Update ssh to ec2dd7a44939f0e620edc27e44a8f2287385e807

ec2dd7a44939f0e620edc27e44a8f2287385e807 new release v2.5.0
775210485034b91afa7680ee74742367c47bbcca sort keys in match block, fixes #76
2cdda7edda525f4cb6935cac954908150f79f56a remove Modulefile in favour of metadata.json
bdd94b1b21dc5be94bb82f24be0793be597fbfea Merge pull request #96 from buzzdeee/fix_ed25519
1685f85ce5337c582c8eb0adbea1500d15415690 fix rspec version
1fd4316667b131674378de15eff39a58593db36b move .gemfile to Gemfile
e4fccdc8d38072ff1f93921d461436869b3899e3 fix ed25519 handling.
966da3195e9555ad6294c9279c09781396dae38e Merge pull request #95 from robertdebock/master
f1a0481f0a62bc6d6919948f474f8aa2ec01a48f Merge pull request #93 from voidus/multivalued_keys_docs
61736e013a4dfe7c23327ee23e3276b00840477e Merge pull request #92 from markasammut/master
34db056b2661e418e42c40bcb4507054853b7dad Merge pull request #89 from fraenki/freebsd_sftp
ca751a6a761c8638351da79aed51a6e9ad1e6e53 Merge pull request #85 from oxilion/fixreadme
1737b61795e2f00ac1cdb008625478333ff99b09 Merge pull request #84 from gertvdijk/improve_hostkeys
b1c2570d1e575e1bf289e5e816266b80e0240da8 Merge pull request #82 from soniah/master
fd1a82a5005f8a246e835003e282ca036d70eb90 Merge pull request #80 from wonko21/master
d65f75c264bc99d46b2a45fbab2dfc2ff01400bc Merge pull request #77 from buzzdeee/master
c6076a10ae8c304bce485d151fe7d30231a02a1b Merge pull request #75 from kcampos/add_amazon_os
e075e687ad7afdae1292742a42fec64919e886eb Merge pull request #72 from voidus/master
809b41b89c0bd310287cc614af384661fff210b0 Merge pull request #69 from kiddivouchers/version-facts
c5562d3cc853665afa86e11221afab554afc5670 Removed a comma from the documentation.
da8b7d113e1f1f54fe27342eb12bce6e07605589 Document array-valued options
c9ac750c33d2f885c44bbafc8705fb84cf2ebe84 Merge pull request #1 from markasammut/patch-1
be8fc1e745e83793fbdbe8eeea58ae33a5ee682f added option to specify package version
823a4a23f3bb5812a3d7734823b0e56012c0d364 fix $sftp_server_path on FreeBSD
be8d53c2ffac7c2db862157300d126362f5328df README.markdown: clarify match_block-config
da1ec526223da7f8b4a40b7dcf97f162573d6774 Oops in ssh key type for ed25519.
0c398ead55ebbf22620f17e6590b3e877dddf3ef Purge removed host keys from knownhosts file and add ed25519 support.
9121fa1dd41a8263d8c928c645943564929644e1 add source
5cc565fbf7fd55401a8e45980b79157f4d1b5088 corrected ssh service call
71bfba9fe67383c87d01c51bb6188414bd86046a the "operatingsystem" fact for OpenSuSE is "OpenSuSE" not "Suse"
4f642ca479840e9e4bb20b369b574b702536d0a9 Add support for OpenBSD
1a607022542a8ab4a1ef7afe44fe9e70a21c72d3 Add support for Amazon OS
57d40094f67182ebc07a56d8795ac794b1c99d5b Fix wrapping of Ruby code for Ruby<1.9
f63ae3b0b15927625b06e7db093ac661743a9ecf Add explicit allow_virtual parameters
db48e39678237629fec7efe8e8fb273aea32aec5 Add docs for version facts
eb2d9fb3ea6540f633d3134dc4cf8a678affcf24 Don't use structured facts as Facter 2.0 is pretty new
31464c2891caecfe72176e23692f383dd574663a Change to structured fact providing breakdown of OpenSSH version
03399cdbc714c427b3ded8651d9a4bcd6513d736 Add facts to get SSH server/client version

