CHANGELOG.md

@@ -1,3 +1,8 @@
+### v3.60.0 - 2019-04-29
+  * Support Debian 9
+  * Add ability for IPv6 addresses to be exported as part of the sshkey
+      for the FQDN.
+
 ### v3.59.1 - 2019-02-28
   * Put Match block at end of sshd_config
 

README.md

@@ -27,6 +27,7 @@ latest Puppet v3, v3 with future parser, v4, v5 and v6.  See `.travis.yml`
 for the exact matrix of supported Puppet and ruby versions.
 
  * Debian 7
+ * Debian 9
  * EL 5
  * EL 6
  * EL 7

manifests/init.pp

@@ -193,41 +193,90 @@
       }
     }
     'Debian': {
-      # Ubuntu 16.04
-      if $::operatingsystemrelease == '16.04' {
-        $default_sshd_config_hostkey             = [
-          '/etc/ssh/ssh_host_rsa_key',
-          '/etc/ssh/ssh_host_dsa_key',
-          '/etc/ssh/ssh_host_ecdsa_key',
-          '/etc/ssh/ssh_host_ed25519_key',
-        ]
-        $default_ssh_config_hash_known_hosts     = 'yes'
-        $default_sshd_config_xauth_location      = undef
-      } else {
-        $default_sshd_config_hostkey             = [ '/etc/ssh/ssh_host_rsa_key' ]
-        $default_ssh_config_hash_known_hosts     = 'no'
-        $default_sshd_config_xauth_location      = '/usr/bin/xauth'
-      }
+      # common for debian and ubuntu
       $default_packages                        = ['openssh-server',
                                                   'openssh-client']
       $default_service_name                    = 'ssh'
-      $default_ssh_config_forward_x11_trusted  = 'yes'
-      $default_ssh_package_source              = undef
-      $default_ssh_package_adminfile           = undef
-      $default_ssh_sendenv                     = true
-      $default_sshd_config_subsystem_sftp      = '/usr/lib/openssh/sftp-server'
-      $default_sshd_config_mode                = '0600'
-      $default_sshd_config_use_dns             = 'yes'
-      $default_sshd_use_pam                    = 'yes'
-      $default_sshd_gssapikeyexchange          = undef
-      $default_sshd_pamauthenticationviakbdint = undef
-      $default_sshd_gssapicleanupcredentials   = 'yes'
-      $default_sshd_acceptenv                  = true
-      $default_service_hasstatus               = true
-      $default_sshd_config_serverkeybits       = '1024'
-      $default_sshd_addressfamily              = 'any'
-      $default_sshd_config_tcp_keepalive       = 'yes'
-      $default_sshd_config_permittunnel        = 'no'
+
+      case $::operatingsystemrelease {
+        '16.04': {
+          $default_sshd_config_hostkey = [
+            '/etc/ssh/ssh_host_rsa_key',
+            '/etc/ssh/ssh_host_dsa_key',
+            '/etc/ssh/ssh_host_ecdsa_key',
+            '/etc/ssh/ssh_host_ed25519_key',
+          ]
+          $default_ssh_config_hash_known_hosts        = 'yes'
+          $default_sshd_config_xauth_location         = undef
+          $default_ssh_config_forward_x11_trusted     = 'yes'
+          $default_ssh_package_source                 = undef
+          $default_ssh_package_adminfile              = undef
+          $default_ssh_sendenv                        = true
+          $default_sshd_config_subsystem_sftp         = '/usr/lib/openssh/sftp-server'
+          $default_sshd_config_mode                   = '0600'
+          $default_sshd_config_use_dns                = 'yes'
+          $default_sshd_use_pam                       = 'yes'
+          $default_sshd_gssapikeyexchange             = undef
+          $default_sshd_pamauthenticationviakbdint    = undef
+          $default_sshd_gssapicleanupcredentials      = 'yes'
+          $default_sshd_acceptenv                     = true
+          $default_service_hasstatus                  = true
+          $default_sshd_config_serverkeybits          = '1024'
+          $default_sshd_addressfamily                 = 'any'
+          $default_sshd_config_tcp_keepalive          = 'yes'
+          $default_sshd_config_permittunnel           = 'no'
+        }
+        /^9.*/: {
+          $default_sshd_config_hostkey = [
+            '/etc/ssh/ssh_host_rsa_key',
+            '/etc/ssh/ssh_host_ecdsa_key',
+            '/etc/ssh/ssh_host_ed25519_key',
+          ]
+          $default_sshd_config_mode                = '0600'
+          $default_sshd_use_pam                    = 'yes'
+          $default_ssh_config_forward_x11_trusted  = 'yes'
+          $default_sshd_acceptenv                  = true
+          $default_sshd_config_subsystem_sftp      = '/usr/lib/openssh/sftp-server'
+          $default_ssh_config_hash_known_hosts     = 'yes'
+          $default_ssh_sendenv                     = true
+          $default_sshd_addressfamily              = undef
+          $default_sshd_config_serverkeybits       = undef
+          $default_sshd_gssapicleanupcredentials   = undef
+          $default_sshd_config_use_dns             = undef
+          $default_sshd_config_xauth_location      = undef
+          $default_sshd_config_permittunnel        = undef
+          $default_sshd_config_tcp_keepalive       = undef
+          $default_ssh_package_source              = undef
+          $default_ssh_package_adminfile           = undef
+          $default_sshd_gssapikeyexchange          = undef
+          $default_sshd_pamauthenticationviakbdint = undef
+          $default_service_hasstatus               = true
+        }
+        /^[7-8].*/: {
+          # this is debian 7 conf file and suppose to work with debian 8
+          $default_sshd_config_hostkey             = [ '/etc/ssh/ssh_host_rsa_key' ]
+          $default_ssh_config_hash_known_hosts     = 'no'
+          $default_sshd_config_xauth_location      = '/usr/bin/xauth'
+          $default_ssh_config_forward_x11_trusted  = 'yes'
+          $default_ssh_package_source              = undef
+          $default_ssh_package_adminfile           = undef
+          $default_ssh_sendenv                     = true
+          $default_sshd_config_subsystem_sftp      = '/usr/lib/openssh/sftp-server'
+          $default_sshd_config_mode                = '0600'
+          $default_sshd_config_use_dns             = 'yes'
+          $default_sshd_use_pam                    = 'yes'
+          $default_sshd_gssapikeyexchange          = undef
+          $default_sshd_pamauthenticationviakbdint = undef
+          $default_sshd_gssapicleanupcredentials   = 'yes'
+          $default_sshd_acceptenv                  = true
+          $default_service_hasstatus               = true
+          $default_sshd_config_serverkeybits       = '1024'
+          $default_sshd_addressfamily              = 'any'
+          $default_sshd_config_tcp_keepalive       = 'yes'
+          $default_sshd_config_permittunnel        = 'no'
+        }
+        default: { fail ("Operating System : ${::operatingsystemrelease} not supported") }
+      }
     }
     'Solaris': {
       $default_ssh_config_hash_known_hosts     = undef
@@ -974,10 +1023,18 @@
     }
   }
 
