Merge tag '0.8.0'

Release 0.8.0

3 files changed, 46 insertions, 24 deletions

diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index 90a33d8d..a1fde3f6 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
@@ -1,20 +1,22 @@
+# We want to purge unmanaged keys from the authorized_keys file so that only
+# keys added in the provider are valid. Any manually added keys will be
+# overridden.
+#
+# In order to do this, we have to use a custom define to deploy the
+# authorized_keys file because puppet's internal resource doesn't allow
+# purging before populating this file.
+#
+# See the following for more information:
+# https://tickets.puppetlabs.com/browse/PUP-1174
+# https://leap.se/code/issues/2990
+# https://leap.se/code/issues/3010
+#
 define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
-  # We want to purge unmanaged keys from the authorized_keys file so that only
-  # keys added in the provider are valid. Any manually added keys will be
-  # overridden.
-  #
-  # In order to do this, we have to use a custom define to deploy the
-  # authorized_keys file because puppet's internal resource doesn't allow
-  # purging before populating this file.
-  #
-  # See the following for more information:
-  # https://tickets.puppetlabs.com/browse/PUP-1174
-  # https://leap.se/code/issues/2990
-  # https://leap.se/code/issues/3010
-  #
   # This line allows default homedir based on $title variable.
   # If $home is empty, the default is used.
   $homedir = $home ? {'' => "/home/${title}", default => $home}
+  $owner   = $ensure ? {'present' => $title, default => undef }
+  $group   = $ensure ? {'present' => $title, default => undef }
   file {
     "${homedir}/.ssh":
       ensure  => 'directory',
@@ -23,8 +25,8 @@ define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
       mode    => '0700';
     "${homedir}/.ssh/authorized_keys":
       ensure  => $ensure,
-      owner   => $ensure ? {'present' => $title, default => undef },
-      group   => $ensure ? {'present' => $title, default => undef },
+      owner   => $owner,
+      group   => $group,
       mode    => '0600',
       require => File["${homedir}/.ssh"],
       content => template('site_sshd/authorized_keys.erb');
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 1da2f1d5..a9202da4 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,6 +1,8 @@
+# configures sshd, mosh, authorized keys and known hosts
 class site_sshd {
-  $ssh   = hiera_hash('ssh')
-  $hosts = hiera('hosts', '')
+  $ssh        = hiera_hash('ssh')
+  $ssh_config = $ssh['config']
+  $hosts      = hiera('hosts', '')
 
   ##
   ## SETUP AUTHORIZED KEYS
@@ -48,15 +50,33 @@ class site_sshd {
     }
   }
 
+  # we cannot use the 'hardened' parameter because leap_cli uses an
+  # old net-ssh gem that is incompatible with the included
+  # "KexAlgorithms curve25519-sha256@libssh.org",
+  # see https://leap.se/code/issues/7591
+  # therefore we don't use it here, but include all other options
+  # that would be applied by the 'hardened' parameter
+  # not all options are available on wheezy
+  if ( $::lsbdistcodename == 'wheezy' ) {
+    $tail_additional_options = 'Ciphers aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+  } else {
+    $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+  }
+
   ##
   ## SSHD SERVER CONFIGURATION
   ##
   class { '::sshd':
-    manage_nagios => false,
-    ports         => [ $ssh['port'] ],
-    use_pam       => 'yes',
-    hardened_ssl  => 'yes',
-    print_motd    => 'no',
-    manage_client => false
+    manage_nagios           => false,
+    ports                   => [ $ssh['port'] ],
+    use_pam                 => 'yes',
+    print_motd              => 'no',
+    tcp_forwarding          => $ssh_config['AllowTcpForwarding'],
+    manage_client           => false,
+    use_storedconfigs       => false,
+    tail_additional_options => $tail_additional_options,
+    hostkey_type            => [ 'rsa', 'dsa', 'ecdsa' ]
   }
 }
diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb
index 69f4d8e6..51bdc5b3 100644
--- a/puppet/modules/site_sshd/templates/authorized_keys.erb
+++ b/puppet/modules/site_sshd/templates/authorized_keys.erb
@@ -1,7 +1,7 @@
 # NOTICE: This file is autogenerated by Puppet
 # all manually added keys will be overridden
 
-<% keys.sort.each do |user, hash| -%>
+<% @keys.sort.each do |user, hash| -%>
 <% if user == 'monitor' -%>
 command="/usr/bin/check_mk_agent",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, <%=hash['type']-%> <%=hash['key']%> <%=user%> 
 <% else -%>