diff options
| -rw-r--r-- | README | 6 | ||||
| -rw-r--r-- | lib/puppet/parser/functions/ssh_keygen.rb | 23 | ||||
| -rw-r--r-- | manifests/client/base.pp | 3 | ||||
| -rw-r--r-- | manifests/debian.pp | 3 | ||||
| -rw-r--r-- | manifests/init.pp | 30 | ||||
| -rw-r--r-- | manifests/nagios.pp | 24 | ||||
| -rw-r--r-- | spec/spec.opts | 6 | ||||
| -rw-r--r-- | spec/spec_helper.rb | 16 | ||||
| -rw-r--r-- | spec/unit/parser/functions/ssh_keygen.rb | 104 | ||||
| -rw-r--r-- | templates/sshd_config/CentOS.erb | 8 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_etch.erb | 8 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_lenny.erb | 11 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_squeeze.erb | 14 | ||||
| -rw-r--r-- | templates/sshd_config/Gentoo.erb | 8 | ||||
| -rw-r--r-- | templates/sshd_config/OpenBSD.erb | 8 |
15 files changed, 230 insertions, 42 deletions
@@ -0,0 +1,6 @@ +# sshd module for Puppet + +## Dependencies + +- shared-common: git://labs.riseup.net/shared-common +- shared-lsb: git://labs.riseup.net/shared-lsb diff --git a/lib/puppet/parser/functions/ssh_keygen.rb b/lib/puppet/parser/functions/ssh_keygen.rb new file mode 100644 index 0000000..09b3d3b --- /dev/null +++ b/lib/puppet/parser/functions/ssh_keygen.rb @@ -0,0 +1,23 @@ +Puppet::Parser::Functions::newfunction(:ssh_keygen, :type => :rvalue, :doc => + "Returns an array containing the ssh private and public (in this order) key + for a certain private key path. + It will generate the keypair if both do not exist. It will also generate + the directory hierarchy if required. + It accepts only fully qualified paths, everything else will fail.") do |args| + raise Puppet::ParseError, "Wrong number of arguments" unless args.to_a.length == 1 + private_key_path = args.to_a[0] + raise Puppet::ParseError, "Only fully qualified paths are accepted (#{private_key_path})" unless private_key_path =~ /^\/.+/ + public_key_path = "#{private_key_path}.pub" + raise Puppet::ParseError, "Either only the private or only the public key exists" if File.exists?(private_key_path) ^ File.exists?(public_key_path) + [private_key_path,public_key_path].each do |path| + raise Puppet::ParseError, "#{path} is a directory" if File.directory?(path) + end + + dir = File.dirname(private_key_path) + Puppet::Util.recmkdir(dir,0700) unless File.directory?(dir) + unless [private_key_path,public_key_path].all?{|path| File.exists?(path) } + output = Puppet::Util.execute(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', private_key_path, '-P', '', '-q']) + raise Puppet::ParseError, "Something went wrong during key generation! Output: #{output}" unless output.empty? + end + [File.read(private_key_path),File.read(public_key_path)] +end diff --git a/manifests/client/base.pp b/manifests/client/base.pp index 33d9f9e..64d4f6f 100644 --- a/manifests/client/base.pp +++ b/manifests/client/base.pp @@ -1,7 +1,6 @@ class sshd::client::base { # this is needed because the gid might have changed - file { '/etc/ssh/ssh_known_hosts': - owner => root, group => 0, mode => 0644; + config_file { '/etc/ssh/ssh_known_hosts': } # Now collect all server keys diff --git a/manifests/debian.pp b/manifests/debian.pp index 0cc4ede..43dc26c 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -9,8 +9,7 @@ class sshd::debian inherits sshd::linux { $sshd_restartandstatus = $lsbdistcodename ? { etch => false, - lenny => true, - default => false + default => true } Service[sshd]{ diff --git a/manifests/init.pp b/manifests/init.pp index 90b7c64..76ee107 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -142,8 +142,11 @@ # Valid Values: yes or no # Default: no # -# sshd_port: If you want to specify a different port than the default 22 -# Default: 22 +# sshd_port: Deprecated, use sshd_ports instead. +# +# sshd_ports: If you want to specify a list of ports other than the default 22 +# Default: [22] +# # # sshd_authorized_keys_file: Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u) # Default: AuthorizedKeysFile %h/.ssh/authorized_keys @@ -232,8 +235,13 @@ class sshd { case $sshd_permit_empty_passwords { '': { $sshd_permit_empty_passwords = 'no' } } - case $sshd_port { - '': { $sshd_port = 22 } + if ( $sshd_port != '' ) and ( $sshd_ports != []) { + err("Cannot use sshd_port and sshd_ports at the same time.") + } + if $sshd_port != '' { + $sshd_ports = [ $sshd_port ] + } elsif ! $sshd_ports { + $sshd_ports = [ 22 ] } case $sshd_authorized_keys_file { '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" } @@ -265,11 +273,21 @@ class sshd { if $use_nagios { case $nagios_check_ssh { false: { info("We don't do nagioschecks for ssh on ${fqdn}" ) } - default: { nagios::service{ "ssh_port_${sshd_port}": check_command => "check_ssh_port!