From 51f7498a9e0ab467260bf52bdca71fe97000c11e Mon Sep 17 00:00:00 2001 
From: Lukas Bezdicka Date: Thu, 2 Apr 2015 17:36:29 +0200 Subject: [PATCH] Update ssh to ec2dd7a44939f0e620edc27e44a8f2287385e807 ec2dd7a44939f0e620edc27e44a8f2287385e807 new release v2.5.0 775210485034b91afa7680ee74742367c47bbcca sort keys in match block, fixes #76 2cdda7edda525f4cb6935cac954908150f79f56a remove Modulefile in favour of metadata.json bdd94b1b21dc5be94bb82f24be0793be597fbfea Merge pull request #96 from buzzdeee/fix_ed25519 1685f85ce5337c582c8eb0adbea1500d15415690 fix rspec version 1fd4316667b131674378de15eff39a58593db36b move .gemfile to Gemfile e4fccdc8d38072ff1f93921d461436869b3899e3 fix ed25519 handling. 966da3195e9555ad6294c9279c09781396dae38e Merge pull request #95 from robertdebock/master f1a0481f0a62bc6d6919948f474f8aa2ec01a48f Merge pull request #93 from voidus/multivalued_keys_docs 61736e013a4dfe7c23327ee23e3276b00840477e Merge pull request #92 from markasammut/master 34db056b2661e418e42c40bcb4507054853b7dad Merge pull request #89 from fraenki/freebsd_sftp ca751a6a761c8638351da79aed51a6e9ad1e6e53 Merge pull request #85 from oxilion/fixreadme 1737b61795e2f00ac1cdb008625478333ff99b09 Merge pull request #84 from gertvdijk/improve_hostkeys b1c2570d1e575e1bf289e5e816266b80e0240da8 Merge pull request #82 from soniah/master fd1a82a5005f8a246e835003e282ca036d70eb90 Merge pull request #80 from wonko21/master d65f75c264bc99d46b2a45fbab2dfc2ff01400bc Merge pull request #77 from buzzdeee/master c6076a10ae8c304bce485d151fe7d30231a02a1b Merge pull request #75 from kcampos/add_amazon_os e075e687ad7afdae1292742a42fec64919e886eb Merge pull request #72 from voidus/master 809b41b89c0bd310287cc614af384661fff210b0 Merge pull request #69 from kiddivouchers/version-facts c5562d3cc853665afa86e11221afab554afc5670 Removed a comma from the documentation. 
da8b7d113e1f1f54fe27342eb12bce6e07605589 Document array-valued options c9ac750c33d2f885c44bbafc8705fb84cf2ebe84 Merge pull request #1 from markasammut/patch-1 be8fc1e745e83793fbdbe8eeea58ae33a5ee682f added option to specify package version 823a4a23f3bb5812a3d7734823b0e56012c0d364 fix $sftp_server_path on FreeBSD be8d53c2ffac7c2db862157300d126362f5328df README.markdown: clarify match_block-config da1ec526223da7f8b4a40b7dcf97f162573d6774 Oops in ssh key type for ed25519. 0c398ead55ebbf22620f17e6590b3e877dddf3ef Purge removed host keys from knownhosts file and add ed25519 support. 9121fa1dd41a8263d8c928c645943564929644e1 add source 5cc565fbf7fd55401a8e45980b79157f4d1b5088 corrected ssh service call 71bfba9fe67383c87d01c51bb6188414bd86046a the "operatingsystem" fact for OpenSuSE is "OpenSuSE" not "Suse" 4f642ca479840e9e4bb20b369b574b702536d0a9 Add support for OpenBSD 1a607022542a8ab4a1ef7afe44fe9e70a21c72d3 Add support for Amazon OS 57d40094f67182ebc07a56d8795ac794b1c99d5b Fix wrapping of Ruby code for Ruby<1.9 f63ae3b0b15927625b06e7db093ac661743a9ecf Add explicit allow_virtual parameters db48e39678237629fec7efe8e8fb273aea32aec5 Add docs for version facts eb2d9fb3ea6540f633d3134dc4cf8a678affcf24 Don't use structured facts as Facter 2.0 is pretty new 31464c2891caecfe72176e23692f383dd574663a Change to structured fact providing breakdown of OpenSSH version 03399cdbc714c427b3ded8651d9a4bcd6513d736 Add facts to get SSH server/client version --- Puppetfile | 2 +- ssh/.travis.yml | 1 - ssh/{.gemfile => Gemfile} | 1 + ssh/Modulefile | 11 ----- ssh/README.markdown | 60 ++++++++++++++++++++++++++-- ssh/lib/facter/ssh_client_version.rb | 28 +++++++++++++ ssh/lib/facter/ssh_server_version.rb | 31 ++++++++++++++ ssh/manifests/client/config.pp | 4 +- ssh/manifests/client/install.pp | 3 +- ssh/manifests/hostkeys.pp | 27 +++++++++++++ ssh/manifests/init.pp | 3 ++ ssh/manifests/knownhosts.pp | 4 +- ssh/manifests/params.pp | 56 +++++++++++++++++++++----- ssh/manifests/server/config.pp | 
4 +- ssh/manifests/server/install.pp | 3 +- ssh/metadata.json | 5 ++- ssh/templates/sshd_match_block.erb | 2 +- 17 files changed, 208 insertions(+), 37 deletions(-) rename ssh/{.gemfile => Gemfile} (84%) delete mode 100644 ssh/Modulefile create mode 100644 ssh/lib/facter/ssh_client_version.rb create mode 100644 ssh/lib/facter/ssh_server_version.rb diff --git a/Puppetfile b/Puppetfile index 724baaae4..e6e640975 100644 --- a/Puppetfile +++ b/Puppetfile @@ -163,7 +163,7 @@ mod 'sahara', :git => 'https://github.com/stackforge/puppet-sahara.git' mod 'ssh', - :commit => 'e5cfeae06a16497382072d80c65c901aa0e696ea', + :commit => 'ec2dd7a44939f0e620edc27e44a8f2287385e807', :git => 'https://github.com/saz/puppet-ssh.git' mod 'staging', diff --git a/ssh/.travis.yml b/ssh/.travis.yml index 873111c16..27d164d35 100644 --- a/ssh/.travis.yml +++ b/ssh/.travis.yml @@ -35,4 +35,3 @@ matrix: env: PUPPET_GEM_VERSION="~> 2.6.0" notifications: email: false -gemfile: .gemfile diff --git a/ssh/.gemfile b/ssh/Gemfile similarity index 84% rename from ssh/.gemfile rename to ssh/Gemfile index 306014445..779997548 100644 --- a/ssh/.gemfile +++ b/ssh/Gemfile @@ -3,6 +3,7 @@ source 'https://rubygems.org' puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 3.3'] gem 'puppet', puppetversion gem 'puppetlabs_spec_helper', '>= 0.1.0', :require => false +gem 'rspec', '< 3.2.0', {"platforms"=>["ruby_18"]} gem 'puppet-lint', '>= 0.3.2' gem 'facter', '>= 1.7.0', "< 1.8.0" diff --git a/ssh/Modulefile b/ssh/Modulefile deleted file mode 100644 index c74c4147a..000000000 --- a/ssh/Modulefile +++ /dev/null @@ -1,11 +0,0 @@ -name 'saz-ssh' -version '2.4.0' -source 'git://github.com/saz/puppet-ssh.git' -author 'saz' -license 'Apache License, Version 2.0' -summary 'UNKNOWN' -description 'Manage SSH client and server via puppet' -project_page 'https://github.com/saz/puppet-ssh' - -## Add dependencies, if any: -dependency 'puppetlabs/stdlib', '>= 2.2.1' 
diff --git a/ssh/README.markdown b/ssh/README.markdown index c4dfc97e8..665c5a549 100644 --- a/ssh/README.markdown +++ b/ssh/README.markdown @@ -1,10 +1,12 @@ # puppet-ssh [![Build Status](https://secure.travis-ci.org/saz/puppet-ssh.png)](http://travis-ci.org/saz/puppet-ssh) -Manage SSH client and server via Puppet +Manage SSH client and server via Puppet. ### Gittip [![Support via Gittip](https://rawgithub.com/twolfson/gittip-badge/0.2.0/dist/gittip.png)](https://www.gittip.com/saz/) +Source: https://github.com/saz/puppet-ssh + ## Requirements * Exported resources for host keys management * puppetlabs/stdlib @@ -58,7 +60,7 @@ or ### Hiera example ``` -ssh::storeconfigs_enabled: true, +ssh::storeconfigs_enabled: true ssh::server_options: Protocol: '2' @@ -183,6 +185,31 @@ UsePAM yes PasswordAuthentication no ``` +Values can also be arrays, which will result in the option being specified multiple times + +``` + class { 'ssh::server': + options => { + 'HostKey' => ['/etc/ssh/ssh_host_ed25519_key', '/etc/ssh/ssh_host_rsa_key'], + }, + } +``` + +Which will lead to the following `sshd_config` file: + + ``` +# File is managed by Puppet + +ChallengeResponseAuthentication no +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_rsa_key +PrintMotd no +AcceptEnv LANG LC_* +Subsystem sftp /usr/lib/openssh/sftp-server +UsePAM yes +PasswordAuthentication no +``` + ## Defining host keys for server You can define host keys your server will use @@ -207,9 +234,13 @@ Both of these definitions will create ```/etc/ssh/ssh_host_rsa_key``` and ```/etc/ssh/ssh_host_rsa_key.pub``` and restart sshd daemon. -## Adding cutom match blocks +## Adding custom match blocks ``` +class YOURCUSTOMCLASS { + + include ssh + ssh::server::match_block { 'sftp_only': type => 'User', options => { 
@@ -220,4 +251,27 @@ Both of these definitions will create ```/etc/ssh/ssh_host_rsa_key``` and 'X11Forwarding' => 'no', } } +} +``` + +## Facts + +This module provides facts detailing the available SSH client and server +versions. + +* `ssh_*_version_full` Provides the full version number including the portable + version number. +* `ssh_*_version_major` Provides the first two numbers in the version number. +* `ssh_*_version_release` Provides the first three number components of the + version, no portable version is present. + +Example facter output for OpenSSH `6.6.1p1`: + +``` +ssh_client_version_full => 6.6.1p1 +ssh_client_version_major => 6.6 +ssh_client_version_release => 6.6.1 +ssh_server_version_full => 6.6.1p1 +ssh_server_version_major => 6.6 +ssh_server_version_release => 6.6.1 ``` diff --git a/ssh/lib/facter/ssh_client_version.rb b/ssh/lib/facter/ssh_client_version.rb new file mode 100644 index 000000000..25d98b593 --- /dev/null +++ b/ssh/lib/facter/ssh_client_version.rb @@ -0,0 +1,28 @@ +Facter.add("ssh_client_version_full") do + setcode do + version = Facter::Util::Resolution.exec('sshd -V 2>&1'). + lines. + to_a. + select { |line| line.match(/^OpenSSH_/) }. + first. + rstrip + + version.gsub(/^OpenSSH_([^ ]+).*$/, '\1') + end +end + +Facter.add("ssh_client_version_major") do + setcode do + version = Facter.value('ssh_client_version_full') + + version.gsub(/^([0-9]+\.[0-9]+).*$/, '\1') + end +end + +Facter.add("ssh_client_version_release") do + setcode do + version = Facter.value('ssh_client_version_full') + + version.gsub(/^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$/, '\1') + end +end diff --git a/ssh/lib/facter/ssh_server_version.rb b/ssh/lib/facter/ssh_server_version.rb new file mode 100644 index 000000000..be1ef0cf0 --- /dev/null +++ b/ssh/lib/facter/ssh_server_version.rb 
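Review bot: The client fact runs `sshd -V`, the same command as ssh_server_version.rb, so it reports the server's version and produces nothing on a host that only has the OpenSSH client installed. When the binary is not found `Facter::Util::Resolution.exec` returns nil and the chained `.lines` raises NoMethodError, as does `.first.rstrip` when no `OpenSSH_` line is printed; the `_major`/`_release` facts then call `gsub` on a nil `Facter.value`, so the failure is reported on every run instead of the fact simply being absent. The version should come from `ssh -V 2>&1` (ssh prints it on stderr) with each step tolerating a missing value; the rewrite below keeps the fact names and the extracted format and stays within the Ruby 1.8 syntax the Gemfile still supports.

```ruby
Facter.add("ssh_client_version_full") do
  setcode do
    # ssh prints "OpenSSH_<version> ..." on stderr; exec returns nil when no ssh binary is found
    output = Facter::Util::Resolution.exec('ssh -V 2>&1')
    line = output && output.lines.to_a.find { |l| l =~ /^OpenSSH_/ }
    line && line.rstrip.gsub(/^OpenSSH_([^ ]+).*$/, '\1')
  end
end

Facter.add("ssh_client_version_major") do
  setcode do
    version = Facter.value('ssh_client_version_full')
    version && version.gsub(/^([0-9]+\.[0-9]+).*$/, '\1')
  end
end
# … unchanged: ssh_client_version_release, with the same `version && version.gsub(...)` guard …
```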
@@ -0,0 +1,31 @@
+Facter.add("ssh_server_version_full") do
+ setcode do
+ # sshd doesn't actually have a -V option (hopefully one will be added),
+ # by happy coincidence the usage information that is printed includes the
+ # version number.
+ version = Facter::Util::Resolution.exec('sshd -V 2>&1').
+ lines.
+ to_a.
+ select { |line| line.match(/^OpenSSH_/) }.
+ first.
+ rstrip
+
+ version.gsub(/^OpenSSH_([^ ]+).*$/, '\1')
+ end
+end
+
+Facter.add("ssh_server_version_major") do
+ setcode do
+ version = Facter.value('ssh_server_version_full')
+
+ version.gsub(/^([0-9]+\.[0-9]+).*$/, '\1')
+ end
+end
+
+Facter.add("ssh_server_version_release") do
+ setcode do
+ version = Facter.value('ssh_server_version_full')
+
+ version.gsub(/^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$/, '\1')
+ end
+end
diff --git a/ssh/manifests/client/config.pp b/ssh/manifests/client/config.pp
index 1c9d45333..d708d5dce 100644
--- a/ssh/manifests/client/config.pp
+++ b/ssh/manifests/client/config.pp
@@ -1,8 +1,8 @@
 class ssh::client::config {
 file { $ssh::params::ssh_config:
 ensure => present,
- owner => 0,
- group => 0,
+ owner => '0',
+ group => '0',
 content => template("${module_name}/ssh_config.erb"),
 require => Class['ssh::client::install'],
 }
diff --git a/ssh/manifests/client/install.pp b/ssh/manifests/client/install.pp
index 86771d770..ae38a7719 100644
--- a/ssh/manifests/client/install.pp
+++ b/ssh/manifests/client/install.pp
@@ -2,7 +2,8 @@
 if $ssh::params::client_package_name {
 if !defined(Package[$ssh::params::client_package_name]) {
 package { $ssh::params::client_package_name:
- ensure => $ssh::client::ensure,
+ ensure => $ssh::client::ensure,
+ allow_virtual => false,
 }
 }
 }
diff --git a/ssh/manifests/hostkeys.pp b/ssh/manifests/hostkeys.pp
index f7bbbb88d..1d9383a4b 100644
--- a/ssh/manifests/hostkeys.pp
+++ b/ssh/manifests/hostkeys.pp
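Review bot: `select { ... }.first.rstrip` raises NoMethodError whenever no `OpenSSH_` line is found, and `.lines` raises when `Facter::Util::Resolution.exec` returns nil because no sshd binary exists, which is the normal state of a client-only host that still loads this module's facts. The `_major` and `_release` facts then call `gsub` on a nil `Facter.value`, so one missing binary turns into three resolution errors per run. Guard each step so the fact is simply absent: `out = Facter::Util::Resolution.exec('sshd -V 2>&1')`, `line = out && out.lines.to_a.find { |l| l =~ /^OpenSSH_/ }`, `line && line.rstrip.gsub(/^OpenSSH_([^ ]+).*$/, '\1')`, plus `version && version.gsub(...)` in the two derived facts. The comment about `-V` should stay, and could add that usage text is not a stable interface, so the regex may need revisiting on new OpenSSH releases.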
@@ -4,23 +4,50 @@
 if $::sshdsakey {
 @@sshkey { "${::fqdn}_dsa":
+ ensure => present,
 host_aliases => $host_aliases,
 type => dsa,
 key => $::sshdsakey,
 }
+ } else {
+ @@sshkey { "${::fqdn}_dsa":
+ ensure => absent,
+ }
 }
 if $::sshrsakey {
 @@sshkey { "${::fqdn}_rsa":
+ ensure => present,
 host_aliases => $host_aliases,
 type => rsa,
 key => $::sshrsakey,
 }
+ } else {
+ @@sshkey { "${::fqdn}_rsa":
+ ensure => absent,
+ }
 }
 if $::sshecdsakey {
 @@sshkey { "${::fqdn}_ecdsa":
+ ensure => present,
 host_aliases => $host_aliases,
 type => 'ecdsa-sha2-nistp256',
 key => $::sshecdsakey,
 }
+ } else {
+ @@sshkey { "${::fqdn}_ecdsa":
+ ensure => absent,
+ }
+ }
+ if $::sshed25519key {
+ @@sshkey { "${::fqdn}_ed25519":
+ ensure => present,
+ host_aliases => $host_aliases,
+ type => 'ed25519',
+ key => $::sshed25519key,
+ }
+ } else {
+ @@sshkey { "${::fqdn}_ed25519":
+ ensure => absent,
+ }
 }
 }
diff --git a/ssh/manifests/init.pp b/ssh/manifests/init.pp
index 4f913556c..5124357b0 100644
--- a/ssh/manifests/init.pp
+++ b/ssh/manifests/init.pp
@@ -1,15 +1,18 @@
 class ssh (
 $server_options = {},
 $client_options = {},
+ $version = 'present',
 $storeconfigs_enabled = true
 ) inherits ssh::params {
 class { 'ssh::server':
 storeconfigs_enabled => $storeconfigs_enabled,
 options => $server_options,
+ ensure => $version,
 }
 class { 'ssh::client':
 storeconfigs_enabled => $storeconfigs_enabled,
 options => $client_options,
+ ensure => $version,
 }
 }
diff --git a/ssh/manifests/knownhosts.pp b/ssh/manifests/knownhosts.pp
index 1ea1848f4..f9d5ce005 100644
--- a/ssh/manifests/knownhosts.pp
+++ b/ssh/manifests/knownhosts.pp
@@ -1,5 +1,3 @@
 class ssh::knownhosts {
- Sshkey <<| |>> {
- ensure => present,
- }
+ Sshkey <<| |>>
 }
diff --git a/ssh/manifests/params.pp b/ssh/manifests/params.pp
index 332d940a4..1eeda81a2 100644
--- a/ssh/manifests/params.pp
+++ b/ssh/manifests/params.pp
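Review bot: Each new `else` branch exports `ensure => absent` whenever the corresponding fact is empty, but an empty `$::sshed25519key` also means the agent's Facter is too old to report that fact at all — the Gemfile in this same patch still pins `facter < 1.8.0` — so such agents export an absent ed25519 entry for themselves and every collecting node purges a host key that actually exists; the same reasoning applies to `$::sshecdsakey` on older Facter. "Fact missing" and "key removed" need to be distinguished: only take the absent branch when the agent can report the key, e.g. an `elsif` on `versioncmp($::facterversion, ...)` against the Facter release that introduced the fact (confirm that release before hard-coding it), or at minimum document the Facter floor this purge assumes in metadata.json and the README. A short comment above the first `else`, such as `# an absent fact is treated as a removed key and purges it fleet-wide via ssh::knownhosts`, would make the consequence visible to the next editor. The class header of ssh::hostkeys lies outside the hunk.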
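Review bot: `$version = 'present'` is passed straight through as `ensure` to both ssh::server and ssh::client, so besides a version string it accepts `latest` and `absent`, and `absent` removes sshd from every node that declares `class { 'ssh': }`; the parameter name does not suggest that. A parameter comment above the class would close the gap, e.g. `# $version: package ensure value used for both client and server ('present', 'latest', 'absent' or a version string)`. Since the module already depends on puppetlabs/stdlib, a `validate_re` on the accepted forms is a cheap addition, but that is optional.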
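Review bot: `Sshkey <<| |>>` collects every exported sshkey from every node, and with the `ensure` override removed the collected state now comes entirely from the exporter, so an agent that can export resources can add, replace or, after this change, delete `ssh_known_hosts` entries on every other node — its `fqdn` and key facts are self-reported unless the deployment restricts them with trusted data. That trust model is inherent to storeconfigs-based known_hosts management rather than introduced here, but it is not stated anywhere in the module. A class comment would do, e.g. `# Realises every exported Sshkey (present or absent) into ssh_known_hosts; the file is only as trustworthy as the least-trusted agent allowed to export resources.`, mirrored by a sentence in the README's host key section.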
@@ -28,7 +28,17 @@
 $ssh_config = '/etc/ssh/ssh_config'
 $ssh_known_hosts = '/etc/ssh/ssh_known_hosts'
 $service_name = 'sshd'
- $sftp_server_path = '/usr/lib/openssh/sftp-server'
+ $sftp_server_path = '/usr/libexec/sftp-server'
+ }
+ openbsd: {
+ $server_package_name = undef
+ $client_package_name = undef
+ $sshd_dir = '/etc/ssh'
+ $sshd_config = '/etc/ssh/sshd_config'
+ $ssh_config = '/etc/ssh/ssh_config'
+ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts'
+ $service_name = 'sshd'
+ $sftp_server_path = '/usr/libexec/sftp-server'
 }
 Archlinux: {
 $server_package_name = 'openssh'
@@ -52,8 +62,8 @@
 $service_name = 'sshd'
 $sftp_server_path = '/usr/lib64/ssh/sftp-server'
 }
- Suse: {
- $service_name = 'sshd.service'
+ OpenSuSE: {
+ $service_name = 'sshd'
+ $sftp_server_path = '/usr/lib/ssh/sftp-server'
 }
 default: {
@@ -73,6 +83,16 @@
 $service_name = 'sshd'
 $sftp_server_path = '/usr/lib/misc/sftp-server'
 }
+ Amazon: {
+ $server_package_name = 'openssh-server'
+ $client_package_name = 'openssh-clients'
+ $sshd_dir = '/etc/ssh'
+ $sshd_config = '/etc/ssh/sshd_config'
+ $ssh_config = '/etc/ssh/ssh_config'
+ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts'
+ $service_name = 'sshd'
+ $sftp_server_path = '/usr/libexec/openssh/sftp-server'
+ }
 default: {
 fail("Unsupported platform: ${::osfamily}/${::operatingsystem}")
 }
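Review bot: The new `openbsd:` case label is lowercase while Facter reports the osfamily as `OpenBSD`; it only matches because Puppet 3's `case` compares strings case-insensitively, a behaviour the future parser and Puppet 4 dropped, so this branch silently falls through to the `fail(...)` default there. Spell it `OpenBSD: {` like the neighbouring `Archlinux:` and `OpenSuSE:` labels (the enclosing `case` opens outside the hunk). Both package names being `undef` on OpenBSD means client/install.pp and server/install.pp skip package management entirely and the new `$version`/`ensure` value is ignored; a comment on those two lines, e.g. `# base-system OpenSSH: no package to manage, so ensure/version has no effect here`, would save the next reader a trip through install.pp.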
@@ -80,13 +100,29 @@
 }
 }
- $sshd_default_options = {
- 'ChallengeResponseAuthentication' => 'no',
- 'X11Forwarding' => 'yes',
- 'PrintMotd' => 'no',
- 'AcceptEnv' => 'LANG LC_*',
- 'Subsystem' => "sftp ${sftp_server_path}",
- 'UsePAM' => 'yes',
+ # OpenBSDs openssh doesn't link against PAM, therefore
+ # it doesn't know about the UsePAM option
+ case $::osfamily {
+ openbsd: {
+ $sshd_default_options = {
+ 'ChallengeResponseAuthentication' => 'no',
+ 'X11Forwarding' => 'yes',
+ 'PrintMotd' => 'no',
+ 'AcceptEnv' => 'LANG LC_*',
+ 'Subsystem' => "sftp ${sftp_server_path}",
+ }
+ }
+ default: {
+ $sshd_default_options = {
+ 'ChallengeResponseAuthentication' => 'no',
+ 'X11Forwarding' => 'yes',
+ 'PrintMotd' => 'no',
+ 'AcceptEnv' => 'LANG LC_*',
+ 'Subsystem' => "sftp ${sftp_server_path}",
+ 'UsePAM' => 'yes',
+ }
+
+ }
 }
 $ssh_default_options = {
diff --git a/ssh/manifests/server/config.pp b/ssh/manifests/server/config.pp
index c56944d09..c71a17c6b 100644
--- a/ssh/manifests/server/config.pp
+++ b/ssh/manifests/server/config.pp
@@ -3,8 +3,8 @@
 concat { $ssh::params::sshd_config:
 ensure => present,
- owner => 0,
- group => 0,
+ owner => '0',
+ group => '0',
 mode => '0600',
 }
diff --git a/ssh/manifests/server/install.pp b/ssh/manifests/server/install.pp
index 58b5ca1d3..8d7a7279c 100644
--- a/ssh/manifests/server/install.pp
+++ b/ssh/manifests/server/install.pp
@@ -3,7 +3,8 @@
 if $ssh::params::server_package_name {
 if !defined(Package[$ssh::params::server_package_name]) {
 package { $ssh::params::server_package_name:
- ensure => $ssh::server::ensure,
+ ensure => $ssh::server::ensure,
+ allow_virtual => false,
 }
 }
 }
diff --git a/ssh/metadata.json b/ssh/metadata.json
index 08d41906b..64f4734d3 100644
--- a/ssh/metadata.json
+++ b/ssh/metadata.json
@@ -21,6 +21,9 @@
 {
 "operatingsystem": "FreeBSD"
 },
+ {
+ "operatingsystem": "OpenBSD"
+ },
 {
 "operatingsystem": "Gentoo"
 },
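Review bot: The two `$sshd_default_options` hashes repeat five identical entries to differ only in `UsePAM`, so the next hardening change has to be made twice, and the `openbsd:` label carries the same case-sensitivity caveat as the one in the earlier params.pp hunk (Facter reports `OpenBSD`; only Puppet 3's case-insensitive `case` makes it match). A single base hash with the PAM entry merged in via `merge()` from puppetlabs/stdlib, which the module already depends on, keeps one place to edit. While the defaults are being restructured it is also the moment to decide about `X11Forwarding => 'yes'`: it is inherited rather than introduced here, but it remains a module-wide default that opens X11 forwarding on every managed sshd, so either flip it to `'no'` or document in the README that operators are expected to override it. The rest of `ssh::params` is outside the hunk.

```puppet
  $sshd_base_options = {
    'ChallengeResponseAuthentication' => 'no',
    'X11Forwarding'                   => 'yes',
    'PrintMotd'                       => 'no',
    'AcceptEnv'                       => 'LANG LC_*',
    'Subsystem'                       => "sftp ${sftp_server_path}",
  }
  # OpenBSD's OpenSSH is not linked against PAM and rejects the UsePAM option
  case $::osfamily {
    'OpenBSD': { $sshd_default_options = $sshd_base_options }
    default:   { $sshd_default_options = merge($sshd_base_options, { 'UsePAM' => 'yes' }) }
  }
  # … unchanged: $ssh_default_options …
```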
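Review bot: `allow_virtual => false` is a parameter of the package type that older Puppet releases do not define (it appeared in the 3.6 series as far as I recall — confirm), so on such agents the catalog fails on an invalid parameter, and the `.travis.yml` touched by this same patch still lists a `PUPPET_GEM_VERSION="~> 2.6.0"` matrix entry. Either raise the supported Puppet floor in the same change (metadata.json requirements and the travis matrix) or make the parameter conditional on `versioncmp($::puppetversion, ...)` in params.pp so the resource is declared without it on older agents; client/install.pp has the identical addition and needs the same treatment. A one-line comment such as `# silence the Puppet 3.6 virtual-package deprecation warning on rpm/yum; requires Puppet >= 3.6` records why the parameter is there. The `if` and the class header of ssh::server::install start outside the hunk.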
@@ -39,7 +42,7 @@
 }
 ],
 "name": "saz-ssh",
- "version": "2.4.0",
+ "version": "2.5.0",
 "source": "git://github.com/saz/puppet-ssh.git",
 "author": "saz",
 "license": "Apache License, Version 2.0",
diff --git a/ssh/templates/sshd_match_block.erb b/ssh/templates/sshd_match_block.erb
index 149af6254..6e0cb0869 100644
--- a/ssh/templates/sshd_match_block.erb
+++ b/ssh/templates/sshd_match_block.erb
@@ -1,6 +1,6 @@
 Match <%= @type %> <%= @name %>
-<%- @options.keys.each do |k| -%>
+<%- @options.keys.sort.each do |k| -%>
 <%- v = @options[k] -%>
 <%- if v != :undef -%>
 <%= k %> <%= v %>