aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.fixtures.yml3
-rw-r--r--.gitignore4
-rw-r--r--.rspec4
-rw-r--r--.travis.yml27
-rw-r--r--Gemfile14
-rw-r--r--Gemfile.lock116
-rw-r--r--Modulefile10
-rw-r--r--Puppetfile3
-rw-r--r--Puppetfile.lock8
-rw-r--r--README246
-rw-r--r--README.md235
-rw-r--r--Rakefile16
-rw-r--r--files/modules_dir/.ignore0
-rw-r--r--lib/puppet/parser/functions/ssh_keygen.rb4
-rw-r--r--manifests/base.pp6
-rw-r--r--manifests/client/base.pp7
-rw-r--r--manifests/debian.pp12
-rw-r--r--manifests/init.pp12
-rw-r--r--manifests/openbsd.pp8
-rw-r--r--spec/classes/client_spec.rb42
-rw-r--r--spec/classes/init_spec.rb122
-rw-r--r--spec/defines/ssh_authorized_key_spec.rb45
-rw-r--r--spec/functions/ssh_keygen_spec.rb (renamed from spec/unit/parser/functions/ssh_keygen.rb)74
-rw-r--r--spec/spec.opts6
-rw-r--r--spec/spec_helper.rb29
-rw-r--r--spec/spec_helper_system.rb25
-rw-r--r--templates/sshd_config/CentOS.erb44
l---------[-rw-r--r--]templates/sshd_config/CentOS_Final.erb155
28 files changed, 790 insertions, 487 deletions
diff --git a/.fixtures.yml b/.fixtures.yml
new file mode 100644
index 0000000..42598a6
--- /dev/null
+++ b/.fixtures.yml
@@ -0,0 +1,3 @@
+fixtures:
+ symlinks:
+ sshd: "#{source_dir}" \ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5ebb01f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.librarian/*
+.tmp/*
+*.log
+spec/fixtures/*
diff --git a/.rspec b/.rspec
new file mode 100644
index 0000000..f07c903
--- /dev/null
+++ b/.rspec
@@ -0,0 +1,4 @@
+--format documentation
+--color
+--pattern "spec/*/*_spec.rb"
+#--backtrace
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..7bd2a2b
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,27 @@
+before_install:
+ - gem update --system 2.1.11
+ - gem --version
+rvm:
+ - 1.8.7
+ - 1.9.3
+ - 2.0.0
+script: 'bundle exec rake spec'
+env:
+ - PUPPET_VERSION="~> 2.7.0"
+ - PUPPET_VERSION="~> 3.0.0"
+ - PUPPET_VERSION="~> 3.1.0"
+ - PUPPET_VERSION="~> 3.2.0"
+ - PUPPET_VERSION="~> 3.3.0"
+ - PUPPET_VERSION="~> 3.4.0"
+matrix:
+ exclude:
+ # No support for Ruby 1.9 before Puppet 2.7
+ - rvm: 1.9.3
+ env: PUPPET_VERSION=2.6.0
+ # No support for Ruby 2.0 before Puppet 3.2
+ - rvm: 2.0.0
+ env: PUPPET_VERSION="~> 2.7.0"
+ - rvm: 2.0.0
+ env: PUPPET_VERSION="~> 3.0.0"
+ - rvm: 2.0.0
+ env: PUPPET_VERSION="~> 3.1.0"
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..ef74f90
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+group :development, :test do
+ gem 'puppet', '>= 2.7.0'
+ gem 'puppet-lint', '>=0.3.2'
+ gem 'puppetlabs_spec_helper', '>=0.2.0'
+ gem 'rake', '>=0.9.2.2'
+ gem 'librarian-puppet', '>=0.9.10'
+ gem 'rspec-system-puppet', :require => false
+ gem 'serverspec', :require => false
+ gem 'rspec-system-serverspec', :require => false
+ gem 'rspec-hiera-puppet'
+ gem 'rspec-puppet', :git => 'https://github.com/rodjek/rspec-puppet.git'
+end \ No newline at end of file
diff --git a/Gemfile.lock b/Gemfile.lock
new file mode 100644
index 0000000..0c2c58e
--- /dev/null
+++ b/Gemfile.lock
@@ -0,0 +1,116 @@
+GIT
+ remote: https://github.com/rodjek/rspec-puppet.git
+ revision: c44381a240ec420d4ffda7bffc55ee4d9c08d682
+ specs:
+ rspec-puppet (1.0.1)
+ rspec
+
+GEM
+ remote: https://rubygems.org/
+ specs:
+ builder (3.2.2)
+ diff-lcs (1.2.5)
+ excon (0.31.0)
+ facter (1.7.4)
+ fog (1.19.0)
+ builder
+ excon (~> 0.31.0)
+ formatador (~> 0.2.0)
+ mime-types
+ multi_json (~> 1.0)
+ net-scp (~> 1.1)
+ net-ssh (>= 2.1.3)
+ nokogiri (~> 1.5)
+ ruby-hmac
+ formatador (0.2.4)
+ hiera (1.3.1)
+ json_pure
+ hiera-puppet (1.0.0)
+ hiera (~> 1.0)
+ highline (1.6.20)
+ json (1.8.1)
+ json_pure (1.8.1)
+ kwalify (0.7.2)
+ librarian-puppet (0.9.10)
+ json
+ thor (~> 0.15)
+ metaclass (0.0.2)
+ mime-types (1.25.1)
+ mocha (1.0.0)
+ metaclass (~> 0.0.1)
+ multi_json (1.8.4)
+ net-scp (1.1.2)
+ net-ssh (>= 2.6.5)
+ net-ssh (2.7.0)
+ nokogiri (1.5.11)
+ puppet (3.4.2)
+ facter (~> 1.6)
+ hiera (~> 1.0)
+ rgen (~> 0.6.5)
+ puppet-lint (0.3.2)
+ puppetlabs_spec_helper (0.4.1)
+ mocha (>= 0.10.5)
+ rake
+ rspec (>= 2.9.0)
+ rspec-puppet (>= 0.1.1)
+ rake (10.1.1)
+ rbvmomi (1.8.1)
+ builder
+ nokogiri (>= 1.4.1)
+ trollop
+ rgen (0.6.6)
+ rspec (2.14.1)
+ rspec-core (~> 2.14.0)
+ rspec-expectations (~> 2.14.0)
+ rspec-mocks (~> 2.14.0)
+ rspec-core (2.14.7)
+ rspec-expectations (2.14.4)
+ diff-lcs (>= 1.1.3, < 2.0)
+ rspec-hiera-puppet (1.0.0)
+ hiera (>= 1.0)
+ hiera-puppet (>= 1.0)
+ puppet (>= 3.0)
+ rspec
+ rspec-puppet
+ rspec-mocks (2.14.4)
+ rspec-system (2.8.0)
+ fog (~> 1.18)
+ kwalify (~> 0.7.2)
+ mime-types (~> 1.16)
+ net-scp (~> 1.1)
+ net-ssh (~> 2.7)
+ nokogiri (~> 1.5.10)
+ rbvmomi (~> 1.6)
+ rspec (~> 2.14)
+ systemu (~> 2.5)
+ rspec-system-puppet (2.2.1)
+ rspec-system (~> 2.0)
+ rspec-system-serverspec (2.0.1)
+ rspec-system (~> 2.0)
+ serverspec (~> 0.0)
+ specinfra (~> 0.0)
+ ruby-hmac (0.4.0)
+ serverspec (0.14.4)
+ highline
+ net-ssh
+ rspec (>= 2.13.0)
+ specinfra (>= 0.1.0)
+ specinfra (0.4.1)
+ systemu (2.6.0)
+ thor (0.18.1)
+ trollop (2.0)
+
+PLATFORMS
+ ruby
+
+DEPENDENCIES
+ librarian-puppet (>= 0.9.10)
+ puppet (>= 2.7.0)
+ puppet-lint (>= 0.3.2)
+ puppetlabs_spec_helper (>= 0.2.0)
+ rake (>= 0.9.2.2)
+ rspec-hiera-puppet
+ rspec-puppet!
