ -1099,6 +1108,7 @@
     it { should contain_file('ssh_config').with_content(/^  ForwardAgent yes$/) }
     it { should contain_file('ssh_config').with_content(/^  ForwardX11 yes$/) }
     it { should contain_file('ssh_config').with_content(/^\s*GSSAPIAuthentication yes$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*UseRoaming yes$/) }
     it { should contain_file('ssh_config').with_content(/^  ServerAliveInterval 300$/) }
     it { should contain_file('ssh_config').with_content(/^  SendEnv XMODIFIERS$/) }
     it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
@@ -3440,4 +3450,63 @@
       end
     end
   end
+
+  describe 'with parameter ssh_config_use_roaming' do
+    let(:facts) { { :osfamily  => 'RedHat' } }
+
+    ['yes','no','unset'].each do |value|
+      context "set to valid value #{value}" do
+        let(:params) { { :ssh_config_use_roaming => value } }
+        if value == 'unset'
+          it { should contain_file('ssh_config').without_content(/^\s*UseRoaming/) }
+        else
+          it { should contain_file('ssh_config').with_content(/^\s*UseRoaming #{value}$/) }
+        end
+      end
+    end
+  end
+
+  describe 'variable type and content validations' do
+    # set needed custom facts and variables
+    let(:facts) do
+      {
+        :osfamily => 'RedHat',
+      }
+    end
+    let(:mandatory_params) do
+      {
+        #:param => 'value',
+      }
+    end
+
+    validations = {
+      'regex (yes|no|unset)' => {
+        :name    => %w(ssh_config_use_roaming),
+        :valid   => ['yes', 'no', 'unset'],
+        :invalid => ['string', %w(array), { 'ha' => 'sh' }, 3, 2.42, true, false, nil],
+        :message => 'may be either \'yes\', \'no\' or \'unset\'',
+      },
+    }
+
+    validations.sort.each do |type, var|
+      var[:name].each do |var_name|
+        var[:params] = {} if var[:params].nil?
+        var[:valid].each do |valid|
+          context "when #{var_name} (#{type}) is set to valid #{valid} (as #{valid.class})" do
+            let(:params) { [mandatory_params, var[:params], { :"#{var_name}" => valid, }].reduce(:merge) }
+            it { should compile }
+          end
+        end
+
+        var[:invalid].each do |invalid|
+          context "when #{var_name} (#{type}) is set to invalid #{invalid} (as #{invalid.class})" do
+            let(:params) { [mandatory_params, var[:params], { :"#{var_name}" => invalid, }].reduce(:merge) }
+            it 'should fail' do
+              expect { should contain_class(subject) }.to raise_error(Puppet::Error, /#{var[:message]}/)
+            end
+          end
+        end
+      end # var[:name].each
+    end # validations.sort.each
+  end # describe 'variable type and content validations'
 end
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
@@ -72,6 +72,9 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
 <% if @ssh_config_forward_x11 != nil -%>
   ForwardX11 <%= @ssh_config_forward_x11 %>
 <% end -%>
+<% if (@ssh_config_use_roaming_real == 'yes') or (@ssh_config_use_roaming_real == 'no') -%>
+  UseRoaming <%= @ssh_config_use_roaming_real %>
+<% end -%>
 <% if @ssh_config_server_alive_interval != nil -%>
   ServerAliveInterval <%= @ssh_config_server_alive_interval %>
 <% end -%>