Showing with 76 additions and 1 deletion.

+3 −0 CHANGELOG.md

+12 −0 README.md

+10 −0 manifests/init.pp

+1 −1 metadata.json

+44 −0 spec/classes/init_spec.rb

+3 −0 templates/ssh_config.erb

+3 −0 templates/sshd_config.erb
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+### v3.47.0 - 2016-10-19
+  * Add support for KexAlgorithms
+
 ### v3.46.0 - 2016-10-04
   * Add sshd_x11_use_localhost parameter
 

diff --git a/README.md b/README.md
@@ -125,6 +125,12 @@ Array of ciphers to be used with the Ciphers option in ssh_config.
 
 - *Default*: undef
 
+ssh_config_kexalgorithms
+------------------
+Array of key exchange algorithms to be used with the KexAlgorithms option in ssh_config.
+
+- *Default*: undef
+
 ssh_config_macs
 ---------------
 Array of ciphers to be used with the MACs option in ssh_config.
@@ -448,6 +454,12 @@ Array of ciphers for the Ciphers setting in sshd_config.
 
 - *Default*: undef
 
+sshd_config_kexalgorithms
+-------------------
+Array of key exchange algorithms for the KexAlgorithms setting in sshd_config.
+
+- *Default*: undef
+
 sshd_config_macs
 ----------------
 Array of macs for the MACs setting in sshd_config.

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -23,6 +23,7 @@
   $ssh_hostbasedauthentication         = undef,
   $ssh_strict_host_key_checking        = undef,
   $ssh_config_ciphers                  = undef,
+  $ssh_config_kexalgorithms            = undef,
   $ssh_config_macs                     = undef,
   $ssh_config_use_roaming              = 'USE_DEFAULTS',
   $ssh_config_template                 = 'ssh/ssh_config.erb',
@@ -48,6 +49,7 @@
   $sshd_config_serverkeybits           = 'USE_DEFAULTS',
   $sshd_config_banner                  = 'none',
   $sshd_config_ciphers                 = undef,
+  $sshd_config_kexalgorithms           = undef,
   $sshd_config_macs                    = undef,
   $ssh_enable_ssh_keysign              = undef,
   $sshd_config_allowgroups             = [],
@@ -464,6 +466,14 @@
     validate_array($sshd_config_ciphers)
   }
 
+  if $ssh_config_kexalgorithms != undef {
+    validate_array($ssh_config_kexalgorithms)
+  }
+
+  if $sshd_config_kexalgorithms != undef {
+    validate_array($sshd_config_kexalgorithms)
+  }
+
   if $ssh_config_macs != undef {
     validate_array($ssh_config_macs)
   }

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.46.0",
+  "version": "3.47.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache-2.0",

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -320,6 +320,15 @@
                                                  'aes192-cbc',
                                                  'aes256-cbc',
         ],
+        :ssh_config_kexalgorithms          => [ 'curve25519-sha256@libssh.org',
+						'ecdh-sha2-nistp256',
+						'ecdh-sha2-nistp384',
+						'ecdh-sha2-nistp521',
+						'diffie-hellman-group-exchange-sha256',
+						'diffie-hellman-group-exchange-sha1',
+						'diffie-hellman-group14-sha1',
+						'diffie-hellman-group1-sha1',
+	],
         :ssh_config_macs                    => [ 'hmac-md5-etm@openssh.com',
                                                  'hmac-sha1-etm@openssh.com',
         ],
@@ -360,6 +369,7 @@
     it { should contain_file('ssh_config').with_content(/^  ServerAliveInterval 300$/) }
     it { should contain_file('ssh_config').with_content(/^  SendEnv XMODIFIERS$/) }
     it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1$/) }
     it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
     it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2 \/etc\/ssh\/ssh_known_hosts3 \/etc\/ssh\/ssh_known_hosts4$/) }
     it { should contain_file('ssh_config').with_content(/^\s*UserKnownHostsFile \.ssh\/known_hosts1 \.ssh\/known_hosts2$/) }
@@ -412,6 +422,15 @@
                                                 'aes192-cbc',
                                                 'aes256-cbc',
         ],
+        :sshd_config_kexalgorithms         => [ 'curve25519-sha256@libssh.org',
+						'ecdh-sha2-nistp256',
+						'ecdh-sha2-nistp384',
+						'ecdh-sha2-nistp521',
+						'diffie-hellman-group-exchange-sha256',
+						'diffie-hellman-group-exchange-sha1',
+						'diffie-hellman-group14-sha1',
+						'diffie-hellman-group1-sha1',
+	],
         :sshd_config_macs                  => [ 'hmac-md5-etm@openssh.com',
                                                 'hmac-sha1-etm@openssh.com',
         ],
@@ -491,6 +510,7 @@
     it { should contain_file('sshd_config').with_content(/^ForceCommand \/force\/command --with-parameter 242$/) }
     it { should contain_file('sshd_config').with_content(/^Match User JohnDoe\n  AllowTcpForwarding yes\Z/) }
     it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
+    it { should contain_file('sshd_config').with_content(/^\s*KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1$/) }
     it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
     it { should contain_file('sshd_config').with_content(/^\s*DenyUsers root lusers$/) }
     it { should contain_file('sshd_config').with_content(/^\s*DenyGroups nossh wheel$/) }
@@ -746,6 +766,18 @@
     end
   end
 
+  [true,'invalid'].each do |kexalgorithms|
+    context "with ssh_config_kexalgorithms set to invalid value #{kexalgorithms}" do
+      let(:params) { { :ssh_config_kexalgorithms => kexalgorithms } }
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error)
+      end
+    end
+  end
+
   [true,'invalid'].each do |macs|
     context "with ssh_config_macs set to invalid value #{macs}" do
       let(:params) { { :ssh_config_macs => macs } }
@@ -780,6 +812,18 @@
     end
   end
 
+  [true,'invalid'].each do |kexalgorithms|
+    context "with sshd_config_kexalgorithms set to invalid value #{kexalgorithms}" do
+      let(:params) { { :sshd_config_kexalgorithms => kexalgorithms } }
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error)
+      end
+    end
+  end
+
   [true,'invalid'].each do |denyusers|
     context "with sshd_config_denyusers set to invalid value #{denyusers}" do
       let(:params) { { :sshd_config_denyusers => denyusers } }

diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
@@ -49,6 +49,9 @@
 <% if @ssh_config_ciphers -%>
     Ciphers <%= @ssh_config_ciphers.join(',') %>
 <% end -%>
+<% if @ssh_config_kexalgorithms -%>
+    KexAlgorithms <%= @ssh_config_kexalgorithms.join(',') %>
+<% end -%>
 #   EscapeChar ~
 #   Tunnel no
 #   TunnelDevice any:any

diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
@@ -219,6 +219,9 @@ Subsystem sftp <%= @sshd_config_subsystem_sftp_real %>
 <% if @sshd_config_ciphers -%>
 Ciphers <%= @sshd_config_ciphers.join(',') %>
 <% end -%>
+<% if @sshd_config_kexalgorithms -%>
+KexAlgorithms <%= @sshd_config_kexalgorithms.join(',') %>
+<% end -%>
 <% if @sshd_config_macs -%>
 MACs <%= @sshd_config_macs.join(',') %>
 <% end -%>