Showing with 160 additions and 50 deletions.
  1. +3 −0 .gitignore
  2. +18 −1 .travis.yml
  3. +4 −0 CHANGELOG.md
  4. +4 −3 Gemfile
  5. +30 −9 README.md
  6. +1 −1 Rakefile
  7. +40 −17 manifests/init.pp
  8. +1 −1 metadata.json
  9. +48 −12 spec/classes/init_spec.rb
  10. +0 −2 spec/fixtures/sshd_config_solaris
  11. +3 −0 spec/spec_helper.rb
  12. +8 −4 templates/sshd_config.erb
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -21,6 +21,9 @@ doc/
# Vim
*.swp

# Eclipse
.project

# OS X
.DS_Store

19 changes: 18 additions & 1 deletion .travis.yml
Expand Up @@ -26,11 +26,14 @@ env:
- PUPPET_GEM_VERSION="~> 4.4.0"
- PUPPET_GEM_VERSION="~> 4.5.0"
- PUPPET_GEM_VERSION="~> 4.6.0"
- PUPPET_GEM_VERSION="~> 4.7.0"
- PUPPET_GEM_VERSION="~> 4.8.0"
- PUPPET_GEM_VERSION="~> 4.9.0"
- PUPPET_GEM_VERSION="~> 4"

sudo: false

script: 'bundle exec rake validate && bundle exec rake lint && SPEC_OPTS="--format documentation" bundle exec rake spec'
script: 'SPEC_OPTS="--format documentation" bundle exec rake validate lint spec'

matrix:
fast_finish: true
Expand Down Expand Up @@ -60,6 +63,20 @@ matrix:
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 4.6.0"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 4.7.0"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 4.8.0"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 4.9.0"
- rvm: 1.9.3
env: PUPPET_GEM_VERSION="~> 4.9.0"
- rvm: 2.0.0
env: PUPPET_GEM_VERSION="~> 4.9.0"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 4"
- rvm: 1.9.3
env: PUPPET_GEM_VERSION="~> 4"
- rvm: 2.0.0
env: PUPPET_GEM_VERSION="~> 4"
- rvm: 2.3.1
env: PUPPET_GEM_VERSION="~> 3.1.0"
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,7 @@
### v3.49.1 - 2017-02-27
* Fix parameters not compatible with Solaris
* Add support for Puppet v4.9

### v3.49.0 - 2016-10-25
* Add support for PermitTunnel in sshd_config

7 changes: 4 additions & 3 deletions Gemfile
@@ -1,16 +1,15 @@
source 'https://rubygems.org'
source ENV['GEM_SOURCE'] || 'https://rubygems.org'

if puppetversion = ENV['PUPPET_GEM_VERSION']
gem 'puppet', puppetversion, :require => false
else
gem 'puppet', :require => false
end

gem 'metadata-json-lint'
gem 'puppetlabs_spec_helper', '>= 1.2.0'
gem 'facter', '>= 1.7.0'
gem 'rspec-puppet'
gem 'puppet-lint', '>= 1.0', '< 3.0'
gem 'puppet-lint', '~> 2.0'
gem 'puppet-lint-absolute_classname-check'
gem 'puppet-lint-alias-check'
gem 'puppet-lint-empty_string-check'
Expand All @@ -27,3 +26,5 @@ gem 'rspec', '~> 2.0' if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
gem 'rake', '~> 10.0' if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
gem 'json', '<= 1.8' if RUBY_VERSION < '2.0.0'
gem 'json_pure', '<= 2.0.1' if RUBY_VERSION < '2.0.0'
gem 'metadata-json-lint', '0.0.11' if RUBY_VERSION < '1.9'
gem 'metadata-json-lint' if RUBY_VERSION >= '1.9'
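Review bot: `source ENV['GEM_SOURCE'] || 'https://rubygems.org'` on the first line makes resolution of every gem in this file follow an unvalidated environment variable, so a CI job that inherits a stray or attacker-controlled GEM_SOURCE pulls all of puppet, rspec-puppet and the lint plugins from that host. That is the usual mirror hook and not wrong in itself, but the trust assumption should be written down next to it, e.g. `# GEM_SOURCE may point CI at an internal mirror; it must be an https URL you control.` Nothing else in the section changes that picture; the per-Ruby-version pins below only narrow versions.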
39 changes: 30 additions & 9 deletions README.md
Expand Up @@ -37,6 +37,14 @@ only), 1.9.3, 2.0.0, 2.1.0 and 2.3.1 (Puppet v4 only).
* Solaris 10
* Solaris 11

If you use the Sun Solaris SSH, please keep in mind that not all parameters can be used.

Unsupported parameters for ssh_config:
AddressFamily, Tunnel, TunnelDevice, PermitLocalCommand, HashKnownHosts

Unsupported parameters for sshd_config:
KerberosOrLocalPasswd, KerberosTicketCleanup, KerberosGetAFSToken, TCPKeepAlive, ShowPatchLevel, MaxSessions, PermitTunnel

===

# Parameters
Expand All @@ -63,6 +71,8 @@ Note that existing names and addresses in known hosts files will not be converte
but may be manually hashed using ssh-keygen. Use of this option may break facilities such as
tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts.

A value of 'unset' will not add this parameter to the configuration file.

- *Default*: 'USE_DEFAULTS'

ssh_config_path
Expand Down Expand Up @@ -275,7 +285,10 @@ LoginGraceTime option in sshd_config.

sshd_config_challenge_resp_auth
-------------------------------
ChallengeResponseAuthentication option in sshd_config.
ChallengeResponseAuthentication option in sshd_config. RedHat defaults
to setting this to no for EL 5, 6 and 7, though the module will set it
to 'yes'. Suggest setting to 'no' with Hiera on EL systems. This will
default to 'no' for those platforms in the next major release.

- *Default*: 'yes'

Expand Down Expand Up @@ -448,22 +461,29 @@ are sent, death of the connection or crash of one of the machines will be proper
However, this means that connections will die if the route is down temporarily, and some
people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may
hang indefinitely on the server, leaving ``ghost'' users and consuming server resources.
The default is ``yes'' (to send TCP keepalive messages), and the server will notice if the
network goes down or the client host crashes. This avoids infinitely hanging sessions.
A value of 'unset' will not add this parameter to the configuration file.

- *Default*: 'yes'
On Linux the default is set to ``yes'' (to send TCP keepalive messages), and the server will
notice if the network goes down or the client host crashes. This avoids infinitely hanging
sessions.
On Solaris the default is to not add this parameter to the configuration file.

- *Default*: undef

sshd_config_permittunnel
-----------------------
PermitTunnel in sshd_config.
Specifies whether tun(4) device forwarding is allowed. The argument must be
'yes', 'point-to-point' (layer 3), 'ethernet' (layer 2), or 'no'.
Specifying 'yes' permits both 'point-to-point' and 'ethernet'. The
default is 'no'.
Specifies whether tun(4) device forwarding is allowed. The argument must be 'yes',
'point-to-point' (layer 3), 'ethernet' (layer 2), 'no', or 'unset' (parameter not used).
Specifying 'yes' permits both 'point-to-point' and 'ethernet'.
Independent of this setting, the permissions of the selected tun(4) device must
allow access to the user.
A value of 'unset' will not add this parameter to the configuration file.

- *Default*: 'no'
On Linux the default is set to ``no''.
On Solaris the default is to not add this parameter to the configuration file.

- *Default*: undef

sshd_config_ciphers
-------------------
Expand Down Expand Up @@ -516,6 +536,7 @@ Specifies the maximum number of concurrent unauthenticated connections to the SS
sshd_config_maxsessions
-----------------------
Specifies the maximum number of open sessions permitted per network connection.
A value of 'unset' or undef will not add this parameter to the configuration file.

- *Default*: undef

2 changes: 1 addition & 1 deletion Rakefile
Expand Up @@ -5,7 +5,7 @@ PuppetLint.configuration.send('disable_140chars')
PuppetLint.configuration.relative = true
PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"]

desc 'Run puppet in noop mode and check for syntax errors.'
desc 'Validate manifests, templates, and ruby files'
task :validate do
Dir['manifests/**/*.pp'].each do |manifest|
sh "puppet parser validate --noop #{manifest}"
57 changes: 40 additions & 17 deletions manifests/init.pp
Expand Up @@ -109,8 +109,8 @@
$keys = undef,
$manage_root_ssh_config = false,
$root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
$sshd_config_tcp_keepalive = 'yes',
$sshd_config_permittunnel = 'no',
$sshd_config_tcp_keepalive = undef,
$sshd_config_permittunnel = undef,
) {

case $::osfamily {
Expand All @@ -136,6 +136,8 @@
$default_sshd_config_serverkeybits = '1024'
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
}
'Suse': {
$default_packages = 'openssh'
Expand All @@ -157,6 +159,8 @@
$default_sshd_config_serverkeybits = '1024'
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
case $::architecture {
'x86_64': {
if ($::operatingsystem == 'SLES') and ($::operatingsystemrelease =~ /^12\./) {
Expand Down Expand Up @@ -207,6 +211,8 @@
$default_service_hasstatus = true
$default_sshd_config_serverkeybits = '1024'
$default_sshd_addressfamily = 'any'
$default_sshd_config_tcp_keepalive = 'yes'
$default_sshd_config_permittunnel = 'no'
}
'Solaris': {
$default_ssh_config_hash_known_hosts = undef
Expand All @@ -225,6 +231,8 @@
$default_ssh_package_adminfile = undef
$default_sshd_config_hostkey = [ '/etc/ssh/ssh_host_rsa_key' ]
$default_sshd_addressfamily = undef
$default_sshd_config_tcp_keepalive = undef
$default_sshd_config_permittunnel = undef
case $::kernelrelease {
'5.11': {
$default_packages = ['network/ssh',
Expand Down Expand Up @@ -285,10 +293,10 @@
$packages_real = $packages
}

if $ssh_config_hash_known_hosts == 'USE_DEFAULTS' {
$ssh_config_hash_known_hosts_real = $default_ssh_config_hash_known_hosts
} else {
$ssh_config_hash_known_hosts_real = $ssh_config_hash_known_hosts
case $ssh_config_hash_known_hosts {
'unset': { $ssh_config_hash_known_hosts_real = undef }
'USE_DEFAULTS': { $ssh_config_hash_known_hosts_real = $default_ssh_config_hash_known_hosts }
default: { $ssh_config_hash_known_hosts_real = $ssh_config_hash_known_hosts }
}

if $service_name == 'USE_DEFAULTS' {
Expand Down Expand Up @@ -428,7 +436,7 @@
$sshd_config_hostkey_real = $default_sshd_config_hostkey
} else {
validate_array($sshd_config_hostkey)
validate_absolute_path(join($sshd_config_hostkey))
validate_absolute_path($sshd_config_hostkey)
$sshd_config_hostkey_real = $sshd_config_hostkey
}

Expand Down Expand Up @@ -459,6 +467,23 @@
$sshd_addressfamily_real = $sshd_addressfamily
}

case $sshd_config_maxsessions {
'unset', undef: { $sshd_config_maxsessions_integer = undef }
default: { $sshd_config_maxsessions_integer = floor($sshd_config_maxsessions) }
}

case $sshd_config_tcp_keepalive {
'unset': { $sshd_config_tcp_keepalive_real = undef }
undef: { $sshd_config_tcp_keepalive_real = $default_sshd_config_tcp_keepalive }
default: { $sshd_config_tcp_keepalive_real = $sshd_config_tcp_keepalive }
}

case $sshd_config_permittunnel {
'unset': { $sshd_config_permittunnel_real = undef }
undef: { $sshd_config_permittunnel_real = $default_sshd_config_permittunnel }
default: { $sshd_config_permittunnel_real = $sshd_config_permittunnel }
}

# validate params
if $ssh_config_ciphers != undef {
validate_array($ssh_config_ciphers)
Expand All @@ -485,7 +510,7 @@
}

if $ssh_config_hash_known_hosts_real != undef {
validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes', 'no' or 'unset' and is set to <${ssh_config_hash_known_hosts_real}>.")
}
if $sshd_config_permitemptypasswords != undef {
validate_re($sshd_config_permitemptypasswords, '^(yes|no)$', "ssh::sshd_config_permitemptypasswords may be either 'yes' or 'no' and is set to <${sshd_config_permitemptypasswords}>.")
Expand Down Expand Up @@ -582,13 +607,6 @@
"ssh::sshd_config_maxstartups may be either an integer or three integers separated with colons, such as 10:30:100. Detected value is <${sshd_config_maxstartups}>.")
}

if $sshd_config_maxsessions != undef {
$is_int_sshd_config_maxsessions = is_integer($sshd_config_maxsessions)
if $is_int_sshd_config_maxsessions == false {
fail("sshd_config_maxsessions must be an integer. Detected value is ${sshd_config_maxsessions}.")
}
}

if $sshd_config_chrootdirectory != undef {
validate_absolute_path($sshd_config_chrootdirectory)
}
Expand Down Expand Up @@ -781,9 +799,14 @@
validate_array($sshd_config_allowgroups_real)
}

validate_re($sshd_config_tcp_keepalive, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes' or 'no' and is set to <${sshd_config_tcp_keepalive}>.")

validate_re($sshd_config_permittunnel, '^(yes|no|point-to-point|ethernet)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet' or 'no' and is set to <${sshd_config_permittunnel}>.")
if $sshd_config_tcp_keepalive_real != undef {
validate_re($sshd_config_tcp_keepalive_real, '^(yes|no)$', "ssh::sshd_config_tcp_keepalive may be either 'yes', 'no' or 'unset' and is set to <${sshd_config_tcp_keepalive_real}>.")
}

if $sshd_config_permittunnel_real != undef {
validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.")
}

package { $packages_real:
ensure => installed,
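Review bot: The new `case $sshd_config_maxsessions` block drops the `is_integer` check that the same commit deletes further down, and `floor()` is a weaker substitute: a value such as '10.7' is now silently truncated to 10, a negative value passes straight through to MaxSessions, and a non-numeric string surfaces as stdlib's own floor() parse error rather than the module's message, as far as I can tell from how stdlib's floor coerces strings. I would validate before converting, e.g. in the default branch `validate_re("${sshd_config_maxsessions}", '^\d+$', "ssh::sshd_config_maxsessions must be a non-negative integer or 'unset'. Detected value is <${sshd_config_maxsessions}>.")` followed by the existing `floor()` line, so a bad Hiera value fails the catalog instead of reaching sshd_config, where sshd would refuse to start. Separately, the permittunnel regex now lists 'unset' even though 'unset' is already mapped to undef two blocks earlier and the validate_re is skipped for undef, while the tcp_keepalive regex next to it does not list it; make the two consistent by removing the dead alternative. The enclosing class starts and ends outside this section.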
2 changes: 1 addition & 1 deletion metadata.json
@@ -1,6 +1,6 @@
{
"name": "ghoneycutt-ssh",
"version": "3.49.0",
"version": "3.49.1",
"author": "ghoneycutt",
"summary": "Manages SSH",
"license": "Apache-2.0",