+ rspec-system-puppet
+ rspec-system-serverspec
+ serverspec
diff --git a/Modulefile b/Modulefile
new file mode 100644
index 0000000..5e4f92d
--- /dev/null
+++ b/Modulefile
@@ -0,0 +1,10 @@
+name 'puppet-sshd'
+version '0.1.0'
+source 'https://github.com/duritong/puppet-sshd'
+author 'duritong'
+license 'Apache License, Version 2.0'
+summary 'ssh daemon configuration'
+description 'Manages sshd_config'
+project_page 'https://github.com/duritong/puppet-sshd'
+
+dependency 'puppetlabs/stdlib', '>= 2.0.0' \ No newline at end of file
diff --git a/Puppetfile b/Puppetfile
new file mode 100644
index 0000000..166d3b4
--- /dev/null
+++ b/Puppetfile
@@ -0,0 +1,3 @@
+forge 'http://forge.puppetlabs.com'
+
+mod 'puppetlabs/stdlib', '>=2.0.0' \ No newline at end of file
diff --git a/Puppetfile.lock b/Puppetfile.lock
new file mode 100644
index 0000000..f938185
--- /dev/null
+++ b/Puppetfile.lock
@@ -0,0 +1,8 @@
+FORGE
+ remote: http://forge.puppetlabs.com
+ specs:
+ puppetlabs/stdlib (4.1.0)
+
+DEPENDENCIES
+ puppetlabs/stdlib (>= 2.0.0)
+
diff --git a/README b/README
deleted file mode 100644
index 44ca1f0..0000000
--- a/README
+++ /dev/null
@@ -1,246 +0,0 @@
-Introduction
-============
-
-This puppet module manages OpenSSH configuration and services.
-
-!! Upgrade Notice (01/2013) !!
-
-This module now uses parameterized classes, where it used global variables
-before. So please whatch out before pulling, you need to change the
-class declarations in your manifest !
-
-
-Dependencies
-------------
-
-This module requires puppet => 2.6, and the following modules are required
-pre-dependencies:
-
-- shared-common: git://labs.riseup.net/shared-common
-- shared-lsb: git://labs.riseup.net/shared-lsb
-
-OpenSSH Server
-==============
-
-On a node where you wish to have an openssh server installed, you should
-'include sshd' on that node. If you need to configure any aspects of
-sshd_config, set the variables before the include. See 'Configurable Variables'
-below for what you can set.
-
-Nagios
-------
-
-To have nagios checks setup automatically for sshd services, simply set
-manage_nagios to true for that class. If you want to disable ssh
-nagios checking for a particular node (such as when ssh is firewalled), then you
-can set the class parameter nagios_check_ssh to false and that node will not bei
-monitored.
-
-Nagios will automatically check the ports defined in $sshd::ports, and the
-hostname specified by $nagios_check_ssh_hostname.
-
-NOTE: this requires that you are using the shared-nagios puppet module which
-supports the nagios native types via nagios::service:
-git://labs.riseup.net/shared-nagios
-
-Firewall
---------
-
-If you wish to have firewall rules setup automatically for you, using shorewall,
-you will need to set: $use_shorewall = true. The $sshd_ports that you have
-specified will automatically be used.
-
-NOTE: This requires that you are using the shared-shorewall puppet module:
-git://labs.riseup.net/shared-shorewall
-
-
-Configurable variables
-----------------------
-
-Configuration of sshd is strict, and may not fit all needs, however there are a
-number of variables that you can consider configuring. The defaults are set to
-the distribution shipped sshd_config file defaults.
-
-To set any of these variables, simply set them as variables in your manifests,
-before the class is included, for example:
-
- $sshd_listen_address = ['10.0.0.1 192.168.0.1']
- $sshd_use_pam = yes
- include sshd
-
-If you need to install a version of the ssh daemon or client package other than
-the default one that would be installed by 'ensure => installed', then you can
-set the following variables:
-
- $sshd_ensure_version = "1:5.2p2-6"
- $ssh_ensure_version = "1:5.2p2-6"
-
-The following is a list of the currently available variables:
-
- $sshd_listen_address
- specify the addresses sshd should listen on set this to ['10.0.0.1
- 192.168.0.1'] to have it listen on both addresses, or leave it unset to
- listen on all Default: empty -> results in listening on 0.0.0.0
-
- $sshd_allowed_users
- list of usernames separated by spaces. set this for example to "foobar
- root" to ensure that only user foobar and root might login. Default: empty
- -> no restriction is set
-
- $sshd_allowed_groups
- list of groups separated by spaces. set this for example to "wheel sftponly"
- to ensure that only users in the groups wheel and sftponly might login.