Puppetfile

@@ -163,7 +163,7 @@ mod 'sahara',
   :git => 'https://github.com/stackforge/puppet-sahara.git'
 
 mod 'ssh',
-  :commit => 'e5cfeae06a16497382072d80c65c901aa0e696ea',
+  :commit => 'ec2dd7a44939f0e620edc27e44a8f2287385e807',
   :git => 'https://github.com/saz/puppet-ssh.git'
 
 mod 'staging',

ssh/.travis.yml

@@ -35,4 +35,3 @@ matrix:
       env: PUPPET_GEM_VERSION="~> 2.6.0"
 notifications:
   email: false
-gemfile: .gemfile

ssh/.gemfile → ssh/Gemfile

@@ -3,6 +3,7 @@ source 'https://rubygems.org'
 puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 3.3']
 gem 'puppet', puppetversion
 gem 'puppetlabs_spec_helper', '>= 0.1.0', :require => false
+gem 'rspec', '< 3.2.0', {"platforms"=>["ruby_18"]}
 gem 'puppet-lint', '>= 0.3.2'
 gem 'facter', '>= 1.7.0', "< 1.8.0"
 

ssh/README.markdown

@@ -1,10 +1,12 @@
 # puppet-ssh [![Build Status](https://secure.travis-ci.org/saz/puppet-ssh.png)](http://travis-ci.org/saz/puppet-ssh)
 
-Manage SSH client and server via Puppet
+Manage SSH client and server via Puppet.
 
 ### Gittip
 [![Support via Gittip](https://rawgithub.com/twolfson/gittip-badge/0.2.0/dist/gittip.png)](https://www.gittip.com/saz/)
 
+Source: https://github.com/saz/puppet-ssh
+
 ## Requirements
 * Exported resources for host keys management
 * puppetlabs/stdlib
@@ -58,7 +60,7 @@ or
 
 ### Hiera example
 ```
-ssh::storeconfigs_enabled: true,
+ssh::storeconfigs_enabled: true
 
 ssh::server_options:
     Protocol: '2'
@@ -183,6 +185,31 @@ UsePAM yes
 PasswordAuthentication no
 ```
 
+Values can also be arrays, which will result in the option being specified multiple times
+
+```
+    class { 'ssh::server':
+      options           => {
+        'HostKey' => ['/etc/ssh/ssh_host_ed25519_key', '/etc/ssh/ssh_host_rsa_key'],
+      },
+    }
+```
+
+Which will lead to the following `sshd_config` file:
+
+ ```
+# File is managed by Puppet
+
+ChallengeResponseAuthentication no
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+PasswordAuthentication no
+```
+
 ## Defining host keys for server
 You can define host keys your server will use
 
@@ -207,9 +234,13 @@ Both of these definitions will create ```/etc/ssh/ssh_host_rsa_key``` and
 ```/etc/ssh/ssh_host_rsa_key.pub``` and restart sshd daemon.
 
 
-## Adding cutom match blocks
+## Adding custom match blocks
 
 ```
+class YOURCUSTOMCLASS { 
+
+  include ssh
+
   ssh::server::match_block { 'sftp_only':
     type    => 'User',
     options => {
@@ -220,4 +251,27 @@ Both of these definitions will create ```/etc/ssh/ssh_host_rsa_key``` and
       'X11Forwarding'          => 'no',
     }
   }
+}
+```
+
+## Facts
+
+This module provides facts detailing the available SSH client and server
+versions.
+
+* `ssh_*_version_full` Provides the full version number including the portable
+  version number.
+* `ssh_*_version_major` Provides the first two numbers in the version number.
+* `ssh_*_version_release` Provides the first three number components of the
+  version, no portable version is present.
+
+Example facter output for OpenSSH `6.6.1p1`:
+
+```
+ssh_client_version_full => 6.6.1p1
+ssh_client_version_major => 6.6
+ssh_client_version_release => 6.6.1
+ssh_server_version_full => 6.6.1p1
+ssh_server_version_major => 6.6
+ssh_server_version_release => 6.6.1
 ```

