Update ssh to e5cfeae06a16497382072d80c65c901aa0e696ea

e5cfeae06a16497382072d80c65c901aa0e696ea Merge pull request redhat-openstack#67 from emning/emptyparams
dff58ffdbd42817a1bec443bf346b48f51492337 Merge pull request redhat-openstack#63 from cristi1979/master
4a3c417e08c4d66ed658850ded467ae04d5b30c3 remove extra end
df44eb54e84d35b81a7e3d9b071ff2acd23eb697 remove one unnecessary if
f4c5fb6a3a6b1ae81eb33122d6c44d4f60e4d1cf first try
a8548878ef1f77c8347d45e3e1ed73fa51a6139b remove concat param from defaults
d7fa366602d8a9637c36ca01f3605ae4c72e9814 rebase
a7b27d1f37e1a8cbaa8bea2f9a659dc4093d6aec some spec cleanups
e40723ab18367e581e9a5837d87175842be907b2 fix spec tests in some parts
c1ba1f2b2987685a4cd54d764e9097540a560510 Merge pull request redhat-openstack#61 from cristi1979/master
8dbb620819864e95889b8bb3720b51f0db3ff25b try to make travis happy
429e66a50828a77451f1390c32a808d31ef1e678 Update client_spec.rb
578f840ad4ab88a5ef5fcc1bef6208b60d008821 Update server_spec.rb
878848267fca97cef381a9339c51ecd96d8704ab Update server_spec.rb
670f415f72f2b7655b18886b2f626fb09270eec6 add concat facts to spec
62d08daf58dca311abf94b234ac68b10d61af580 Merge pull request redhat-openstack#59 from cristi1979/patch-1
2ed488edf615945067cf5c02069b39cff86a0b73 Merge pull request redhat-openstack#58 from cristi1979/master
744298004e49ffe3356d46f381f07c4feee1bbbc add concat fact
131d0e8cbe4f95dfe3090e884398402bf9de937d add concat fact
005a9ad0a4a7141586463c56b0b7a27a0e0217ff add concat dependency
5b33497bb6a7c7c57fa0763e02622c161e4890fc add concat dependecy
06306e3e18d5c379a8d45089e2c2d226a399d520 update version in Modulefile
3906425ff06bcabc4d677a3f01372d8a26f93e94 new release v2.4.0, fixes redhat-openstack#49
ae46458ff0903009c1e5904e8295b4bd4a406cf8 Merge pull request redhat-openstack#53 from softecspa/master
56c77bb09e5f4ff220e80b2edac455d19466a623 Merge pull request redhat-openstack#54 from digitalmediacenter/puppet-lint-fixes
5eff2a667b472a6bc565b814c05445145fedb996 Merge pull request redhat-openstack#56 from greg0ire/proofread_readme
471111aa5431f848b8420ff70f2e9fa383cee9f7 Update README.markdown
0a04f247e75a95230c89cbea9a7674dacaaf944c add documentation
9f5c52c340baaa53c46e87738d7ad47776ba8b6a support to add match blocks from different modules
77019e57e694b6653c1bb64593481c795053baec Fixed some Puppet lint errors
28aaa1cb082954aa86d61c0686e9e6855c75b5f0 improve formatting and style
d3e75d577f582688f5f4382ac867a50eea451d39 add missing period
6ba6e1711157f0d46187c3393f6f42b4cddc7702 fix spelling
3ac2c4191c7dc807da069faead88949ecec0fe16 fix undefined on unexistent addresses
2b007ab54105b2ddd0cc37bda6920b92caf2e3c4 fix for puppet 2.7 ipaddresses() don't return :undefined for ipv6 addresses
8bb6d9b3521cdad3a39108e2caef62913a3f7374 Merge pull request redhat-openstack#51 from aidun/master
24b00091f8c337830de5071cb408a2f437c464a8 Addes support for Suse like os
