Showing with 99 additions and 1 deletion.

+7 −0 CHANGELOG.md

+15 −0 README.md

+8 −0 manifests/init.pp

+1 −1 metadata.json

+62 −0 spec/classes/init_spec.rb

+6 −0 templates/sshd_config.erb
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+### v3.42.0 - 2016-06-24
+  * Add support for managing sshd_config options PermitUserEnvironment and
+    PermitEmptyPasswords
+
+### v3.41.1 - 2016-06-20
+  * Update years in LICENSE
+
 ### v3.41.0 - 2016-06-20
   * Add ability to specify an array for GlobalKnownHostsFile in ssh_config.
   * Add support for UserKnownHostsFile in ssh_config.

diff --git a/README.md b/README.md
@@ -220,6 +220,21 @@ sshd_listen_address
 -------------------
 String or Array to specify address(es) for which sshd will bind. Corresponds to ListenAddress in sshd_config.
 
+- *Default*: undef
+
+sshd_config_permitemptypasswords
+--------------------------------
+PermitEmptyPasswords option in sshd_config.  When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.
+Valid values are 'yes' and 'no'.
+
+- *Default*: undef
+
+sshd_config_permituserenvironment
+---------------------------------
+PermitUserEnvironment option in sshd_config.  Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8).  The default is “no”.  Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.
+Valid values are 'yes' and 'no'.
+
+
 - *Default*: undef
 
 sshd_config_port

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -34,6 +34,8 @@
   $sshd_config_group                   = 'root',
   $sshd_config_loglevel                = 'INFO',
   $sshd_config_mode                    = 'USE_DEFAULTS',
+  $sshd_config_permitemptypasswords    = undef,
+  $sshd_config_permituserenvironment   = undef,
   $sshd_config_port                    = '22',
   $sshd_config_syslog_facility         = 'AUTH',
   $sshd_config_template                = 'ssh/sshd_config.erb',
@@ -459,6 +461,12 @@
   if $ssh_config_hash_known_hosts_real != undef {
     validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
   }
+  if $sshd_config_permitemptypasswords != undef {
+    validate_re($sshd_config_permitemptypasswords, '^(yes|no)$', "ssh::sshd_config_permitemptypasswords may be either 'yes' or 'no' and is set to <${sshd_config_permitemptypasswords}>.")
+  }
+  if $sshd_config_permituserenvironment != undef {
+    validate_re($sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.")
+  }
   case type3x($sshd_config_port) {
     'string': {
       validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.41.0",
+  "version": "3.42.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache-2.0",

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -398,6 +398,8 @@
         :sshd_config_subsystem_sftp        => '/opt/ssh/bin/sftp',
         :sshd_kerberos_authentication      => 'no',
         :sshd_password_authentication      => 'no',
+        :sshd_config_permitemptypasswords  => 'no',
+        :sshd_config_permituserenvironment => 'no',
         :sshd_pubkeyauthentication         => 'no',
         :sshd_allow_tcp_forwarding         => 'no',
         :sshd_x11_forwarding               => 'no',
@@ -480,6 +482,8 @@
     it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
     it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
     it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
+    it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment no/) }
+    it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords no/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
@@ -977,6 +981,64 @@
     end
   end
 
+  describe 'with sshd_config_permitemptypasswords' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no'].each do |value|
+      context "set to #{value}" do
+        let (:params) {{ 'sshd_config_permitemptypasswords' => value }}
+
+        it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords #{value}$/) }
+      end
+    end
+
+    context 'set to invalid value on valid osfamily' do
+      let :params do
+        { :sshd_config_permitemptypasswords => 'invalid' }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/ssh::sshd_config_permitemptypasswords may be either \'yes\' or \'no\' and is set to <invalid>\./)
+      end
+    end
+  end
+
+  describe 'with sshd_config_permituserenvironment' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no'].each do |value|
+      context "set to #{value}" do
+        let (:params) {{ 'sshd_config_permituserenvironment' => value }}
+
+        it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment #{value}$/) }
+      end
+    end
+
+    context 'set to invalid value on valid osfamily' do
+      let :params do
+        { :sshd_config_permituserenvironment => 'invalid' }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/ssh::sshd_config_permituserenvironment may be either \'yes\' or \'no\' and is set to <invalid>\./)
+      end
+    end
+  end
+
   describe 'sshd_config_port param' do
     let :facts do
       default_facts.merge(

diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
@@ -107,6 +107,9 @@ PasswordAuthentication <%= @sshd_password_authentication %>
 PAMAuthenticationViaKBDInt <%= @sshd_pamauthenticationviakbdint_real %>
 <% end -%>
 #PermitEmptyPasswords no
+<% if @sshd_config_permitemptypasswords != nil -%>
+PermitEmptyPasswords <%= @sshd_config_permitemptypasswords %>
+<% end -%>
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
@@ -165,6 +168,9 @@ PrintMotd <%= @sshd_config_print_motd %>
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
+<% if @sshd_config_permituserenvironment != nil -%>
+PermitUserEnvironment <%= @sshd_config_permituserenvironment %>
+<% end -%>
 #Compression delayed
 #ClientAliveInterval 0
 ClientAliveInterval <%= @sshd_client_alive_interval %>