Updated ssh module
Updated ssh module to fix sftp subsystem bug in CentOS Upstream version: 2.4.0 Upstream SHA: e5cfeae06a16497382072d80c65c901aa0e696ea Change-Id: I7f72aab77d982a3e47618a82f7dda9312c8699b9 Closes-bug: #1415078
This commit is contained in:
parent
abcccb60c1
commit
4c5df22e5d
@ -1,5 +1,6 @@
|
||||
fixtures:
|
||||
repositories:
|
||||
stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib"
|
||||
stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib"
|
||||
concat: "https://github.com/puppetlabs/puppetlabs-concat"
|
||||
symlinks:
|
||||
ssh: "#{source_dir}"
|
||||
|
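Review bot: The `stdlib:` and `concat:` fixtures on the new side name a repository but no `ref`, so every spec run clones whatever those upstream default branches contain that day and the test inputs are not reproducible. If the spec helper in use accepts the hash form, pinning to the tag that satisfies metadata.json keeps the fixture stable, e.g. `concat: { repo: "https://github.com/puppetlabs/puppetlabs-concat", ref: "<tag matching the >= 1.0.0 requirement>" }`. The same applies to the `stdlib:` line.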
@ -1,5 +1,5 @@
|
||||
name 'saz-ssh'
|
||||
version '2.3.6'
|
||||
version '2.4.0'
|
||||
source 'git://github.com/saz/puppet-ssh.git'
|
||||
author 'saz'
|
||||
license 'Apache License, Version 2.0'
|
||||
|
@ -14,20 +14,20 @@ Manage SSH client and server via Puppet
|
||||
Since version 2.0.0 only non-default values are written to both,
|
||||
client and server, configuration files.
|
||||
|
||||
Multiple occurances of one config key (e.g. sshd should be listening on
|
||||
Multiple occurrences of one config key (e.g. sshd should be listening on
|
||||
port 22 and 2222) should be passed as an array.
|
||||
|
||||
```
|
||||
options => {
|
||||
Port => [22, 2222],
|
||||
'Port' => [22, 2222],
|
||||
}
|
||||
```
|
||||
|
||||
This is working for both, client and server
|
||||
This is working for both, client and server.
|
||||
|
||||
### Both client and server
|
||||
Host keys will be collected and distributed unless
|
||||
storeconfigs_enabled => false
|
||||
`storeconfigs_enabled` is `false`.
|
||||
|
||||
```
|
||||
include ssh
|
||||
@ -46,7 +46,7 @@ or
|
||||
'AllowTcpForwarding' => 'no',
|
||||
'X11Forwarding' => 'no',
|
||||
},
|
||||
Port => [22, 2222, 2288],
|
||||
'Port' => [22, 2222, 2288],
|
||||
},
|
||||
client_options => {
|
||||
'Host *.amazonaws.com' => {
|
||||
@ -56,9 +56,30 @@ or
|
||||
}
|
||||
```
|
||||
|
||||
### Hiera example
|
||||
```
|
||||
ssh::storeconfigs_enabled: true,
|
||||
|
||||
ssh::server_options:
|
||||
Protocol: '2'
|
||||
ListenAddress:
|
||||
- '127.0.0.0'
|
||||
- '%{::hostname}'
|
||||
PasswordAuthentication: 'yes'
|
||||
SyslogFacility: 'AUTHPRIV'
|
||||
UsePAM: 'yes'
|
||||
X11Forwarding: 'yes'
|
||||
|
||||
ssh::client_options:
|
||||
'Host *':
|
||||
SendEnv: 'LANG LC_*'
|
||||
ForwardX11Trusted: 'yes'
|
||||
ServerAliveInterval: '10'
|
||||
```
|
||||
|
||||
### Client only
|
||||
Collected host keys from servers will be written to known_hosts unless
|
||||
storeconfigs_enabled => false
|
||||
Collected host keys from servers will be written to `known_hosts` unless
|
||||
`storeconfigs_enabled` is `false`
|
||||
|
||||
```
|
||||
include ssh::client
|
||||
@ -84,7 +105,7 @@ or
|
||||
|
||||
### Server only
|
||||
Host keys will be collected for client distribution unless
|
||||
storeconfigs_enabled => false
|
||||
`storeconfigs_enabled` is `false`
|
||||
|
||||
```
|
||||
include ssh::server
|
||||
@ -109,7 +130,7 @@ or
|
||||
},
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
## Default options
|
||||
|
||||
### Client
|
||||
@ -121,7 +142,7 @@ or
|
||||
'GSSAPIAuthentication' => 'yes',
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
### Server
|
||||
|
||||
```
|
||||
@ -132,7 +153,7 @@ or
|
||||
'Subsystem' => 'sftp /usr/lib/openssh/sftp-server',
|
||||
'UsePAM' => 'yes',
|
||||
```
|
||||
|
||||
|
||||
## Overwriting default options
|
||||
Default options will be merged with options passed in.
|
||||
If an option is set both as default and via options parameter, the latter will
|
||||
@ -148,9 +169,9 @@ The following example will disable X11Forwarding, which is enabled by default:
|
||||
}
|
||||
```
|
||||
|
||||
Which will lead to the following sshd_config file:
|
||||
Which will lead to the following `sshd_config` file:
|
||||
|
||||
```
|
||||
```
|
||||
# File is managed by Puppet
|
||||
|
||||
ChallengeResponseAuthentication no
|
||||
@ -184,3 +205,19 @@ ssh::server::host_key {'ssh_host_rsa_key':
|
||||
|
||||
Both of these definitions will create ```/etc/ssh/ssh_host_rsa_key``` and
|
||||
```/etc/ssh/ssh_host_rsa_key.pub``` and restart sshd daemon.
|
||||
|
||||
|
||||
## Adding cutom match blocks
|
||||
|
||||
```
|
||||
ssh::server::match_block { 'sftp_only':
|
||||
type => 'User',
|
||||
options => {
|
||||
'ChrootDirectory' => "/sftp/%u",
|
||||
'ForceCommand' => 'internal-sftp',
|
||||
'PasswordAuthentication' => 'no',
|
||||
'AllowTcpForwarding' => 'no',
|
||||
'X11Forwarding' => 'no',
|
||||
}
|
||||
}
|
||||
```
|
||||
|
@ -5,7 +5,10 @@ EOS
|
||||
) do |args|
|
||||
interfaces = lookupvar('interfaces')
|
||||
|
||||
return false if (interfaces == :undefined)
|
||||
# In Puppet v2.7, lookupvar returns :undefined if the variable does
|
||||
# not exist. In Puppet 3.x, it returns nil.
|
||||
# See http://docs.puppetlabs.com/guides/custom_functions.html
|
||||
return false if (interfaces.nil? || interfaces == :undefined)
|
||||
|
||||
result = []
|
||||
if interfaces.count(',') > 0
|
||||
@ -14,10 +17,10 @@ EOS
|
||||
if ! iface.include?('lo')
|
||||
ipaddr = lookupvar("ipaddress_#{iface}")
|
||||
ipaddr6 = lookupvar("ipaddress6_#{iface}")
|
||||
if ipaddr
|
||||
if ipaddr and (ipaddr!= :undefined)
|
||||
result << ipaddr
|
||||
end
|
||||
if ipaddr6
|
||||
if ipaddr6 and (ipaddr6!= :undefined)
|
||||
result << ipaddr6
|
||||
end
|
||||
end
|
||||
@ -26,10 +29,10 @@ EOS
|
||||
if ! interfaces.include?('lo')
|
||||
ipaddr = lookupvar("ipaddress_#{interfaces}")
|
||||
ipaddr6 = lookupvar("ipaddress6_#{interfaces}")
|
||||
if ipaddr
|
||||
if ipaddr and (ipaddr!= :undefined)
|
||||
result << ipaddr
|
||||
end
|
||||
if ipaddr6
|
||||
if ipaddr6 and (ipaddr6!= :undefined)
|
||||
result << ipaddr6
|
||||
end
|
||||
end
|
||||
|
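Review bot: The four new guards of the form `if ipaddr and (ipaddr!= :undefined)` use `and`, whose low precedence is a standing Ruby footgun, and they restate the nil/:undefined test that the new function-level line `return false if (interfaces.nil? || interfaces == :undefined)` already writes with `||`; `if ipaddr && ipaddr != :undefined` keeps both in one style, in this branch and in the single-interface branch below it. A small lambda declared next to `result = []`, `present = ->(v) { v && v != :undefined }`, would let each branch read `result << ipaddr if present.(ipaddr)`. Separately, the function still returns `false` rather than `[]` when no interfaces fact exists, and ssh::hostkeys splices the result into `flatten([ $::fqdn, $::hostname, $ipaddresses ])`, so a host without the fact would get `false` as a host alias; returning an empty array there is worth considering if no caller depends on the boolean. The `newfunction` header and the closing `end` of this function are outside the hunk.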
@ -9,6 +9,7 @@ class ssh::client::config {
|
||||
|
||||
# Workaround for http://projects.reductivelabs.com/issues/2014
|
||||
file { $ssh::params::ssh_known_hosts:
|
||||
mode => '0644',
|
||||
ensure => present,
|
||||
mode => '0644',
|
||||
}
|
||||
}
|
||||
|
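Review bot: The new `ensure => present` on `$ssh::params::ssh_known_hosts` pins the file's existence and mode but not its ownership, whereas the server side in `ssh::server::config` sets `owner => 0` and `group => 0` on sshd_config in this same commit. A known_hosts file that clients trust for host-key verification should be equally explicit about who may write it; adding `owner => 0,` and `group => 0,` alongside `mode => '0644'` closes that gap. The rest of `ssh::client::config` is outside the hunk.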
@ -2,15 +2,19 @@ class ssh::hostkeys {
|
||||
$ipaddresses = ipaddresses()
|
||||
$host_aliases = flatten([ $::fqdn, $::hostname, $ipaddresses ])
|
||||
|
||||
@@sshkey { "${::fqdn}_dsa":
|
||||
host_aliases => $host_aliases,
|
||||
type => dsa,
|
||||
key => $::sshdsakey,
|
||||
if $::sshdsakey {
|
||||
@@sshkey { "${::fqdn}_dsa":
|
||||
host_aliases => $host_aliases,
|
||||
type => dsa,
|
||||
key => $::sshdsakey,
|
||||
}
|
||||
}
|
||||
@@sshkey { "${::fqdn}_rsa":
|
||||
host_aliases => $host_aliases,
|
||||
type => rsa,
|
||||
key => $::sshrsakey,
|
||||
if $::sshrsakey {
|
||||
@@sshkey { "${::fqdn}_rsa":
|
||||
host_aliases => $host_aliases,
|
||||
type => rsa,
|
||||
key => $::sshrsakey,
|
||||
}
|
||||
}
|
||||
if $::sshecdsakey {
|
||||
@@sshkey { "${::fqdn}_ecdsa":
|
||||
|
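Review bot: The new `if $::sshdsakey` and `if $::sshrsakey` guards silently skip exporting a key when the fact is absent, and nothing says why; a comment above the first guard such as `# Only export the key types this host actually has; sshd does not generate every type on every platform.` would spare the next reader a trip to the facts. The guarded block continues with `$::sshecdsakey` beyond the hunk. It is also worth a note that `type => dsa` exports an ssh-dss host key, which OpenSSH has disabled by default since 7.0, so consumers of the collected keys should treat that entry as legacy.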
@ -18,7 +18,7 @@ class ssh::params {
|
||||
$ssh_config = '/etc/ssh/ssh_config'
|
||||
$ssh_known_hosts = '/etc/ssh/ssh_known_hosts'
|
||||
$service_name = 'sshd'
|
||||
$sftp_server_path = '/usr/lib/openssh/sftp-server'
|
||||
$sftp_server_path = '/usr/libexec/openssh/sftp-server'
|
||||
}
|
||||
freebsd: {
|
||||
$server_package_name = undef
|
||||
@ -40,6 +40,27 @@ class ssh::params {
|
||||
$service_name = 'sshd.service'
|
||||
$sftp_server_path = '/usr/lib/ssh/sftp-server'
|
||||
}
|
||||
Suse: {
|
||||
$server_package_name = 'openssh'
|
||||
$client_package_name = 'openssh'
|
||||
$sshd_dir = '/etc/ssh'
|
||||
$sshd_config = '/etc/ssh/sshd_config'
|
||||
$ssh_config = '/etc/ssh/ssh_config'
|
||||
$ssh_known_hosts = '/etc/ssh/ssh_known_hosts'
|
||||
case $::operatingsystem {
|
||||
Sles: {
|
||||
$service_name = 'sshd'
|
||||
$sftp_server_path = '/usr/lib64/ssh/sftp-server'
|
||||
}
|
||||
Suse: {
|
||||
$service_name = 'sshd.service'
|
||||
$sftp_server_path = '/usr/lib/ssh/sftp-server'
|
||||
}
|
||||
default: {
|
||||
fail("Unsupported platform: ${::osfamily}/${::operatingsystem}")
|
||||
}
|
||||
}
|
||||
}
|
||||
default: {
|
||||
case $::operatingsystem {
|
||||
gentoo: {
|
||||
|
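Review bot: In the new `Suse:` family block, the inner `case $::operatingsystem` offers `Sles:` and `Suse:`, but the operatingsystem fact for that family reports values like `SLES`, `SLED` and `OpenSuSE`; an openSUSE host would therefore fall through to `fail("Unsupported platform: ${::osfamily}/${::operatingsystem}")` instead of matching `Suse:`. If openSUSE is the intended target the arm should probably read `OpenSuSE:` (Puppet 3 case matching on bare words is case-insensitive, so `Sles:` does match `SLES`). The RedHat change to `$sftp_server_path = '/usr/libexec/openssh/sftp-server'` would also benefit from a one-line comment naming the bug it fixes, so the two distro-specific paths are not "harmonised" back later.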
@ -9,6 +9,8 @@ class ssh::server(
|
||||
include ssh::server::config
|
||||
include ssh::server::service
|
||||
|
||||
File[$ssh::params::sshd_config] ~> Service[$ssh::params::service_name]
|
||||
|
||||
anchor { 'ssh::server::start': }
|
||||
anchor { 'ssh::server::end': }
|
||||
|
||||
|
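Review bot: The relationship `File[$ssh::params::sshd_config] ~> Service[$ssh::params::service_name]` moved into `ssh::server` references a `File` resource, but `ssh::server::config` now declares `$ssh::params::sshd_config` as a `concat`; the reference only resolves because the concat define happens to declare a `file` with the same title internally, which is an implementation detail of the dependency rather than of this module. Since the `'global config'` fragment already carries `notify => Class['ssh::server::service']`, check whether this edge is still needed, or write it as `Concat[$ssh::params::sshd_config] ~> Service[$ssh::params::service_name]` so it survives a concat upgrade. The parameter list of `ssh::server` and the rest of its body are outside the hunk.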
@ -1,11 +1,16 @@
|
||||
class ssh::server::config {
|
||||
file { $ssh::params::sshd_config:
|
||||
ensure => present,
|
||||
owner => 0,
|
||||
group => 0,
|
||||
mode => '0600',
|
||||
File[$ssh::params::sshd_config] ~> Service[$ssh::params::service_name]
|
||||
|
||||
concat { $ssh::params::sshd_config:
|
||||
ensure => present,
|
||||
owner => 0,
|
||||
group => 0,
|
||||
mode => '0600',
|
||||
}
|
||||
|
||||
concat::fragment { 'global config':
|
||||
target => $ssh::params::sshd_config,
|
||||
content => template("${module_name}/sshd_config.erb"),
|
||||
require => Class['ssh::server::install'],
|
||||
notify => Class['ssh::server::service'],
|
||||
order => '00'
|
||||
}
|
||||
}
|
||||
|
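Review bot: `order => '00'` on the new `'global config'` fragment is load-bearing and undocumented: sshd scopes every keyword that follows a `Match` line to that block, so the global fragment must sort before every `ssh::server::match_block` fragment (whose default `$order` is 50) or the global options silently become per-match options. Suggest `# Must sort before every match_block fragment (default order 50): sshd treats any keyword after a Match line as part of that block.` above the `order => '00'` line. A trailing comma after `'00'` would also keep the attribute list consistent with the concat resource above it.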
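--- /dev/null
+++ b/deployment/puppet/ssh/manifests/server/match_block.pp
@@ -0,0 +1,7 @@
+define ssh::server::match_block ($type = 'user', $order = 50, $options,) {
+concat::fragment { "match_block ${name}":
+target => $ssh::params::sshd_config,
+content => template("${module_name}/sshd_match_block.erb"),
+order => $order,
+}
+}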
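Review bot: `ssh::server::match_block` renders `$type`, the resource title and every `$options` key and value straight into sshd_config through the template without checking them, so a typo in `$type` or a non-hash `$options` yields a config sshd refuses to parse and a service that cannot be restarted until the catalog is fixed. The module already depends on stdlib, so two lines at the top of the define catch this at compile time: `validate_hash($options)` and `validate_re($type, '^(?i:user|group|host|localaddress|localport|address)$', "unknown Match criterion ${type}")`. The required `$options` parameter also sits after the optional ones with a trailing comma; listing it first reads more conventionally.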
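--- /dev/null
+++ b/deployment/puppet/ssh/metadata.json
@@ -0,0 +1,59 @@
+{
+"operatingsystem_support": [
+{
+"operatingsystem": "RedHat"
+},
+{
+"operatingsystem": "CentOS"
+},
+{
+"operatingsystem": "OracleLinux"
+},
+{
+"operatingsystem": "Scientific"
+},
+{
+"operatingsystem": "Debian"
+},
+{
+"operatingsystem": "Ubuntu"
+},
+{
+"operatingsystem": "FreeBSD"
+},
+{
+"operatingsystem": "Gentoo"
+},
+{
+"operatingsystem": "ArchLinux"
+}
+],
+"requirements": [
+{
+"name": "pe",
+"version_requirement": "3.2.x"
+},
+{
+"name": "puppet",
+"version_requirement": "3.x"
+}
+],
+"name": "saz-ssh",
+"version": "2.4.0",
+"source": "git://github.com/saz/puppet-ssh.git",
+"author": "saz",
+"license": "Apache License, Version 2.0",
+"summary": "UNKNOWN",
+"description": "Manage SSH client and server via puppet",
+"project_page": "https://github.com/saz/puppet-ssh",
+"dependencies": [
+{
+"name": "puppetlabs/stdlib",
+"version_requirement": ">= 2.2.1"
+},
+{
+"name": "puppetlabs/concat",
+"version_requirement": ">= 1.0.0"
+}
+]
+}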
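Review bot: `"source": "git://github.com/saz/puppet-ssh.git"` points at the unauthenticated git protocol while `.fixtures.yml` in this same commit moves its dependencies to https; `"source": "https://github.com/saz/puppet-ssh.git"` keeps the transport consistent and verifiable. `"summary": "UNKNOWN"` is a placeholder that module tooling will show to users, and the existing `"description"` text could fill it.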
@ -6,7 +6,8 @@ describe 'ssh::client', :type => 'class' do
|
||||
{
|
||||
:osfamily => 'Debian',
|
||||
:interfaces => 'eth0',
|
||||
:ipaddress_eth0 => '192.168.1.1'
|
||||
:ipaddress_eth0 => '192.168.1.1',
|
||||
:concat_basedir => '/tmp'
|
||||
}
|
||||
end
|
||||
it {
|
||||
@ -18,7 +19,8 @@ describe 'ssh::client', :type => 'class' do
|
||||
{
|
||||
:osfamily => 'Debian',
|
||||
:interfaces => 'eth0',
|
||||
:ipaddress_eth0 => '192.168.1.1'
|
||||
:ipaddress_eth0 => '192.168.1.1',
|
||||
:concat_basedir => '/tmp'
|
||||
}
|
||||
end
|
||||
let :params do
|
||||
|
@ -2,22 +2,22 @@ require 'spec_helper'
|
||||
describe 'ssh::server' do
|
||||
let :default_params do
|
||||
{
|
||||
:ensure => 'present',
|
||||
:ensure => 'present',
|
||||
:storeconfigs_enabled => true,
|
||||
:options => {}
|
||||
:options => {}
|
||||
}
|
||||
end
|
||||
|
||||
[ {},
|
||||
{
|
||||
:ensure => 'latest',
|
||||
:ensure => 'latest',
|
||||
:storeconfigs_enabled => true,
|
||||
:options => {}
|
||||
:options => {}
|
||||
},
|
||||
{
|
||||
:ensure => 'present',
|
||||
:ensure => 'present',
|
||||
:storeconfigs_enabled => false,
|
||||
:options => {}
|
||||
:options => {}
|
||||
}
|
||||
].each do |param_set|
|
||||
describe "when #{param_set == {} ? "using default" : "specifying"} class parameters" do
|
||||
@ -32,9 +32,10 @@ describe 'ssh::server' do
|
||||
['Debian'].each do |osfamily|
|
||||
let :facts do
|
||||
{
|
||||
:osfamily => osfamily,
|
||||
:interfaces => 'eth0',
|
||||
:ipaddress_eth0 => '192.168.1.1'
|
||||
:osfamily => osfamily,
|
||||
:interfaces => 'eth0',
|
||||
:ipaddress_eth0 => '192.168.1.1',
|
||||
:concat_basedir => '/tmp'
|
||||
}
|
||||
end
|
||||
|
||||
@ -48,29 +49,74 @@ describe 'ssh::server' do
|
||||
)}
|
||||
|
||||
it { should contain_service('ssh').with(
|
||||
'ensure' => 'running',
|
||||
'enable' => true,
|
||||
'ensure' => 'running',
|
||||
'enable' => true,
|
||||
'hasrestart' => true,
|
||||
'hasstatus' => true
|
||||
'hasstatus' => true
|
||||
)}
|
||||
|
||||
it 'should compile the template based on the class parameters' do
|
||||
content = param_value(
|
||||
subject,
|
||||
'file',
|
||||
'/etc/ssh/sshd_config',
|
||||
'content'
|
||||
)
|
||||
expected_lines = [
|
||||
'ChallengeResponseAuthentication no',
|
||||
'X11Forwarding yes',
|
||||
'PrintMotd no',
|
||||
'AcceptEnv LANG LC_*',
|
||||
'Subsystem sftp /usr/lib/openssh/sftp-server',
|
||||
'UsePAM yes'
|
||||
]
|
||||
(content.split("\n") & expected_lines).should =~ expected_lines
|
||||
it { should contain_class('concat::setup') }
|
||||
it { should contain_concat('/etc/ssh/sshd_config') }
|
||||
it { should contain_concat__fragment('global config').with(
|
||||
:target => '/etc/ssh/sshd_config',
|
||||
:content => '# File is managed by Puppet
|
||||
|
||||
AcceptEnv LANG LC_*
|
||||
ChallengeResponseAuthentication no
|
||||
PrintMotd no
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
UsePAM yes
|
||||
X11Forwarding yes
|
||||
'
|
||||
)}
|
||||
|
||||
end
|
||||
describe "on Arch" do
|
||||
let :facts do
|
||||
{
|
||||
:osfamily => 'Archlinux',
|
||||
:lsbdistdescription => 'Arch Linux',
|
||||
:lsbdistid => 'Arch',
|
||||
:operatingsystem => 'Archlinux',
|
||||
:interfaces => 'enp4s0',
|
||||
:ipaddress_eth0 => '192.168.1.1',
|
||||
:concat_basedir => '/tmp'
|
||||
}
|
||||
end
|
||||
|
||||
it { should contain_class('ssh::params') }
|
||||
it { should contain_package('openssh').with(
|
||||
:ensure => param_hash[:ensure],
|
||||
:name => 'openssh'
|
||||
)}
|
||||
|
||||
it { should contain_file('/etc/ssh/sshd_config').with(
|
||||
'owner' => 0,
|
||||
'group' => 0
|
||||
)}
|
||||
|
||||
it { should contain_service('sshd.service').with(
|
||||
'ensure' => 'running',
|
||||
'enable' => true,
|
||||
'hasrestart' => true,
|
||||
'hasstatus' => true
|
||||
)}
|
||||
|
||||
it { should contain_class('concat::setup') }
|
||||
it { should contain_concat('/etc/ssh/sshd_config') }
|
||||
it { should contain_concat__fragment('global config').with(
|
||||
:target => '/etc/ssh/sshd_config',
|
||||
:content => '# File is managed by Puppet
|
||||
|
||||
AcceptEnv LANG LC_*
|
||||
ChallengeResponseAuthentication no
|
||||
PrintMotd no
|
||||
Subsystem sftp /usr/lib/ssh/sftp-server
|
||||
UsePAM yes
|
||||
X11Forwarding yes
|
||||
'
|
||||
)}
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
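Review bot: In the new `describe "on Arch"` facts, `:interfaces => 'enp4s0'` is paired with `:ipaddress_eth0 => '192.168.1.1'`, so `ipaddresses()` will look up `ipaddress_enp4s0`, find nothing, and the Arch examples never exercise the address path that host-key collection depends on; `:ipaddress_enp4s0 => '192.168.1.1'` is probably what was meant. The `:content` expectations embed the full rendered sshd_config including the platform sftp path, which is a good regression check for the bug this commit fixes, but only Debian and Arch are covered, so no example asserts `Subsystem sftp /usr/libexec/openssh/sftp-server` for the RedHat family that the fix targets.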
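--- /dev/null
+++ b/deployment/puppet/ssh/spec/fixtures/.gitignore
@@ -0,0 +1,5 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
+!site.pp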
@ -6,18 +6,22 @@
|
||||
<%- v.sort.each do |key, value| -%>
|
||||
<%- if value.is_a?(Array) -%>
|
||||
<%- value.each do |a| -%>
|
||||
<%- if a != '' -%>
|
||||
<%= key %> <%= a %>
|
||||
<%- end -%>
|
||||
<%- else -%>
|
||||
<%- end -%>
|
||||
<%- elsif value != '' -%>
|
||||
<%= key %> <%= value %>
|
||||
<%- end -%>
|
||||
<%- end -%>
|
||||
<%- else -%>
|
||||
<%- if v.is_a?(Array) -%>
|
||||
<%- v.each do |a| -%>
|
||||
<%- if a != '' -%>
|
||||
<%= k %> <%= a %>
|
||||
<%- end -%>
|
||||
<%- else -%>
|
||||
<%- end -%>
|
||||
<%- elsif v != :undef and v != '' -%>
|
||||
<%= k %> <%= v %>
|
||||
<%- end -%>
|
||||
<%- end -%>
|
||||
|
@ -30,18 +30,22 @@ ListenAddress <%= listen %>
|
||||
<%- value = v[key] -%>
|
||||
<%- if value.is_a?(Array) -%>
|
||||
<%- value.each do |a| -%>
|
||||
<%- if a != '' -%>
|
||||
<%= key %> <%= a %>
|
||||
<%- end -%>
|
||||
<%- else -%>
|
||||
<%- end -%>
|
||||
<%- elsif value != '' -%>
|
||||
<%= key %> <%= value %>
|
||||
<%- end -%>
|
||||
<%- end -%>
|
||||
<%- else -%>
|
||||
<%- if v.is_a?(Array) -%>
|
||||
<%- v.each do |a| -%>
|
||||
<%- if a != '' -%>
|
||||
<%= k %> <%= a %>
|
||||
<%- end -%>
|
||||
<%- elsif v != :undef -%>
|
||||
<%- end -%>
|
||||
<%- elsif v != :undef and v != '' -%>
|
||||
<%= k %> <%= v %>
|
||||
<%- end -%>
|
||||
<%- end -%>
|
||||
|
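--- /dev/null
+++ b/deployment/puppet/ssh/templates/sshd_match_block.erb
@@ -0,0 +1,8 @@
+
+Match <%= @type %> <%= @name %>
+<%- @options.keys.each do |k| -%>
+<%- v = @options[k] -%>
+<%- if v != :undef -%>
+<%= k %> <%= v %>
+<%- end -%>
+<%- end -%>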
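Review bot: `<%= k %> <%= v %>` emits `v` through `to_s`, so an option passed as an array (the form the README documents for multi-valued keys such as `Port`, and which `sshd_config.erb` expands one line per element) renders inside a Match block as `["a", "b"]` and produces an sshd_config that does not parse. Expanding arrays here the same way as the global template keeps the two code paths consistent and means a user can move an option into a Match block without changing its shape. `@type` and `@name` are also written unescaped; that is acceptable for catalog-provided values but deserves a one-line comment saying the define, not the template, is responsible for validating them.
```erb
<%- @options.keys.each do |k| -%>
<%- v = @options[k] -%>
<%- if v.is_a?(Array) -%>
<%- v.each do |a| -%>
<%- if a != '' -%>
<%= k %> <%= a %>
<%- end -%>
<%- end -%>
<%- elsif v != :undef -%>
<%= k %> <%= v %>
<%- end -%>
<%- end -%>
```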