- Default: empty -> no restriction is set Note: This is set after
- sshd_allowed_users, take care of the behaviour if you use these 2 options
- together.
-
- $sshd_use_pam
- if you want to use pam or not for authenticaton. Values: no or yes; Default:
- no
-
- $sshd_permit_root_login
- If you want to allow root logins or not. Valid values: yes, no,
- without-password, forced-commands-only; Default: without-password
-
- $sshd_password_authentication
- If you want to enable password authentication or not. Valid values: yes or
- no; Default: no
-
- $sshd_kerberos_authentication
- If you want the password that is provided by the user to be validated
- through the Kerberos KDC. To use this option the server needs a Kerberos
- servtab which allows the verification of the KDC's identity. Valid values:
- yes or no; Default: no
-
- $sshd_kerberos_orlocalpasswd
- If password authentication through Kerberos fails, then the password will be
- validated via any additional local mechanism. Valid values: yes or no;
- Default: yes
-
- $sshd_kerberos_ticketcleanup
- Destroy the user's ticket cache file on logout? Valid values: yes or no;
- Default: yes
-
- $sshd_gssapi_authentication
- Authenticate users based on GSSAPI? Valid values: yes or no; Default: no
-
- $sshd_gssapi_cleanupcredentials
- Destroy user's credential cache on logout? Valid values: yes or no; Default:
- yes
-
- $sshd_challenge_response_authentication
- If you want to enable ChallengeResponseAuthentication or not When disabled,
- s/key passowords are disabled Valid values: yes or no; Default: no
-
- $sshd_tcp_forwarding
- If you want to enable TcpForwarding. Valid Values: yes or no; Default: no
-
- $sshd_x11_forwarding
- If you want to enable x11 forwarding. Valid Values: yes or no; Default: no
-
- $sshd_agent_forwarding
- If you want to allow ssh-agent forwarding. Valid Values: yes or no; Default:
- no
-
- $sshd_pubkey_authentication
- If you want to enable public key authentication. Valid Values: yes or no;
- Default: yes
-
- $sshd_rsa_authentication
- If you want to enable RSA Authentication. Valid Values: yes or no; Default:
- no
-
- $sshd_rhosts_rsa_authentication
- If you want to enable rhosts RSA Authentication. Valid Values: yes or no;
- Default: no
-
- $sshd_hostbased_authentication
- If you want to enable HostbasedAuthentication. Valid Values: yes or no;
- Default: no
-
- $sshd_strict_modes
- If you want to set StrictModes (check file modes/ownership before accepting
- login). Valid Values: yes or no; Default: yes
-
- $sshd_permit_empty_passwords
- If you want enable PermitEmptyPasswords to allow empty passwords. Valid
- Values: yes or no; Default: no
-
- $sshd_port
- Deprecated, use sshd_ports instead.
-
- $sshd_ports
- If you want to specify a list of ports other than the default 22; Default:
- [22]
-
- $sshd_authorized_keys_file
- Set this to the location of the AuthorizedKeysFile
- (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile
- %h/.ssh/authorized_keys
-
- $sshd_hardened_ssl
- Use only strong SSL ciphers and MAC.
- Values: no or yes; Default: no.
-
- $sshd_print_motd
- Show the Message of the day when a user logs in.
-
- $sshd_sftp_subsystem
- Set a different sftp-subystem than the default one. Might be interesting for
- sftponly usage. Default: empty -> no change of the default
-
- $sshd_head_additional_options
- Set this to any additional sshd_options which aren't listed above. Anything
- set here will be added to the beginning of the sshd_config file. This option
- might be useful to define complicated Match Blocks. This string is going to
- be included, like it is defined. So take care! Default: empty -> not added.
-
- $sshd_tail_additional_options
-
- Set this to any additional sshd_options which aren't listed above. Anything
- set here will be added to the end of the sshd_config file. This option might
- be useful to define complicated Match Blocks. This string is going to be
- included, like it is defined. So take care! Default: empty -> not added.
-
- $sshd_shared_ip
- Whether the server uses a shared network IP address. If it does, then we
- don't want it to export an rsa key for its IP address.
- Values: no or yes; Default: no
-
-
-Defines and functions
----------------------
-
-Deploy authorized_keys file with the define sshd::ssh_authorized_key.
-
-Generate a public/private keypair with the ssh_keygen function. For example, the
-following will generate ssh keys and put the different parts of the key into
-variables:
-
-$ssh_keys = ssh_keygen("${$ssh_key_basepath}/backup/keys/${::fqdn}/${backup_host}")
-$public_key = split($ssh_keys[1],' ')
-$sshkey_type => $public_key[0]
-$sshkey => $public_key[1]
-
-
-Client
-======
-
-On a node where you wish to have the ssh client managed, you can do 'include
-sshd::client' in the node definition. This will install the appropriate package.
-
-
-License
-=======
-
-# Copyright 2008-2011, Riseup Labs micah@riseup.net
-# Copyright 2008, admin(at)immerda.ch
-# Copyright 2008, Puzzle ITC GmbH
-# Marcel Härry haerry+puppet(at)puzzle.ch
-# Simon Josi josi+puppet(at)puzzle.ch
-#
-# This program is free software; you can redistribute
-# it and/or modify it under the terms of the GNU
-# General Public License version 3 as published by
-# the Free Software Foundation.
-#
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0ae195e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,235 @@
+# Puppet SSH Module
+
+[![Build Status](https://travis-ci.org/duritong/puppet-sshd.png?branch=master)](https://travis-ci.org/duritong/puppet-sshd)
+
+This puppet module manages OpenSSH configuration and services.
+
+**!! Upgrade Notice (01/2013) !!**
+
+This module now uses parameterized classes, where it used global variables
+before. So please whatch out before pulling, you need to change the
+class declarations in your manifest !
+
+
+### Dependencies
+
+This module requires puppet => 2.6, and the following modules are required
+pre-dependencies:
+
+- [puppetlabs/stdlib](https://github.com/puppetlabs/puppetlabs-stdlib) >= 2.x
+
+## OpenSSH Server
+
+On a node where you wish to have an openssh server installed, you should
+include
+
+```puppet
+class { 'sshd': }
+```
+
+on that node. If you need to configure any aspects of sshd_config, set the variables before the include. Or you can adjust many parameters:
+
+```puppet
+class { 'sshd':
+ ports => [ 20002 ],
+ permit_root_login => 'no',
+}
+```
+
+See Configurable Variables below for what you can set.