+  # If either IPv4 or IPv6 stack is not configured on the agent, the
+  # corresponding $::ipaddress(6)? fact is not present. So, we cannot assume
+  # these variables are defined. Getvar (Stdlib 4.13+, ruby 1.8.7+) handles
+  # this correctly.
+  if getvar('::ipaddress') and getvar('::ipaddress6') { $host_aliases = [$::hostname, $::ipaddress, $::ipaddress6] }
+  elsif getvar('::ipaddress6') { $host_aliases = [$::hostname, $::ipaddress6] }
+  else { $host_aliases = [$::hostname, $::ipaddress] }
+
   # export each node's ssh key
   @@sshkey { $::fqdn :
     ensure       => $ssh_key_ensure,
-    host_aliases => [$::hostname, $::ipaddress],
+    host_aliases => $host_aliases,
     type         => $ssh_key_type,
     key          => $key,
   }

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.59.1",
+  "version": "v3.60.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache-2.0",
@@ -10,14 +10,15 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 3.0.0 < 7.0.0"
+      "version_requirement": ">= 3.8.7 < 7.0.0"
     }
   ],
   "operatingsystem_support": [
     {
       "operatingsystem": "Debian",
       "operatingsystemrelease": [
-        "7"
+        "7",
+        "9"
       ]
     },
     {

spec/classes/init_spec.rb

@@ -45,6 +45,19 @@
       :sshd_config_fixture    => 'sshd_config_debian',
       :ssh_config_fixture     => 'ssh_config_debian',
     },
+    'Debian-9' => {
+      :architecture           => 'x86_64',
+      :osfamily               => 'Debian',
+      :operatingsystemrelease => '9',
+      :ssh_version            => 'OpenSSH_7.4p1',
+      :ssh_version_numeric    => '7.4',
+      :ssh_packages           => ['openssh-server', 'openssh-client'],
+      :sshd_config_mode       => '0600',
+      :sshd_service_name      => 'ssh',
+      :sshd_service_hasstatus => true,
+      :sshd_config_fixture    => 'sshd_config_debian9',
+      :ssh_config_fixture     => 'ssh_config_debian9',
+    },
     'RedHat-5' => {
       :architecture           => 'x86_64',
       :osfamily               => 'RedHat',
@@ -311,6 +324,32 @@
       }
 
       it { should have_ssh__config_entry_resource_count(0) }
+
+      context 'with exported sshkey resources' do
+        subject { exported_resources}
+        context 'With only IPv4 address' do
+          let(:facts) { default_facts.merge( facts )}
+          it { should contain_sshkey('monkey.example.com').with(
+            'ensure' => 'present',
+            'host_aliases' => ['monkey', '127.0.0.1']
+          )}
+        end
+        context 'With dual stack IP' do
+          let(:facts) { default_facts.merge({ :ipaddress6 => 'dead:beef::1/64' }) }
+          it { should contain_sshkey('monkey.example.com').with(
+            'ensure' => 'present',
+            'host_aliases' => ['monkey', '127.0.0.1', 'dead:beef::1/64']
+          )}
+        end
+        context 'With only IPv6 address' do
+          let(:facts) { default_facts.merge({ :ipaddress6 => 'dead:beef::1/64', :ipaddress => nil }) }
+          it { should contain_sshkey('monkey.example.com').with(
+            'ensure' => 'present',
+            'host_aliases' => ['monkey', 'dead:beef::1/64']
+          )}
+        end
+      end
+
     end
   end
 

spec/fixtures/ssh_config_debian9

@@ -0,0 +1,61 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+
+# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
+
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+# Host *
+#   ForwardAgent no
+#   ForwardX11 no
+#   RhostsRSAAuthentication no
+#   RSAAuthentication yes
+   PasswordAuthentication yes
+   PubkeyAuthentication yes
+#   HostbasedAuthentication no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/identity
+   IdentityFile ~/.ssh/id_rsa
+   IdentityFile ~/.ssh/id_dsa
+#   Port 22
+   Protocol 2
+#   Cipher 3des
+#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   HashKnownHosts no
+   HashKnownHosts yes
+   GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
+Host *
+#  GSSAPIAuthentication yes
+  GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+  ForwardX11Trusted yes
+  UseRoaming no
+# Send locale-related environment variables
+  SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+  SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+  SendEnv LC_IDENTIFICATION LC_ALL