0bbf492b68b8de75305a6a9f0b5c5ab46b6e6a45 Merge pull request redhat-openstack#47 from xalimar/fix_redhat_sftp_path
1bfa7d2c03d40e3df04337944006ecd4470cab02 Correct path for sftp-server on RedHat
219bd7cefa3034c46a896aaff15907fda74f5379 Merge pull request redhat-openstack#44 from arlimus/sshclient-undef
fac41d0c38f39557d42340b0e5d45e20de7e9839 bugfix: don't set undef values in ssh_config
9389045649b8d7218d7aba86ce280ca3190e2341 Merge branch 'master' of github.com:saz/puppet-ssh
35f4be1394682970c6ce2c01460424a60eb295b8 add hiera example to README, fixes redhat-openstack#43
306c0c72c0d56c7af097b4135a7a622abb7bc5c6 Merge pull request redhat-openstack#38 from strangeman/patch-1
5e9248b42642cc26eb37b0affec1d2b48b8a88c8 Merge pull request redhat-openstack#39 from fries/master
899aac20e42a449e2905ca9795c749f239ae50cb Merge pull request redhat-openstack#41 from Element84/FixFixtures
cc0c5a11d8b4b3d75946652c08523ed6eaf6c667 Merge pull request redhat-openstack#42 from oxilion/ssh_key_conditional
217db22a42fbb47fa63e47d6c49e0094b90e20d1 Merge pull request redhat-openstack#40 from Element84/HandleMissingInterfaces
deb2fcc798700d01311adbf5095fc016d6465372 make all sshkeys conditional
0101ac88b6a1396a87968d59d1ddd4a7645a0896 Updated url of the stdlib module in .fixtures.yml
66cd9df49d7b9b72aae1d71cd79f0b26306813c0 Fixed ipaddresses function in Puppet 3.x
717ea5b8d77252f3b1e0c5c23783954ddfcf8a55 Ensure ssh_known_hosts is present.
1db696708e51b21761208099ef7c297e24dcca98 Fix readme
e90628a5d3d1cd104d0ffb9580e7b7d760d9069b fix failing tests on travis-ci
e1349a0534598dea89e6334bfa07ade8964094c6 add spec tests for ArchLinux (thanks jantman), fixes redhat-openstack#37
23f4657 new release v2.3.6
e6b8ce9 some white space cleanup
03e8b96 make host key distribution fully configurable, fixes redhat-openstack#27
0abda69 update metadata.json
e8a5b70 add missing sshd_dir variable on freebsd
e5f9cec Merge pull request redhat-openstack#35 from TelekomCloud/fix/address_family
a538ca2 Merge pull request redhat-openstack#34 from TelekomCloud/allow_to_undefine_default_sshd_values
8a7b57f Merge pull request redhat-openstack#30 from jantman/archlinux
b0a314d Bug: AddressFamily must be specified before ListenAddress
3e24e5b Allow to undefine default options in sshd_config.
f209378 new release v2.3.5
e6690fc allow multiple ports and listen addresses, refs redhat-openstack#33
5acdcc5 new release v2.3.4
dffda8a Merge pull request redhat-openstack#32 from ChrisPortman/option_ordering
02037f0 Only do scope.lookupvar once
89a42a4 Sort the Options Hash
86d9048 Implement Specific Option Ordering Requirements
3af5933 add support for Archlinux
1426c30 fix spec test on ruby 1.8.7
37fd998 improve spec test
e46a32b new release v2.3.3
1cdcc99 remove fixtures symlinks
6cb3483 fix lint errors
895cbd0 fix gemfile
3727a2c update Rakefile
9eb6039 update travis config
e056eb2 add travis-ci status image to README
