Updated ssh module

Updated ssh module to fix the sftp subsystem bug on CentOS

Upstream version: 2.4.0
Upstream SHA: e5cfeae06a16497382072d80c65c901aa0e696ea

Change-Id: I7f72aab77d982a3e47618a82f7dda9312c8699b9
Closes-bug: #1415078
Tomasz 'Zen' Napierala 2015-01-27 16:31:44 +01:00
parent abcccb60c1
commit 4c5df22e5d
17 changed files with 280 additions and 71 deletions


@ -1,5 +1,6 @@
fixtures:
repositories:
stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib"
stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib"
concat: "https://github.com/puppetlabs/puppetlabs-concat"
symlinks:
ssh: "#{source_dir}"


@ -1,5 +1,5 @@
name 'saz-ssh'
version '2.3.6'
version '2.4.0'
source 'git://github.com/saz/puppet-ssh.git'
author 'saz'
license 'Apache License, Version 2.0'


@ -14,20 +14,20 @@ Manage SSH client and server via Puppet
Since version 2.0.0 only non-default values are written to both,
client and server, configuration files.
Multiple occurances of one config key (e.g. sshd should be listening on
Multiple occurrences of one config key (e.g. sshd should be listening on
port 22 and 2222) should be passed as an array.
```
options => {
Port => [22, 2222],
'Port' => [22, 2222],
}
```
This is working for both, client and server
This is working for both, client and server.
### Both client and server
Host keys will be collected and distributed unless
storeconfigs_enabled => false
`storeconfigs_enabled` is `false`.
```
include ssh
@ -46,7 +46,7 @@ or
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
},
Port => [22, 2222, 2288],
'Port' => [22, 2222, 2288],
},
client_options => {
'Host *.amazonaws.com' => {
@ -56,9 +56,30 @@ or
}
```
### Hiera example
```
ssh::storeconfigs_enabled: true,
ssh::server_options:
Protocol: '2'
ListenAddress:
- '127.0.0.0'
- '%{::hostname}'
PasswordAuthentication: 'yes'
SyslogFacility: 'AUTHPRIV'
UsePAM: 'yes'
X11Forwarding: 'yes'
ssh::client_options:
'Host *':
SendEnv: 'LANG LC_*'
ForwardX11Trusted: 'yes'
ServerAliveInterval: '10'
```
### Client only
Collected host keys from servers will be written to known_hosts unless
storeconfigs_enabled => false
Collected host keys from servers will be written to `known_hosts` unless
`storeconfigs_enabled` is `false`
```
include ssh::client
@ -84,7 +105,7 @@ or
### Server only
Host keys will be collected for client distribution unless
storeconfigs_enabled => false
`storeconfigs_enabled` is `false`
```
include ssh::server
@ -109,7 +130,7 @@ or
},
}
```
## Default options
### Client
@ -121,7 +142,7 @@ or
'GSSAPIAuthentication' => 'yes',
}
```
### Server
```
@ -132,7 +153,7 @@ or
'Subsystem' => 'sftp /usr/lib/openssh/sftp-server',
'UsePAM' => 'yes',
```
## Overwriting default options
Default options will be merged with options passed in.
If an option is set both as default and via options parameter, the latter will
@ -148,9 +169,9 @@ The following example will disable X11Forwarding, which is enabled by default:
}
```
Which will lead to the following sshd_config file:
Which will lead to the following `sshd_config` file:
```
```
# File is managed by Puppet
ChallengeResponseAuthentication no
@ -184,3 +205,19 @@ ssh::server::host_key {'ssh_host_rsa_key':
Both of these definitions will create ```/etc/ssh/ssh_host_rsa_key``` and
```/etc/ssh/ssh_host_rsa_key.pub``` and restart sshd daemon.
## Adding cutom match blocks
```
ssh::server::match_block { 'sftp_only':
type => 'User',
options => {
'ChrootDirectory' => "/sftp/%u",
'ForceCommand' => 'internal-sftp',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
}
}
```


@ -5,7 +5,10 @@ EOS
) do |args|
interfaces = lookupvar('interfaces')
return false if (interfaces == :undefined)
# In Puppet v2.7, lookupvar returns :undefined if the variable does
# not exist. In Puppet 3.x, it returns nil.
# See http://docs.puppetlabs.com/guides/custom_functions.html
return false if (interfaces.nil? || interfaces == :undefined)
result = []
if interfaces.count(',') > 0
@ -14,10 +17,10 @@ EOS
if ! iface.include?('lo')
ipaddr = lookupvar("ipaddress_#{iface}")
ipaddr6 = lookupvar("ipaddress6_#{iface}")
if ipaddr
if ipaddr and (ipaddr!= :undefined)
result << ipaddr
end
if ipaddr6
if ipaddr6 and (ipaddr6!= :undefined)
result << ipaddr6
end
end
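Review bot: The new guards `if ipaddr and (ipaddr!= :undefined)` (and their ipaddr6 twins) use `and`, which binds more loosely than `&&` and is the form RuboCop flags, and the same test is repeated four times across this hunk and the next one. Defining a single predicate after the `result = []` line in the preceding hunk, `present = ->(v) { v && v != :undefined }`, lets each pair collapse to `result << ipaddr if present.(ipaddr)` / `result << ipaddr6 if present.(ipaddr6)`. Once the two branch bodies are identical, the comma-split and single-interface paths could share one loop by normalising with `interfaces.split(',')` first, though that restructuring goes beyond what this hunk touches. The `newfunction` header and the end of the block lie outside the hunks shown.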
@ -26,10 +29,10 @@ EOS
if ! interfaces.include?('lo')
ipaddr = lookupvar("ipaddress_#{interfaces}")
ipaddr6 = lookupvar("ipaddress6_#{interfaces}")
if ipaddr
if ipaddr and (ipaddr!= :undefined)
result << ipaddr
end
if ipaddr6
if ipaddr6 and (ipaddr6!= :undefined)
result << ipaddr6
end
end


@ -9,6 +9,7 @@ class ssh::client::config {
# Workaround for http://projects.reductivelabs.com/issues/2014
file { $ssh::params::ssh_known_hosts:
mode => '0644',
ensure => present,
mode => '0644',
}
}


@ -2,15 +2,19 @@ class ssh::hostkeys {
$ipaddresses = ipaddresses()
$host_aliases = flatten([ $::fqdn, $::hostname, $ipaddresses ])
@@sshkey { "${::fqdn}_dsa":
host_aliases => $host_aliases,
type => dsa,
key => $::sshdsakey,
if $::sshdsakey {
@@sshkey { "${::fqdn}_dsa":
host_aliases => $host_aliases,
type => dsa,
key => $::sshdsakey,
}
}
@@sshkey { "${::fqdn}_rsa":
host_aliases => $host_aliases,
type => rsa,
key => $::sshrsakey,
if $::sshrsakey {
@@sshkey { "${::fqdn}_rsa":
host_aliases => $host_aliases,
type => rsa,
key => $::sshrsakey,
}
}
if $::sshecdsakey {
@@sshkey { "${::fqdn}_ecdsa":
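Review bot: The new `if $::sshdsakey` / `if $::sshrsakey` guards carry no comment saying why the exports became conditional, and the same applies to the `$::sshecdsakey` guard that begins at the end of the hunk. A reader has to infer that a node lacking a key type has no such fact, so the `@@sshkey` export would otherwise be declared with an undef `key`; a one-line comment above the first guard, `# Only export key types this node actually has; the fact is undef otherwise`, records that. Under Puppet 3 (the version metadata.json targets) an empty-string fact is also falsy and is skipped, whereas Puppet 4+ treats it as true, which is worth noting if the module later raises its requirement. The class body continues past the hunk.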


@ -18,7 +18,7 @@ class ssh::params {
$ssh_config = '/etc/ssh/ssh_config'
$ssh_known_hosts = '/etc/ssh/ssh_known_hosts'
$service_name = 'sshd'
$sftp_server_path = '/usr/lib/openssh/sftp-server'
$sftp_server_path = '/usr/libexec/openssh/sftp-server'
}
freebsd: {
$server_package_name = undef
@ -40,6 +40,27 @@ class ssh::params {
$service_name = 'sshd.service'
$sftp_server_path = '/usr/lib/ssh/sftp-server'
}
Suse: {
$server_package_name = 'openssh'
$client_package_name = 'openssh'
$sshd_dir = '/etc/ssh'
$sshd_config = '/etc/ssh/sshd_config'
$ssh_config = '/etc/ssh/ssh_config'
$ssh_known_hosts = '/etc/ssh/ssh_known_hosts'
case $::operatingsystem {
Sles: {
$service_name = 'sshd'
$sftp_server_path = '/usr/lib64/ssh/sftp-server'
}
Suse: {
$service_name = 'sshd.service'
$sftp_server_path = '/usr/lib/ssh/sftp-server'
}
default: {
fail("Unsupported platform: ${::osfamily}/${::operatingsystem}")
}
}
}
default: {
case $::operatingsystem {
gentoo: {
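Review bot: The new `Suse` branch hard-codes `$sftp_server_path = '/usr/lib64/ssh/sftp-server'` for `Sles`, which only holds on x86_64; a 32-bit SLES install presumably has it under `/usr/lib/ssh/`, so the path should be derived from `$::architecture` or at least be commented as 64-bit-only. The inner `case $::operatingsystem` matches only `Sles` and `Suse` and `fail()`s for anything else in the family (openSUSE reports `OpenSuSE`, as far as I recall), turning an unlisted variant into a hard compile failure rather than a sensible default. The RedHat-family change in the preceding hunk (`/usr/libexec/openssh/sftp-server`) is the fix the commit message names and looks right. The enclosing `case $::osfamily` starts and ends outside the hunk.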


@ -9,6 +9,8 @@ class ssh::server(
include ssh::server::config
include ssh::server::service
File[$ssh::params::sshd_config] ~> Service[$ssh::params::service_name]
anchor { 'ssh::server::start': }
anchor { 'ssh::server::end': }
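Review bot: The two new `anchor { 'ssh::server::start': }` and `anchor { 'ssh::server::end': }` resources are declared, but nothing in the hunk chains them to the included classes, so on their own they do not contain `ssh::server::config` / `ssh::server::service`, and a `Class['ssh::server']` dependency elsewhere still will not wait for those subclasses. Unless the chain lives outside the hunk, add `Anchor['ssh::server::start'] -> Class['ssh::server::install'] -> Class['ssh::server::config'] ~> Class['ssh::server::service'] -> Anchor['ssh::server::end']` (install is the class the config fragment `require`s). The surrounding class body starts and ends outside the hunk.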


@ -1,11 +1,16 @@
class ssh::server::config {
file { $ssh::params::sshd_config:
ensure => present,
owner => 0,
group => 0,
mode => '0600',
File[$ssh::params::sshd_config] ~> Service[$ssh::params::service_name]
concat { $ssh::params::sshd_config:
ensure => present,
owner => 0,
group => 0,
mode => '0600',
}
concat::fragment { 'global config':
target => $ssh::params::sshd_config,
content => template("${module_name}/sshd_config.erb"),
require => Class['ssh::server::install'],
notify => Class['ssh::server::service'],
order => '00'
}
}


@ -0,0 +1,7 @@
define ssh::server::match_block ($type = 'user', $order = 50, $options,) {
concat::fragment { "match_block ${name}":
target => $ssh::params::sshd_config,
content => template("${module_name}/sshd_match_block.erb"),
order => $order,
}
}
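Review bot: `$order = 50` is accepted unchecked, yet the global fragment in ssh::server::config uses `order => '00'` and concat 1.x with its default alpha ordering sorts fragments lexically, so a caller passing `order => 0` sorts before `'00'` and the Match block lands above the global directives; since everything after a `Match` line in sshd_config belongs to that block, the whole server configuration would silently become conditional. Validate the value, e.g. `validate_re("${order}", '^[0-9]{2,}$', 'order must be at least two digits so it sorts after the global config')`, or document that it must be at least `'01'`. The parameter list also places the required `$options` after the optional `$type` and `$order` and ends with a stray comma; `define ssh::server::match_block ($options, $type = 'user', $order = 50) {` follows the usual convention. As this is a new public define, a short header comment naming its purpose and each parameter (type is the Match criterion, the resource name the pattern, options the keywords emitted inside the block) would help.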


@ -0,0 +1,59 @@
{
"operatingsystem_support": [
{
"operatingsystem": "RedHat"
},
{
"operatingsystem": "CentOS"
},
{
"operatingsystem": "OracleLinux"
},
{
"operatingsystem": "Scientific"
},
{
"operatingsystem": "Debian"
},
{
"operatingsystem": "Ubuntu"
},
{
"operatingsystem": "FreeBSD"
},
{
"operatingsystem": "Gentoo"
},
{
"operatingsystem": "ArchLinux"
}
],
"requirements": [
{
"name": "pe",
"version_requirement": "3.2.x"
},
{
"name": "puppet",
"version_requirement": "3.x"
}
],
"name": "saz-ssh",
"version": "2.4.0",
"source": "git://github.com/saz/puppet-ssh.git",
"author": "saz",
"license": "Apache License, Version 2.0",
"summary": "UNKNOWN",
"description": "Manage SSH client and server via puppet",
"project_page": "https://github.com/saz/puppet-ssh",
"dependencies": [
{
"name": "puppetlabs/stdlib",
"version_requirement": ">= 2.2.1"
},
{
"name": "puppetlabs/concat",
"version_requirement": ">= 1.0.0"
}
]
}
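Review bot: `operatingsystem_support` lists no SUSE entry although the same commit adds a `Suse` osfamily branch (SLES and openSUSE) to ssh::params, so the metadata understates what the module now claims to handle; add entries such as `{"operatingsystem": "SLES"}` and `{"operatingsystem": "OpenSuSE"}` alongside the others. `"summary": "UNKNOWN"` is a placeholder the Forge displays verbatim; the `description` value one line below would serve. The `pe` requirement `3.2.x` is narrower than the `puppet` `3.x` one, which may be intended but is worth confirming.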


@ -6,7 +6,8 @@ describe 'ssh::client', :type => 'class' do
{
:osfamily => 'Debian',
:interfaces => 'eth0',
:ipaddress_eth0 => '192.168.1.1'
:ipaddress_eth0 => '192.168.1.1',
:concat_basedir => '/tmp'
}
end
it {
@ -18,7 +19,8 @@ describe 'ssh::client', :type => 'class' do
{
:osfamily => 'Debian',
:interfaces => 'eth0',
:ipaddress_eth0 => '192.168.1.1'
:ipaddress_eth0 => '192.168.1.1',
:concat_basedir => '/tmp'
}
end
let :params do


@ -2,22 +2,22 @@ require 'spec_helper'
describe 'ssh::server' do
let :default_params do
{
:ensure => 'present',
:ensure => 'present',
:storeconfigs_enabled => true,
:options => {}
:options => {}
}
end
[ {},
{
:ensure => 'latest',
:ensure => 'latest',
:storeconfigs_enabled => true,
:options => {}
:options => {}
},
{
:ensure => 'present',
:ensure => 'present',
:storeconfigs_enabled => false,
:options => {}
:options => {}
}
].each do |param_set|
describe "when #{param_set == {} ? "using default" : "specifying"} class parameters" do
@ -32,9 +32,10 @@ describe 'ssh::server' do
['Debian'].each do |osfamily|
let :facts do
{
:osfamily => osfamily,
:interfaces => 'eth0',
:ipaddress_eth0 => '192.168.1.1'
:osfamily => osfamily,
:interfaces => 'eth0',
:ipaddress_eth0 => '192.168.1.1',
:concat_basedir => '/tmp'
}
end
@ -48,29 +49,74 @@ describe 'ssh::server' do
)}
it { should contain_service('ssh').with(
'ensure' => 'running',
'enable' => true,
'ensure' => 'running',
'enable' => true,
'hasrestart' => true,
'hasstatus' => true
'hasstatus' => true
)}
it 'should compile the template based on the class parameters' do
content = param_value(
subject,
'file',
'/etc/ssh/sshd_config',
'content'
)
expected_lines = [
'ChallengeResponseAuthentication no',
'X11Forwarding yes',
'PrintMotd no',
'AcceptEnv LANG LC_*',
'Subsystem sftp /usr/lib/openssh/sftp-server',
'UsePAM yes'
]
(content.split("\n") & expected_lines).should =~ expected_lines
it { should contain_class('concat::setup') }
it { should contain_concat('/etc/ssh/sshd_config') }
it { should contain_concat__fragment('global config').with(
:target => '/etc/ssh/sshd_config',
:content => '# File is managed by Puppet
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
X11Forwarding yes
'
)}
end
describe "on Arch" do
let :facts do
{
:osfamily => 'Archlinux',
:lsbdistdescription => 'Arch Linux',
:lsbdistid => 'Arch',
:operatingsystem => 'Archlinux',
:interfaces => 'enp4s0',
:ipaddress_eth0 => '192.168.1.1',
:concat_basedir => '/tmp'
}
end
it { should contain_class('ssh::params') }
it { should contain_package('openssh').with(
:ensure => param_hash[:ensure],
:name => 'openssh'
)}
it { should contain_file('/etc/ssh/sshd_config').with(
'owner' => 0,
'group' => 0
)}
it { should contain_service('sshd.service').with(
'ensure' => 'running',
'enable' => true,
'hasrestart' => true,
'hasstatus' => true
)}
it { should contain_class('concat::setup') }
it { should contain_concat('/etc/ssh/sshd_config') }
it { should contain_concat__fragment('global config').with(
:target => '/etc/ssh/sshd_config',
:content => '# File is managed by Puppet
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
PrintMotd no
Subsystem sftp /usr/lib/ssh/sftp-server
UsePAM yes
X11Forwarding yes
'
)}
end
end
end
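Review bot: The new `describe "on Arch"` facts set `:interfaces => 'enp4s0'` but `:ipaddress_eth0`, so `ipaddresses()` would look up `ipaddress_enp4s0`, find nothing and return an empty list; the examples still pass only because nothing here asserts on host aliases, which makes the fixture misleading. Either rename the fact to `:ipaddress_enp4s0 => '192.168.1.1'` or drop the unused one. The Debian and Arch blocks also repeat the same `contain_concat__fragment('global config')` expectation differing only in the sftp path; a shared `let(:sftp_server_path)` feeding one expected-content helper would keep the two in step when defaults change. The enclosing `param_set` loop starts outside the hunk.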


@ -0,0 +1,5 @@
# Ignore everything in this directory
*
# Except this file
!.gitignore
!site.pp


@ -6,18 +6,22 @@
<%- v.sort.each do |key, value| -%>
<%- if value.is_a?(Array) -%>
<%- value.each do |a| -%>
<%- if a != '' -%>
<%= key %> <%= a %>
<%- end -%>
<%- else -%>
<%- end -%>
<%- elsif value != '' -%>
<%= key %> <%= value %>
<%- end -%>
<%- end -%>
<%- else -%>
<%- if v.is_a?(Array) -%>
<%- v.each do |a| -%>
<%- if a != '' -%>
<%= k %> <%= a %>
<%- end -%>
<%- else -%>
<%- end -%>
<%- elsif v != :undef and v != '' -%>
<%= k %> <%= v %>
<%- end -%>
<%- end -%>
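Review bot: The scalar branch for nested hashes, `<%- elsif value != '' -%>`, skips empty strings but still renders `:undef`, whereas the top-level scalar branch just below checks `v != :undef and v != ''`; an undef value under a `Host` block would presumably be emitted as `Key undef`. The same asymmetry appears in sshd_config.erb, and in both templates the array branches test only `a != ''`. Use one predicate in every spot, `<%- elsif value != :undef && value != '' -%>` and `<%- if a != :undef && a != '' -%>`, and prefer `&&` over `and` in the embedded Ruby. A comment at the top of the template stating that empty and undef values are deliberately dropped, so no bare `Key` line reaches the ssh parser, would document the behaviour this commit introduces.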


@ -30,18 +30,22 @@ ListenAddress <%= listen %>
<%- value = v[key] -%>
<%- if value.is_a?(Array) -%>
<%- value.each do |a| -%>
<%- if a != '' -%>
<%= key %> <%= a %>
<%- end -%>
<%- else -%>
<%- end -%>
<%- elsif value != '' -%>
<%= key %> <%= value %>
<%- end -%>
<%- end -%>
<%- else -%>
<%- if v.is_a?(Array) -%>
<%- v.each do |a| -%>
<%- if a != '' -%>
<%= k %> <%= a %>
<%- end -%>
<%- elsif v != :undef -%>
<%- end -%>
<%- elsif v != :undef and v != '' -%>
<%= k %> <%= v %>
<%- end -%>
<%- end -%>


@ -0,0 +1,8 @@
Match <%= @type %> <%= @name %>
<%- @options.keys.each do |k| -%>
<%- v = @options[k] -%>
<%- if v != :undef -%>
<%= k %> <%= v %>
<%- end -%>
<%- end -%>