Showing with 51 additions and 1 deletion.
  1. +3 −0 CHANGELOG.md
  2. +6 −0 README.md
  3. +12 −0 manifests/init.pp
  4. +1 −1 metadata.json
  5. +26 −0 spec/classes/init_spec.rb
  6. +3 −0 templates/sshd_config.erb
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,6 @@
### v3.58.0 - 2018-10-08
* Add RevokedKeys option to `sshd_config`

### v3.57.1 - 2018-07-27
* Disable ServerkeyBits on RHEL 7.4 and later

6 changes: 6 additions & 0 deletions README.md
Expand Up @@ -613,6 +613,12 @@ Absolute path to the OpenSSH User CA Certificate (TrustedUserCAKeys) for use wit
- *Default*: undefined
sshd_config_key_revocation_list
-----------------------------
Absolute path to a key revocation list (RevokedKeys) for use with SSH CA Validation for Users or the string 'none'.
- *Default*: undefined
sshd_config_authorized_principals_file
--------------------------------------
String path (relative or absolute) to the `authorized_principals` file. Sets the `AuthorizedPrincipalsFile` setting in `sshd_config`
12 changes: 12 additions & 0 deletions manifests/init.pp
Expand Up @@ -119,6 +119,7 @@
$sshd_config_permittunnel = undef,
$sshd_config_hostcertificate = undef,
$sshd_config_trustedusercakeys = undef,
$sshd_config_key_revocation_list = undef,
$sshd_config_authorized_principals_file = undef,
$sshd_config_allowagentforwarding = undef,
) {
Expand Down Expand Up @@ -508,6 +509,11 @@
default: { $sshd_config_trustedusercakeys_real = $sshd_config_trustedusercakeys }
}

case $sshd_config_key_revocation_list {
'unset', undef: { $sshd_config_key_revocation_list_real = undef }
default: { $sshd_config_key_revocation_list_real = $sshd_config_key_revocation_list }
}

case $sshd_config_authorized_principals_file {
'unset', undef: { $sshd_config_authorized_principals_file_real = undef }
default: { $sshd_config_authorized_principals_file_real = $sshd_config_authorized_principals_file }
Expand Down Expand Up @@ -871,6 +877,12 @@
validate_absolute_path($sshd_config_trustedusercakeys_real)
}
}
if $sshd_config_key_revocation_list_real != undef {
# RevokedKeys may be a path to the key revocation list or 'none'
if $sshd_config_key_revocation_list_real != 'none' {
validate_absolute_path($sshd_config_key_revocation_list)
}
}

if $sshd_config_authorized_principals_file_real != undef {
validate_string($sshd_config_authorized_principals_file_real)
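Review bot: The validate_absolute_path call in the last hunk checks the raw `$sshd_config_key_revocation_list` rather than `$sshd_config_key_revocation_list_real`, while the sibling trustedusercakeys check just above it validates the `_real` variable; the result is the same here because `_real` carries the raw value whenever it is not undef, but the asymmetry reads like a slip, so make it `validate_absolute_path($sshd_config_key_revocation_list_real)`. The check also only proves the string is an absolute path, not that the file exists or is readable, and if I recall sshd_config(5) correctly an unreadable RevokedKeys file makes sshd refuse public key authentication for all users, so a typo here is a lockout rather than a no-op; I would extend the comment: `# only the path shape is validated; sshd refuses pubkey auth for everyone if the file is unreadable`. The enclosing class body starts and ends outside these hunks.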
2 changes: 1 addition & 1 deletion metadata.json
@@ -1,6 +1,6 @@
{
"name": "ghoneycutt-ssh",
"version": "3.57.1",
"version": "3.58.0",
"author": "ghoneycutt",
"summary": "Manages SSH",
"license": "Apache-2.0",
26 changes: 26 additions & 0 deletions spec/classes/init_spec.rb
Expand Up @@ -488,6 +488,7 @@
:sshd_config_use_privilege_separation => 'no',
:sshd_config_permittunnel => 'no',
:sshd_config_allowagentforwarding => 'no',
:sshd_config_key_revocation_list => '/path/to/revocation_list',
}
end

Expand Down Expand Up @@ -562,6 +563,7 @@
it { should contain_file('sshd_config').with_content(/^TCPKeepAlive yes$/) }
it { should contain_file('sshd_config').with_content(/^UsePrivilegeSeparation no$/) }
it { should contain_file('sshd_config').with_content(/^PermitTunnel no$/) }
it { should contain_file('sshd_config').with_content(/^RevokedKeys \/path\/to\/revocation_list$/) }

it {
should contain_file('sshd_banner').with({
Expand Down Expand Up @@ -1088,6 +1090,30 @@
end
end

describe 'sshd_config_key_revocation_list param' do
['/path/to','unset'].each do |value|
context "set to #{value}" do
let (:params) { { :sshd_config_key_revocation_list => value } }

if value == 'unset'
it { should contain_file('sshd_config').without_content(/^\s*RevokedKeys/) }
else
it { should contain_file('sshd_config').with_content(/^RevokedKeys #{value}$/) }
end
end
end

context 'when set to an invalid value' do
let (:params) { { :sshd_config_key_revocation_list => 'invalid' } }

it 'should fail' do
expect {
should contain_class('ssh')
}.to raise_error(Puppet::Error,/while evaluating a Function Call|is not an absolute path/)
end
end
end

describe 'sshd_config_hostcertificate param' do
context 'unset value' do
let(:params) { { :sshd_config_hostcertificate => 'unset' } }
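Review bot: The new `describe 'sshd_config_key_revocation_list param'` block covers '/path/to' and 'unset' but not 'none', which is the one value the manifest deliberately exempts from validate_absolute_path and the README documents; without it a regression in that branch would pass the suite. Adding it to the array pins the template output as well: `['/path/to', 'none', 'unset'].each do |value|`, since the existing with_content assertion already expects `^RevokedKeys #{value}$`. As a point of style, the two `let (:params)` lines use a space before the parenthesis whereas the surrounding file writes `let(:params)` (see the hostcertificate context below), so they should match.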
3 changes: 3 additions & 0 deletions templates/sshd_config.erb
Expand Up @@ -261,6 +261,9 @@ AllowUsers <%= @sshd_config_allowusers_real.join(' ') %>
<% if @sshd_config_allowgroups_real != [] -%>
AllowGroups <%= @sshd_config_allowgroups_real.join(' ') %>
<% end -%>
<% if @sshd_config_key_revocation_list_real -%>
RevokedKeys <%= @sshd_config_key_revocation_list_real %>
<% end -%>
<% if @sshd_config_match -%>
<% @sshd_config_match.sort.each do |key, hash| -%>