+
+### Nagios
+
+To have nagios checks setup automatically for sshd services, simply set
+`manage_nagios` to `true` for that class. If you want to disable ssh
+nagios checking for a particular node (such as when ssh is firewalled), then you
+can set the class parameter `nagios_check_ssh` to `false` and that node will not be
+monitored.
+
+Nagios will automatically check the ports defined in `ports`, and the
+hostname specified by `nagios_check_ssh_hostname`.
+
+NOTE: this requires that you are using the shared-nagios puppet module which
+supports the nagios native types via `nagios::service`:
+git://labs.riseup.net/shared-nagios
+
+### Firewall
+
+If you wish to have firewall rules setup automatically for you, using shorewall,
+you will need to set: `use_shorewall => true`. The `ports` that you have
+specified will automatically be used.
+
+NOTE: This requires that you are using the shared-shorewall puppet module:
+git://labs.riseup.net/shared-shorewall
+
+
+### Configurable variables
+
+Configuration of sshd is strict, and may not fit all needs, however there are a
+number of variables that you can consider configuring. The defaults are set to
+the distribution shipped sshd_config file defaults.
+
+To set any of these variables, simply set them as variables in your manifests,
+before the class is included, for example:
+
+```puppet
+class {'sshd':
+ listen_address => ['10.0.0.1', '192.168.0.1'],
+ use_pam => yes
+}
+```
+
+If you need to install a version of the ssh daemon or client package other than
+the default one that would be installed by `ensure => installed`, then you can
+set the following variables:
+
+```puppet
+class {'sshd':
+ ensure_version => "1:5.2p2-6"
+}
+```
+
+The following is a list of the currently available variables:
+
+ - `listen_address`
+ specify the addresses sshd should listen on set this to `['10.0.0.1', '192.168.0.1']` to have it listen on both addresses, or leave it unset to listen on all Default: empty -> results in listening on `0.0.0.0`
+ - `allowed_users`
+ list of usernames separated by spaces. set this for example to `"foobar
+ root"` to ensure that only user foobar and root might login. Default: empty
+ -> no restriction is set
+ - `allowed_groups`
+ list of groups separated by spaces. set this for example to `"wheel sftponly"`
+ to ensure that only users in the groups wheel and sftponly might login.
+ Default: empty -> no restriction is set Note: This is set after
+ `allowed_users`, take care of the behaviour if you use these 2 options
+ together.
+ - `use_pam` if you want to use pam or not for authenticaton. Values:
+ - `no` (default)
+ - `yes`
+ - `permit_root_login` If you want to allow root logins or not. Valid values:
+ - `yes`
+ - `no`
+ - `without-password` (default)
+ - `forced-commands-only`
+ - `password_authentication`
+ If you want to enable password authentication or not. Valid values:
+ - `yes`
+ - `no` (default)
+ - `kerberos_authentication`
+ If you want the password that is provided by the user to be validated
+ through the Kerberos KDC. To use this option the server needs a Kerberos
+ servtab which allows the verification of the KDC's identity. Valid values:
+ - `yes`
+ - `no` (default)
+ - `kerberos_orlocalpasswd` If password authentication through Kerberos fails, then the password will be validated via any additional local mechanism. Valid values:
+ - `yes` (default)
+ - `no`
+ - `kerberos_ticketcleanup` Destroy the user's ticket cache file on logout? Valid values:
+ - `yes` (default)
+ - `no`
+ - `gssapi_authentication` Authenticate users based on GSSAPI? Valid values:
+ - `yes`
+ - `no` (default)
+ - `gssapi_cleanupcredentials` Destroy user's credential cache on logout? Valid values:
+ - `yes` (default)
+ - `no`
+ - `challenge_response_authentication` If you want to enable ChallengeResponseAuthentication or not When disabled, s/key passwords are disabled. Valid values:
+ - `yes`
+ - `no` (default)
+ - `tcp_forwarding` If you want to enable TcpForwarding. Valid values:
+ - `yes`
+ - `no` (default)
+ - `x11_forwarding` If you want to enable x11 forwarding. Valid values:
+ - `yes`
+ - `no` (default)
+ - `agent_forwarding` If you want to allow ssh-agent forwarding. Valid values:
+ - `yes`
+ - `no` (default)
+ - `pubkey_authentication` If you want to enable public key authentication. Valid values:
+ - `yes` (default)
+ - `no`
+ - `rsa_authentication` If you want to enable RSA Authentication. Valid values:
+ - `yes`
+ - `no` (default)
+ - `rhosts_rsa_authentication`
+ If you want to enable rhosts RSA Authentication. Valid values:
+ - `yes`
+ - `no` (default)
+ - `hostbased_authentication` If you want to enable `HostbasedAuthentication`. Valid values:
+ - `yes`
+ - `no` (default)
+ - `strict_modes` If you want to set `StrictModes` (check file modes/ownership before accepting login). Valid values:
+ - `yes` (default)
+ - `no`
+ - `permit_empty_passwords`
+ If you want enable PermitEmptyPasswords to allow empty passwords. Valid
+ Values:
+ - `yes`
+ - `no` (default)
+ - `ports` If you want to specify a list of ports other than the default `22`; Default: `[22]`
+ - `authorized_keys_file`
+ Set this to the location of the AuthorizedKeysFile
+ (e.g. `/etc/ssh/authorized_keys/%u`). Default: `AuthorizedKeysFile
+ %h/.ssh/authorized_keys`
+ - `hardened_ssl`
+ Use only strong SSL ciphers and MAC.
+ Values:
+ - `no` (default)
+ - `yes`
+ - `print_motd`
+ Show the Message of the day when a user logs in.
+ - `sftp_subsystem`
+ Set a different sftp-subystem than the default one. Might be interesting for
+ sftponly usage. Default: empty -> no change of the default
+ - `head_additional_options`
+ Set this to any additional sshd_options which aren't listed above. Anything
+ set here will be added to the beginning of the sshd_config file. This option
+ might be useful to define complicated Match Blocks. This string is going to
+ be included, like it is defined. So take care! Default: empty -> not added.