$sshd_port" } } + default: { + sshd::nagios{$sshd_ports: + check_hostname => $nagios_check_ssh_hostname ? { + '' => 'absent', + undef => 'absent', + default => $nagios_check_ssh_hostname + } + } + } } } if $use_shorewall{ - include shorewall::rules::ssh + class{'shorewall::rules::ssh': + ports => $sshd_ports, + } } } diff --git a/manifests/nagios.pp b/manifests/nagios.pp new file mode 100644 index 0000000..7742cdb --- /dev/null +++ b/manifests/nagios.pp @@ -0,0 +1,24 @@ +define sshd::nagios( + $port = 'absent', + $ensure = 'present', + $check_hostname = 'absent' +) { + $real_port = $port ? { + 'absent' => $name, + default => $port, + } + case $check_hostname { + 'absent': { + nagios::service{"ssh_port_${name}": + ensure => $ensure, + check_command => "check_ssh_port!$real_port" + } + } + default: { + nagios::service{"ssh_port_host_${name}": + ensure => $ensure, + check_command => "check_ssh_port_host!${real_port}!${check_hostname}" + } + } + } +} diff --git a/spec/spec.opts b/spec/spec.opts new file mode 100644 index 0000000..91cd642 --- /dev/null +++ b/spec/spec.opts @@ -0,0 +1,6 @@ +--format +s +--colour +--loadby +mtime +--backtrace diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb new file mode 100644 index 0000000..6ba62e1 --- /dev/null +++ b/spec/spec_helper.rb @@ -0,0 +1,16 @@ +require 'pathname' +dir = Pathname.new(__FILE__).parent +$LOAD_PATH.unshift(dir, dir + 'lib', dir + '../lib') +require 'puppet' +gem 'rspec', '>= 1.2.9' +require 'spec/autorun' + +Dir[File.join(File.dirname(__FILE__), 'support', '*.rb')].each do |support_file| + require support_file +end + +# We need this because the RAL uses 'should' as a method. This +# allows us the same behaviour but with a different method name. +class Object + alias :must :should +end diff --git a/spec/unit/parser/functions/ssh_keygen.rb b/spec/unit/parser/functions/ssh_keygen.rb new file mode 100644 index 0000000..f830065 --- /dev/null +++ b/spec/unit/parser/functions/ssh_keygen.rb @@ -0,0 +1,104 @@ +#! /usr/bin/env ruby + + +require File.dirname(__FILE__) + '/../../../spec_helper' + +require 'mocha' +require 'fileutils' + +describe "the ssh_keygen function" do + + before :each do + @scope = Puppet::Parser::Scope.new + end + + it "should exist" do + Puppet::Parser::Functions.function("ssh_keygen").should == "function_ssh_keygen" + end + + it "should raise a ParseError if no argument is passed" do + lambda { @scope.function_ssh_keygen }.should( raise_error(Puppet::ParseError)) + end + + it "should raise a ParseError if there is more than 1 arguments" do + lambda { @scope.function_ssh_keygen("foo", "bar") }.should( raise_error(Puppet::ParseError)) + end + + it "should raise a ParseError if the argument is not fully qualified" do + lambda { @scope.function_ssh_keygen("foo") }.should( raise_error(Puppet::ParseError)) + end + + it "should raise a ParseError if the private key path is a directory" do + File.stubs(:directory?).with("/some_dir").returns(true) + lambda { @scope.function_ssh_keygen("/some_dir") }.should( raise_error(Puppet::ParseError)) + end + + it "should raise a ParseError if the public key path is a directory" do + File.stubs(:directory?).with("/some_dir.pub").returns(true) + lambda { @scope.function_ssh_keygen("/some_dir") }.should( raise_error(Puppet::ParseError)) + end + + describe "when executing properly" do + before do + File.stubs(:directory?).with('/tmp/a/b/c').returns(false) + File.stubs(:directory?).with('/tmp/a/b/c.pub').returns(false) + File.stubs(:read).with('/tmp/a/b/c').returns('privatekey') + File.stubs(:read).with('/tmp/a/b/c.pub').returns('publickey') + end + + it "should fail if the public but not the private key