ssh/lib/facter/ssh_client_version.rb

@@ -0,0 +1,28 @@
+Facter.add("ssh_client_version_full") do
+  setcode do
+    version = Facter::Util::Resolution.exec('sshd -V 2>&1').
+      lines.
+      to_a.
+      select { |line| line.match(/^OpenSSH_/) }.
+      first.
+      rstrip
+
+    version.gsub(/^OpenSSH_([^ ]+).*$/, '\1')
+  end
+end
+
+Facter.add("ssh_client_version_major") do
+  setcode do
+    version = Facter.value('ssh_client_version_full')
+
+    version.gsub(/^([0-9]+\.[0-9]+).*$/, '\1')
+  end
+end
+
+Facter.add("ssh_client_version_release") do
+  setcode do
+    version = Facter.value('ssh_client_version_full')
+
+    version.gsub(/^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$/, '\1')
+  end
+end

ssh/lib/facter/ssh_server_version.rb

@@ -0,0 +1,31 @@
+Facter.add("ssh_server_version_full") do
+  setcode do
+    # sshd doesn't actually have a -V option (hopefully one will be added),
+    # by happy coincidence the usage information that is printed includes the
+    # version number.
+    version = Facter::Util::Resolution.exec('sshd -V 2>&1').
+      lines.
+      to_a.
+      select { |line| line.match(/^OpenSSH_/) }.
+      first.
+      rstrip
+
+    version.gsub(/^OpenSSH_([^ ]+).*$/, '\1')
+  end
+end
+
+Facter.add("ssh_server_version_major") do
+  setcode do
+    version = Facter.value('ssh_server_version_full')
+
+    version.gsub(/^([0-9]+\.[0-9]+).*$/, '\1')
+  end
+end
+
+Facter.add("ssh_server_version_release") do
+  setcode do
+    version = Facter.value('ssh_server_version_full')
+
+    version.gsub(/^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$/, '\1')
+  end
+end

ssh/manifests/client/config.pp

@@ -1,8 +1,8 @@
 class ssh::client::config {
   file { $ssh::params::ssh_config:
     ensure  => present,
-    owner   => 0,
-    group   => 0,
+    owner   => '0',
+    group   => '0',
     content => template("${module_name}/ssh_config.erb"),
     require => Class['ssh::client::install'],
   }

ssh/manifests/client/install.pp

@@ -2,7 +2,8 @@
   if $ssh::params::client_package_name {
     if !defined(Package[$ssh::params::client_package_name]) {
       package { $ssh::params::client_package_name:
-        ensure => $ssh::client::ensure,
+        ensure        => $ssh::client::ensure,
+        allow_virtual => false,
       }
     }
   }

ssh/manifests/hostkeys.pp

@@ -4,23 +4,50 @@
 
   if $::sshdsakey {
     @@sshkey { "${::fqdn}_dsa":
+      ensure       => present,
       host_aliases => $host_aliases,
       type         => dsa,
       key          => $::sshdsakey,
     }
+  } else {
+    @@sshkey { "${::fqdn}_dsa":
+      ensure       => absent,
+    }
   }
   if $::sshrsakey {
     @@sshkey { "${::fqdn}_rsa":
+      ensure       => present,
       host_aliases => $host_aliases,
       type         => rsa,
       key          => $::sshrsakey,
     }
+  } else {
+    @@sshkey { "${::fqdn}_rsa":
+      ensure       => absent,
+    }
   }
   if $::sshecdsakey {
     @@sshkey { "${::fqdn}_ecdsa":
+      ensure       => present,
       host_aliases => $host_aliases,
       type         => 'ecdsa-sha2-nistp256',
       key          => $::sshecdsakey,
     }
+  } else {
+    @@sshkey { "${::fqdn}_ecdsa":
+      ensure       => absent,
+    }
+  }
+  if $::sshed25519key {
+    @@sshkey { "${::fqdn}_ed25519":
+      ensure       => present,
+      host_aliases => $host_aliases,
+      type         => 'ed25519',
+      key          => $::sshed25519key,
+    }
+  } else {
+    @@sshkey { "${::fqdn}_ed25519":
+      ensure       => absent,
+    }
   }
 }

ssh/manifests/init.pp

@@ -1,15 +1,18 @@
 class ssh (
   $server_options       = {},
   $client_options       = {},
+  $version              = 'present',
   $storeconfigs_enabled = true
 ) inherits ssh::params {
   class { 'ssh::server':
     storeconfigs_enabled => $storeconfigs_enabled,
     options              => $server_options,
+    ensure               => $version,
   }
 
   class { 'ssh::client':
     storeconfigs_enabled => $storeconfigs_enabled,
     options              => $client_options,
+    ensure               => $version,
   }
 }