+ - `tail_additional_options` Set this to any additional sshd_options which aren't listed above. Anything set here will be added to the end of the sshd_config file. This option might be useful to define complicated Match Blocks. This string is going to be included, like it is defined. So take care! Default: empty -> not added.
+ - `shared_ip` Whether the server uses a shared network IP address. If it does, then we don't want it to export an rsa key for its IP address. Values:
+ - `no` (default)
+ - `yes`
+
+
+### Defines and functions
+
+Deploy authorized_keys file with the define `authorized_key`.
+
+Generate a public/private keypair with the ssh_keygen function. For example, the
+following will generate ssh keys and put the different parts of the key into
+variables:
+
+```puppet
+$ssh_keys = ssh_keygen("${$ssh_key_basepath}/backup/keys/${::fqdn}/${backup_host}")
+$public_key = split($ssh_keys[1],' ')
+$sshkey_type => $public_key[0]
+$sshkey => $public_key[1]
+```
+
+## Client
+
+
+On a node where you wish to have the ssh client managed, you can do:
+
+```puppet
+class{'sshd::client':
+
+}
+```
+
+in the node definition. This will install the appropriate package.
+
+## License
+
+ - Copyright 2008-2011, Riseup Labs micah@riseup.net
+ - Copyright 2008, admin(at)immerda.ch
+ - Copyright 2008, Puzzle ITC GmbH
+ - Marcel Härry haerry+puppet(at)puzzle.ch
+ - Simon Josi josi+puppet(at)puzzle.ch
+
+This program is free software; you can redistribute
+it and/or modify it under the terms of the GNU
+General Public License version 3 as published by
+the Free Software Foundation.
+
diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000..e321351
--- /dev/null
+++ b/Rakefile
@@ -0,0 +1,16 @@
+require 'bundler'
+Bundler.require(:rake)
+
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+require 'rspec-system/rake_task'
+
+PuppetLint.configuration.log_format = '%{path}:%{linenumber}:%{KIND}: %{message}'
+PuppetLint.configuration.send("disable_80chars")
+
+puppet_module='sshd'
+task :librarian_spec_prep do
+ sh 'librarian-puppet install --path=spec/fixtures/modules/'
+end
+task :spec_prep => :librarian_spec_prep
+task :default => [:spec, :lint]
diff --git a/files/modules_dir/.ignore b/files/modules_dir/.ignore
deleted file mode 100644
index e69de29..0000000
--- a/files/modules_dir/.ignore
+++ /dev/null
diff --git a/lib/puppet/parser/functions/ssh_keygen.rb b/lib/puppet/parser/functions/ssh_keygen.rb
index 597315e..b732b87 100644
--- a/lib/puppet/parser/functions/ssh_keygen.rb
+++ b/lib/puppet/parser/functions/ssh_keygen.rb
@@ -19,7 +19,9 @@ Puppet::Parser::Functions::newfunction(:ssh_keygen, :type => :rvalue, :doc =>
FileUtils.mkdir_p(dir, :mode => 0700)
end
unless [private_key_path,public_key_path].all?{|path| File.exists?(path) }
- output = Puppet::Util.execute(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', private_key_path, '-P', '', '-q'])
+ output = Puppet::Util::Execution.execute(
+ ['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096',
+ '-f', private_key_path, '-P', '', '-q'])
raise Puppet::ParseError, "Something went wrong during key generation! Output: #{output}" unless output.empty?
end
[File.read(private_key_path),File.read(public_key_path)]
diff --git a/manifests/base.pp b/manifests/base.pp
index ef066e0..813745c 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,3 +1,6 @@
+# The base class to setup the common things.
+# This is a private class and will always be used
+# throught the sshd class itself.
class sshd::base {
$sshd_config_content = $::lsbdistcodename ? {
@@ -6,6 +9,7 @@ class sshd::base {
}
file { 'sshd_config':
+ ensure => present,
path => '/etc/ssh/sshd_config',
content => $sshd_config_content,
notify => Service[sshd],
@@ -27,7 +31,7 @@ class sshd::base {
# In case the node has uses a shared network address,
# we don't define a sshkey resource using an IP address
if $sshd::shared_ip == 'no' {
- @@sshkey{$::ipaddress:
+ @@sshkey{$sshd::sshkey_ipaddress:
ensure => present,
tag => 'ipaddress',
type => ssh-rsa,
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
index 6687d65..4925c2d 100644
--- a/manifests/client/base.pp
+++ b/manifests/client/base.pp
@@ -1,9 +1,10 @@
class sshd::client::base {
# this is needed because the gid might have changed
file { '/etc/ssh/ssh_known_hosts':
- mode => '0644',
- owner => root,
- group => 0;
+ ensure => present,
+ mode => '0644',
+ owner => root,
+ group => 0;
}
# Now collect all server keys
diff --git a/manifests/debian.pp b/manifests/debian.pp
index ced5db7..d827078 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -1,21 +1,13 @@
class sshd::debian inherits sshd::linux {
- # the templates for Debian need lsbdistcodename
- require lsb
-
Package[openssh]{
name => 'openssh-server',
}
- $sshd_restartandstatus = $::lsbdistcodename ? {
- etch => false,
- default => true
- }
-
Service[sshd]{
name => 'ssh',
pattern => 'sshd',
- hasstatus => $sshd_restartandstatus,
- hasrestart => $sshd_restartandstatus,
+ hasstatus => true,
+ hasrestart => true,
}
}
diff --git a/manifests/init.pp b/manifests/init.pp
index c85d3d6..d005d60 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,5 +1,5 @@
class sshd(
- $manage_nagios = true,
+ $manage_nagios = false,
$nagios_check_ssh_hostname = 'absent',
$ports = [ 22 ],
$shared_ip = 'no',
@@ -34,13 +34,19 @@ class sshd(
$print_motd = 'yes',
$manage_shorewall = false,
$shorewall_source = 'net',
+ $sshkey_ipaddress = $::ipaddress,
$manage_client = true,
) {
+ validate_bool($manage_shorewall)
+ validate_bool($manage_client)
+ validate_array($listen_address)
+ validate_array($ports)
+
if $manage_client {
class{'sshd::client':
- shared_ip => $sshd::shared_ip,
- ensure_version => $sshd::ensure_version,
+ shared_ip => $shared_ip,
+ ensure_version => $ensure_version,
manage_shorewall => $manage_shorewall,
}
}
diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp
index 1ad37cc..cb6dbba 100644
