Add two new sshd_config options: PermitEmptyPasswords and
PermitUserEnvironment
diff --git a/README.md b/README.md
index caccc50..49e5a41 100644
--- a/README.md
+++ b/README.md
@@ -222,6 +222,21 @@
 
 - *Default*: undef
 
+sshd_config_permitemptypasswords
+--------------------------------
+PermitEmptyPasswords option in sshd_config.  When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.
+Valid values are 'yes' and 'no'.
+
+- *Default*: undef
+
+sshd_config_permituserenvironment
+---------------------------------
+PermitUserEnvironment option in sshd_config.  Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8).  The default is “no”.  Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.
+Valid values are 'yes' and 'no'.
+
+
+- *Default*: undef
+
 sshd_config_port
 ---------------------------
 String, Integer or Array to specify listen port[s] for sshd. Port option in sshd_config.
diff --git a/manifests/init.pp b/manifests/init.pp
index bee42a6..ee99870 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -34,6 +34,8 @@
   $sshd_config_group                   = 'root',
   $sshd_config_loglevel                = 'INFO',
   $sshd_config_mode                    = 'USE_DEFAULTS',
+  $sshd_config_permitemptypasswords    = undef,
+  $sshd_config_permituserenvironment   = undef,
   $sshd_config_port                    = '22',
   $sshd_config_syslog_facility         = 'AUTH',
   $sshd_config_template                = 'ssh/sshd_config.erb',
@@ -459,6 +461,12 @@
   if $ssh_config_hash_known_hosts_real != undef {
     validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
   }
+  if $sshd_config_permitemptypasswords != undef {
+    validate_re($sshd_config_permitemptypasswords, '^(yes|no)$', "ssh::sshd_config_permitemptypasswords may be either 'yes' or 'no' and is set to <${sshd_config_permitemptypasswords}>.")
+  }
+  if $sshd_config_permituserenvironment != undef {
+    validate_re($sshd_config_permituserenvironment, '^(yes|no)$', "ssh::sshd_config_permituserenvironment may be either 'yes' or 'no' and is set to <${sshd_config_permituserenvironment}>.")
+  }
   case type3x($sshd_config_port) {
     'string': {
       validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")
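Review bot: The two added `validate_re` calls anchor with `'^(yes|no)$'`, and in Ruby regular expressions `^` and `$` match at line boundaries, so a multi-line string whose first line is `yes` or `no` passes validation. The templates/sshd_config.erb hunks in this commit write the value verbatim after `PermitEmptyPasswords ` and `PermitUserEnvironment `, so any further lines in such a value would be rendered into sshd_config as extra directives. Anchoring to the whole string closes this: use `'\A(yes|no)\z'` as the pattern in both new calls. The `ssh_config_hash_known_hosts` check on the context lines above uses the same `^…$` pattern, and the enclosing class body starts and ends outside this hunk.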
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 6f5aa4b..457f29e 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -398,6 +398,8 @@
         :sshd_config_subsystem_sftp        => '/opt/ssh/bin/sftp',
         :sshd_kerberos_authentication      => 'no',
         :sshd_password_authentication      => 'no',
+        :sshd_config_permitemptypasswords  => 'no',
+        :sshd_config_permituserenvironment => 'no',
         :sshd_pubkeyauthentication         => 'no',
         :sshd_allow_tcp_forwarding         => 'no',
         :sshd_x11_forwarding               => 'no',
@@ -480,6 +482,8 @@
     it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key/) }
     it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_dsa_key/) }
     it { should contain_file('sshd_config').with_content(/^StrictModes yes$/) }
+    it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment no/) }
+    it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords no/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxAuthTries/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxStartups/) }
     it { should_not contain_file('sshd_config').with_content(/^MaxSessions/) }
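Review bot: The two added matchers `/^PermitUserEnvironment no/` and `/^PermitEmptyPasswords no/` have no end anchor, unlike the `/^StrictModes yes$/` expectation on the line just above them, so they would still pass if the rendered line carried extra text after `no`. Suggest `/^PermitUserEnvironment no$/` and `/^PermitEmptyPasswords no$/`, which matches how the new per-value contexts later in this file are written. The enclosing describe block starts and ends outside the hunk.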
@@ -977,6 +981,64 @@
     end
   end
 
+  describe 'with sshd_config_permitemptypasswords' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no'].each do |value|
+      context "set to #{value}" do
+        let (:params) {{ 'sshd_config_permitemptypasswords' => value }}
+
+        it { should contain_file('sshd_config').with_content(/^PermitEmptyPasswords #{value}$/) }
+      end
+    end
+
+    context 'set to invalid value on valid osfamily' do
+      let :params do
+        { :sshd_config_permitemptypasswords => 'invalid' }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/ssh::sshd_config_permitemptypasswords may be either \'yes\' or \'no\' and is set to <invalid>\./)
+      end
+    end
+  end
+
+  describe 'with sshd_config_permituserenvironment' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no'].each do |value|
+      context "set to #{value}" do
+        let (:params) {{ 'sshd_config_permituserenvironment' => value }}
+
+        it { should contain_file('sshd_config').with_content(/^PermitUserEnvironment #{value}$/) }
+      end
+    end
+
+    context 'set to invalid value on valid osfamily' do
+      let :params do
+        { :sshd_config_permituserenvironment => 'invalid' }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error,/ssh::sshd_config_permituserenvironment may be either \'yes\' or \'no\' and is set to <invalid>\./)
+      end
+    end
+  end
+
   describe 'sshd_config_port param' do
     let :facts do
       default_facts.merge(
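Review bot: Neither new describe block covers the unset case, so nothing visible here pins that the directive stays out of sshd_config when the parameter is left at `undef`. Adding `it { should_not contain_file('sshd_config').with_content(/^PermitEmptyPasswords/) }` (and the `PermitUserEnvironment` equivalent) in a context without params would cover it, unless the default-params section outside this hunk already does. The invalid-value contexts only try `'invalid'`; a value such as `"no\nextra"` would be a useful second case, since the manifest's `validate_re` pattern uses line anchors and is expected to reject it only once it is anchored to the whole string. Smaller style points: `let (:params)` has a space before the parenthesis, and `default_facts.merge({})` with an empty hash is equivalent to plain `default_facts`.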
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index e3eabe3..4412b73 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -107,6 +107,9 @@
 PAMAuthenticationViaKBDInt <%= @sshd_pamauthenticationviakbdint_real %>
 <% end -%>
 #PermitEmptyPasswords no
+<% if @sshd_config_permitemptypasswords != nil -%>
+PermitEmptyPasswords <%= @sshd_config_permitemptypasswords %>
+<% end -%>
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
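Review bot: The guard `<% if @sshd_config_permitemptypasswords != nil -%>` compares against nil explicitly; `<% unless @sshd_config_permitemptypasswords.nil? -%>` is the usual Ruby form and behaves the same. The same applies to the `@sshd_config_permituserenvironment` guard in the next hunk of this file.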
@@ -165,6 +168,9 @@
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
+<% if @sshd_config_permituserenvironment != nil -%>
+PermitUserEnvironment <%= @sshd_config_permituserenvironment %>
+<% end -%>
 #Compression delayed
 #ClientAliveInterval 0
 ClientAliveInterval <%= @sshd_client_alive_interval %>