exists" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(true) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false) + lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError)) + end + + it "should fail if the private but not the public key exists" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(false) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(true) + lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError)) + end + + + it "should return an array of size 2 with the right conent if the keyfiles exists" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(true) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(true) + File.stubs(:directory?).with('/tmp/a/b').returns(true) + Puppet::Util.expects(:execute).never + result = @scope.function_ssh_keygen('/tmp/a/b/c') + result.length.should == 2 + result[0].should == 'privatekey' + result[1].should == 'publickey' + end + + it "should create the directory path if it does not exist" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(false) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false) + File.stubs(:directory?).with("/tmp/a/b").returns(false) + Puppet::Util.expects(:recmkdir).with("/tmp/a/b",0700) + Puppet::Util.expects(:execute).returns("") + result = @scope.function_ssh_keygen('/tmp/a/b/c') + result.length.should == 2 + result[0].should == 'privatekey' + result[1].should == 'publickey' + end + + it "should generate the key if the keyfiles do not exist" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(false) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false) + File.stubs(:directory?).with("/tmp/a/b").returns(true) + Puppet::Util.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("") + result = @scope.function_ssh_keygen('/tmp/a/b/c') + result.length.should == 2 + result[0].should == 'privatekey' + result[1].should == 'publickey' + end + + it "should fail if something goes wrong during generation" do + File.stubs(:exists?).with("/tmp/a/b/c").returns(false) + File.stubs(:exists?).with("/tmp/a/b/c.pub").returns(false) + File.stubs(:directory?).with("/tmp/a/b").returns(true) + Puppet::Util.expects(:execute).with(['/usr/bin/ssh-keygen','-t', 'rsa', '-b', '4096', '-f', '/tmp/a/b/c', '-P', '', '-q']).returns("something is wrong") + lambda { @scope.function_ssh_keygen("/tmp/a/b/c") }.should( raise_error(Puppet::ParseError)) + end + end +end diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb index e1c8419..544effe 100644 --- a/templates/sshd_config/CentOS.erb +++ b/templates/sshd_config/CentOS.erb @@ -16,14 +16,12 @@ # only protocol 2 Protocol 2 -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb index 746a447..c148d08 100644 --- a/templates/sshd_config/Debian_etch.erb +++ b/templates/sshd_config/Debian_etch.erb @@ -6,14 +6,12 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 3c3d562..4648a22 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -6,14 +6,12 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to @@ -138,6 +136,9 @@ KeepAlive yes #Banner /etc/issue.net #ReverseMappingCheck yes +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + <%- if sshd_sftp_subsystem.to_s.empty? then %> Subsystem sftp /usr/lib/openssh/sftp-server <%- else %> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 56b1cab..79fef15 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -8,15 +8,14 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 -<%- end %> +<%- end -%> + # Use these options to restrict which interfaces/protocols sshd will bind to <% for address in sshd_listen_address -%> ListenAddress <%= address %> @@ -179,6 +178,8 @@ UsePAM yes UsePAM no <%- end -%> +HostbasedUsesNameFromPacketOnly yes + <%- if sshd_tcp_forwarding.to_s == 'yes' then -%> AllowTcpForwarding yes <%- else -%> @@ -201,4 +202,3 @@ AllowGroups <%= sshd_allowed_groups %> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> - diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 2112f0d..768d3f5 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -14,14 +14,12 @@ <%= sshd_head_additional_options %> <%- end %> -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 69e8afa..51662d3 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -12,14 +12,12 @@ <%= sshd_head_additional_options %> <%- end %> -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to |