ssh/manifests/knownhosts.pp

@@ -1,5 +1,3 @@
 class ssh::knownhosts {
-  Sshkey <<| |>> {
-    ensure => present,
-  }
+  Sshkey <<| |>>
 }

ssh/manifests/params.pp

@@ -28,7 +28,17 @@
       $ssh_config = '/etc/ssh/ssh_config'
       $ssh_known_hosts = '/etc/ssh/ssh_known_hosts'
       $service_name = 'sshd'
-      $sftp_server_path = '/usr/lib/openssh/sftp-server'
+      $sftp_server_path = '/usr/libexec/sftp-server'
+    }
+    openbsd: {
+      $server_package_name = undef
+      $client_package_name = undef
+      $sshd_dir = '/etc/ssh'
+      $sshd_config = '/etc/ssh/sshd_config'
+      $ssh_config = '/etc/ssh/ssh_config'
+      $ssh_known_hosts = '/etc/ssh/ssh_known_hosts'
+      $service_name = 'sshd'
+      $sftp_server_path = '/usr/libexec/sftp-server'
     }
     Archlinux: {
       $server_package_name = 'openssh'
@@ -52,8 +62,8 @@
           $service_name = 'sshd'
           $sftp_server_path = '/usr/lib64/ssh/sftp-server'
         }
-        Suse: {
-          $service_name = 'sshd.service'
+        OpenSuSE: {
+          $service_name = 'sshd'
           $sftp_server_path = '/usr/lib/ssh/sftp-server'
         }
         default: {
@@ -73,20 +83,46 @@
           $service_name = 'sshd'
           $sftp_server_path = '/usr/lib/misc/sftp-server'
         }
+        Amazon: {
+          $server_package_name = 'openssh-server'
+          $client_package_name = 'openssh-clients'
+          $sshd_dir = '/etc/ssh'
+          $sshd_config = '/etc/ssh/sshd_config'
+          $ssh_config = '/etc/ssh/ssh_config'
+          $ssh_known_hosts = '/etc/ssh/ssh_known_hosts'
+          $service_name = 'sshd'
+          $sftp_server_path = '/usr/libexec/openssh/sftp-server'
+        }
         default: {
           fail("Unsupported platform: ${::osfamily}/${::operatingsystem}")
         }
       }
     }
   }
 
-  $sshd_default_options = {
-    'ChallengeResponseAuthentication' => 'no',
-    'X11Forwarding'                   => 'yes',
-    'PrintMotd'                       => 'no',
-    'AcceptEnv'                       => 'LANG LC_*',
-    'Subsystem'                       => "sftp ${sftp_server_path}",
-    'UsePAM'                          => 'yes',
+  # OpenBSDs openssh doesn't link against PAM, therefore
+  # it doesn't know about the UsePAM option
+  case $::osfamily {
+    openbsd: {
+      $sshd_default_options = {
+        'ChallengeResponseAuthentication' => 'no',
+        'X11Forwarding'                   => 'yes',
+        'PrintMotd'                       => 'no',
+        'AcceptEnv'                       => 'LANG LC_*',
+        'Subsystem'                       => "sftp ${sftp_server_path}",
+      }
+    }
+    default: {
+      $sshd_default_options = {
+        'ChallengeResponseAuthentication' => 'no',
+        'X11Forwarding'                   => 'yes',
+        'PrintMotd'                       => 'no',
+        'AcceptEnv'                       => 'LANG LC_*',
+        'Subsystem'                       => "sftp ${sftp_server_path}",
+        'UsePAM'                          => 'yes',
+      }
+
+    }
   }
 
   $ssh_default_options = {

ssh/manifests/server/config.pp

@@ -3,8 +3,8 @@
 
   concat { $ssh::params::sshd_config:
     ensure => present,
-    owner  => 0,
-    group  => 0,
+    owner  => '0',
+    group  => '0',
     mode   => '0600',
   }
 

ssh/manifests/server/install.pp

@@ -3,7 +3,8 @@
   if $ssh::params::server_package_name {
     if !defined(Package[$ssh::params::server_package_name]) {
       package { $ssh::params::server_package_name:
-        ensure   => $ssh::server::ensure,
+        ensure        => $ssh::server::ensure,
+        allow_virtual => false,
       }
     }
   }