--- a/manifests/openbsd.pp
+++ b/manifests/openbsd.pp
@@ -1,8 +1,8 @@
class sshd::openbsd inherits sshd::base {
Service[sshd]{
- restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
- stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
- start => '/usr/sbin/sshd',
- hasstatus => false,
+ restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
+ stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
+ start => '/usr/sbin/sshd',
+ status => '/usr/bin/pgrep -f /usr/sbin/sshd',
}
}
diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb
new file mode 100644
index 0000000..bd3e35a
--- /dev/null
+++ b/spec/classes/client_spec.rb
@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe 'sshd::client' do
+
+ shared_examples "a Linux OS" do
+ it { should contain_file('/etc/ssh/ssh_known_hosts').with(
+ {
+ 'ensure' => 'present',
+ 'owner' => 'root',
+ 'group' => '0',
+ 'mode' => '0644',
+ }
+ )}
+ end
+
+ context "Debian OS" do
+ let :facts do
+ {
+ :operatingsystem => 'Debian',
+ :osfamily => 'Debian',
+ :lsbdistcodename => 'wheezy',
+ }
+ end
+ it_behaves_like "a Linux OS"
+ it { should contain_package('openssh-clients').with({
+ 'name' => 'openssh-client'
+ }) }
+ end
+
+ context "CentOS" do
+ it_behaves_like "a Linux OS" do
+ let :facts do
+ {
+ :operatingsystem => 'CentOS',
+ :osfamily => 'RedHat',
+ :lsbdistcodename => 'Final',
+ }
+ end
+ end
+ end
+
+end \ No newline at end of file
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
new file mode 100644
index 0000000..e3003d1
--- /dev/null
+++ b/spec/classes/init_spec.rb
@@ -0,0 +1,122 @@
+require 'spec_helper'
+
+describe 'sshd' do
+
+ shared_examples "a Linux OS" do
+ it { should compile.with_all_deps }
+ it { should contain_class('sshd') }
+ it { should contain_class('sshd::client') }
+
+ it { should contain_service('sshd').with({
+ :ensure => 'running',
+ :enable => true,
+ :hasstatus => true
+ })}
+
+ it { should contain_file('sshd_config').with(
+ {
+ 'ensure' => 'present',
+ 'owner' => 'root',
+ 'group' => '0',
+ 'mode' => '0600',
+ }
+ )}
+
+ context 'change ssh port' do
+ let(:params){{
+ :ports => [ 22222],
+ }}
+ it { should contain_file(
+ 'sshd_config'
+ ).with_content(/Port 22222/)}
+ end
+ end
+
+ context "Debian OS" do
+ let :facts do
+ {
+ :operatingsystem => 'Debian',
+ :osfamily => 'Debian',
+ :lsbdistcodename => 'wheezy',
+ }
+ end
+ it_behaves_like "a Linux OS"
+ it { should contain_package('openssh') }
+ it { should contain_class('sshd::debian') }
+ it { should contain_service('sshd').with(
+ :hasrestart => true
+ )}
+
+ context "Ubuntu" do
+ let :facts do
+ {
+ :operatingsystem => 'Ubuntu',
+ :lsbdistcodename => 'precise',
+ }
+ end
+ it_behaves_like "a Linux OS"
+ it { should contain_package('openssh') }
+ it { should contain_service('sshd').with({
+ :hasrestart => true
+ })}
+ end
+ end
+
+
+# context "RedHat OS" do
+# it_behaves_like "a Linux OS" do
+# let :facts do
+# {
+# :operatingsystem => 'RedHat',
+# :osfamily => 'RedHat',
+# }
+# end
+# end
+# end
+
+ context "CentOS" do
+ it_behaves_like "a Linux OS" do
+ let :facts do
+ {
+ :operatingsystem => 'CentOS',
+ :osfamily => 'RedHat',
+ :lsbdistcodename => 'Final',
+ }
+ end
+ end
+ end
+
+ context "Gentoo" do
+ let :facts do
+ {
+ :operatingsystem => 'Gentoo',
+ :osfamily => 'Gentoo',
+ }
+ end
+ it_behaves_like "a Linux OS"
+ it { should contain_class('sshd::gentoo') }
+ end
+
+ context "OpenBSD" do
+ let :facts do
+ {
+ :operatingsystem => 'OpenBSD',
+ :osfamily => 'OpenBSD',
+ }
+ end
+ it_behaves_like "a Linux OS"
+ it { should contain_class('sshd::openbsd') }
+ end
+
+# context "FreeBSD" do
+# it_behaves_like "a Linux OS" do
+# let :facts do
+# {
+# :operatingsystem => 'FreeBSD',
+# :osfamily => 'FreeBSD',
+# }
+# end
+# end
+# end
+
+end \ No newline at end of file
diff --git a/spec/defines/ssh_authorized_key_spec.rb b/spec/defines/ssh_authorized_key_spec.rb
new file mode 100644
index 0000000..c73a91c
--- /dev/null
+++ b/spec/defines/ssh_authorized_key_spec.rb
@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe 'sshd::ssh_authorized_key' do
+
+ context 'manage authorized key' do
+ let(:title) { 'foo' }
+ let(:ssh_key) { 'some_secret_ssh_key' }
+
+ let(:params) {{
+ :key => ssh_key,
+ }}
+
+ it { should contain_ssh_authorized_key('foo').with({
+ 'ensure' => 'present',
+ 'type' => 'ssh-dss',
+ 'user' => 'foo',
+ 'target' => '/home/foo/.ssh/authorized_keys',
+ 'key' => ssh_key,
+ })
+ }
+ end
+ context 'manage authoried key with options' do
+ let(:title) { 'foo2' }
+ let(:ssh_key) { 'some_secret_ssh_key' }
+
+ let(:params) {{
+ :key => ssh_key,
+ :options => ['command="/usr/bin/date"',
+ 'no-pty','no-X11-forwarding','no-agent-forwarding',
+ 'no-port-forwarding']
+ }}
+
+ it { should contain_ssh_authorized_key('foo2').with({
+ 'ensure' => 'present',
+ 'type' => 'ssh-dss',
+ 'user' => 'foo2',
+ 'target' => '/home/foo2/.ssh/authorized_keys',
+ 'key' => ssh_key,
+ 'options' => ['command="/usr/bin/date"',
+ 'no-pty','no-X11-forwarding','no-agent-forwarding',
+ 'no-port-forwarding']
+ })
+ }
+ end
+end
diff --git a/spec/unit/parser/functions/ssh_keygen.rb b/spec/functions/ssh_keygen_spec.rb
index da45779..a6b5117 100644
--- a/spec/unit/parser/functions/ssh_keygen.rb
+++ b/spec/functions/ssh_keygen_spec.rb
@@ -1,44 +1,50 @@
-#! /usr/bin/env ruby
-
-
-require File.dirname(__FILE__) + '/../../../spec_helper'
-
+#! /usr/bin/env ruby -S rspec
+require 'spec_helper'
+require 'rspec-puppet'
require 'mocha'
require 'fileutils'
-describe "the ssh_keygen function" do
+describe 'ssh_keygen' do
- before :each do
- @scope = Puppet::Parser::Scope.new
- end
+ let(:scope) { PuppetlabsSpec::PuppetInternals.scope }
- it "should exist" do
+ it 'should exist' do
Puppet::Parser::Functions.function("ssh_keygen").should == "function_ssh_keygen"
end
- it "should raise a ParseError if no argument is passed" do
- lambda { @scope.function_ssh_keygen }.should( raise_error(Puppet::ParseError))
