CHANGELOG.md

@@ -1,3 +1,6 @@
+### v3.48.0 - 2016-10-20
+  * Add support for ProxyCommand
+
 ### v3.47.0 - 2016-10-19
   * Add support for KexAlgorithms
 

README.md

@@ -163,6 +163,11 @@ String for HostbasedAuthentication option in ssh_config. Valid values are 'yes'
 
 - *Default*: undef
 
+ssh_config_proxy_command
+-------------------------
+String for ProxyCommand option in ssh_config.
+
+- *Default*: undef
 
 ssh_strict_host_key_checking
 -----------------------------

manifests/init.pp

@@ -21,6 +21,7 @@
   $ssh_config_server_alive_interval    = undef,
   $ssh_config_sendenv_xmodifiers       = false,
   $ssh_hostbasedauthentication         = undef,
+  $ssh_config_proxy_command            = undef,
   $ssh_strict_host_key_checking        = undef,
   $ssh_config_ciphers                  = undef,
   $ssh_config_kexalgorithms            = undef,
@@ -557,6 +558,10 @@
     validate_re($ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_strict_host_key_checking may be 'yes', 'no' or 'ask' and is set to <${ssh_strict_host_key_checking}>.")
   }
 
+  if $ssh_config_proxy_command != undef {
+    validate_string($ssh_config_proxy_command)
+  }
+
   if $ssh_enable_ssh_keysign != undef {
     validate_re($ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.")
   }

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.47.0",
+  "version": "3.48.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache-2.0",

spec/classes/init_spec.rb

@@ -332,6 +332,7 @@
         :ssh_config_macs                    => [ 'hmac-md5-etm@openssh.com',
                                                  'hmac-sha1-etm@openssh.com',
         ],
+        :ssh_config_proxy_command           => 'ssh -W %h:%p firewall.example.org',
         :ssh_config_global_known_hosts_file => '/etc/ssh/ssh_known_hosts2',
         :ssh_config_global_known_hosts_list => [ '/etc/ssh/ssh_known_hosts3',
 					         '/etc/ssh/ssh_known_hosts4',
@@ -371,6 +372,7 @@
     it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
     it { should contain_file('ssh_config').with_content(/^\s*KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1$/) }
     it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
+    it { should contain_file('ssh_config').with_content(/^\s*ProxyCommand ssh -W %h:%p firewall\.example\.org$/) }
     it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2 \/etc\/ssh\/ssh_known_hosts3 \/etc\/ssh\/ssh_known_hosts4$/) }
     it { should contain_file('ssh_config').with_content(/^\s*UserKnownHostsFile \.ssh\/known_hosts1 \.ssh\/known_hosts2$/) }
     it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication yes$/) }
@@ -790,6 +792,18 @@
     end
   end
 
+  [true, ['not','a','string']].each do |proxy_command|
+    context "with ssh_config_proxy_command set to invalid value #{proxy_command}" do
+      let(:params) { { :ssh_config_proxy_command => proxy_command } }
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error)
+      end
+    end
+  end
+
   context 'with ssh_config_hash_known_hosts set to invalid value on valid osfamily' do
     let(:params) { { :ssh_config_hash_known_hosts => 'invalid' } }
 

templates/ssh_config.erb

@@ -63,6 +63,9 @@
 <% if @ssh_config_global_known_hosts_list_real -%>
    GlobalKnownHostsFile <%= @ssh_config_global_known_hosts_list_real.join(' ') %>
 <% end -%>
+<% if @ssh_config_proxy_command -%>
+   ProxyCommand <%= @ssh_config_proxy_command %>
+<% end -%>
 Host *
 #  GSSAPIAuthentication yes
   GSSAPIAuthentication <%= @ssh_gssapiauthentication %>