a0f5d5d new release v2.3.2
d276677 some cleanup
096184b Merge pull request redhat-openstack#28 from cruisibesarescondev/patch-1
6338f97 Make logic explicit in template.
1db972b new release v2.3.1
834a6f5 fix Match ordering in sshd config as it needs to be the last part
29f66a1 new release v2.3.0
b01984c fix module on gentoo linux
8df221d Merge pull request redhat-openstack#25 from rfay/storeconfigs_enabled_parameter
3e6f851 Merge pull request redhat-openstack#23 from CyBeRoni/master
1e597d7 Allow turning off storeconfigs/hostkey managment
5ff3d28 Add testing files
2d3c573 Set up a few simple tests
9325650 re-instate check for package name
aac81b6 Merge https://github.com/saz/puppet-ssh
dbabc49 fix syntax
bff4ad6 fix $ensure to actually do what I expect.
58c4944 new release v2.2.0
40bdca2 fix conflicts
90f991b Merge pull request redhat-openstack#20 from amateo/testing
0506606 Reformateo
262fd19 Example of ssh::server::host_key
b224323 change parameter order
14d80d2 new release v2.1.0
e622c64 add freebsd support
883f15b sort hashes to prevent shuffling and restarting ssh unnecessarily
3547fdc make package 'ensure' variable, with 'present' as default
db17c3d Sort hashes in templates so config files are not modified in every puppet run (and so, ssh is not restarted without need)
3fe49d0 Finish Release-1
454f9a8 Finish Release-1
80d4403 Add a ssh::server::host_key define to configure ssh server keys.
ab4f2c5 Add documentation for the define
81aaea6 Add a define to configure ssh server hosts keys
5cfa6e6 Add a variable for ssh config directory
121e5c4 Merge pull request redhat-openstack#19 from saz/devel
a249e85 update to new version 2.0.0
64a2ceb fix README
95a78df improve README
dd888e3 support multiple values for one key
1f87ad6 Update README
568945b Update README
13e5b22 update README, add ssh options
42030ee add default case, if no hash is given
afc32e5 fix is_a condition
23a20d3 fix ssh* templates
a83c787 use template for ssh_config, merge options
1d5f3a5 remove obsolete configline
ef5666f add disable_user_known_hosts variable for now
3f82045 use template for sshd_config file
10426ab Merge branch 'master' of github.com:saz/puppet-ssh
c4c344b ignore .DS_Store files
cb143b9 Merge pull request redhat-openstack#18 from blaind/master
97cc56c update module version to 1.4.0
bb26451 add gentoo support
bc105d5 Parameterize the UserKnownHostsFile /dev/null setting
f588b5e Update module version
cfb5861 Merge pull request redhat-openstack#17 from maestrodev/ensure-present
64b7cea Ensure client package is present, not latest
10675c0 Version 1.2.0
2af255c Merge pull request redhat-openstack#10 from kepstin/sshecdsakey
6215b24 Add a missing } character, oops...
ef3ec06 Export ECDSA hostkeys
c56be03 Version 1.1.1
de782f2 fix scope of ipaddresses variable
e910268 new version 1.1.0, puppetlabs/stdlib >= 2.2.1 as dependency
d92e7f7 use ipaddresses() function in ssh::hostkeys