+ it 'should raise a ParseError if no argument is passed' do
+ lambda {
+ scope.function_ssh_keygen([])
+ }.should(raise_error(Puppet::ParseError))
end
- it "should raise a ParseError if there is more than 1 arguments" do
- lambda { @scope.function_ssh_keygen("foo", "bar") }.should( raise_error(Puppet::ParseError))
+ it 'should raise a ParseError if there is more than 1 arguments' do
+ lambda {
+ scope.function_ssh_keygen(["foo", "bar"])
+ }.should( raise_error(Puppet::ParseError))
end
- it "should raise a ParseError if the argument is not fully qualified" do
- lambda { @scope.function_ssh_keygen("foo") }.should( raise_error(Puppet::ParseError))
+ it 'should raise a ParseError if the argument is not fully qualified' do
+ lambda {
+ scope.function_ssh_keygen(["foo"])
+ }.should( raise_error(Puppet::ParseError))
end
it "should raise a ParseError if the private key path is a directory" do
File.stubs(:directory?).with("/some_dir").returns(true)
- lambda { @scope.function_ssh_keygen("/some_dir") }.should( raise_error(Puppet::ParseError))
+ lambda {
+ scope.function_ssh_keygen(["/some_dir"])
+ }.should( raise_error(Puppet::ParseError))
end
it "should raise a ParseError if the public key path is a directory" do
File.stubs(:directory?).with("/some_dir.pub").returns(true)
- lambda { @scope.function_ssh_keygen("/some_dir") }.should( raise_error(Puppet::ParseError))
+ lambda {
+ scope.function_ssh_keygen(["/some_dir.pub"])
+ }.should( raise_error(Puppet::ParseError))
end
- describe "when executing properly" do
+ describe 'when executing properly' do
before do
File.stubs(:directory?).with('/tmp/a/b/c').returns(false)
File.stubs(:directory?).with('/tmp/a/b/c.pub').returns(false)
@@ -46,16 +52,20 @@ describe "the ssh_keygen function" do
File.stubs(:read).with('/tmp/a/b/c.pub').returns('publickey')
end
- it "should fail if the public but not the private key exists" do
- File.stubs(:exists?).with("/tmp/a/b/c").returns(true)
- File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false)
- lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError))
+ it 'should fail if the public but not the private key exists' do
+ File.stubs(:exists?).with('/tmp/a/b/c').returns(true)
+ File.stubs(:exists?).with('/tmp/a/b/c.pub').returns(false)
+ lambda {
+ scope.function_ssh_keygen(['/tmp/a/b/c'])
+ }.should( raise_error(Puppet::ParseError))
end
it "should fail if the private but not the public key exists" do
File.stubs(:exists?).with("/tmp/a/b/c").returns(false)
File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(true)
- lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError))
+ lambda {
+ scope.function_ssh_keygen(["/tmp/a/b/c"])
+ }.should( raise_error(Puppet::ParseError))
end
@@ -64,7 +74,7 @@ describe "the ssh_keygen function" do
File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(true)
File.stubs(:directory?).with('/tmp/a/b').returns(true)
Puppet::Util.expects(:execute).never
- result = @scope.function_ssh_keygen('/tmp/a/b/c')
+ result = scope.function_ssh_keygen(['/tmp/a/b/c'])
result.length.should == 2
result[0].should == 'privatekey'
result[1].should == 'publickey'
@@ -75,8 +85,8 @@ describe "the ssh_keygen function" do
File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false)
File.stubs(:directory?).with("/tmp/a/b").returns(false)
FileUtils.expects(:mkdir_p).with("/tmp/a/b", :mode => 0700)
- Puppet::Util.expects(:execute).returns("")
- result = @scope.function_ssh_keygen('/tmp/a/b/c')
+ Puppet::Util::Execution.expects(:execute).returns("")
+ result = scope.function_ssh_keygen(['/tmp/a/b/c'])
result.length.should == 2
result[0].should == 'privatekey'
result[1].should == 'publickey'
@@ -86,8 +96,8 @@ describe "the ssh_keygen function" do
File.stubs(:exists?).with("/tmp/a/b/c").returns(false)
File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false)
File.stubs(:directory?).with("/tmp/a/b").returns(true)
- Puppet::Util.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("")
- result = @scope.function_ssh_keygen('/tmp/a/b/c')
+ Puppet::Util::Execution.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("")
+ result = scope.function_ssh_keygen(['/tmp/a/b/c'])
result.length.should == 2
result[0].should == 'privatekey'
result[1].should == 'publickey'
@@ -97,8 +107,10 @@ describe "the ssh_keygen function" do
File.stubs(:exists?).with("/tmp/a/b/c").returns(false)
File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false)
File.stubs(:directory?).with("/tmp/a/b").returns(true)
- Puppet::Util.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("something is wrong")
- lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError))
+ Puppet::Util::Execution.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("something is wrong")
+ lambda {
+ scope.function_ssh_keygen(["/tmp/a/b/c"])
+ }.should( raise_error(Puppet::ParseError))
end
end
end
diff --git a/spec/spec.opts b/spec/spec.opts
deleted file mode 100644
index 91cd642..0000000
--- a/spec/spec.opts
+++ /dev/null
@@ -1,6 +0,0 @@
---format
-s
---colour
---loadby
-mtime
---backtrace
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 6ba62e1..b4123fd 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,16 +1,21 @@
-require 'pathname'
-dir = Pathname.new(__FILE__).parent
-$LOAD_PATH.unshift(dir, dir + 'lib', dir + '../lib')
+dir = File.expand_path(File.dirname(__FILE__))
+$LOAD_PATH.unshift File.join(dir, 'lib')
require 'puppet'
-gem 'rspec', '>= 1.2.9'
-require 'spec/autorun'
+require 'rspec'
+require 'puppetlabs_spec_helper/module_spec_helper'
+#require 'rspec-hiera-puppet'
+require 'rspec-puppet/coverage'
+require 'rspec/autorun'
-Dir[File.join(File.dirname(__FILE__), 'support', '*.rb')].each do |support_file|
- require support_file
-end
+fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures'))
-# We need this because the RAL uses 'should' as a method. This
-# allows us the same behaviour but with a different method name.
