Showing with 73 additions and 2 deletions.

+4 −0 CHANGELOG.md

+13 −0 README.md

+10 −0 manifests/init.pp

+1 −1 metadata.json

+37 −0 spec/classes/init_spec.rb

+8 −1 templates/sshd_config.erb
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+### v3.57.0 - 2017-12-10
+  * Add support for AuthenticationMethods and AllowAgentForwarding
+    options in sshd_config
+
 ### v3.56.1 - 2017-11-20
   * Fix regex bug with `sshd_config_maxstartups`
 

diff --git a/README.md b/README.md
@@ -621,6 +621,13 @@ See `sshd_config(5)` for more details
 
 - *Default*: undefined
 
+sshd_config_allowagentforwarding
+--------------------------------
+AllowAgentForwarding option in sshd_config. Specifies if ssh-agent(1)
+forwarding is permitted. Valid values are 'yes' and 'no'.
+
+- *Default*: undef
+
 config_entries
 --------------
 Hash of config entries for a specific user's ~/.ssh/config. Please check the docs for ssd::config_entry for a list and details of the parameters usable here.
@@ -729,6 +736,12 @@ String for IgnoreUserKnownHosts option in sshd_config. Valid values are 'yes' an
 
 - *Default*: 'no'
 
+sshd_config_authenticationmethods
+-------------------------
+Array of AuthenticationMethods in sshd_config.
+
+- *Default*: undef
+
 sshd_ignorerhosts
 -------------------------
 String for IgnoreRhosts option in sshd_config. Valid values are 'yes' and 'no'. Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication though /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -93,6 +93,7 @@
   $sshd_pubkeyauthentication              = 'yes',
   $sshd_ignoreuserknownhosts              = 'no',
   $sshd_ignorerhosts                      = 'yes',
+  $sshd_config_authenticationmethods      = undef,
   $manage_service                         = true,
   $sshd_addressfamily                     = 'USE_DEFAULTS',
   $service_ensure                         = 'running',
@@ -119,6 +120,7 @@
   $sshd_config_hostcertificate            = undef,
   $sshd_config_trustedusercakeys          = undef,
   $sshd_config_authorized_principals_file = undef,
+  $sshd_config_allowagentforwarding       = undef,
 ) {
 
   case $::osfamily {
@@ -669,6 +671,10 @@
     validate_array($sshd_pubkeyacceptedkeytypes)
   }
 
+  if $sshd_config_authenticationmethods != undef {
+    validate_array($sshd_config_authenticationmethods)
+  }
+
   validate_re($sshd_pubkeyauthentication, '^(yes|no)$', "ssh::sshd_pubkeyauthentication may be either 'yes' or 'no' and is set to <${sshd_pubkeyauthentication}>.")
 
   validate_re($sshd_ignoreuserknownhosts, '^(yes|no)$', "ssh::sshd_ignoreuserknownhosts may be either 'yes' or 'no' and is set to <${sshd_ignoreuserknownhosts}>.")
@@ -866,6 +872,10 @@
     validate_string($sshd_config_authorized_principals_file_real)
   }
 
+  if $sshd_config_allowagentforwarding != undef {
+    validate_re($sshd_config_allowagentforwarding, '^(yes|no)$', "ssh::sshd_config_allowagentforwarding may be either 'yes' or 'no' and is set to <${sshd_config_allowagentforwarding}>.")
+  }
+
   package { $packages_real:
     ensure    => installed,
     source    => $ssh_package_source_real,

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.56.1",
+  "version": "3.57.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache-2.0",

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -419,6 +419,9 @@
                                                    'ssh-ed25519',
                                                    'ssh-rsa',
         ],
+        :sshd_config_authenticationmethods    => [ 'publickey',
+                                                   'keyboard-interactive',
+        ],
         :sshd_pubkeyauthentication            => 'no',
         :sshd_allow_tcp_forwarding            => 'no',
         :sshd_x11_forwarding                  => 'no',
@@ -470,6 +473,7 @@
         :sshd_config_tcp_keepalive            => 'yes',
   :sshd_config_use_privilege_separation => 'no',
         :sshd_config_permittunnel             => 'no',
+        :sshd_config_allowagentforwarding     => 'no',
       }
     end
 
@@ -526,6 +530,7 @@
     it { should contain_file('sshd_config').with_content(/^AuthorizedKeysCommandUser asdf$/) }
     it { should contain_file('sshd_config').with_content(/^HostbasedAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa$/) }
+    it { should contain_file('sshd_config').with_content(/^AuthenticationMethods publickey,keyboard-interactive$/) }
     it { should contain_file('sshd_config').with_content(/^PubkeyAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^IgnoreUserKnownHosts no$/) }
     it { should contain_file('sshd_config').with_content(/^IgnoreRhosts yes$/) }
@@ -1269,6 +1274,26 @@
     end
   end
 
+  describe 'with sshd_config_allowagentforwarding' do
+    ['yes','no'].each do |value|
+      context "set to #{value}" do
+        let(:params) { { 'sshd_config_allowagentforwarding' => value } }
+
+        it { should contain_file('sshd_config').with_content(/^AllowAgentForwarding #{value}$/) }
+      end
+    end
+
+    context 'set to invalid value on valid osfamily' do
+      let(:params) { { :sshd_config_allowagentforwarding => 'invalid' } }
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/ssh::sshd_config_allowagentforwarding may be either \'yes\' or \'no\' and is set to <invalid>\./)
+      end
+    end
+  end
+
 
   context 'with sshd_config_strictmodes set to invalid value on valid osfamily' do
     let(:params) { { :sshd_config_strictmodes => 'invalid' } }
@@ -2401,6 +2426,18 @@
     end
   end
 
+  [true,'invalid'].each do |authenticationmethods|
+    context "with sshd_config_authenticationmethods set to invalid value #{authenticationmethods}" do
+      let(:params) { { :sshd_config_authenticationmethods => authenticationmethods } }
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/is not/)
+      end
+    end
+  end
+
   describe 'with parameter sshd_pubkeyauthentication' do
     ['yes','no'].each do |value|
       context "specified as valid #{value} (as #{value.class})" do

diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
@@ -98,6 +98,9 @@ IgnoreUserKnownHosts <%= @sshd_ignoreuserknownhosts %>
 #IgnoreRhosts yes
 IgnoreRhosts <%= @sshd_ignorerhosts %>
 
+<%- if @sshd_config_authenticationmethods -%>
+AuthenticationMethods <%= @sshd_config_authenticationmethods.join(',') %>
+<%- end -%>
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 PasswordAuthentication <%= @sshd_password_authentication %>
@@ -220,6 +223,10 @@ ChrootDirectory <%= @sshd_config_chrootdirectory %>
 <% if @sshd_config_forcecommand -%>
 ForceCommand <%= @sshd_config_forcecommand %>
 <% end -%>
+<% if @sshd_config_allowagentforwarding != nil -%>
+#AllowAgentForwarding yes
+AllowAgentForwarding <%= @sshd_config_allowagentforwarding %>
+<% end -%>
 
 # no default banner path
 #Banner none
@@ -275,4 +282,4 @@ TrustedUserCAKeys <%= @sshd_config_trustedusercakeys_real %>
 <% end -%>
 <% if @sshd_config_authorized_principals_file_real -%>
 AuthorizedPrincipalsFile <%= @sshd_config_authorized_principals_file_real %>
-<% end -%>
+<% end -%>