Puppetfile

@@ -139,7 +139,7 @@ mod 'sahara',
   :git => 'https://github.com/stackforge/puppet-sahara.git'
 
 mod 'ssh',
-  :commit => 'd6571f8c43ac55d20a6afd8a8ce3f86ac4b0d7a4',
+  :commit => 'e5cfeae06a16497382072d80c65c901aa0e696ea',
   :git => 'https://github.com/saz/puppet-ssh.git'
 
 mod 'staging',

ssh/.fixtures.yml

@@ -0,0 +1,6 @@
+fixtures:
+  repositories:
+    stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib"
+    concat: "https://github.com/puppetlabs/puppetlabs-concat"
+  symlinks:
+    ssh: "#{source_dir}"

ssh/.gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 3.3']
+gem 'puppet', puppetversion
+gem 'puppetlabs_spec_helper', '>= 0.1.0', :require => false
+gem 'puppet-lint', '>= 0.3.2'
+gem 'facter', '>= 1.7.0', "< 1.8.0"
+
+# vim:ft=ruby

ssh/.gitignore

@@ -1,3 +1,3 @@
 pkg/
 *.swp
-metadata.json
+.DS_Store

ssh/.travis.yml

@@ -0,0 +1,38 @@
+---
+branches:
+  only:
+    - master
+language: ruby
+bundler_args: --without development
+script: 'bundle exec rake validate && bundle exec rake lint && SPEC_OPTS="--format documentation" bundle exec rake spec'
+after_success:
+  - git clone -q git://github.com/puppetlabs/ghpublisher.git .forge-releng
+  - .forge-releng/publish
+rvm:
+  - 1.8.7
+  - 1.9.3
+env:
+  matrix:
+    - PUPPET_GEM_VERSION="~> 2.7.0"
+    - PUPPET_GEM_VERSION="~> 3.0.0"
+    - PUPPET_GEM_VERSION="~> 3.1.0"
+    - PUPPET_GEM_VERSION="~> 3.2.0"
+    - PUPPET_GEM_VERSION="~> 3.3.0"
+    - PUPPET_GEM_VERSION="~> 3.4.0"
+  global:
+  - PUBLISHER_LOGIN=saz
+  - secure: |-
+      bMAcMOMNUgKl7mVDNc47HwT7A8s3SvVRgy4Gu49XbyQ4C/pQ/TCSVlhyvNS7AHAA5BoZcypC
+      23f69ykM4qVFGKDEi+oy6rfWXq8WVgyqA9r30Gcg95Plna5fRt/8lmbfBpa+DLRuUYhbzOXg
+      RuXT20V+nQOHDfp7fuC0EBQxIfM=
+matrix:
+  include:
+    - rvm: 2.0.0
+      env: PUPPET_GEM_VERSION="~> 3.2.0"
+    - rvm: 2.0.0
+      env: PUPPET_GEM_VERSION="~> 3.3.0"
+    - rvm: 1.8.7
+      env: PUPPET_GEM_VERSION="~> 2.6.0"
+notifications:
+  email: false
+gemfile: .gemfile

ssh/Modulefile

@@ -1,8 +1,11 @@
 name    'saz-ssh'
-version '1.0.3'
+version '2.4.0'
 source 'git://github.com/saz/puppet-ssh.git'
 author 'saz'
 license 'Apache License, Version 2.0'
 summary 'UNKNOWN'
 description 'Manage SSH client and server via puppet'
 project_page 'https://github.com/saz/puppet-ssh'
+
+## Add dependencies, if any:
+dependency 'puppetlabs/stdlib', '>= 2.2.1'

ssh/README.markdown

@@ -1,28 +1,223 @@
-# SSH Client and Server Puppet Module
+# puppet-ssh [![Build Status](https://secure.travis-ci.org/saz/puppet-ssh.png)](http://travis-ci.org/saz/puppet-ssh)
 
 Manage SSH client and server via Puppet
 
-## Client only
-Collected host keys from servers will be written to known_hosts
+### Gittip
+[![Support via Gittip](https://rawgithub.com/twolfson/gittip-badge/0.2.0/dist/gittip.png)](https://www.gittip.com/saz/)
+
+## Requirements
+* Exported resources for host keys management
+* puppetlabs/stdlib
+
+## Usage
+
+Since version 2.0.0 only non-default values are written to both,
+client and server, configuration files.
+
+Multiple occurrences of one config key (e.g. sshd should be listening on
+port 22 and 2222) should be passed as an array.
+
+```
+    options => {
+      'Port' => [22, 2222],
+    }
+```
+
+This is working for both, client and server.
+
+### Both client and server
+Host keys will be collected and distributed unless
+ `storeconfigs_enabled` is `false`.
+
+```
+    include ssh
+```
+
+or
+
+```
+    class { 'ssh':
+      storeconfigs_enabled => false,
+      server_options => {
+        'Match User www-data' => {
+          'ChrootDirectory' => '%h',
+          'ForceCommand' => 'internal-sftp',
+          'PasswordAuthentication' => 'yes',
+          'AllowTcpForwarding' => 'no',
+          'X11Forwarding' => 'no',
+        },
+        'Port' => [22, 2222, 2288],
+      },
+      client_options => {
+        'Host *.amazonaws.com' => {
+          'User' => 'ec2-user',
+        },
+      },
+    }
+```
+
+### Hiera example
+```
+ssh::storeconfigs_enabled: true,
+
+ssh::server_options:
+    Protocol: '2'
+    ListenAddress:
+        - '127.0.0.0'
+        - '%{::hostname}'
+    PasswordAuthentication: 'yes'
+    SyslogFacility: 'AUTHPRIV'
+    UsePAM: 'yes'
+    X11Forwarding: 'yes'
+
+ssh::client_options:
+    'Host *':
+        SendEnv: 'LANG LC_*'
+        ForwardX11Trusted: 'yes'
+        ServerAliveInterval: '10'
+```
+
+### Client only
+Collected host keys from servers will be written to `known_hosts` unless
+ `storeconfigs_enabled` is `false`
 
 ```
     include ssh::client
 ```
 