-class Object
- alias :must :should
+RSpec.configure do |c|
+ c.module_path = File.join(fixture_path, 'modules')
+ c.manifest_dir = File.join(fixture_path, 'manifests')
+ c.pattern = "spec/*/*_spec.rb"
end
+
+Puppet::Util::Log.level = :warning
+Puppet::Util::Log.newdestination(:console)
+
+at_exit { RSpec::Puppet::Coverage.report! } \ No newline at end of file
diff --git a/spec/spec_helper_system.rb b/spec/spec_helper_system.rb
new file mode 100644
index 0000000..2c6812f
--- /dev/null
+++ b/spec/spec_helper_system.rb
@@ -0,0 +1,25 @@
+require 'rspec-system/spec_helper'
+require 'rspec-system-puppet/helpers'
+require 'rspec-system-serverspec/helpers'
+include Serverspec::Helper::RSpecSystem
+include Serverspec::Helper::DetectOS
+include RSpecSystemPuppet::Helpers
+
+RSpec.configure do |c|
+ # Project root
+ proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+ # Enable colour
+ c.tty = true
+
+ c.include RSpecSystemPuppet::Helpers
+
+ # This is where we 'setup' the nodes before running our tests
+ c.before :suite do
+ # Install puppet
+ puppet_install
+ # Install modules and dependencies
+ puppet_module_install(:source => proj_root, :module_name => 'sshd')
+ shell('puppet module install puppetlabs-stdlib')
+ end
+end
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 0f4bb1f..47cb077 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -14,8 +14,6 @@
<%= s %>
<% end -%>
-# only protocol 2
-Protocol 2
<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
<% if port == 'off' -%>
#Port -- disabled by puppet
@@ -29,6 +27,11 @@ Port <%= port %>
ListenAddress <%= address %>
<% end -%>
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
@@ -37,7 +40,7 @@ ListenAddress <%= address %>
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
-#ServerKeyBits 768
+#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
@@ -55,10 +58,10 @@ StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
#MaxAuthTries 6
RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-
PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-
AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
@@ -87,6 +90,7 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
@@ -94,22 +98,24 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication mechanism.
-# Depending on your PAM configuration, this may bypass the setting of
-# PasswordAuthentication, PermitEmptyPasswords, and
-# "PermitRootLogin without-password". If you just want the PAM account and
-# session checks to run without PAM authentication, then enable this but set
-# ChallengeResponseAuthentication=no
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM <%= scope.lookupvar('sshd::use_pam') %>
# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+#AllowAgentForwarding yes
AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
-
#GatewayPorts no
#X11Forwarding no
X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
@@ -127,7 +133,7 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
@@ -149,6 +155,12 @@ Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
+#
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
<% end -%>
diff --git a/templates/sshd_config/CentOS_Final.erb b/templates/sshd_config/CentOS_Final.erb
index 0f4bb1f..03246aa 100644..120000
--- a/templates/sshd_config/CentOS_Final.erb
+++ b/templates/sshd_config/CentOS_Final.erb
@@ -1,154 +1 @@
-# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.
-
-<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%>
-<%= s %>
-<% end -%>
-
-# only protocol 2
-Protocol 2
-<% scope.lookupvar('sshd::ports').to_a.each do |port| -%>
-<% if port == 'off' -%>
-#Port -- disabled by puppet
-<% else -%>
-Port <%= port %>
-<% end -%>
-<% end -%>
-
-# Use these options to restrict which interfaces/protocols sshd will bind to
-<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%>
-ListenAddress <%= address %>
-<% end -%>
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-SyslogFacility AUTHPRIV
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %>
-
-StrictModes <%= scope.lookupvar('sshd::strict_modes') %>
-
-#MaxAuthTries 6
-
-RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %>
-
-PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %>
-
-AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %>
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %>
-
-# similar for protocol version 2
-HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %>
-
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %>
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %>
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %>
-
-# Change to no to disable s/key passwords
-ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %>
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication mechanism.
-# Depending on your PAM configuration, this may bypass the setting of
-# PasswordAuthentication, PermitEmptyPasswords, and
-# "PermitRootLogin without-password". If you just want the PAM account and
-# session checks to run without PAM authentication, then enable this but set
-# ChallengeResponseAuthentication=no
-#UsePAM no
-UsePAM <%= scope.lookupvar('sshd::use_pam') %>
-
-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL
-
-AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %>
-
-#GatewayPorts no
-#X11Forwarding no
-X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %>
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#ShowPatchLevel no
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-#PermitTunnel no
-#ChrootDirectory none
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
-Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %>
-
-<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%>
-AllowUsers <%= s %>
-<% end -%>
-<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%>
-AllowGroups <%= s %>
-<%- end -%>
-
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
-Ciphers aes256-ctr
-MACs hmac-sha1
-<% end -%>
-
-<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
-<%= s %>
-<% end -%>
+CentOS.erb \ No newline at end of file