-rw-r--r-- | .fixtures.yml | 3 | ||||
-rw-r--r-- | .gitignore | 4 | ||||
-rw-r--r-- | .rspec | 4 | ||||
-rw-r--r-- | .travis.yml | 27 | ||||
-rw-r--r-- | Gemfile | 14 | ||||
-rw-r--r-- | Gemfile.lock | 116 | ||||
-rw-r--r-- | Modulefile | 10 | ||||
-rw-r--r-- | Puppetfile | 3 | ||||
-rw-r--r-- | Puppetfile.lock | 8 | ||||
-rw-r--r-- | README | 246 | ||||
-rw-r--r-- | README.md | 235 | ||||
-rw-r--r-- | Rakefile | 16 | ||||
-rw-r--r-- | files/modules_dir/.ignore | 0 | ||||
-rw-r--r-- | lib/puppet/parser/functions/ssh_keygen.rb | 4 | ||||
-rw-r--r-- | manifests/base.pp | 6 | ||||
-rw-r--r-- | manifests/client/base.pp | 7 | ||||
-rw-r--r-- | manifests/debian.pp | 12 | ||||
-rw-r--r-- | manifests/init.pp | 12 | ||||
-rw-r--r-- | manifests/openbsd.pp | 8 | ||||
-rw-r--r-- | spec/classes/client_spec.rb | 42 | ||||
-rw-r--r-- | spec/classes/init_spec.rb | 122 | ||||
-rw-r--r-- | spec/defines/ssh_authorized_key_spec.rb | 45 | ||||
-rw-r--r-- | spec/functions/ssh_keygen_spec.rb (renamed from spec/unit/parser/functions/ssh_keygen.rb) | 74 | ||||
-rw-r--r-- | spec/spec.opts | 6 | ||||
-rw-r--r-- | spec/spec_helper.rb | 29 | ||||
-rw-r--r-- | spec/spec_helper_system.rb | 25 | ||||
-rw-r--r-- | templates/sshd_config/CentOS.erb | 44 | ||||
l---------[-rw-r--r--] | templates/sshd_config/CentOS_Final.erb | 155 |
28 files changed, 790 insertions, 487 deletions
diff --git a/.fixtures.yml b/.fixtures.yml
new file mode 100644
index 0000000..42598a6
--- /dev/null
+++ b/.fixtures.yml
@@ -0,0 +1,3 @@
+fixtures:
+ symlinks:
+ sshd: "#{source_dir}"
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5ebb01f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.librarian/*
+.tmp/*
+*.log
+spec/fixtures/*
@@ -0,0 +1,4 @@
+--format documentation
+--color
+--pattern "spec/*/*_spec.rb"
+#--backtrace
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..7bd2a2b
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,27 @@
+before_install:
+ - gem update --system 2.1.11
+ - gem --version
+rvm:
+ - 1.8.7
+ - 1.9.3
+ - 2.0.0
+script: 'bundle exec rake spec'
+env:
+ - PUPPET_VERSION="~> 2.7.0"
+ - PUPPET_VERSION="~> 3.0.0"
+ - PUPPET_VERSION="~> 3.1.0"
+ - PUPPET_VERSION="~> 3.2.0"
+ - PUPPET_VERSION="~> 3.3.0"
+ - PUPPET_VERSION="~> 3.4.0"
+matrix:
+ exclude:
+ # No support for Ruby 1.9 before Puppet 2.7
+ - rvm: 1.9.3
+ env: PUPPET_VERSION=2.6.0
+ # No support for Ruby 2.0 before Puppet 3.2
+ - rvm: 2.0.0
+ env: PUPPET_VERSION="~> 2.7.0"
+ - rvm: 2.0.0
+ env: PUPPET_VERSION="~> 3.0.0"
+ - rvm: 2.0.0
+ env: PUPPET_VERSION="~> 3.1.0"
@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+group :development, :test do
+ gem 'puppet', '>= 2.7.0'
+ gem 'puppet-lint', '>=0.3.2'
+ gem 'puppetlabs_spec_helper', '>=0.2.0'
+ gem 'rake', '>=0.9.2.2'
+ gem 'librarian-puppet', '>=0.9.10'
+ gem 'rspec-system-puppet', :require => false
+ gem 'serverspec', :require => false
+ gem 'rspec-system-serverspec', :require => false
+ gem 'rspec-hiera-puppet'
+ gem 'rspec-puppet', :git => 'https://github.com/rodjek/rspec-puppet.git'
+end
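Review bot: The last `gem` entry in the Gemfile hunk, `gem 'rspec-puppet', :git => 'https://github.com/rodjek/rspec-puppet.git'`, pulls test code from a git URL with no `:ref`, `:tag` or `:branch`, so the version is only fixed while Gemfile.lock is honoured; a `bundle update` or a checkout without the lock resolves to whatever that repository's HEAD is at the time. Pin it to the revision the lock already records, `gem 'rspec-puppet', :git => 'https://github.com/rodjek/rspec-puppet.git', :ref => 'c44381a240ec420d4ffda7bffc55ee4d9c08d682'`, or depend on a released gem version. The other entries carry only `>=` lower bounds, which is acceptable for a development/test group as long as the lock stays committed.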
\ No newline at end of file
diff --git a/Gemfile.lock b/Gemfile.lock
new file mode 100644
index 0000000..0c2c58e
--- /dev/null
+++ b/Gemfile.lock
@@ -0,0 +1,116 @@ +GIT + remote: https://github.com/rodjek/rspec-puppet.git + revision: c44381a240ec420d4ffda7bffc55ee4d9c08d682 + specs: + rspec-puppet (1.0.1) + rspec + +GEM + remote: https://rubygems.org/ + specs: + builder (3.2.2) + diff-lcs (1.2.5) + excon (0.31.0) + facter (1.7.4) + fog (1.19.0) + builder + excon (~> 0.31.0) + formatador (~> 0.2.0) + mime-types + multi_json (~> 1.0) + net-scp (~> 1.1) + net-ssh (>= 2.1.3) + nokogiri (~> 1.5) + ruby-hmac + formatador (0.2.4) + hiera (1.3.1) + json_pure + hiera-puppet (1.0.0) + hiera (~> 1.0) + highline (1.6.20) + json (1.8.1) + json_pure (1.8.1) + kwalify (0.7.2) + librarian-puppet (0.9.10) + json + thor (~> 0.15) + metaclass (0.0.2) + mime-types (1.25.1) + mocha (1.0.0) + metaclass (~> 0.0.1) + multi_json (1.8.4) + net-scp (1.1.2) + net-ssh (>= 2.6.5) + net-ssh (2.7.0) + nokogiri (1.5.11) + puppet (3.4.2) + facter (~> 1.6) + hiera (~> 1.0) + rgen (~> 0.6.5) + puppet-lint (0.3.2) + puppetlabs_spec_helper (0.4.1) + mocha (>= 0.10.5) + rake + rspec (>= 2.9.0) + rspec-puppet (>= 0.1.1) + rake (10.1.1) + rbvmomi (1.8.1) + builder + nokogiri (>= 1.4.1) + trollop + rgen (0.6.6) + rspec (2.14.1) + rspec-core (~> 2.14.0) + rspec-expectations (~> 2.14.0) + rspec-mocks (~> 2.14.0) + rspec-core (2.14.7) + rspec-expectations (2.14.4) + diff-lcs (>= 1.1.3, < 2.0) + rspec-hiera-puppet (1.0.0) + hiera (>= 1.0) + hiera-puppet (>= 1.0) + puppet (>= 3.0) + rspec + rspec-puppet + rspec-mocks (2.14.4) + rspec-system (2.8.0) + fog (~> 1.18) + kwalify (~> 0.7.2) + mime-types (~> 1.16) + net-scp (~> 1.1) + net-ssh (~> 2.7) + nokogiri (~> 1.5.10) + rbvmomi (~> 1.6) + rspec (~> 2.14) + systemu (~> 2.5) + rspec-system-puppet (2.2.1) + rspec-system (~> 2.0) + rspec-system-serverspec (2.0.1) + rspec-system (~> 2.0) + serverspec (~> 0.0) + specinfra (~> 0.0) + ruby-hmac (0.4.0) + serverspec (0.14.4) + highline + net-ssh + rspec (>= 2.13.0) + specinfra (>= 0.1.0) + specinfra (0.4.1) + systemu (2.6.0) + thor (0.18.1) + trollop (2.0) + 
+PLATFORMS + ruby + +DEPENDENCIES + librarian-puppet (>= 0.9.10) + puppet (>= 2.7.0) + puppet-lint (>= 0.3.2) + puppetlabs_spec_helper (>= 0.2.0) + rake (>= 0.9.2.2) + rspec-hiera-puppet + rspec-puppet! + rspec-system-puppet + rspec-system-serverspec + serverspec diff --git a/Modulefile b/Modulefile new file mode 100644 index 0000000..5e4f92d --- /dev/null +++ b/Modulefile @@ -0,0 +1,10 @@ +name 'puppet-sshd' +version '0.1.0' +source 'https://github.com/duritong/puppet-sshd' +author 'duritong' +license 'Apache License, Version 2.0' +summary 'ssh daemon configuration' +description 'Manages sshd_config' +project_page 'https://github.com/duritong/puppet-sshd' + +dependency 'puppetlabs/stdlib', '>= 2.0.0'
\ No newline at end of file
diff --git a/Puppetfile b/Puppetfile
new file mode 100644
index 0000000..166d3b4
--- /dev/null
+++ b/Puppetfile
@@ -0,0 +1,3 @@
+forge 'http://forge.puppetlabs.com'
+
+mod 'puppetlabs/stdlib', '>=2.0.0'
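Review bot: `forge 'http://forge.puppetlabs.com'` fetches modules over plain HTTP, and the Rakefile in this same commit wires `librarian-puppet install` into `spec_prep`, so every test run downloads stdlib unauthenticated and an on-path attacker could substitute the tarball that lands under spec/fixtures/modules. Use `forge 'https://forge.puppetlabs.com'` and regenerate Puppetfile.lock so its `remote:` line matches. Puppetfile.lock pins stdlib 4.1.0 for tests while Modulefile only requires `>= 2.0.0`; that gap is worth a line in README.md so users know which stdlib the module is actually tested against.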
\ No newline at end of file diff --git a/Puppetfile.lock b/Puppetfile.lock new file mode 100644 index 0000000..f938185 --- /dev/null +++ b/Puppetfile.lock @@ -0,0 +1,8 @@ +FORGE + remote: http://forge.puppetlabs.com + specs: + puppetlabs/stdlib (4.1.0) + +DEPENDENCIES + puppetlabs/stdlib (>= 2.0.0) + 
@@ -1,246 +0,0 @@ -Introduction -============ - -This puppet module manages OpenSSH configuration and services. - -!! Upgrade Notice (01/2013) !! - -This module now uses parameterized classes, where it used global variables -before. So please whatch out before pulling, you need to change the -class declarations in your manifest ! - - -Dependencies ------------- - -This module requires puppet => 2.6, and the following modules are required -pre-dependencies: - -- shared-common: git://labs.riseup.net/shared-common -- shared-lsb: git://labs.riseup.net/shared-lsb - -OpenSSH Server -============== - -On a node where you wish to have an openssh server installed, you should -'include sshd' on that node. If you need to configure any aspects of -sshd_config, set the variables before the include. See 'Configurable Variables' -below for what you can set. - -Nagios ------- - -To have nagios checks setup automatically for sshd services, simply set -manage_nagios to true for that class. If you want to disable ssh -nagios checking for a particular node (such as when ssh is firewalled), then you -can set the class parameter nagios_check_ssh to false and that node will not bei -monitored. - -Nagios will automatically check the ports defined in $sshd::ports, and the -hostname specified by $nagios_check_ssh_hostname. - -NOTE: this requires that you are using the shared-nagios puppet module which -supports the nagios native types via nagios::service: -git://labs.riseup.net/shared-nagios - -Firewall --------- - -If you wish to have firewall rules setup automatically for you, using shorewall, -you will need to set: $use_shorewall = true. The $sshd_ports that you have -specified will automatically be used. 
- -NOTE: This requires that you are using the shared-shorewall puppet module: -git://labs.riseup.net/shared-shorewall - - -Configurable variables ----------------------- - -Configuration of sshd is strict, and may not fit all needs, however there are a -number of variables that you can consider configuring. The defaults are set to -the distribution shipped sshd_config file defaults. - -To set any of these variables, simply set them as variables in your manifests, -before the class is included, for example: - - $sshd_listen_address = ['10.0.0.1 192.168.0.1'] - $sshd_use_pam = yes - include sshd - -If you need to install a version of the ssh daemon or client package other than -the default one that would be installed by 'ensure => installed', then you can -set the following variables: - - $sshd_ensure_version = "1:5.2p2-6" - $ssh_ensure_version = "1:5.2p2-6" - -The following is a list of the currently available variables: - - $sshd_listen_address - specify the addresses sshd should listen on set this to ['10.0.0.1 - 192.168.0.1'] to have it listen on both addresses, or leave it unset to - listen on all Default: empty -> results in listening on 0.0.0.0 - - $sshd_allowed_users - list of usernames separated by spaces. set this for example to "foobar - root" to ensure that only user foobar and root might login. Default: empty - -> no restriction is set - - $sshd_allowed_groups - list of groups separated by spaces. set this for example to "wheel sftponly" - to ensure that only users in the groups wheel and sftponly might login. - Default: empty -> no restriction is set Note: This is set after - sshd_allowed_users, take care of the behaviour if you use these 2 options - together. - - $sshd_use_pam - if you want to use pam or not for authenticaton. Values: no or yes; Default: - no - - $sshd_permit_root_login - If you want to allow root logins or not. 
Valid values: yes, no, - without-password, forced-commands-only; Default: without-password - - $sshd_password_authentication - If you want to enable password authentication or not. Valid values: yes or - no; Default: no - - $sshd_kerberos_authentication - If you want the password that is provided by the user to be validated - through the Kerberos KDC. To use this option the server needs a Kerberos - servtab which allows the verification of the KDC's identity. Valid values: - yes or no; Default: no - - $sshd_kerberos_orlocalpasswd - If password authentication through Kerberos fails, then the password will be - validated via any additional local mechanism. Valid values: yes or no; - Default: yes - - $sshd_kerberos_ticketcleanup - Destroy the user's ticket cache file on logout? Valid values: yes or no; - Default: yes - - $sshd_gssapi_authentication - Authenticate users based on GSSAPI? Valid values: yes or no; Default: no - - $sshd_gssapi_cleanupcredentials - Destroy user's credential cache on logout? Valid values: yes or no; Default: - yes - - $sshd_challenge_response_authentication - If you want to enable ChallengeResponseAuthentication or not When disabled, - s/key passowords are disabled Valid values: yes or no; Default: no - - $sshd_tcp_forwarding - If you want to enable TcpForwarding. Valid Values: yes or no; Default: no - - $sshd_x11_forwarding - If you want to enable x11 forwarding. Valid Values: yes or no; Default: no - - $sshd_agent_forwarding - If you want to allow ssh-agent forwarding. Valid Values: yes or no; Default: - no - - $sshd_pubkey_authentication - If you want to enable public key authentication. Valid Values: yes or no; - Default: yes - - $sshd_rsa_authentication - If you want to enable RSA Authentication. Valid Values: yes or no; Default: - no - - $sshd_rhosts_rsa_authentication - If you want to enable rhosts RSA Authentication. 
Valid Values: yes or no; - Default: no - - $sshd_hostbased_authentication - If you want to enable HostbasedAuthentication. Valid Values: yes or no; - Default: no - - $sshd_strict_modes - If you want to set StrictModes (check file modes/ownership before accepting - login). Valid Values: yes or no; Default: yes - - $sshd_permit_empty_passwords - If you want enable PermitEmptyPasswords to allow empty passwords. Valid - Values: yes or no; Default: no - - $sshd_port - Deprecated, use sshd_ports instead. - - $sshd_ports - If you want to specify a list of ports other than the default 22; Default: - [22] - - $sshd_authorized_keys_file - Set this to the location of the AuthorizedKeysFile - (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile - %h/.ssh/authorized_keys - - $sshd_hardened_ssl - Use only strong SSL ciphers and MAC. - Values: no or yes; Default: no. - - $sshd_print_motd - Show the Message of the day when a user logs in. - - $sshd_sftp_subsystem - Set a different sftp-subystem than the default one. Might be interesting for - sftponly usage. Default: empty -> no change of the default - - $sshd_head_additional_options - Set this to any additional sshd_options which aren't listed above. Anything - set here will be added to the beginning of the sshd_config file. This option - might be useful to define complicated Match Blocks. This string is going to - be included, like it is defined. So take care! Default: empty -> not added. - - $sshd_tail_additional_options - - Set this to any additional sshd_options which aren't listed above. Anything - set here will be added to the end of the sshd_config file. This option might - be useful to define complicated Match Blocks. This string is going to be - included, like it is defined. So take care! Default: empty -> not added. - - $sshd_shared_ip - Whether the server uses a shared network IP address. If it does, then we - don't want it to export an rsa key for its IP address. 
- Values: no or yes; Default: no - - -Defines and functions ---------------------- - -Deploy authorized_keys file with the define sshd::ssh_authorized_key. - -Generate a public/private keypair with the ssh_keygen function. For example, the -following will generate ssh keys and put the different parts of the key into -variables: - -$ssh_keys = ssh_keygen("${$ssh_key_basepath}/backup/keys/${::fqdn}/${backup_host}") -$public_key = split($ssh_keys[1],' ') -$sshkey_type => $public_key[0] -$sshkey => $public_key[1] - - -Client -====== - -On a node where you wish to have the ssh client managed, you can do 'include -sshd::client' in the node definition. This will install the appropriate package. - - -License -======= - -# Copyright 2008-2011, Riseup Labs micah@riseup.net -# Copyright 2008, admin(at)immerda.ch -# Copyright 2008, Puzzle ITC GmbH -# Marcel Härry haerry+puppet(at)puzzle.ch -# Simon Josi josi+puppet(at)puzzle.ch -# -# This program is free software; you can redistribute -# it and/or modify it under the terms of the GNU -# General Public License version 3 as published by -# the Free Software Foundation. -# diff --git a/README.md b/README.md new file mode 100644 index 0000000..0ae195e --- /dev/null +++ b/README.md 
@@ -0,0 +1,235 @@ +# Puppet SSH Module + +[![Build Status](https://travis-ci.org/duritong/puppet-sshd.png?branch=master)](https://travis-ci.org/duritong/puppet-sshd) + +This puppet module manages OpenSSH configuration and services. + +**!! Upgrade Notice (01/2013) !!** + +This module now uses parameterized classes, where it used global variables +before. So please whatch out before pulling, you need to change the +class declarations in your manifest ! + + +### Dependencies + +This module requires puppet => 2.6, and the following modules are required +pre-dependencies: + +- [puppetlabs/stdlib](https://github.com/puppetlabs/puppetlabs-stdlib) >= 2.x + +## OpenSSH Server + +On a node where you wish to have an openssh server installed, you should +include + +```puppet +class { 'sshd': } +``` + +on that node. If you need to configure any aspects of sshd_config, set the variables before the include. Or you can adjust many parameters: + +```puppet +class { 'sshd': + ports => [ 20002 ], + permit_root_login => 'no', +} +``` + +See Configurable Variables below for what you can set. + +### Nagios + +To have nagios checks setup automatically for sshd services, simply set +`manage_nagios` to `true` for that class. If you want to disable ssh +nagios checking for a particular node (such as when ssh is firewalled), then you +can set the class parameter `nagios_check_ssh` to `false` and that node will not be +monitored. + +Nagios will automatically check the ports defined in `ports`, and the +hostname specified by `nagios_check_ssh_hostname`. + +NOTE: this requires that you are using the shared-nagios puppet module which +supports the nagios native types via `nagios::service`: +git://labs.riseup.net/shared-nagios + +### Firewall + +If you wish to have firewall rules setup automatically for you, using shorewall, +you will need to set: `use_shorewall => true`. The `ports` that you have +specified will automatically be used. 
+ +NOTE: This requires that you are using the shared-shorewall puppet module: +git://labs.riseup.net/shared-shorewall + + +### Configurable variables + +Configuration of sshd is strict, and may not fit all needs, however there are a +number of variables that you can consider configuring. The defaults are set to +the distribution shipped sshd_config file defaults. + +To set any of these variables, simply set them as variables in your manifests, +before the class is included, for example: + +```puppet +class {'sshd': + listen_address => ['10.0.0.1', '192.168.0.1'], + use_pam => yes +} +``` + +If you need to install a version of the ssh daemon or client package other than +the default one that would be installed by `ensure => installed`, then you can +set the following variables: + +```puppet +class {'sshd': + ensure_version => "1:5.2p2-6" +} +``` + +The following is a list of the currently available variables: + + - `listen_address` + specify the addresses sshd should listen on set this to `['10.0.0.1', '192.168.0.1']` to have it listen on both addresses, or leave it unset to listen on all Default: empty -> results in listening on `0.0.0.0` + - `allowed_users` + list of usernames separated by spaces. set this for example to `"foobar + root"` to ensure that only user foobar and root might login. Default: empty + -> no restriction is set + - `allowed_groups` + list of groups separated by spaces. set this for example to `"wheel sftponly"` + to ensure that only users in the groups wheel and sftponly might login. + Default: empty -> no restriction is set Note: This is set after + `allowed_users`, take care of the behaviour if you use these 2 options + together. + - `use_pam` if you want to use pam or not for authenticaton. Values: + - `no` (default) + - `yes` + - `permit_root_login` If you want to allow root logins or not. 
Valid values: + - `yes` + - `no` + - `without-password` (default) + - `forced-commands-only` + - `password_authentication` + If you want to enable password authentication or not. Valid values: + - `yes` + - `no` (default) + - `kerberos_authentication` + If you want the password that is provided by the user to be validated + through the Kerberos KDC. To use this option the server needs a Kerberos + servtab which allows the verification of the KDC's identity. Valid values: + - `yes` + - `no` (default) + - `kerberos_orlocalpasswd` If password authentication through Kerberos fails, then the password will be validated via any additional local mechanism. Valid values: + - `yes` (default) + - `no` + - `kerberos_ticketcleanup` Destroy the user's ticket cache file on logout? Valid values: + - `yes` (default) + - `no` + - `gssapi_authentication` Authenticate users based on GSSAPI? Valid values: + - `yes` + - `no` (default) + - `gssapi_cleanupcredentials` Destroy user's credential cache on logout? Valid values: + - `yes` (default) + - `no` + - `challenge_response_authentication` If you want to enable ChallengeResponseAuthentication or not When disabled, s/key passwords are disabled. Valid values: + - `yes` + - `no` (default) + - `tcp_forwarding` If you want to enable TcpForwarding. Valid values: + - `yes` + - `no` (default) + - `x11_forwarding` If you want to enable x11 forwarding. Valid values: + - `yes` + - `no` (default) + - `agent_forwarding` If you want to allow ssh-agent forwarding. Valid values: + - `yes` + - `no` (default) + - `pubkey_authentication` If you want to enable public key authentication. Valid values: + - `yes` (default) + - `no` + - `rsa_authentication` If you want to enable RSA Authentication. Valid values: + - `yes` + - `no` (default) + - `rhosts_rsa_authentication` + If you want to enable rhosts RSA Authentication. Valid values: + - `yes` + - `no` (default) + - `hostbased_authentication` If you want to enable `HostbasedAuthentication`. 
Valid values: + - `yes` + - `no` (default) + - `strict_modes` If you want to set `StrictModes` (check file modes/ownership before accepting login). Valid values: + - `yes` (default) + - `no` + - `permit_empty_passwords` + If you want enable PermitEmptyPasswords to allow empty passwords. Valid + Values: + - `yes` + - `no` (default) + - `ports` If you want to specify a list of ports other than the default `22`; Default: `[22]` + - `authorized_keys_file` + Set this to the location of the AuthorizedKeysFile + (e.g. `/etc/ssh/authorized_keys/%u`). Default: `AuthorizedKeysFile + %h/.ssh/authorized_keys` + - `hardened_ssl` + Use only strong SSL ciphers and MAC. + Values: + - `no` (default) + - `yes` + - `print_motd` + Show the Message of the day when a user logs in. + - `sftp_subsystem` + Set a different sftp-subystem than the default one. Might be interesting for + sftponly usage. Default: empty -> no change of the default + - `head_additional_options` + Set this to any additional sshd_options which aren't listed above. Anything + set here will be added to the beginning of the sshd_config file. This option + might be useful to define complicated Match Blocks. This string is going to + be included, like it is defined. So take care! Default: empty -> not added. + - `tail_additional_options` Set this to any additional sshd_options which aren't listed above. Anything set here will be added to the end of the sshd_config file. This option might be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added. + - `shared_ip` Whether the server uses a shared network IP address. If it does, then we don't want it to export an rsa key for its IP address. Values: + - `no` (default) + - `yes` + + +### Defines and functions + +Deploy authorized_keys file with the define `authorized_key`. + +Generate a public/private keypair with the ssh_keygen function. 
For example, the +following will generate ssh keys and put the different parts of the key into +variables: + +```puppet +$ssh_keys = ssh_keygen("${$ssh_key_basepath}/backup/keys/${::fqdn}/${backup_host}") +$public_key = split($ssh_keys[1],' ') +$sshkey_type => $public_key[0] +$sshkey => $public_key[1] +``` + +## Client + + +On a node where you wish to have the ssh client managed, you can do: + +```puppet +class{'sshd::client': + +} +``` + +in the node definition. This will install the appropriate package. + +## License + + - Copyright 2008-2011, Riseup Labs micah@riseup.net + - Copyright 2008, admin(at)immerda.ch + - Copyright 2008, Puzzle ITC GmbH + - Marcel Härry haerry+puppet(at)puzzle.ch + - Simon Josi josi+puppet(at)puzzle.ch + +This program is free software; you can redistribute +it and/or modify it under the terms of the GNU +General Public License version 3 as published by +the Free Software Foundation. + diff --git a/Rakefile b/Rakefile new file mode 100644 index 0000000..e321351 --- /dev/null +++ b/Rakefile @@ -0,0 +1,16 @@ +require 'bundler' +Bundler.require(:rake) + +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' +require 'rspec-system/rake_task' + +PuppetLint.configuration.log_format = '%{path}:%{linenumber}:%{KIND}: %{message}' +PuppetLint.configuration.send("disable_80chars") + +puppet_module='sshd' +task :librarian_spec_prep do + sh 'librarian-puppet install --path=spec/fixtures/modules/' +end +task :spec_prep => :librarian_spec_prep +task :default => [:spec, :lint] diff --git a/files/modules_dir/.ignore b/files/modules_dir/.ignore deleted file mode 100644 index e69de29..0000000 --- a/files/modules_dir/.ignore +++ /dev/null diff --git a/lib/puppet/parser/functions/ssh_keygen.rb b/lib/puppet/parser/functions/ssh_keygen.rb index 597315e..b732b87 100644 --- a/lib/puppet/parser/functions/ssh_keygen.rb +++ b/lib/puppet/parser/functions/ssh_keygen.rb 
@@ -19,7 +19,9 @@ Puppet::Parser::Functions::newfunction(:ssh_keygen, :type => :rvalue, :doc => FileUtils.mkdir_p(dir, :mode => 0700) end unless [private_key_path,public_key_path].all?{|path| File.exists?(path) } - output = Puppet::Util.execute(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', private_key_path, '-P', '', '-q']) + output = Puppet::Util::Execution.execute( + ['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', + '-f', private_key_path, '-P', '', '-q']) raise Puppet::ParseError, "Something went wrong during key generation! Output: #{output}" unless output.empty? end [File.read(private_key_path),File.read(public_key_path)] diff --git a/manifests/base.pp b/manifests/base.pp index ef066e0..813745c 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,3 +1,6 @@ +# The base class to setup the common things. +# This is a private class and will always be used +# throught the sshd class itself. class sshd::base { $sshd_config_content = $::lsbdistcodename ? { @@ -6,6 +9,7 @@ class sshd::base { } file { 'sshd_config': + ensure => present, path => '/etc/ssh/sshd_config', content => $sshd_config_content, notify => Service[sshd], @@ -27,7 +31,7 @@ class sshd::base { # In case the node has uses a shared network address, # we don't define a sshkey resource using an IP address if $sshd::shared_ip == 'no' { - @@sshkey{$::ipaddress: + @@sshkey{$sshd::sshkey_ipaddress: ensure => present, tag => 'ipaddress', type => ssh-rsa, diff --git a/manifests/client/base.pp b/manifests/client/base.pp index 6687d65..4925c2d 100644 --- a/manifests/client/base.pp +++ b/manifests/client/base.pp @@ -1,9 +1,10 @@ class sshd::client::base { # this is needed because the gid might have changed file { '/etc/ssh/ssh_known_hosts': - mode => '0644', - owner => root, - group => 0; + ensure => present, + mode => '0644', + owner => root, + group => 0; } # Now collect all server keys diff --git a/manifests/debian.pp b/manifests/debian.pp index ced5db7..d827078 100644 
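Review bot: The new `Puppet::Util::Execution.execute` call changes failure semantics that the unchanged `raise ... unless output.empty?` line below it does not account for: with no options passed, the Puppet 3 API defaults `:failonfail` and `:combine` to true, so a non-zero ssh-keygen exit now raises `Puppet::ExecutionFailure` instead of the `Puppet::ParseError` callers expect, while a stderr warning from a successful run trips the ParseError even though the key was written (the old `Puppet::Util.execute` defaulted both to false). Wrap the call in `begin ... rescue Puppet::ExecutionFailure => e` and re-raise as `raise Puppet::ParseError, "ssh-keygen failed: #{e.message}"`, then decide whether non-empty output should still be fatal. The Gemfile and .travis.yml in this commit still target Puppet `~> 2.7.0`, where I believe only `Puppet::Util.execute` exists; confirm 2.7 is either dropped or still compiles this function. A comment above the call would also help the next reader: `# keypair is generated on the master with an empty passphrase (-P '') and both halves are returned into the catalog`.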
--- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -1,21 +1,13 @@ class sshd::debian inherits sshd::linux { - # the templates for Debian need lsbdistcodename - require lsb - Package[openssh]{ name => 'openssh-server', } - $sshd_restartandstatus = $::lsbdistcodename ? { - etch => false, - default => true - } - Service[sshd]{ name => 'ssh', pattern => 'sshd', - hasstatus => $sshd_restartandstatus, - hasrestart => $sshd_restartandstatus, + hasstatus => true, + hasrestart => true, } } diff --git a/manifests/init.pp b/manifests/init.pp index c85d3d6..d005d60 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,5 +1,5 @@ class sshd( - $manage_nagios = true, + $manage_nagios = false, $nagios_check_ssh_hostname = 'absent', $ports = [ 22 ], $shared_ip = 'no', @@ -34,13 +34,19 @@ class sshd( $print_motd = 'yes', $manage_shorewall = false, $shorewall_source = 'net', + $sshkey_ipaddress = $::ipaddress, $manage_client = true, ) { + validate_bool($manage_shorewall) + validate_bool($manage_client) + validate_array($listen_address) + validate_array($ports) + if $manage_client { class{'sshd::client': - shared_ip => $sshd::shared_ip, - ensure_version => $sshd::ensure_version, + shared_ip => $shared_ip, + ensure_version => $ensure_version, manage_shorewall => $manage_shorewall, } } diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp index 1ad37cc..cb6dbba 100644 --- a/manifests/openbsd.pp +++ b/manifests/openbsd.pp @@ -1,8 +1,8 @@ class sshd::openbsd inherits sshd::base { Service[sshd]{ - restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', - stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', - start => '/usr/sbin/sshd', - hasstatus => false, + restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`', + stop => '/bin/kill `/bin/cat /var/run/sshd.pid`', + start => '/usr/sbin/sshd', + status => '/usr/bin/pgrep -f /usr/sbin/sshd', } } diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb new file mode 100644 index 0000000..bd3e35a --- /dev/null 
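Review bot: Dropping `require lsb` in sshd::debian removes the dependency whose deleted comment said it exists to make `lsbdistcodename` available, yet sshd::base (earlier in this diff) still selects the sshd_config template with `$::lsbdistcodename ? { ... }`; on a Debian node without lsb-release the fact is undefined and the selector silently falls through to its default template. If the lsb module was dropped on purpose, either manage the `lsb-release` package here or state in README.md that it is a prerequisite, e.g. `# sshd::base picks the template by $::lsbdistcodename; lsb-release must be installed for that fact to exist`. The lsb module itself is not visible here, so I am inferring what `require lsb` used to provide.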
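Review bot: The new `validate_*` calls cover `manage_shorewall`, `manage_client`, `listen_address` and `ports` but not `manage_nagios`, whose default this hunk changes to a boolean, nor `shared_ip`, which sshd::base compares as the string `'no'` to decide whether the host key is exported; a value such as `false` or `'No'` silently suppresses the export instead of failing the compile. Add `validate_bool($manage_nagios)` and `validate_re($shared_ip, '^(yes|no)$')` next to the existing checks. The class body continues past the hunk, so other parameters may already be validated further down.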
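Review bot: `status => '/usr/bin/pgrep -f /usr/sbin/sshd'` matches the pattern against the full command line of every process, so any process whose arguments contain that path (an editor, a script, a `sh -c` wrapper) makes Puppet report sshd as running and skip the start. Since `restart` and `stop` in the same resource already trust the pidfile, use it for status as well, `status => '/bin/kill -0 $(/bin/cat /var/run/sshd.pid)'`, or at minimum `pgrep -x sshd` so only the process name is compared. Replacing `hasstatus => false` with an explicit status command is otherwise the right direction.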
+++ b/spec/classes/client_spec.rb
@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe 'sshd::client' do
+
+ shared_examples "a Linux OS" do
+ it { should contain_file('/etc/ssh/ssh_known_hosts').with(
+ {
+ 'ensure' => 'present',
+ 'owner' => 'root',
+ 'group' => '0',
+ 'mode' => '0644',
+ }
+ )}
+ end
+
+ context "Debian OS" do
+ let :facts do
+ {
+ :operatingsystem => 'Debian',
+ :osfamily => 'Debian',
+ :lsbdistcodename => 'wheezy',
+ }
+ end
+ it_behaves_like "a Linux OS"
+ it { should contain_package('openssh-clients').with({
+ 'name' => 'openssh-client'
+ }) }
+ end
+
+ context "CentOS" do
+ it_behaves_like "a Linux OS" do
+ let :facts do
+ {
+ :operatingsystem => 'CentOS',
+ :osfamily => 'RedHat',
+ :lsbdistcodename => 'Final',
+ }
+ end
+ end
+ end
+
+end
\ No newline at end of file
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
new file mode 100644
index 0000000..e3003d1
--- /dev/null
+++ b/spec/classes/init_spec.rb
@@ -0,0 +1,122 @@ +require 'spec_helper' + +describe 'sshd' do + + shared_examples "a Linux OS" do + it { should compile.with_all_deps } + it { should contain_class('sshd') } + it { should contain_class('sshd::client') } + + it { should contain_service('sshd').with({ + :ensure => 'running', + :enable => true, + :hasstatus => true + })} + + it { should contain_file('sshd_config').with( + { + 'ensure' => 'present', + 'owner' => 'root', + 'group' => '0', + 'mode' => '0600', + } + )} + + context 'change ssh port' do + let(:params){{ + :ports => [ 22222], + }} + it { should contain_file( + 'sshd_config' + ).with_content(/Port 22222/)} + end + end + + context "Debian OS" do + let :facts do + { + :operatingsystem => 'Debian', + :osfamily => 'Debian', + :lsbdistcodename => 'wheezy', + } + end + it_behaves_like "a Linux OS" + it { should contain_package('openssh') } + it { should contain_class('sshd::debian') } + it { should contain_service('sshd').with( + :hasrestart => true + )} + + context "Ubuntu" do + let :facts do + { + :operatingsystem => 'Ubuntu', + :lsbdistcodename => 'precise', + } + end + it_behaves_like "a Linux OS" + it { should contain_package('openssh') } + it { should contain_service('sshd').with({ + :hasrestart => true + })} + end + end + + +# context "RedHat OS" do +# it_behaves_like "a Linux OS" do +# let :facts do +# { +# :operatingsystem => 'RedHat', +# :osfamily => 'RedHat', +# } +# end +# end +# end + + context "CentOS" do + it_behaves_like "a Linux OS" do + let :facts do + { + :operatingsystem => 'CentOS', + :osfamily => 'RedHat', + :lsbdistcodename => 'Final', + } + end + end + end + + context "Gentoo" do + let :facts do + { + :operatingsystem => 'Gentoo', + :osfamily => 'Gentoo', + } + end + it_behaves_like "a Linux OS" + it { should contain_class('sshd::gentoo') } + end + + context "OpenBSD" do + let :facts do + { + :operatingsystem => 'OpenBSD', + :osfamily => 'OpenBSD', + } + end + it_behaves_like "a Linux OS" + it { should 
contain_class('sshd::openbsd') } + end + +# context "FreeBSD" do +# it_behaves_like "a Linux OS" do +# let :facts do +# { +# :operatingsystem => 'FreeBSD', +# :osfamily => 'FreeBSD', +# } +# end +# end +# end + +end
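Review bot: In the nested `context "Ubuntu"` the inner `let :facts` replaces the outer Debian hash entirely, so those examples run with `:operatingsystem` and `:lsbdistcodename` but no `:osfamily`; if the manifests branch on `$::osfamily` (init.pp's class selection is not visible here) the Ubuntu examples exercise a different path than a real Ubuntu node would. Add `:osfamily => 'Debian'` to that hash, or merge the outer facts instead of redefining them. The OpenBSD context also reuses the "a Linux OS" examples, which assert `:hasstatus => true`; that only holds if the service declared outside this diff sets it, since sshd::openbsd no longer overrides it.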
\ No newline at end of file
diff --git a/spec/defines/ssh_authorized_key_spec.rb b/spec/defines/ssh_authorized_key_spec.rb
new file mode 100644
index 0000000..c73a91c
--- /dev/null
+++ b/spec/defines/ssh_authorized_key_spec.rb
@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe 'sshd::ssh_authorized_key' do
+
+ context 'manage authorized key' do
+ let(:title) { 'foo' }
+ let(:ssh_key) { 'some_secret_ssh_key' }
+
+ let(:params) {{
+ :key => ssh_key,
+ }}
+
+ it { should contain_ssh_authorized_key('foo').with({
+ 'ensure' => 'present',
+ 'type' => 'ssh-dss',
+ 'user' => 'foo',
+ 'target' => '/home/foo/.ssh/authorized_keys',
+ 'key' => ssh_key,
+ })
+ }
+ end
+ context 'manage authoried key with options' do
+ let(:title) { 'foo2' }
+ let(:ssh_key) { 'some_secret_ssh_key' }
+
+ let(:params) {{
+ :key => ssh_key,
+ :options => ['command="/usr/bin/date"',
+ 'no-pty','no-X11-forwarding','no-agent-forwarding',
+ 'no-port-forwarding']
+ }}
+
+ it { should contain_ssh_authorized_key('foo2').with({
+ 'ensure' => 'present',
+ 'type' => 'ssh-dss',
+ 'user' => 'foo2',
+ 'target' => '/home/foo2/.ssh/authorized_keys',
+ 'key' => ssh_key,
+ 'options' => ['command="/usr/bin/date"',
+ 'no-pty','no-X11-forwarding','no-agent-forwarding',
+ 'no-port-forwarding']
+ })
+ }
+ end
+end
diff --git a/spec/unit/parser/functions/ssh_keygen.rb b/spec/functions/ssh_keygen_spec.rb
index da45779..a6b5117 100644
--- a/spec/unit/parser/functions/ssh_keygen.rb
+++ b/spec/functions/ssh_keygen_spec.rb
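Review bot: Both examples pin the define's default key type to `'type' => 'ssh-dss'`, i.e. DSA, which OpenSSH limits to 1024-bit keys and no longer enables by default in current releases, so this spec locks in a default that every user will have to override. The define itself is not part of this diff; if its default is changed to `'ssh-rsa'` (or `'ssh-ed25519'` where clients support it) these two expectations must move with it, otherwise pass `:type` explicitly in `params` so the spec does not depend on that default. The second context's description also misspells "authorized" as `'manage authoried key with options'`.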
@@ -1,44 +1,50 @@
-#! /usr/bin/env ruby
-
-
-require File.dirname(__FILE__) + '/../../../spec_helper'
-
+#! /usr/bin/env ruby -S rspec
+require 'spec_helper'
+require 'rspec-puppet'
 require 'mocha'
 require 'fileutils'
 
-describe "the ssh_keygen function" do
+describe 'ssh_keygen' do
 
- before :each do
- @scope = Puppet::Parser::Scope.new
- end
+ let(:scope) { PuppetlabsSpec::PuppetInternals.scope }
 
- it "should exist" do
+ it 'should exist' do
 Puppet::Parser::Functions.function("ssh_keygen").should == "function_ssh_keygen"
 end
 
- it "should raise a ParseError if no argument is passed" do
- lambda { @scope.function_ssh_keygen }.should( raise_error(Puppet::ParseError))
+ it 'should raise a ParseError if no argument is passed' do
+ lambda {
+ scope.function_ssh_keygen([])
+ }.should(raise_error(Puppet::ParseError))
 end
 
- it "should raise a ParseError if there is more than 1 arguments" do
- lambda { @scope.function_ssh_keygen("foo", "bar") }.should( raise_error(Puppet::ParseError))
+ it 'should raise a ParseError if there is more than 1 arguments' do
+ lambda {
+ scope.function_ssh_keygen(["foo", "bar"])
+ }.should( raise_error(Puppet::ParseError))
 end
 
- it "should raise a ParseError if the argument is not fully qualified" do
- lambda { @scope.function_ssh_keygen("foo") }.should( raise_error(Puppet::ParseError))
+ it 'should raise a ParseError if the argument is not fully qualified' do
+ lambda {
+ scope.function_ssh_keygen(["foo"])
+ }.should( raise_error(Puppet::ParseError))
 end
 
 it "should raise a ParseError if the private key path is a directory" do
 File.stubs(:directory?).with("/some_dir").returns(true)
- lambda { @scope.function_ssh_keygen("/some_dir") }.should( raise_error(Puppet::ParseError))
+ lambda {
+ scope.function_ssh_keygen(["/some_dir"])
+ }.should( raise_error(Puppet::ParseError))
 end
 
 it "should raise a ParseError if the public key path is a directory" do
 File.stubs(:directory?).with("/some_dir.pub").returns(true)
- lambda { @scope.function_ssh_keygen("/some_dir") }.should( raise_error(Puppet::ParseError))
+ lambda {
+ scope.function_ssh_keygen(["/some_dir.pub"])
+ }.should( raise_error(Puppet::ParseError))
 end
 
- describe "when executing properly" do
+ describe 'when executing properly' do
 before do
 File.stubs(:directory?).with('/tmp/a/b/c').returns(false)
 File.stubs(:directory?).with('/tmp/a/b/c.pub').returns(false)
@@ -46,16 +52,20 @@ describe "the ssh_keygen function" do
 File.stubs(:read).with('/tmp/a/b/c.pub').returns('publickey')
 end
 
- it "should fail if the public but not the private key exists" do
- File.stubs(:exists?).with("/tmp/a/b/c").returns(true)
- File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false)
- lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError))
+ it 'should fail if the public but not the private key exists' do
+ File.stubs(:exists?).with('/tmp/a/b/c').returns(true)
+ File.stubs(:exists?).with('/tmp/a/b/c.pub').returns(false)
+ lambda {
+ scope.function_ssh_keygen(['/tmp/a/b/c'])
+ }.should( raise_error(Puppet::ParseError))
 end
 
 it "should fail if the private but not the public key exists" do
 File.stubs(:exists?).with("/tmp/a/b/c").returns(false)
 File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(true)
- lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError))
+ lambda {
+ scope.function_ssh_keygen(["/tmp/a/b/c"])
+ }.should( raise_error(Puppet::ParseError))
 end
 
 
@@ -64,7 +74,7 @@ describe "the ssh_keygen function" do
 File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(true)
 File.stubs(:directory?).with('/tmp/a/b').returns(true)
 Puppet::Util.expects(:execute).never
- result = @scope.function_ssh_keygen('/tmp/a/b/c')
+ result = scope.function_ssh_keygen(['/tmp/a/b/c'])
 result.length.should == 2
 result[0].should == 'privatekey'
 result[1].should == 'publickey'
@@ -75,8 +85,8 @@ describe "the ssh_keygen function" do
 File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false)
 File.stubs(:directory?).with("/tmp/a/b").returns(false)
 FileUtils.expects(:mkdir_p).with("/tmp/a/b", :mode => 0700)
- Puppet::Util.expects(:execute).returns("")
- result = @scope.function_ssh_keygen('/tmp/a/b/c')
+ Puppet::Util::Execution.expects(:execute).returns("")
+ result = scope.function_ssh_keygen(['/tmp/a/b/c'])
 result.length.should == 2
 result[0].should == 'privatekey'
 result[1].should == 'publickey'
@@ -86,8 +96,8 @@ describe "the ssh_keygen function" do
 File.stubs(:exists?).with("/tmp/a/b/c").returns(false)
 File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false)
 File.stubs(:directory?).with("/tmp/a/b").returns(true)
- Puppet::Util.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("")
- result = @scope.function_ssh_keygen('/tmp/a/b/c')
+ Puppet::Util::Execution.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("")
+ result = scope.function_ssh_keygen(['/tmp/a/b/c'])
 result.length.should == 2
 result[0].should == 'privatekey'
 result[1].should == 'publickey'
@@ -97,8 +107,10 @@ describe "the ssh_keygen function" do
 File.stubs(:exists?).with("/tmp/a/b/c").returns(false)
 File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false)
 File.stubs(:directory?).with("/tmp/a/b").returns(true)
- Puppet::Util.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("something is wrong")
- lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError))
+ Puppet::Util::Execution.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("something is wrong")
+ lambda {
+ scope.function_ssh_keygen(["/tmp/a/b/c"])
+ }.should( raise_error(Puppet::ParseError))
 end
 end
 end
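Review bot: The example `'should raise a ParseError if the public key path is a directory'` no longer exercises that branch: the call was changed to `scope.function_ssh_keygen(["/some_dir.pub"])`, so `/some_dir.pub` is now the private-key argument and the only stub, `File.stubs(:directory?).with("/some_dir.pub").returns(true)`, satisfies the private-path check — the example becomes a duplicate of the private-key case directly above it. To test the public-key check, keep the argument as `["/some_dir"]` and stub both paths: `File.stubs(:directory?).with("/some_dir").returns(false)` and `File.stubs(:directory?).with("/some_dir.pub").returns(true)`. Which path the function checks first is not visible in this diff, but in neither order does the current example prove the public-key branch raises `Puppet::ParseError`.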
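Review bot: The failure path is asserted only for a command that prints something (`returns("something is wrong")`); nothing covers a non-zero exit, which `Puppet::Util::Execution.execute` surfaces by raising `Puppet::ExecutionFailure` under its default `:failonfail => true`. Since the hunks at -75, -86 and -97 all move the expectation to `Puppet::Util::Execution.expects(:execute)`, an example where the mock raises `Puppet::ExecutionFailure` and asserts whether callers see a `Puppet::ParseError` or the raw failure would pin that contract. The expected argv also pins `'-P', ''`, i.e. the private key is always written unencrypted; if that is intended for automation keys, a one-line comment on the expectation saying so would save the next reviewer the question.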
diff --git a/spec/spec.opts b/spec/spec.opts
deleted file mode 100644
index 91cd642..0000000
--- a/spec/spec.opts
+++ /dev/null
@@ -1,6 +0,0 @@
---format
-s
---colour
---loadby
-mtime
---backtrace
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 6ba62e1..b4123fd 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,16 +1,21 @@
-require 'pathname'
-dir = Pathname.new(__FILE__).parent
-$LOAD_PATH.unshift(dir, dir + 'lib', dir + '../lib')
+dir = File.expand_path(File.dirname(__FILE__))
+$LOAD_PATH.unshift File.join(dir, 'lib')
 require 'puppet'
-gem 'rspec', '>= 1.2.9'
-require 'spec/autorun'
+require 'rspec'
+require 'puppetlabs_spec_helper/module_spec_helper'
+#require 'rspec-hiera-puppet'
+require 'rspec-puppet/coverage'
+require 'rspec/autorun'
 
-Dir[File.join(File.dirname(__FILE__), 'support', '*.rb')].each do |support_file|
- require support_file
-end
+fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures'))
 
-# We need this because the RAL uses 'should' as a method. This
-# allows us the same behaviour but with a different method name.
-class Object
- alias :must :should
+RSpec.configure do |c|
+ c.module_path = File.join(fixture_path, 'modules')
+ c.manifest_dir = File.join(fixture_path, 'manifests')
+ c.pattern = "spec/*/*_spec.rb"
 end
+
+Puppet::Util::Log.level = :warning
+Puppet::Util::Log.newdestination(:console)
+
+at_exit { RSpec::Puppet::Coverage.report! }
\ No newline at end of file
diff --git a/spec/spec_helper_system.rb b/spec/spec_helper_system.rb
new file mode 100644
index 0000000..2c6812f
--- /dev/null
+++ b/spec/spec_helper_system.rb
@@ -0,0 +1,25 @@
+require 'rspec-system/spec_helper'
+require 'rspec-system-puppet/helpers'
+require 'rspec-system-serverspec/helpers'
+include Serverspec::Helper::RSpecSystem
+include Serverspec::Helper::DetectOS
+include RSpecSystemPuppet::Helpers
+
+RSpec.configure do |c|
+ # Project root
+ proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+ # Enable colour
+ c.tty = true
+
+ c.include RSpecSystemPuppet::Helpers
+
+ # This is where we 'setup' the nodes before running our tests
+ c.before :suite do
+ # Install puppet
+ puppet_install
+ # Install modules and dependencies
+ puppet_module_install(:source => proj_root, :module_name => 'sshd')
+ shell('puppet module install puppetlabs-stdlib')
+ end
+end
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 0f4bb1f..47cb077 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -14,8 +14,6 @@
 <%= s %>
 <% end -%>
 
-# only protocol 2
-Protocol 2
 <% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
 <% if port == 'off' -%>
 #Port -- disabled by puppet
@@ -29,6 +27,11 @@ Port <%= port %>
 ListenAddress <%= address %>
 <% end -%>
 
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
@@ -37,7 +40,7 @@ ListenAddress <%= address %>
 
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
-#ServerKeyBits 768
+#ServerKeyBits 1024
 
 # Logging
 # obsoletes QuietMode and FascistLogging
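Review bot: `#require 'rspec-hiera-puppet'` is left as a commented-out require with no explanation, so a reader cannot tell whether hiera-backed specs are unfinished or deliberately disabled; either drop the line or replace it with `# rspec-hiera-puppet is not loaded: <reason>`. The `at_exit { RSpec::Puppet::Coverage.report! }` hook is registered after `require 'rspec/autorun'`, and `at_exit` blocks run last-registered-first, so when a spec file is launched directly with `ruby` rather than through the `rspec` runner the coverage report presumably fires before the examples have run — worth confirming, or moving the report into `c.after(:suite)` inside the `RSpec.configure` block, which is ordered by RSpec itself.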
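Review bot: `shell('puppet module install puppetlabs-stdlib')` installs whatever stdlib release the Forge serves at run time, so the system tests are not reproducible and a change in that dependency changes what is being tested without any change in this repository; pin it, e.g. `shell('puppet module install puppetlabs-stdlib --version <pinned version>')`. `RSpecSystemPuppet::Helpers` is both `include`d at file level and `c.include`d in the configure block — one of the two is redundant. A comment above `c.before :suite` stating that this provisions a throw-away test node (the helper names suggest it, but the node lifecycle is not visible here) would help readers.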
@@ -55,10 +58,10 @@ StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
 #MaxAuthTries 6
 
 RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-
 PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-
 AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
@@ -87,6 +90,7 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
+#KerberosUseKuserok yes
 
 # GSSAPI options
 #GSSAPIAuthentication no
@@ -94,22 +98,24 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication mechanism.
-# Depending on your PAM configuration, this may bypass the setting of
-# PasswordAuthentication, PermitEmptyPasswords, and
-# "PermitRootLogin without-password". If you just want the PAM account and
-# session checks to run without PAM authentication, then enable this but set
-# ChallengeResponseAuthentication=no
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 UsePAM <%= scope.lookupvar('sshd::use_pam') %>
 
 # Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
 
+#AllowAgentForwarding yes
 AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
-
 #GatewayPorts no
 #X11Forwarding no
 X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
@@ -127,7 +133,7 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 #ShowPatchLevel no
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 
@@ -149,6 +155,12 @@ Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>
 
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
+#
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>
 <% end -%>
diff --git a/templates/sshd_config/CentOS_Final.erb b/templates/sshd_config/CentOS_Final.erb
index 0f4bb1f..03246aa 100644..120000
--- a/templates/sshd_config/CentOS_Final.erb
+++ b/templates/sshd_config/CentOS_Final.erb
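Review bot: The new commented `#Match User anoncvs` example sits before the `sshd::tail_additional_options` block, but `Match` is positional in sshd_config: every directive after a `Match` line up to the next `Match` or end of file belongs to that conditional block. If an operator uncomments the example as written, whatever is rendered from `tail_additional_options` is silently scoped to that user instead of applying globally; either move the example below the tail block or extend the comment with `# NOTE: Match must stay last - keep it below tail_additional_options`. The `hardened_ssl` context lines still pair `Ciphers aes256-ctr` with `MACs hmac-sha1`; that line is untouched by this change, but `hmac-sha1` is a dated choice for a profile named "hardened" and is worth revisiting separately.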
@@ -1,154 +1 @@
-# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.
-
-<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
-<%= s %>
-<% end -%>
-
-# only protocol 2
-Protocol 2
-<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
-<% if port == 'off' -%>
-#Port -- disabled by puppet
-<% else -%>
-Port <%= port %>
-<% end -%>
-<% end -%>
-
-# Use these options to restrict which interfaces/protocols sshd will bind to
-<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
-ListenAddress <%= address %>
-<% end -%>
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-SyslogFacility AUTHPRIV
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-
-StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
-
-#MaxAuthTries 6
-
-RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-
-PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-
-AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
-
-# similar for protocol version 2
-HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
-
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
-
-# Change to no to disable s/key passwords
-ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication mechanism.
-# Depending on your PAM configuration, this may bypass the setting of
-# PasswordAuthentication, PermitEmptyPasswords, and
-# "PermitRootLogin without-password". If you just want the PAM account and
-# session checks to run without PAM authentication, then enable this but set
-# ChallengeResponseAuthentication=no
-#UsePAM no
-UsePAM <%= scope.lookupvar('sshd::use_pam') %>
-
-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL
-
-AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
-
-#GatewayPorts no
-#X11Forwarding no
-X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#ShowPatchLevel no
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-#PermitTunnel no
-#ChrootDirectory none
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
-Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %>
-
-<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
-AllowUsers <%= s %>
-<% end -%>
-<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
-AllowGroups <%= s %>
-<%- end -%>
-
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
-Ciphers aes256-ctr
-MACs hmac-sha1
-<% end -%>
-
-<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
-<%= s %>
-<% end -%>
+CentOS.erb
\ No newline at end of file |