-## Server only
-Host keys will be collected for client distribution
+or
+
+```
+    class { 'ssh::client':
+      storeconfigs_enabled => false,
+      options => {
+        'Host short' => {
+          'User' => 'my-user',
+          'HostName' => 'extreme.long.and.complicated.hostname.domain.tld',
+        },
+        'Host *' => {
+          'User' => 'andromeda',
+          'UserKnownHostsFile' => '/dev/null',
+        },
+      },
+    }
+```
+
+### Server only
+Host keys will be collected for client distribution unless
+ `storeconfigs_enabled` is `false`
 
 ```
     include ssh::server
 ```
 
-## Both client and server
-Host keys will be collected and distributed
+or
 
 ```
-    include ssh
+    class { 'ssh::server':
+      storeconfigs_enabled => false,
+      options => {
+        'Match User www-data' => {
+          'ChrootDirectory' => '%h',
+          'ForceCommand' => 'internal-sftp',
+          'PasswordAuthentication' => 'yes',
+          'AllowTcpForwarding' => 'no',
+          'X11Forwarding' => 'no',
+        },
+        'PasswordAuthentication' => 'no',
+        'PermitRootLogin'        => 'no',
+        'Port'                   => [22, 2222],
+      },
+    }
 ```
+
+## Default options
 
-# Requirements
-Requires Exported resources and augeas in order to work
+### Client
 
+```
+    'Host *'                 => {
+      'SendEnv'              => 'LANG LC_*',
+      'HashKnownHosts'       => 'yes',
+      'GSSAPIAuthentication' => 'yes',
+    }
+```
+
+### Server
+
+```
+    'ChallengeResponseAuthentication' => 'no',
+    'X11Forwarding'                   => 'yes',
+    'PrintMotd'                       => 'no',
+    'AcceptEnv'                       => 'LANG LC_*',
+    'Subsystem'                       => 'sftp /usr/lib/openssh/sftp-server',
+    'UsePAM'                          => 'yes',
+```
+
+## Overwriting default options
+Default options will be merged with options passed in.
+If an option is set both as default and via options parameter, the latter will
+will win.
+
+The following example will disable X11Forwarding, which is enabled by default:
+
+```
+    class { 'ssh::server':
+      options           => {
+        'X11Forwarding' => 'no',
+      },
+    }
+```
+
+Which will lead to the following `sshd_config` file:
+
+ ```
+# File is managed by Puppet
+
+ChallengeResponseAuthentication no
+X11Forwarding no
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+PasswordAuthentication no
+```
+
+## Defining host keys for server
+You can define host keys your server will use
+
+```
+ssh::server::host_key {'ssh_host_rsa_key':
+  private_key_content => '<the private key>',
+  public_key_content  => '<the public key>',
+}
+```
+
+Alternately, you could create the host key providing the files, instead
+of the content:
+
+```
+ssh::server::host_key {'ssh_host_rsa_key':
+  private_key_source => 'puppet:///mymodule/ssh_host_rsa_key',
+  public_key_source  => 'puppet:///mymodule/ssh_host_rsa_key.pub',
+}
+```
+
+Both of these definitions will create ```/etc/ssh/ssh_host_rsa_key``` and
+```/etc/ssh/ssh_host_rsa_key.pub``` and restart sshd daemon.
+
+
+## Adding cutom match blocks
+
+```
+  ssh::server::match_block { 'sftp_only':
+    type    => 'User',
+    options => {
+      'ChrootDirectory'        => "/sftp/%u",
+      'ForceCommand'           => 'internal-sftp',
+      'PasswordAuthentication' => 'no',
+      'AllowTcpForwarding'     => 'no',
+      'X11Forwarding'          => 'no',
+    }
+  }
+```

ssh/Rakefile

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"]
+
+desc "Run puppet in noop mode and check for syntax errors."
+task :validate do
+  Dir['manifests/**/*.pp'].each do |manifest|
+    sh "puppet parser validate --noop #{manifest}"
+  end
+  Dir['spec/**/*.rb','lib/**/*.rb'].each do |ruby_file|
+    sh "ruby -c #{ruby_file}" unless ruby_file =~ /spec\/fixtures/
+  end
+  Dir['templates/**/*.erb'].each do |template|
+    sh "erb -P -x -T '-' #{template} | ruby -c"
+  end
+end