diff --git a/manifests/params.pp b/manifests/params.pp
index d6af325..5b4b6c1 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,238 +1,238 @@ # @summary # Params class # # @api private # class ssh::params { case $::osfamily { 'Debian': { $server_package_name = 'openssh-server' $client_package_name = 'openssh-client' $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'ssh' $sftp_server_path = '/usr/lib/openssh/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'RedHat': { $server_package_name = 'openssh-server' $client_package_name = 'openssh-clients' $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/openssh/sftp-server' if versioncmp($::operatingsystemmajrelease, '7') >= 0 { $host_priv_key_group = 'ssh_keys' } else { - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } } 'FreeBSD', 'DragonFly': { $server_package_name = undef $client_package_name = undef $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'OpenBSD': { $server_package_name = undef $client_package_name = undef $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'Darwin': { $server_package_name = undef $client_package_name = undef $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'com.openssh.sshd' $sftp_server_path = '/usr/libexec/sftp-server' - $host_priv_key_group = 'root' + 
$host_priv_key_group = 0 } 'ArchLinux': { $server_package_name = 'openssh' $client_package_name = 'openssh' $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd.service' $sftp_server_path = '/usr/lib/ssh/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'Suse': { $server_package_name = 'openssh' $client_package_name = 'openssh' $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 case $::operatingsystem { 'SLES': { $service_name = 'sshd' # $::operatingsystemmajrelease isn't available on e.g. SLES 10 case $::operatingsystemrelease { /^10\./, /^11\./: { if ($::architecture == 'x86_64') { $sftp_server_path = '/usr/lib64/ssh/sftp-server' } else { $sftp_server_path = '/usr/lib/ssh/sftp-server' } } default: { $sftp_server_path = '/usr/lib/ssh/sftp-server' } } } 'OpenSuse': { $service_name = 'sshd' $sftp_server_path = '/usr/lib/ssh/sftp-server' } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") } } } 'Solaris': { case $::operatingsystem { 'SmartOS': { $server_package_name = undef $client_package_name = undef $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'svc:/network/ssh:default' $sftp_server_path = 'internal-sftp' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } default: { $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'svc:/network/ssh:default' $sftp_server_path = 'internal-sftp' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 case versioncmp($::kernelrelease, '5.10') { 1: { # Solaris 11 and later $server_package_name = 
'/service/network/ssh' $client_package_name = '/network/ssh' } 0: { # Solaris 10 $server_package_name = 'SUNWsshdu' $client_package_name = 'SUNWsshu' } default: { # Solaris 9 and earlier not supported fail("Unsupported platform: ${::osfamily}/${::kernelrelease}") } } } } } default: { case $::operatingsystem { 'Gentoo': { $server_package_name = 'openssh' $client_package_name = 'openssh' $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/lib/misc/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'Amazon': { $server_package_name = 'openssh-server' $client_package_name = 'openssh-clients' $sshd_dir = '/etc/ssh' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/openssh/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") } } } } # ssh & sshd default options: # - OpenBSD doesn't know about UsePAM # - Sun_SSH doesn't know about UsePAM & AcceptEnv; SendEnv & HashKnownHosts case $::osfamily { 'OpenBSD': { $sshd_default_options = { 'ChallengeResponseAuthentication' => 'no', 'X11Forwarding' => 'yes', 'PrintMotd' => 'no', 'AcceptEnv' => 'LANG LC_*', 'Subsystem' => "sftp ${sftp_server_path}", } $ssh_default_options = { 'Host *' => { 'SendEnv' => 'LANG LC_*', 'HashKnownHosts' => 'yes', }, } } 'Solaris': { $sshd_default_options = { 'ChallengeResponseAuthentication' => 'no', 'X11Forwarding' => 'yes', 'PrintMotd' => 'no', 'Subsystem' => "sftp ${sftp_server_path}", 'HostKey' => [ "${sshd_dir}/ssh_host_rsa_key", "${sshd_dir}/ssh_host_dsa_key", ], } $ssh_default_options = { } } default: { $sshd_default_options = { 'ChallengeResponseAuthentication' => 'no', 'X11Forwarding' => 'yes', 'PrintMotd' => 'no', 
'AcceptEnv' => 'LANG LC_*', 'Subsystem' => "sftp ${sftp_server_path}", 'UsePAM' => 'yes', } $ssh_default_options = { 'Host *' => { 'SendEnv' => 'LANG LC_*', 'HashKnownHosts' => 'yes', }, } } } $validate_sshd_file = false $user_ssh_directory_default_mode = '0700' $user_ssh_config_default_mode = '0600' $collect_enabled = true # Collect sshkey resources $issue_net = '/etc/issue.net' }
diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb
index 26a20e0..a009c53 100644
--- a/spec/defines/server/host_key_spec.rb
+++ b/spec/defines/server/host_key_spec.rb
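Review bot: The new `$host_priv_key_group = 0` assignments carry no comment saying why a numeric GID replaced the name, and the reason is not obvious from the hunk: GID 0 is called `root` on Linux but `wheel` on FreeBSD, OpenBSD and Darwin, all of which are branches in this case statement, so a literal group name cannot be portable across them. Suggest a comment on the first assignment in the Debian branch, `# GID 0, not a name: group 0 is 'root' on Linux but 'wheel' on the BSDs and Darwin`, or hoisting the default above the outer `case $::osfamily` so it is stated once instead of repeated in ten branches. Note also that the RedHat >= 7 branch still assigns the string `'ssh_keys'`, so the variable is now sometimes an Integer and sometimes a String; if the consuming define (not in this diff) declares the parameter with a String type, compilation will fail on every other family, which is worth checking before merge.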
@@ -1,166 +1,166 @@ require 'spec_helper' describe 'ssh::server::host_key', type: :define do let :title do 'something' end let(:pre_condition) { 'class {"::ssh::params": }' } let :facts do { osfamily: 'RedHat', operatingsystemmajrelease: '6' } end describe 'with public_key_content, private_key_content and certificate_content' do let :params do { public_key_content: 'abc', private_key_content: 'bcd', certificate_content: 'cde' } end it do is_expected.to contain_file('something_pub'). with_content('abc'). with_ensure('present'). with_owner(0). with_group(0). with_mode('0644'). with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). with_content('bcd'). with_ensure('present'). with_owner(0). - with_group('root'). + with_group(0). with_mode('0600'). with_path('/etc/ssh/something') is_expected.to contain_file('something_cert'). with_content('cde'). with_ensure('present'). with_owner(0). with_group(0). with_mode('0644'). with_path('/etc/ssh/something-cert.pub') end end describe 'with public_key_content and private_key_content' do let :params do { public_key_content: 'abc', private_key_content: 'bcd' } end it do is_expected.to contain_file('something_pub'). with_content('abc'). with_ensure('present'). with_owner(0). with_group(0). with_mode('0644'). with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). with_content('bcd'). with_ensure('present'). with_owner(0). - with_group('root'). + with_group(0). with_mode('0600'). with_path('/etc/ssh/something') is_expected.not_to contain_file('something_cert') end end describe 'with *_key_content and *_key_source, *_key_source takes precedence' do let :params do { public_key_content: 'abc', public_key_source: 'a', private_key_content: 'bcd', private_key_source: 'b' } end it do is_expected.to contain_file('something_pub'). without_content. with_source('a'). with_ensure('present'). with_owner(0). with_group(0). with_mode('0644'). 
with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). without_content. with_source('b'). with_ensure('present'). with_owner(0). - with_group('root'). + with_group(0). with_mode('0600'). with_path('/etc/ssh/something') is_expected.not_to contain_file('something_cert') end end describe 'with private_key_content and no public_key_content' do let :params do { private_key_content: 'bcd' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either public_key_source or public_key_content parameter}) end end describe 'with public_key_content and no private_key_content' do let :params do { public_key_content: 'abc' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) end end describe 'with private_key_source and no public_key_source' do let :params do { private_key_source: 'bcd' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either public_key_source or public_key_content parameter}) end end describe 'with public_key_source and no private_key_source' do let :params do { public_key_source: 'abc' } end it 'fails' do expect do is_expected.to compile end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) end end end # vim: tabstop=2 shiftwidth=2 softtabstop=2
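Review bot: Every example in this spec still runs with `osfamily: 'RedHat', operatingsystemmajrelease: '6'`, so the updated `with_group(0)` expectations exercise only the branch that changed from `'root'` to `0`; the `ssh_keys` group that params.pp keeps for RedHat 7 and later, and the BSD/Darwin families where a numeric GID appears to be the motivation, have no example at all. A `describe 'on RedHat 7'` block overriding the facts with `operatingsystemmajrelease: '7'` and expecting `with_group('ssh_keys')` on `something_priv` would pin the one branch that did not switch to an integer, assuming the define takes its group from `$ssh::params::host_priv_key_group` as the parallel edits suggest.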