Showing with 100 additions and 1 deletion.

+6 −0 .gitignore

+4 −0 CHANGELOG.md

+12 −0 README.md

+23 −0 manifests/init.pp

+1 −1 metadata.json

+48 −0 spec/classes/init_spec.rb

+6 −0 templates/sshd_config.erb
diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,9 @@ coverage/
 spec/fixtures/manifests/*
 spec/fixtures/modules/*
 Gemfile.lock
+
+# JetBrains IDE
+.idea/
+
+# Rbenv
+.ruby-version
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+### v3.51.0 - 2017-05-17
+  * Add params sshd_config_hostcertificate and
+    sshd_config_trustedusercakeys to set HostCertificate and TrustedUserCAKeys.
+
 ### v3.50.0 - 2017-05-08
   * Add param sshd_pubkeyacceptedkeytypes to set PubkeyAcceptedKeyTypes
 

diff --git a/README.md b/README.md
@@ -570,6 +570,18 @@ ssh::sshd_config_match:
     - 'PasswordAuthentication no'
 ```
 
+sshd_config_hostcertificate
+---------------------------
+Absolute path to the OpenSSH Host CA Certificate (HostCertificate) for use with SSH CA validation for Host Certificates.
+
+- *Default*: undefined
+
+sshd_config_trustedusercakeys
+-----------------------------
+Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use with SSH CA Validation for Users or the string 'none'.
+
+- *Default*: undefined
+
 keys
 ----
 Hash of keys for user's ~/.ssh/authorized_keys

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -112,6 +112,8 @@
   $root_ssh_config_content             = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n",
   $sshd_config_tcp_keepalive           = undef,
   $sshd_config_permittunnel            = undef,
+  $sshd_config_hostcertificate         = undef,
+  $sshd_config_trustedusercakeys       = undef,
 ) {
 
   case $::osfamily {
@@ -485,6 +487,16 @@
     default: { $sshd_config_permittunnel_real = $sshd_config_permittunnel }
   }
 
+  case $sshd_config_hostcertificate {
+    'unset', undef: { $sshd_config_hostcertificate_real = undef }
+    default: { $sshd_config_hostcertificate_real = $sshd_config_hostcertificate }
+  }
+
+  case $sshd_config_trustedusercakeys {
+    'unset', undef: { $sshd_config_trustedusercakeys_real = undef }
+    default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
+  }
+
   # validate params
   if $ssh_config_ciphers != undef {
     validate_array($ssh_config_ciphers)
@@ -813,6 +825,17 @@
     validate_re($sshd_config_permittunnel_real, '^(yes|no|point-to-point|ethernet|unset)$', "ssh::sshd_config_permittunnel may be either 'yes', 'point-to-point', 'ethernet', 'no' or 'unset' and is set to <${sshd_config_permittunnel_real}>.")
   }
 
+  if $sshd_config_hostcertificate_real != undef {
+    validate_absolute_path($sshd_config_hostcertificate_real)
+  }
+
+  if $sshd_config_trustedusercakeys_real != undef {
+    # TrustedUserCAKeys may be a path to the keys or 'none'
+    if $sshd_config_trustedusercakeys_real != 'none' {
+      validate_absolute_path($sshd_config_trustedusercakeys_real)
+    }
+  }
+
   package { $packages_real:
     ensure    => installed,
     source    => $ssh_package_source_real,

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.50.0",
+  "version": "3.51.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache-2.0",

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -1015,6 +1015,54 @@
     end
   end
 
+  describe 'sshd_config_hostcertificate param' do
+    ['unset', '/etc/ssh/ssh_host_key-cert.pub'].each do |value|
+      context "set to #{value}" do
+        let (:params) { { :sshd_config_hostcertificate => value } }
+
+        if value == 'unset'
+          it { should contain_file('sshd_config').without_content(/^\s*HostCertificate/) }
+        else
+          it { should contain_file('sshd_config').with_content(/^HostCertificate #{value}/) }
+        end
+      end
+    end
+  end
+
+  context 'with sshd_config_hostcertificate set to invalid value on valid osfamily' do
+    let(:params) { { :sshd_config_hostcertificate => 'invalid' } }
+
+    it 'should fail' do
+      expect {
+        should contain_class('ssh')
+      }.to raise_error(Puppet::Error,/"invalid" is not an absolute path/)
+    end
+  end
+
+  describe 'sshd_config_trustedusercakeys param' do
+    ['unset', '/etc/ssh/authorized_users_ca.pub', 'none'].each do |value|
+      context "set to #{value}" do
+        let (:params) { { :sshd_config_trustedusercakeys => value } }
+
+        if value == 'unset'
+          it { should contain_file('sshd_config').without_content(/^\s*TrustedUserCAKeys/) }
+        else
+          it { should contain_file('sshd_config').with_content(/^TrustedUserCAKeys #{value}/) }
+        end
+      end
+    end
+  end
+
+  context 'with sshd_config_trustedusercakeys set to invalid value on valid osfamily' do
+    let(:params) { { :sshd_config_trustedusercakeys => 'invalid' } }
+
+    it 'should fail' do
+      expect {
+        should contain_class('ssh')
+      }.to raise_error(Puppet::Error,/"invalid" is not an absolute path/)
+    end
+  end
+
   context 'with manage_root_ssh_config set to invalid value on valid osfamily' do
     let(:params) { { :manage_root_ssh_config => 'invalid' } }
 

diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
@@ -254,3 +254,9 @@ Match <%= key %>
 <%     end -%>
 <%   end -%>
 <% end -%>
+<% if @sshd_config_hostcertificate_real -%>
+HostCertificate <%= @sshd_config_hostcertificate_real %>
+<% end -%>
+<% if @sshd_config_trustedusercakeys_real -%>
+TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %>
+<% end -%>