voxpupuli / puppet-augeasproviders_ssh


Augeas-based ssh types and providers for Puppet

License: Apache License 2.0


puppet-augeasproviders_ssh

Donated by Camptocamp.

ssh: type/provider for ssh files for Puppet

This module provides a new type/provider for Puppet to read and modify ssh config files using the Augeas configuration library.

The advantage of using Augeas over the default Puppet parsedfile implementations is that Augeas goes to great lengths to preserve file formatting and comments, and it fails safely: if the lens cannot parse the existing file, or the modified tree cannot be serialised back through the lens, the file is left untouched rather than overwritten (the "Failed to save Augeas tree to file" errors reported in the issues below are this refusal, not a partial write).

The provider hides all of the Augeas commands; you don't need to know anything about Augeas to make use of it.

Requirements

Ensure both Augeas and ruby-augeas 0.3.0+ bindings are installed and working as normal. Both are usually bundled in the puppet agent AIO packages from Puppet Inc.

See Puppet/Augeas pre-requisites.

Installing

The module can be installed easily (documentation):

puppet module install puppet/augeasproviders_ssh

Ensure the module is present in your puppetmaster's own environment (it doesn't have to use it) and that the master has pluginsync enabled. Run the agent on the puppetmaster to cause the custom types to be synced to its local libdir (puppet master --configprint libdir) and then restart the puppetmaster so it loads them.

Compatibility

Puppet versions

In theory, Puppet 2.7 is the minimal version. We currently (2022-08-29) test against Puppet 6 and 7. Check the Puppet version range in metadata.json for the supported versions.

Augeas versions

Augeas version           0.10.0   1.0.0   1.1.0   1.2.0

Features
  case-insensitive keys  no       yes     yes     yes

Providers
  ssh_config             yes      yes     yes     yes
  sshd_config            yes      yes     yes     yes
  sshd_config_match      yes      yes     yes     yes
  sshd_config_subsystem  yes      yes     yes     yes
  sshkey                 yes      yes     yes     yes

Documentation and examples

Type documentation can be generated with puppet doc -r type or viewed on the Puppet Forge page.

ssh_config provider

manage simple entry

ssh_config { "ForwardAgent":
  ensure => present,
  value  => "yes",
}

manage array entry

ssh_config { "SendEnv":
  ensure => present,
  value  => ["LC_*", "LANG"],
}

manage entry for a specific host

ssh_config { "X11Forwarding":
  ensure    => present,
  host      => "example.net",
  value     => "yes",
}

manage entries with same name for different hosts

ssh_config { "ForwardAgent global":
  ensure => present,
  key    => "ForwardAgent",
  value  => "no",
}

ssh_config { "ForwardAgent on example.net":
  ensure    => present,
  key       => "ForwardAgent",
  host      => "example.net",
  value     => "yes",
}

manage entry with a comment

ssh_config { "ForwardAgent":
  ensure  => present,
  key     => "ForwardAgent",
  value   => "no",
  comment => "Do not forward",
}

delete entry

ssh_config { "HashKnownHosts":
  ensure => absent,
}

ssh_config { "BatchMode":
  ensure    => absent,
  host      => "example.net",
}

manage entry in another ssh_config location

ssh_config { "CheckHostIP":
  ensure => present,
  value  => "yes",
  target => "/etc/ssh/another_sshd_config",
}

sshd_config provider

manage simple entry

sshd_config { "PermitRootLogin":
  ensure => present,
  value  => "yes",
}

manage array entry

sshd_config { "AllowGroups":
  ensure => present,
  value  => ["sshgroups", "admins"],
}

append to array entry

sshd_config { "AllowGroups":
  ensure       => present,
  value        => ["sshgroups", "admins"],
  array_append => true,
}

manage entry in a Match block

sshd_config { "X11Forwarding":
  ensure    => present,
  condition => "Host foo User root",
  value     => "yes",
}

sshd_config { "AllowAgentForwarding":
  ensure    => present,
  condition => "Host *.example.net",
  value     => "yes",
}

manage entries with same name in different blocks

sshd_config { "X11Forwarding global":
  ensure => present,
  key    => "X11Forwarding",
  value  => "no",
}

sshd_config { "X11Forwarding foo":
  ensure    => present,
  key       => "X11Forwarding",
  condition => "User foo",
  value     => "yes",
}

sshd_config { "X11Forwarding root":
  ensure    => present,
  key       => "X11Forwarding",
  condition => "User root",
  value     => "no",
}

manage entry with a comment

sshd_config { "X11Forwarding":
  ensure  => present,
  key     => "X11Forwarding",
  value   => "no",
  comment => "No X11",
}

delete entry

sshd_config { "PermitRootLogin":
  ensure => absent,
}

sshd_config { "AllowAgentForwarding":
  ensure    => absent,
  condition => "Host *.example.net User *",
}

manage entry in another sshd_config location

sshd_config { "PermitRootLogin":
  ensure => present,
  value  => "yes",
  target => "/etc/ssh/another_sshd_config",
}

sshd_config_match provider

manage entry

sshd_config_match { "Host *.example.net":
  ensure => present,
}

manage entry with position

sshd_config_match { "Host *.example.net":
  ensure   => present,
  position => "before first match",
}

sshd_config_match { "User foo":
  ensure   => present,
  position => "after Host *.example.net",
}

manage entry with a comment

sshd_config_match { "Host *.example.net":
  ensure  => present,
  comment => "Example network",
}

delete entry

sshd_config_match { "User foo Host *.example.net":
  ensure => absent,
}

manage entry in another sshd_config location

sshd_config_match { "Host *.example.net":
  ensure => present,
  target => "/etc/ssh/another_sshd_config",
}

sshd_config_subsystem provider

manage entry

sshd_config_subsystem { "sftp":
  ensure  => present,
  command => "/usr/lib/openssh/sftp-server",
}

manage entry with a comment

sshd_config_subsystem { "sftp":
  ensure  => present,
  command => "/usr/lib/openssh/sftp-server",
  comment => "SFTP sub",
}

delete entry

sshd_config_subsystem { "sftp":
  ensure => absent,
}

manage entry in another sshd_config location

sshd_config_subsystem { "sftp":
  ensure  => present,
  command => "/usr/lib/openssh/sftp-server",
  target  => "/etc/ssh/another_sshd_config",
}
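The following is an added example, not code from the module's README, that combines the sshd_config, sshd_config_match and sshd_config_subsystem types above into one hardened server profile: root and password logins off, a chrooted SFTP-only Match block for a drop-box group, and a syntax check of the written file before the daemon is restarted. The service name sshd, the binary path /usr/sbin/sshd, the Unix group sftponly and the chroot base /srv/sftp are assumptions for a typical Linux host; the exec and service resources are plain Puppet, not part of this module.

```puppet
# Added example, not the module's own code: a hardened sshd profile built from
# the sshd_config, sshd_config_match and sshd_config_subsystem types.
# Assumed names: service 'sshd', binary /usr/sbin/sshd, group 'sftponly',
# chroot base /srv/sftp. Adjust for your platform.

# Syntax-check the file sshd will load before the daemon is restarted, so one
# rejected directive cannot leave the host without a working sshd.
exec { 'sshd-validate':
  command     => '/usr/sbin/sshd -t',
  refreshonly => true,
}

service { 'sshd':
  ensure => running,
  enable => true,
}

# Every change made through the three types is validated, then sshd restarts.
# If 'sshd -t' fails, the exec fails and the service refresh is skipped.
Sshd_config <| |>           ~> Exec['sshd-validate']
Sshd_config_match <| |>     ~> Exec['sshd-validate']
Sshd_config_subsystem <| |> ~> Exec['sshd-validate']
Exec['sshd-validate']       ~> Service['sshd']

# Global section. Without 'key' the title is the directive name.
sshd_config { 'PermitRootLogin':
  ensure  => present,
  value   => 'no',
  comment => 'Administer through a named account and sudo',
}

sshd_config { 'PasswordAuthentication':
  ensure => present,
  value  => 'no',
}

# Directives the sshd lens stores as lists (AllowGroups, Ciphers, MACs,
# KexAlgorithms, ...) take an array; the lens writes them back in the form
# sshd expects for that directive.
sshd_config { 'AllowGroups':
  ensure => present,
  value  => ['admins', 'sftponly'],
}

sshd_config { 'KexAlgorithms':
  ensure => present,
  value  => ['curve25519-sha256', 'curve25519-sha256@libssh.org'],
}

sshd_config_subsystem { 'sftp':
  ensure  => present,
  command => 'internal-sftp',
}

# Match block for the drop-box group. sshd_config_match owns the block line and
# its comment; each directive inside it is an sshd_config whose 'condition'
# names the block. Titles must be unique, so 'key' carries the directive name.
sshd_config_match { 'Group sftponly':
  ensure  => present,
  comment => 'Chrooted, SFTP-only sessions',
}

sshd_config { 'ChrootDirectory for sftponly':
  ensure    => present,
  key       => 'ChrootDirectory',
  condition => 'Group sftponly',
  value     => '/srv/sftp/%u',
}

sshd_config { 'ForceCommand for sftponly':
  ensure    => present,
  key       => 'ForceCommand',
  condition => 'Group sftponly',
  value     => 'internal-sftp',
}

sshd_config { 'AllowTcpForwarding for sftponly':
  ensure    => present,
  key       => 'AllowTcpForwarding',
  condition => 'Group sftponly',
  value     => 'no',
}

# Create the block before the directives that live in it.
Sshd_config_match['Group sftponly'] -> Sshd_config <| condition == 'Group sftponly' |>
```

sshd applies the first value it obtains for each directive and scans Match blocks in file order, so when conditions overlap the more specific block has to come first; that is what the position parameter of sshd_config_match is for. Keep exactly one resource per directive and condition: as one of the issues below shows, two sshd_config resources with the same key and condition but different values do not fail catalog compilation, they rewrite the file back and forth on every run.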

sshkey provider

manage entry

sshkey { "foo.example.com":
  ensure  => present,
  type    => "ssh-rsa",
  key     => "AAADEADMEAT",
}

manage entry with aliases

sshkey { "foo.example.com":
  ensure       => present,
  type         => "ssh-rsa",
  key          => "AAADEADMEAT",
  host_aliases => [ 'foo', '192.168.0.1' ],
}

manage hashed entry

sshkey { "foo.example.com":
  ensure        => present,
  type          => "ssh-rsa",
  key           => "AAADEADMEAT",
  hash_hostname => true,
}

hash existing entry

sshkey { "foo.example.com":
  ensure        => hashed,
  type          => "ssh-rsa",
  key           => "AAADEADMEAT",
  hash_hostname => true,
}

delete entry

sshkey { "foo.example.com":
  ensure => absent,
}

manage entry in another ssh_known_hosts location

sshkey { "foo.example.com":
  ensure  => present,
  type    => "ssh-rsa",
  key     => "AAADEADMEAT",
  target  => "/root/.ssh/known_hosts",
}
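The following is an added example, not code from the module's README, that puts the ssh_config and sshkey types together on the client side: it pins a bastion's host key in the system-wide known_hosts file and then tells ssh to refuse any host whose key is not pinned, with per-host entries for hosts reached through that bastion. The names bastion.example.net and *.internal.example.net, the address 192.0.2.10 and the key body are constructed placeholders. Using type ssh-ed25519 assumes an sshkey type that accepts it (the sshkey type from Puppet's sshkeys_core, which this module's provider extends, does in current releases); that is an assumption, not something this README states.

```puppet
# Added example, not the module's own code: pin a bastion's host key with
# sshkey and lock down /etc/ssh/ssh_config with ssh_config. The names
# bastion.example.net, *.internal.example.net, the address 192.0.2.10 and the
# key body are constructed placeholders.

# Pin the bastion's host key in /etc/ssh/ssh_known_hosts. Every name or address
# users actually type must be listed, or the pin does not cover it.
sshkey { 'bastion.example.net':
  ensure        => present,
  type          => 'ssh-ed25519',   # assumes an sshkey type that accepts ed25519
  key           => 'AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD',
  host_aliases  => ['bastion', '192.0.2.10'],
  hash_hostname => true,            # a leaked file does not list hosts by name
}

# Global client defaults. With StrictHostKeyChecking yes, an unpinned or changed
# key aborts the connection instead of prompting or silently adding the key.
ssh_config { 'StrictHostKeyChecking':
  ensure  => present,
  value   => 'yes',
  comment => 'Unknown or changed host keys are an error, never a prompt',
}

ssh_config { 'HashKnownHosts':
  ensure => present,
  value  => 'yes',
}

ssh_config { 'ForwardAgent':
  ensure  => present,
  value   => 'no',
  comment => 'A forwarded agent lets the remote host sign with your keys',
}

# Per-host entries go into a Host block; 'key' carries the directive name so
# the title stays unique when the same directive appears in several blocks.
ssh_config { 'ProxyJump for internal hosts':
  ensure => present,
  key    => 'ProxyJump',
  host   => '*.internal.example.net',
  value  => 'bastion.example.net',
}

ssh_config { 'IdentitiesOnly for the bastion':
  ensure => present,
  key    => 'IdentitiesOnly',
  host   => 'bastion.example.net',
  value  => 'yes',
}
```

ssh, like sshd, uses the first value it obtains for a directive, so if you do set the same directive both globally and under a Host block (as the README's ForwardAgent example does), check the order in the rendered file rather than assume it. Two caveats from the issues further down this page also apply: the ssh lens stores an ordinary directive as a single whitespace-free value, so a directive whose value is a space-separated list (GlobalKnownHostsFile with several files) cannot be written through ssh_config as one string, and an array yields several lines instead; and the Augeas-backed sshkey provider is reported to be far slower than Puppet's parsed provider on large known_hosts files, so for thousands of exported sshkey resources that reporter forced provider => parsed on them.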

Issues

Please file any issues or suggestions on GitHub.

Contributors

bastelfreak, domcleal, ekohl, feandil, h-haaks, hbenali, herver, igalic, jameswestover, kenyon, loopiv, ltning, maxadamo, op-ct, raphink, smortex, tedgarb, thekpld, traylenator, trevor-vaughan, zilchms

Issues (from the GitHub tracker)

cannot pull via the Forge

puppet module install herculesteam-augeasproviders_ssh

Notice: Preparing to install into /home/bess/.puppetlabs/etc/code/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Error: Is a directory @ rb_sysopen - /home/brandon/.puppetlabs/opt/puppet/cache/puppet-module/cache/tmp20180208-26566-xan9vh/herculesteam-augeasproviders_ssh-2.5.3/spec/fixtures/unit/puppet/provider/sshd_config_subsystem/auge
Error: Try 'puppet help module install' for usage

Replicated the issue using puppet module install and rake spec

odd behavior of module 2.5.0

After upgrading to module 2.5.0 we experience an odd behavior of the sshkey resource.

Here is the code we use:

  unless empty($::sshdsakey) {
    @@sshkey { "${::certname}_dsa":
      host_aliases => [$::fqdn, $::hostname],
      type         => dsa,
      key          => $::sshdsakey,
      tag          => "sshkey_${::environment}"
    }
  }
  unless empty($::sshrsakey) {
    @@sshkey { "${::certname}_rsa":
      host_aliases => [$::fqdn, $::hostname],
      type         => rsa,
      key          => $::sshrsakey,
      tag          => "sshkey_${::environment}"
    }
  }
  resources { 'sshkey':
    purge    => true,
  }
Sshkey <<| tag == "sshkey_${::environment}" |>> -> File['/etc/ssh/ssh_known_hosts']

Each run now the catalog is 'changed':

... type changed 'ssh-dss AND ssh-rsa' to 'ssh-dss'
... key changed ...

I have tried to use ensure => hashed , but results were pretty much the same
Please advise.
Thanks

Feature request: use comments to match Match blocks in sshd_config instead of conditions

I'm using puppet to define dynamic IP-based Match blocks like:

sshd_config { 'AuthenticationMethods root trusted_ips':
  key       => 'AuthenticationMethods',
  condition => "User root Address ${ip_filter}",
  value     => join($methods, ' '),
  notify    => Service['sshd'],
}

Because the provider of this module uses the condition to check if the setting is already present, whenever the ip_filter change, a new Match block is added to the configuration and the previous one is not touched/modified/replaced/removed.

One solution to this problem would be to insert a comment (e.g. equal to the resource name?) and do the match on this comment instead of using the condition itself.

For the record, I'm currently using the following code to achieve what I need:

$trusted_root_methods = join($methods, ' ')
augeas { 'sshd_2fa_trusted_root_insert':
  context => '/files/etc/ssh/sshd_config',
  changes => [
    'set Match[last()+1]/Condition/User root',
    "set Match[last()]/Condition/Address ${ip_filter}",
    'set Match[last()]/Settings/#comment "Multifactor root from trusted ip"',
    # The $target variable only exists in the 'verify' resource below (each
    # augeas resource is its own Augeas session), so address the new block
    # directly here.
    "set Match[last()]/Settings/AuthenticationMethods '${trusted_root_methods}'",
  ],
  before  => Augeas['sshd_2fa_trusted_root_verify'],
  onlyif  => 'match */Settings/#comment[. = "Multifactor root from trusted ip"] size == 0',
  notify  => Service['sshd'],
}
augeas { 'sshd_2fa_trusted_root_verify':
  context => '/files/etc/ssh/sshd_config',
  changes => [
    'defnode target */Settings/#comment[. = "Multifactor root from trusted ip"]/../.. "Multifactor root from trusted ip"',
    'rm  $target/Condition',
    'set $target/Condition/User root',
    "set \$target/Condition/Address ${ip_filter}",
    'rm  $target/Settings',
    'set $target/Settings/#comment "Multifactor root from trusted ip"',
    "set \$target/Settings/AuthenticationMethods '${trusted_root_methods}'",
  ],
  onlyif  => 'match */Settings/#comment[. = "Multifactor root from trusted ip"] size != 0',
  notify  => Service['sshd'],
}

Cannot create new HostKeyAlgorithms entry with augeas > 1.9.0

Augeas 1.9.0 includes this change in the release notes:

Sshd: split HostKeyAlgorithms into list of values; recognize quoted group names with spaces in them (Issue #477)

However, both version 4.0.0 and the head of this repository treat this field as a simple value.
https://github.com/hercules-team/augeasproviders_ssh/blob/a0f3728f7b8a0307e0d3b41e6d30d4d995f948ca/lib/puppet/provider/sshd_config/augeas.rb#L46

As a result, trying to add this configuration directive to an sshd.conf that does not already contain it fails with somewhat unclear errors about the augeas tree

Notice: /Stage[main]/Ssh::Config/Sshd_config[HostKeyAlgorithms]/ensure: created (corrective)
Debug: Puppet::Type::Sshd_config::ProviderAugeas: Save failure details:
/augeas/files/etc/ssh/sshd_config/error/path = /files/etc/ssh/sshd_config/
/augeas/files/etc/ssh/sshd_config/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/sshd.aug:142.12-.47:
/augeas/files/etc/ssh/sshd_config/error/message = Failed to match tree under /
[...]
     { "KexAlgorithms" }
     { "HostKeyAlgorithms" = "ecdsa-sha2-nistp256" }
     { "HostKeyAlgorithms" = "[email protected]" }
     { "HostKeyAlgorithms" = "ecdsa-sha2-nistp384" }
     { "HostKeyAlgorithms" = "[email protected]" }
     { "HostKeyAlgorithms" = "ecdsa-sha2-nistp521" }
     { "HostKeyAlgorithms" = "[email protected]" }
     { "HostKeyAlgorithms" = "ssh-ed25519" }
     { "HostKeyAlgorithms" = "[email protected]" }
     { "HostKeyAlgorithms" = "rsa-sha2-256" }
     { "HostKeyAlgorithms" = "[email protected]" }
     { "HostKeyAlgorithms" = "rsa-sha2-512" }
     { "HostKeyAlgorithms" = "[email protected]" }
     { "HostKeyAlgorithms" = "ssh-rsa" }
     { "HostKeyAlgorithms" = "[email protected]" }
     { "Match" }
     { "Match" }

  with pattern
   (    { /AcceptEnv/ }
      | { /AllowGroups/ }
      | { /AllowUsers/ }
      | { /DenyGroups/ }
      | { /Subsystem/ }
      | { /DenyUsers/ }
      | { /MACs/ }
      | { /Ciphers/ }
      | { /KexAlgorithms/ }
      | { /HostKeyAlgorithms/ }
      | { /[Aa][Cc][Cc][Ee][Pp][Tt][Ee][Nn](([Vv][0-9A-Za-z]|[0-9A-UW-Za-uw-z])[0-9A-Za-z]*|)|[Aa][Cc][Cc][Ee][Pp][Tt][Ee]([0-9A-MO-Za-mo-z][0-9A-Za-z]*|)|[Aa][Cc][Cc][Ee][Pp][Tt]([0-9A-DF-Za-df-z][0-9A-Za-z]*|)|[Aa][Cc][Cc][Ee][Pp]([0-9A-SU-Za-su-z][0-9A-Za-z]*|)|[Aa][Cc][Cc][Ee]([0-9A-OQ-Za-oq-z][0-9A-Za-z]*|)|[Aa][Cc][Cc]([0-9A-DF-Za-df-z][0-9A-Za-z]*|)|[Aa][Ll][Ll][Oo][Ww]([Gg][Rr][Oo][Uu][Pp](([Ss][0-9A-Za-z]|[0-9A-RT-Za-rt-z])[0-9A-Za-z]*|)|[Gg][Rr][Oo][Uu]([0-9A-OQ-Za-oq-z][0-9A-Za-z]*|)|[Gg][Rr][Oo]([0-9A-TV-Za-tv-z][0-9A-Za-z]*|)|[Gg][Rr]([0-9A-NP-Za-np-z][0-9A-Za-z]*|)|[Uu][Ss][Ee][Rr](([Ss][0-9A-Za-z]|[0-9A-RT-Za-rt-z])[0-9A-Za-z]*|)|[Uu][Ss][Ee]([0-9A-QS-Za-qs-z][0-9A-Za-z]*|)|[Uu][Ss]([0-9A-DF-Za-df-z][0-9A-Za-z]*|)|[Uu]([0-9A-RT-Za-rt-z][0-9A-Za-z]*|)|[Gg]([0-9A-QS-Za-qs-z][0-9A-Za-z]*|)|[0-9A-FH-TV-Za-fh-tv-z][0-9A-Za-z]*|)|[Aa][Ll][Ll][Oo]([0-9A-VX-Za-vx-z][0-9A-Za-z]*|)|[Aa][Ll][Ll]([0-9A-NP-Za-np-z][0-9A-Za-z]*|)|[Aa][Ll]([0-9A-KM-Za-km-z][0-9A-Za-z]*|)|[Aa][Cc]([0-9ABD-Zabd-z][0-9A-Za-z]*|)|[Cc][Ii][Pp][Hh][Ee][Rr](([Ss][0-9A-Za-z]|[0-9A-RT-Za-rt-z])[0-9A-Za-z]*|)|[Cc][Ii][Pp][Hh][Ee]([0-9A-QS-Za-qs-z][0-9A-Za-z]*|)|[Cc][Ii][Pp][Hh]([0-9A-DF-Za-df-z][0-9A-Za-z]*|)|[Cc][Ii][Pp]([0-9A-GI-Za-gi-z][0-9A-Za-z]*|)|[Cc][Ii]([0-9A-OQ-Za-oq-z][0-9A-Za-z]*|)|[Dd][Ee][Nn][Yy][Gg][Rr][Oo][Uu][Pp](([Ss][0-9A-Za-z]|[0-9A-RT-Za-rt-z])[0-9A-Za-z]*|)|[Dd][Ee][Nn][Yy][Gg][Rr][Oo][Uu]([0-9A-OQ-Za-oq-z][0-9A-Za-z]*|)|[Dd][Ee][Nn][Yy][Gg][Rr][Oo]([0-9A-TV-Za-tv-z][0-9A-Za-z]*|)|[Dd][Ee][Nn][Yy][Gg][Rr]([0-9A-NP-Za-np-z][0-9A-Za-z]*|)|[Dd][Ee][Nn][Yy][Uu][Ss][Ee][Rr](([Ss][0-9A-Za-z]|[0-9A-RT-Za-rt-z])[0-9A-Za-z]*|)|[Dd][Ee][Nn][Yy][Uu][Ss][Ee]([0-9A-QS-Za-qs-z][0-9A-Za-z]*|)|[Dd][Ee][Nn][Yy][Uu][Ss]([0-9A-DF-Za-df-z][0-9A-Za-z]*|)|[Dd][Ee][Nn][Yy][Uu]([0-9A-RT-Za-rt-z][0-9A-Za-z]*|)|[Dd][Ee][Nn][Yy][Gg]([0-9A-QS-Za-qs-z][0-9A-Za-z]*|)|[Dd][Ee][Nn][Yy]([0-9A-FH-TV-Za-fh-tv-z][0-9A-Za-z]*|)|[Dd][Ee][Nn]([0-9A-XZa-xz][0-9A-Za-z]*|)|[Dd][Ee]([0-9A-MO-Za-mo-z][0-9A-Za-z]*|
)|[Hh][Oo][Ss][Tt][Kk][Ee][Yy]([Aa][Ll][Gg][Oo][Rr][Ii][Tt][Hh][Mm](([Ss][0-9A-Za-z]|[0-9A-RT-Za-rt-z])[0-9A-Za-z]*|)|[Aa][Ll][Gg][Oo][Rr][Ii][Tt][Hh]([0-9A-LN-Za-ln-z][0-9A-Za-z]*|)|[Aa][Ll][Gg][Oo][Rr][Ii][Tt]([0-9A-GI-Za-gi-z][0-9A-Za-z]*|)|[Aa][Ll][Gg][Oo][Rr][Ii]([0-9A-SU-Za-su-z][0-9A-Za-z]*|)|[Aa][Ll][Gg][Oo][Rr]([0-9A-HJ-Za-hj-z][0-9A-Za-z]*|)|[Aa][Ll][Gg][Oo]([0-9A-QS-Za-qs-z][0-9A-Za-z]*|)|[Aa][Ll][Gg]([0-9A-NP-Za-np-z][0-9A-Za-z]*|)|[Aa][Ll]([0-9A-FH-Za-fh-z][0-9A-Za-z]*|)|[Aa]([0-9A-KM-Za-km-z][0-9A-Za-z]*|)|[0-9B-Zb-z][0-9A-Za-z]*|)|[Hh][Oo][Ss][Tt][Kk][Ee]([0-9A-XZa-xz][0-9A-Za-z]*|)|[Hh][Oo][Ss][Tt][Kk]([0-9A-DF-Za-df-z][0-9A-Za-z]*|)|[Hh][Oo][Ss][Tt]([0-9A-JL-Za-jl-z][0-9A-Za-z]*|)|[Hh][Oo][Ss]([0-9A-SU-Za-su-z][0-9A-Za-z]*|)|[Hh][Oo]([0-9A-RT-Za-rt-z][0-9A-Za-z]*|)|[Kk][Ee][Xx][Aa][Ll][Gg][Oo][Rr][Ii][Tt][Hh][Mm](([Ss][0-9A-Za-z]|[0-9A-RT-Za-rt-z])[0-9A-Za-z]*|)|[Kk][Ee][Xx][Aa][Ll][Gg][Oo][Rr][Ii][Tt][Hh]([0-9A-LN-Za-ln-z][0-9A-Za-z]*|)|[Kk][Ee][Xx][Aa][Ll][Gg][Oo][Rr][Ii][Tt]([0-9A-GI-Za-gi-z][0-9A-Za-z]*|)|[Kk][Ee][Xx][Aa][Ll][Gg][Oo][Rr][Ii]([0-9A-SU-Za-su-z][0-9A-Za-z]*|)|[Kk][Ee][Xx][Aa][Ll][Gg][Oo][Rr]([0-9A-HJ-Za-hj-z][0-9A-Za-z]*|)|[Kk][Ee][Xx][Aa][Ll][Gg][Oo]([0-9A-QS-Za-qs-z][0-9A-Za-z]*|)|[Kk][Ee][Xx][Aa][Ll][Gg]([0-9A-NP-Za-np-z][0-9A-Za-z]*|)|[Kk][Ee][Xx][Aa][Ll]([0-9A-FH-Za-fh-z][0-9A-Za-z]*|)|[Kk][Ee][Xx][Aa]([0-9A-KM-Za-km-z][0-9A-Za-z]*|)|[Kk][Ee][Xx]([0-9B-Zb-z][0-9A-Za-z]*|)|[Kk][Ee]([0-9A-WYZa-wyz][0-9A-Za-z]*|)|[Mm][Aa][Tt][Cc](([Hh][0-9A-Za-z]|[0-9A-GI-Za-gi-z])[0-9A-Za-z]*|)|[Mm][Aa][Tt]([0-9ABD-Zabd-z][0-9A-Za-z]*|)|[Mm][Aa][Cc](([Ss][0-9A-Za-z]|[0-9A-RT-Za-rt-z])[0-9A-Za-z]*|)|[Mm][Aa]([0-9ABD-SU-Zabd-su-z][0-9A-Za-z]*|)|[Ss][Uu][Bb][Ss][Yy][Ss][Tt][Ee](([Mm][0-9A-Za-z]|[0-9A-LN-Za-ln-z])[0-9A-Za-z]*|)|[Ss][Uu][Bb][Ss][Yy][Ss][Tt]([0-9A-DF-Za-df-z][0-9A-Za-z]*|)|[Ss][Uu][Bb][Ss][Yy][Ss]([0-9A-SU-Za-su-z][0-9A-Za-z]*|)|[Ss][Uu][Bb][Ss][Yy]([0-9A-RT-Za-rt-z][0-9A-Za-z]*|)|[Ss][Uu][Bb][Ss]([0-9A-XZa-xz][0-9A-Za-z]*|)|[Ss][Uu][
Bb]([0-9A-RT-Za-rt-z][0-9A-Za-z]*|)|[Ss][Uu]([0-9AC-Zac-z][0-9A-Za-z]*|)|([Ss][0-9A-TV-Za-tv-z]|[Mm][0-9B-Zb-z]|[Kk][0-9A-DF-Za-df-z]|[Hh][0-9A-NP-Za-np-z]|[Dd][0-9A-DF-Za-df-z]|[Cc][0-9A-HJ-Za-hj-z]|[Aa][0-9ABD-KM-Zabd-km-z]|[0-9BE-GIJLN-RT-Zbe-gijln-rt-z][0-9A-Za-z])[0-9A-Za-z]*|[Ss]|[Mm]|[Kk]|[Hh]|[Dd]|[Cc]|[Aa]|[0-9BE-GIJLN-RT-Zbe-gijln-rt-z]/ = /[^\t\n =]+([\t =]+[^\t\n =]+)*/ }
      | { /#comment/ = /[^\t\n\r ].*[^\t\n\r ]|[^\t\n\r ]/ }
      | { })*
    { /Match/ }*

Error: /Stage[main]/Ssh::Config/Sshd_config[HostKeyAlgorithms]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

In this output, I have the values entered as an array, but a similar message with all the algorithms on one line appears if I provide them as a simple string.

I can work around this in my case by patching the line I referenced above, but this is not necessarily the appropriate solution for this module overall, since doing so would break users with older versions of augeas. There also seem to be tickets in the augeas and puppet worlds to make the sshd augeas lens recognize more array values (namely in my case GSSAPIKexAlgorithms, PubkeyAcceptedKeyTypes, and CASignatureAlgorithms), which means this problem could reoccur as more arrays are handled "correctly" by the underlying augeas lens but not by this module.

Is there a way to purge unmanaged config options ?

Hi,

I'd like to make sure that only those config options are present in the sshd_config file that are actually managed by this provider. All others (manually added or old) should get purged.
Is there a way to achieve this with this module?

An acceptance test needs to be added that exercises the overrides in `lib/puppet/provider/sshkey/augeas.rb`

The lib/puppet/provider/sshkey/augeas.rb enhances the existing sshkey provider.

Prior to puppet 6, this worked seamlessly because the sshkey provider was loaded first.

However, since sshkey is now a separate module, I believe that the override is probably not working (have not explicitly checked) because augeasproviders_ssh comes before sshkey alphabetically.

The fix is probably to explicitly load the parent type prior to trying to load the override.

Bug in handling ports in sshd_config when reducing the number of ports that are active

Starting scenario

Code

puppet apply -e 'sshd_config { "Port": value => [22,2222,22222,2223] }'

Expectation

Port 22
Port 2222
Port 22222
Port 2223

Reality ✔️

Port 22
Port 2222
Port 22222
Port 2223

Reduce by two entries

Code

puppet apply -e 'sshd_config { "Port": value => [22,2222] }'

Expectation

Port 22
Port 2222

Reality ❌

Port 22
Port 2222
Port 2223

Run Puppet again

Code

puppet apply -e 'sshd_config { "Port": value => [22,2222] }'

Expectation

Port 22
Port 2222

Reality ✔️

Port 22
Port 2222

The provider seems to reject and fail on Subsystem and AcceptEnv options for sshd_config

Hello, I have tried to update the sshd_config file options (Subsystem, AcceptEnv) and I get this:
Could not evaluate: Failed to save Augeas tree to file
I'm testing them as shown here:

sshd_config { "AcceptEnv":
  ensure => present,
  value  => "LANG LC_*",
}

sshd_config { "Subsystem":
  ensure => present,
  value  => "sftp /usr/lib/ssh/sftp-server",
}

It seems that when there are white spaces, *, or any special symbols there is a failure since if I just place

sshd_config { "AcceptEnv":
  ensure => present,
  value  => "LANGLC",
}

it works well and updates the file.
Did you test these particular options in the sshd_config puppet provider as I did above?
I'm on Ubuntu 12.04
puppet 3.7.1

Release 3.0.0 missing from forge

There is a release version 3.0.0 available trough github, but the latest version on forge is still 2.5.3.

Is that intentional?

sshd_config does not restart sshd service

Not able to find any documentation on how to ensure the sshd service (RHEL 6) gets restarted when using sshd_config from augeasproviders_ssh. I don't see any notify parameter for the sshd_config resource and restarting sshd does not appear to be built in and assumed when using sshd_config from augeasproviders_ssh.

`augeas` should not be the default provider for `sshkey`

I started using this module for the ssh_config type, but meanwhile it became the default provider for sshkey (a type from the sshkeys_core module). This has had a hideous impact on performance.

In my testing, 2000 resources take 330 seconds to enforce (even with no changes), compared to 0.91 seconds if I force the provider back to parsed.

It's not uncommon to manage a large number of sshkey resources, so I think using this module to manage sshkey resources should be opt-in, (or the sshkey provider moved into its own module).

Error when generating types for environment isolation

puppet generate types throws the following error:

Error: /etc/puppetlabs/code/environments/test/modules/augeasproviders_ssh/lib/puppet/type/sshd_config_match.rb: title patterns that use procs are not supported.

Using module versions:

# puppet module list --environment test | grep herculesteam
├── herculesteam-augeasproviders_core (v2.1.4)
├── herculesteam-augeasproviders_ssh (v2.5.3)

EOL comments not parsed

sshd_config { 'UsePrivilegeSeparation':
  ensure => 'present',
  value  => ['sandbox           # Default for new installations.'],
}

Conflicting sshd_config w/ condition does not result in failure

I would expect the following to result in a catalog failure as the same setting is set two different ways:

sshd_config { 'Host anotherhost.example.com PermitRootLogin':
  key       => 'PermitRootLogin',
  ensure    => present,
  condition => 'Host anotherhost.example.com',
  value     => 'without-password',
}
sshd_config { 'Host rootallowed.example.com PermitRootLogin':
  key       => 'PermitRootLogin',
  ensure    => present,
  condition => 'Host anotherhost.example.com',
  value     => 'yes',
}

but instead results in the value flip-flopping in the same run:

puppet apply ./sshd_test.pp
Notice: Compiled catalog for jc-sol11.example.com in environment production in 0.04 seconds
Notice: /Stage[main]/Main/Sshd_config[Host anotherhost.example.com PermitRootLogin]/value: value changed ['yes'] to 'without-password'
Notice: /Stage[main]/Main/Sshd_config[Host rootallowed.example.com PermitRootLogin]/value: value changed ['without-password'] to 'yes'

Can't set GlobalKnownHostsFile

We want to set GlobalKnownHostsFile in /etc/ssh/ssh_config on default ubuntu 14.04 ssh_config.

ssh_config { 'GlobalKnownHostsFile':
  ensure => present,
  host   => '*',
  value  => '/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 /etc/ssh/all_ssh_known_hosts',
}

This fails as long as there are spaces in the value.
If we use value => ['/etc/ssh/ssh_known_hosts', '/etc/ssh/ssh_known_hosts2', '/etc/ssh/all_ssh_known_hosts'], the module creates several key/value pairs.

But the documentation requires space-separated values:

     GlobalKnownHostsFile
             Specifies one or more files to use for the global host key database, separated by whitespace.  The default is /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2.

Puppet debug run:

Notice: /Stage[main]/Profiles::Ssh::Client/Ssh_config[GlobalKnownHostsFile]/value: value changed ['/etc/ssh/ssh_known_hosts'] to '/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 /etc/ssh/all_ssh_known_hosts'
Debug: Puppet::Type::Ssh_config::ProviderAugeas: Save failure details:
/augeas/files/etc/ssh/ssh_config/error/path = /files/etc/ssh/ssh_config/Host
/augeas/files/etc/ssh/ssh_config/error/lens = /usr/share/augeas/lenses/dist/ssh.aug:74.17-.63:
/augeas/files/etc/ssh/ssh_config/error/message = Failed to match
    ({ /#comment/ = /[^\001-\004\t\n\r ][^\001-\004\n]*[^\001-\004\t\n\r ]|[^\001-\004\t\n\r ]/ } | { } | { /SendEnv/ } | { /ProxyCommand/ = /[^\001-\004\t\n ][^\001-\004\n]*[^\001-\004\t\n ]|[^\001-\004\t\n ]/ } | { /RemoteForward/ } | { /LocalForward/ } | { /MACs/ } | { /Ciphers/ } | { /Cipher((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|Ciphe([0-9A-Za-qs-z][0-9A-Za-z]*|)|Ciph([0-9A-Za-df-z][0-9A-Za-z]*|)|Cip([0-9A-Za-gi-z][0-9A-Za-z]*|)|Ci([0-9A-Za-oq-z][0-9A-Za-z]*|)|Hos((t[0-9A-Za-z]|[0-9A-Za-su-z])[0-9A-Za-z]*|)|Ho([0-9A-Za-rt-z][0-9A-Za-z]*|)|LocalForwar((d[0-9A-Za-z]|[0-9A-Za-ce-z])[0-9A-Za-z]*|)|LocalForwa([0-9A-Za-qs-z][0-9A-Za-z]*|)|LocalForw([0-9A-Zb-z][0-9A-Za-z]*|)|LocalFor([0-9A-Za-vx-z][0-9A-Za-z]*|)|LocalFo([0-9A-Za-qs-z][0-9A-Za-z]*|)|LocalF([0-9A-Za-np-z][0-9A-Za-z]*|)|Local([0-9A-EG-Za-z][0-9A-Za-z]*|)|Loca([0-9A-Za-km-z][0-9A-Za-z]*|)|Loc([0-9A-Zb-z][0-9A-Za-z]*|)|Lo([0-9A-Zabd-z][0-9A-Za-z]*|)|MAC((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|MA([0-9ABD-Za-z][0-9A-Za-z]*|)|ProxyComman((d[0-9A-Za-z]|[0-9A-Za-ce-z])[0-9A-Za-z]*|)|ProxyComma([0-9A-Za-mo-z][0-9A-Za-z]*|)|ProxyComm([0-9A-Zb-z][0-9A-Za-z]*|)|ProxyCom([0-9A-Za-ln-z][0-9A-Za-z]*|)|ProxyCo([0-9A-Za-ln-z][0-9A-Za-z]*|)|ProxyC([0-9A-Za-np-z][0-9A-Za-z]*|)|Proxy([0-9ABD-Za-z][0-9A-Za-z]*|)|Prox([0-9A-Za-xz][0-9A-Za-z]*|)|Pro([0-9A-Za-wyz][0-9A-Za-z]*|)|Pr([0-9A-Za-np-z][0-9A-Za-z]*|)|RemoteForwar((d[0-9A-Za-z]|[0-9A-Za-ce-z])[0-9A-Za-z]*|)|RemoteForwa([0-9A-Za-qs-z][0-9A-Za-z]*|)|RemoteForw([0-9A-Zb-z][0-9A-Za-z]*|)|RemoteFor([0-9A-Za-vx-z][0-9A-Za-z]*|)|RemoteFo([0-9A-Za-qs-z][0-9A-Za-z]*|)|RemoteF([0-9A-Za-np-z][0-9A-Za-z]*|)|Remote([0-9A-EG-Za-z][0-9A-Za-z]*|)|Remot([0-9A-Za-df-z][0-9A-Za-z]*|)|Remo([0-9A-Za-su-z][0-9A-Za-z]*|)|Rem([0-9A-Za-np-z][0-9A-Za-z]*|)|Re([0-9A-Za-ln-z][0-9A-Za-z]*|)|SendEn((v[0-9A-Za-z]|[0-9A-Za-uw-z])[0-9A-Za-z]*|)|SendE([0-9A-Za-mo-z][0-9A-Za-z]*|)|Send([0-9A-DF-Za-z][0-9A-Za-z]*|)|Sen([0-9A-Za-ce-z][0-9A-Za-z]*|)|Se([0-9A-Za-mo-z][0-9A-Za-z]*|)|(S[0-9A-Za-df-z]
|R[0-9A-Za-df-z]|P[0-9A-Za-qs-z]|M[0-9B-Za-z]|L[0-9A-Za-np-z]|H[0-9A-Za-np-z]|C[0-9A-Za-hj-z]|[0-9ABD-GI-KNOQT-Za-z][0-9A-Za-z])[0-9A-Za-z]*|S|R|P|M|L|H|C|[0-9ABD-GI-KNOQT-Za-z]/ = /[^\001-\004\t\n ]+/ })*
  with tree
    { "#comment" = "ForwardAgent no" } { "#comment" = "ForwardX11 no" } { "#comment" = "ForwardX11Trusted yes" } { "#comment" = "RhostsRSAAuthentication no" } { "#comment" = "RSAAuthentication yes" } { "#comment" = "PasswordAuthentication yes" } { "#comment" = "HostbasedAuthentication no" } { "#comment" = "GSSAPIAuthentication no" } { "#comment" = "GSSAPIDelegateCredentials no" } { "#comment" = "GSSAPIKeyExchange no" } { "#comment" = "GSSAPITrustDNS no" } { "#comment" = "BatchMode no" } { "#comment" = "CheckHostIP yes" } { "#comment" = "AddressFamily any" } { "#comment" = "ConnectTimeout 0" } { "#comment" = "StrictHostKeyChecking ask" } { "#comment" = "IdentityFile ~/.ssh/identity" } { "#comment" = "IdentityFile ~/.ssh/id_rsa" } { "#comment" = "IdentityFile ~/.ssh/id_dsa" } { "#comment" = "Port 22" } { "#comment" = "Protocol 2,1" } { "#comment" = "Cipher 3des" } { "#comment" = "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc" } { "#comment" = "MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160" } { "#comment" = "EscapeChar ~" } { "#comment" = "Tunnel no" } { "#comment" = "TunnelDevice any:any" } { "#comment" = "PermitLocalCommand no" } { "#comment" = "VisualHostKey no" } { "#comment" = "ProxyCommand ssh -q -W %h:%p gateway.example.com" } { "#comment" = "RekeyLimit 1G 1h" } { "SendEnv" } { "HashKnownHosts" = "yes" } { "GSSAPIAuthentication" = "yes" } { "GSSAPIDelegateCredentials" = "no" } { "GlobalKnownHostsFile" = "/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 /etc/ssh/all_ssh_known_hosts" }
Error: /Stage[main]/Profiles::Ssh::Client/Ssh_config[GlobalKnownHostsFile]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

error when attempting to manage GSSAPIKexAlgorithms

When I try to manage GSSAPIKexAlgorithms I get an error like this:

Error: /Stage[main]/Stdcfg::Sshd/Sshd_config[GSSAPIKexAlgorithms]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

augeasproviders: 2.4.1
augeasproviders_core: 2.6.0
augeasproviders_base: 2.1.0
augeasproviders_ssh: 3.2.1
puppet-agent-5.5.18-1.el7.x86_64 on CentOS 7

If I follow how this is working correctly, the sshd lens is coming from the puppet-agent RPM. And as I browse through it, it doesn't look like it understands the GSSAPIKexAlgorithms parameter.

What's the best way forward? Is there a way to provide a custom lens through the augeasproviders_ssh module? Or can we implement our own custom lens and use it with our module?

puppet resource sshd_config does not display match values

I created "Match" settings using:

sshd_config { 'Host anotherhost.example.com PermitRootLogin':
  key => 'PermitRootLogin',
  ensure => present,
  condition => 'Host anotherhost.example.com',
  value => 'without-password',
}
sshd_config { 'Host rootallowed.example.com PermitRootLogin':
  key => 'PermitRootLogin',
  ensure => present,
  condition => 'Host rootallowed.example.com',
  value => 'yes',
}

and verified the sshd_config to see that they were created, but the command "puppet resource sshd_config" does not display them. Is this a known limitation?

sshkey provider is missing the instances class method

This method is necessary for purging unmanaged resources (error I'm getting is Error: /Stage[main]/Ssh/Resources[sshkey]: Failed to generate additional resources using 'generate': Provider augeas has not defined the 'instances' class method).

sshkey known host lens not found

I'm unable to get sshkey to work. I see that there is a lens provided within the module's lib directory. Is this supposed to be used/installed automatically? There is no known_hosts.aug in /usr/share/augeas/lenses/dist.

Error

Error: /Stage[main]/Profiles::Base/Profiles::Base::Modules::Stage1/Openssh-known-hosts/Sshkey[github.com]: Could not evaluate: Augeas didn't load /etc/ssh/ssh_known_hosts with Known_Hosts.lns:

Example

sshkey { 'github.com':
  ensure       => present,
  host_aliases => ['*.github.com'],
  type         => 'ssh-rsa',
  key          => '...',
}

Running

CentOS 6.6 x64
ruby-augeas-0.4.1-3.el6.x86_64
augeas-1.0.0-7.el6_6.1.x86_64
augeas-libs-1.0.0-7.el6_6.1.x86_64
herculesteam-augeasproviders_ssh 2.4.0

AllowGroups does not work with condition.

This doesn't work:

sshd_config_match { "LocalPort 2022":
  ensure   => present,
}

sshd_config { "AllowGroups":
  ensure    => present,
  condition => 'LocalPort 2022',
  value     => ['filedrop'],
}

The error is:

Error: /Stage[main]/Main/Node[__node_regexp__a-z0-9-filedrop-d]/Sshd_config[AllowGroups]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

If I enable debug logging it looks like this:

Notice: /Stage[main]/Main/Node[__node_regexp__a-z0-9-filedrop-d]/Sshd_config[AllowGroups]/ensure: created
Debug: Puppet::Type::Sshd_config::ProviderAugeas: Save failure details:
/augeas/files/etc/ssh/sshd_config/error/path = /files/etc/ssh/sshd_config/Match/Settings
/augeas/files/etc/ssh/sshd_config/error/lens = /usr/share/augeas/lenses/dist/sshd.aug:129.12-.44:
/augeas/files/etc/ssh/sshd_config/error/message = Failed to match 
  with tree
    { "X11Forwarding" = "no" } { "PasswordAuthentication" = "yes" } { "AllowTCPForwarding" = "no" } { "AllowGroups" }
Error: /Stage[main]/Main/Node[__node_regexp__a-z0-9-filedrop-d]/Sshd_config[AllowGroups sftp]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

Validation issues when trying to limit root access to IP address

I'm looking to limit root access to a specific IP address, however there seems to be some validation that throws an error and stops the config being created and applied. This seems to be because the same config directive is used multiple times, even if it's siloed in a match block.

# By default, it appears PermitRootLogin is set to yes, I need this to be set to no.
sshd_config { "PermitRootLogin":
  ensure => absent,
}
# I try and create a match rule that links to a specific IP address
sshd_config { "PermitRootLogin":
  ensure    => present,
  value     => 'yes',
  condition => 'User [email protected]',
}

The result is the following error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: 
Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Sshd_config[PermitRootLogin] is already declared at (file: 
/etc/puppetlabs/code/environments/production/modules/custom_ssh_mod/manifests/init.pp, line: 8); cannot redeclare (file: 
/etc/puppetlabs/code/environments/production/modules/custom_ssh_mod/manifests/init.pp, line: 13) (file: 
/etc/puppetlabs/code/environments/production/modules/custom_ssh_mod/manifests/init.pp, line: 13, column: 9) on node test-machine.somewhere.com
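Puppet rejects the second resource because both share the title PermitRootLogin, not because of the Match block; giving each resource a distinct title and naming the directive in `key` (as the Match settings reported earlier on this page do) lets both be declared. This is an added example, not code from the issue thread; the 192.0.2.10 address and the Address match criterion are constructed assumptions.

```puppet
# Global default: root logins disallowed everywhere (the reporter wanted
# "no" rather than the directive simply being absent).
sshd_config { 'PermitRootLogin global':
  ensure => present,
  key    => 'PermitRootLogin',
  value  => 'no',
}

# Match block for a single management address (192.0.2.10 is a constructed
# placeholder). The title is the Match condition, as in the
# "LocalPort 2022" report above.
sshd_config_match { 'Address 192.0.2.10':
  ensure => present,
}

# Same directive inside the Match block: the unique title avoids the
# duplicate-declaration error while key keeps the directive name unchanged.
sshd_config { 'PermitRootLogin from 192.0.2.10':
  ensure    => present,
  key       => 'PermitRootLogin',
  condition => 'Address 192.0.2.10',
  value     => 'yes',
}
```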

Release new version to fix compatibility with puppet 7.28+ and 8.3+

Hello,

First, a bit of background context: Back in February, #65 was merged. This PR was originally written to address #64, which was addressed in an interim manner in #68 in 2022. As I alluded to in #64, I also submitted hercules-team/augeas#721, which would not be sufficiently addressed with #68, but would in #65, which flexibly handles augeas updates to which labels were strings and which were arrays. hercules-team/augeas#721 was merged back in November 2022, and we thus set up a situation where if a puppet update incorporated that change before #65 was merged and released, this module would break in the same way as #64 and #68 originally described.

With that background explained; Puppet 8.3 was released in November 2023, and Puppet 7.28 was released in January 2024, both incorporating a bump of augeas from 1.13.0 to 1.14.1, which includes hercules-team/augeas#721 . As noted in https://www.puppet.com/docs/puppet/7/release_notes_puppet#enhancements_puppet_x-7-28-0-PA-5944 and https://www.puppet.com/docs/puppet/8/release_notes_puppet#enhancements_puppet_x-8-3-0-PA-4938, this breaks the use of augeas in the way predicted in #64, because the label is now an array and not a string. This was also observed in #99 on this repository.

I have tested in my local environment, and in order to address this situation with the use of the module, my change in #65 must be present. This change is also confirmed backwards-compatible with pre-7.28/8.3.

Therefore, I humbly ask that a new release of this module be cut when possible, to allow for people not able to run from the git repo that is ahead of the latest release to be able to address this issue. A release note highlighting the puppet release notes would also be appreciated, as I believe people may need to further adjust their config/use of the module to switch from a string to an array.

sshd_config_subsystem does not allow for managing the same subsystem name in multiple targets

Hi,

It seems that sshd_config_subsystem does not allow one to manage the parameter as a resource in multiple files. For instance, this gives a duplicate resource error:

sshd_config_subsystem { "sftp":
   target => '/etc/ssh/sshd_config',
   command => '/bin/false',
}

sshd_config_subsystem { "sftp":
   target => '/etc/ssh/sshd_config_chroot',
   command => 'internal-sftp',
}

This isn't really a show-stopper for us since I think by the time we need it, we'll have our SFTP service migrated to a newer version of OpenSSH where we can get the access control that we need in a single SSH service, but I was testing an implementation with CentOS 6 and thought I would pass along the problem.

Thanks!

Skylar

Sshd_config[PubkeyAcceptedKeyTypes]: Could not evaluate: Failed to save Augeas tree to file.

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.x
  • Ruby: bundled
  • Distribution: Debian
  • Module version: 6.0.0

How to reproduce (e.g. Puppet code you use)

Save this as sshd.pp:

sshd_config {
      'PubkeyAcceptedKeyTypes':
        ensure => present,
        #value  => [ '+ssh-dss' ];
        value  => '+ssh-dss';
}

Run using default sshd_config file:

cp /usr/share/openssh/sshd_config /etc/ssh/sshd_config
puppet apply sshd.pp

What are you seeing

Error: /Stage[main]/Main/Sshd_config[PubkeyAcceptedKeyTypes]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

Debug output shows:

Debug: Puppet::Type::Sshd_config::ProviderAugeas: Save failure details:
/augeas/files/etc/ssh/sshd_config/error/path = /files/etc/ssh/sshd_config/
/augeas/files/etc/ssh/sshd_config/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/sshd.aug:154.12-.47:
/augeas/files/etc/ssh/sshd_config/error/message = Failed to match tree under /

     { "#comment" = "$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $" }
etc
  with pattern
etc.

Error: /Stage[main]/Main/Sshd_config[PubkeyAcceptedKeyTypes]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

What behaviour did you expect instead

I was hoping it would add the option to /etc/ssh/sshd_config

Output log

Any additional information you'd like to impart

Change to sshd_config not restarting daemon

I made a change in Puppet using sshd_config resource to add an HMAC to the approved list. When the modification was pushed to the client, sshd wasn't restarted. I had to manually restart sshd for the change to take effect.

entries with same name in different blocks fail

The following simple code fails:

  $group1 = 'group1'
  $group2 = 'group2'

  sshd_config {"ChrootDirector ${group1}":
    ensure    => present,
    condition => "Group ${group1}",
    value     => '/home/group1/%u',
  }

  sshd_config {"ChrootDirectory ${group2}":
    ensure    => present,
    condition => "Group ${group2}",
    value     => '/home/group2/%u',
  }

Here is the error message:

Notice: /Stage[main]/Main/Sshd_config[ChrootDirector group1]/ensure: created
Error: /Stage[main]/Main/Sshd_config[ChrootDirector group1]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.
Notice: /Stage[main]/Main/Sshd_config[ChrootDirectory group2]/ensure: created
Error: /Stage[main]/Main/Sshd_config[ChrootDirectory group2]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

undefined method `provider' for nil:NilClass

I added the module to my puppet master (in the moduledir) and have verified that the custom types have been synced to the libdir:

[root@..... provider]# pwd
/var/opt/lib/pe-puppet/lib/puppet/provider
[root@..... provider]# ls
file_concat    ini_subsetting      pe_puppetdb_conn_validator  rabbitmq_vhost       sensu_client_subscription  ssh_config
file_line      java_ks             postgresql_psql             reboot               sensu_dashboard_config     sshd_config
firewall       ldapdn              rabbitmq_exchange           sensu_api_config     sensu_filter               sshd_config_subsystem
firewallchain  package             rabbitmq_plugin             sensu_check          sensu_handler
firewall.rb    pe_postgresql_conf  rabbitmq_user               sensu_check_config   sensu_rabbitmq_config
ini_setting    pe_postgresql_psql  rabbitmq_user_permissions   sensu_client_config  sensu_redis_config
[root@..... provider]#

but am receiving the following error when running puppet agent.

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not autoload puppet/type/sshd_config_subsystem: Could not autoload puppet/provider/sshd_config_subsystem/augeas: undefined method `provider' for nil:NilClass on node stg01-************

This specific piece of code is :

sshd_config_subsystem { "sftp":
  ensure  => present,
  command => "internal-sftp",
}

The same result is experienced when using sshd_config types as well.

Problems with Ciphers and KexAlgorithms on EL6/EL7

Running this on a fully patched CentOS 6.6:

[root@host ~]# cat /etc/centos-release 
CentOS release 6.6 (Final)
[root@host ~]# cat /root/sshd_config_test 
# this is a test
Protocol 2
[root@host ~]# cat test.pp 
sshd_config { 'Ciphers':
   value  => ['aes128-cbc','aes128-ctr'],
   ensure => 'present',
   target => '/root/sshd_config_test'
}
[root@host ~]# puppet apply --debug test.pp 
#### SNIP ####
Info: Applying configuration version '1434005958'
Notice: /Stage[main]/Main/Sshd_config[Ciphers]/ensure: created
Debug: Puppet::Type::Sshd_config::ProviderAugeas: Save failure details:
/augeas/files/root/sshd_config_test/error/path = /files/root/sshd_config_test
/augeas/files/root/sshd_config_test/error/lens = /usr/share/augeas/lenses/dist/sshd.aug:123.12-125.36:
/augeas/files/root/sshd_config_test/error/message = Failed to match 
    ({ /#comment/ = /[^\001-\004\t\n\r ][^\001-\004\n]*[^\001-\004\t\n\r ]|[^\001-\004\t\n\r ]/ } | { } | { /AcceptEnv/ } | { /AllowGroups/ } | { /AllowUsers/ } | { /DenyGroups/ } | { /Subsystem/ } | { /DenyUsers/ } | { /MACs/ } | { /AcceptEn((v[0-9A-Za-z]|[0-9A-Za-uw-z])[0-9A-Za-z]*|)|AcceptE([0-9A-Za-mo-z][0-9A-Za-z]*|)|Accept([0-9A-DF-Za-z][0-9A-Za-z]*|)|Accep([0-9A-Za-su-z][0-9A-Za-z]*|)|Acce([0-9A-Za-oq-z][0-9A-Za-z]*|)|Acc([0-9A-Za-df-z][0-9A-Za-z]*|)|Allow(Group((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|Grou([0-9A-Za-oq-z][0-9A-Za-z]*|)|Gro([0-9A-Za-tv-z][0-9A-Za-z]*|)|Gr([0-9A-Za-np-z][0-9A-Za-z]*|)|User((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|Use([0-9A-Za-qs-z][0-9A-Za-z]*|)|Us([0-9A-Za-df-z][0-9A-Za-z]*|)|U([0-9A-Za-rt-z][0-9A-Za-z]*|)|G([0-9A-Za-qs-z][0-9A-Za-z]*|)|[0-9A-FH-TV-Za-z][0-9A-Za-z]*|)|Allo([0-9A-Za-vx-z][0-9A-Za-z]*|)|All([0-9A-Za-np-z][0-9A-Za-z]*|)|Al([0-9A-Za-km-z][0-9A-Za-z]*|)|Ac([0-9A-Zabd-z][0-9A-Za-z]*|)|DenyGroup((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|DenyGrou([0-9A-Za-oq-z][0-9A-Za-z]*|)|DenyGro([0-9A-Za-tv-z][0-9A-Za-z]*|)|DenyGr([0-9A-Za-np-z][0-9A-Za-z]*|)|DenyUser((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|DenyUse([0-9A-Za-qs-z][0-9A-Za-z]*|)|DenyUs([0-9A-Za-df-z][0-9A-Za-z]*|)|DenyU([0-9A-Za-rt-z][0-9A-Za-z]*|)|DenyG([0-9A-Za-qs-z][0-9A-Za-z]*|)|Deny([0-9A-FH-TV-Za-z][0-9A-Za-z]*|)|Den([0-9A-Za-xz][0-9A-Za-z]*|)|De([0-9A-Za-mo-z][0-9A-Za-z]*|)|MAC((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|Matc((h[0-9A-Za-z]|[0-9A-Za-gi-z])[0-9A-Za-z]*|)|Mat([0-9A-Zabd-z][0-9A-Za-z]*|)|Ma([0-9A-Za-su-z][0-9A-Za-z]*|)|MA([0-9ABD-Za-z][0-9A-Za-z]*|)|Subsyste((m[0-9A-Za-z]|[0-9A-Za-ln-z])[0-9A-Za-z]*|)|Subsyst([0-9A-Za-df-z][0-9A-Za-z]*|)|Subsys([0-9A-Za-su-z][0-9A-Za-z]*|)|Subsy([0-9A-Za-rt-z][0-9A-Za-z]*|)|Subs([0-9A-Za-xz][0-9A-Za-z]*|)|Sub([0-9A-Za-rt-z][0-9A-Za-z]*|)|Su([0-9A-Zac-z][0-9A-Za-z]*|)|(S[0-9A-Za-tv-z]|M[0-9B-Zb-z]|D[0-9A-Za-df-z]|A[0-9A-Zabd-km-z]|[0-9BCE-LN-RT-Za-z][0-9A-Za-z])[0-9A-Za-z]*|S|M|D|A|[0-9BCE-LN-RT-Za-z]/
 = /[^\001-\004\t\n ]+([\t ]+[^\001-\004\t\n ]+)*/ })*{ /Match/ }*
  with tree
    { "#comment" = "this is a test" } { "Protocol" = "2" } { "Ciphers" }
Error: /Stage[main]/Main/Sshd_config[Ciphers]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.
Debug: Finishing transaction 70246676121620
Debug: Storing state
Debug: Stored state in 0.04 seconds
Notice: Finished catalog run in 0.07 seconds
[root@host ~]# rpm -qa | grep augeas
augeas-libs-1.0.0-7.el6_6.1.x86_64
ruby-augeas-0.4.1-3.el6.x86_64
[root@host ~]# 

The same problem appears on CentOS 7:

[root@centos7 ~]# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core) 
[root@centos7 ~]# cat test.pp 
sshd_config { 'Ciphers':
   value  => 'aes128-cbc,aes128-ctr',
   ensure => 'present',
   target => '/root/sshd_config_test'
}
[root@centos7 ~]# cat /root/sshd_config_test 
# this is a test
Protocol 2
[root@centos7 ~]# puppet apply --debug test.pp 
#### SNIP ####
Info: Applying configuration version '1434006975'
Notice: /Stage[main]/Main/Sshd_config[Ciphers]/ensure: created
Debug: Puppet::Type::Sshd_config::ProviderAugeas: Save failure details:
/augeas/files/root/sshd_config_test/error/path = /files/root/sshd_config_test
/augeas/files/root/sshd_config_test/error/lens = /usr/share/augeas/lenses/dist/sshd.aug:123.12-125.36:
/augeas/files/root/sshd_config_test/error/message = Failed to match 
    ({ /#comment/ = /[^\001-\004\t\n\r ][^\001-\004\n]*[^\001-\004\t\n\r ]|[^\001-\004\t\n\r ]/ } | { } | { /AcceptEnv/ } | { /AllowGroups/ } | { /AllowUsers/ } | { /DenyGroups/ } | { /Subsystem/ } | { /DenyUsers/ } | { /MACs/ } | { /AcceptEn((v[0-9A-Za-z]|[0-9A-Za-uw-z])[0-9A-Za-z]*|)|AcceptE([0-9A-Za-mo-z][0-9A-Za-z]*|)|Accept([0-9A-DF-Za-z][0-9A-Za-z]*|)|Accep([0-9A-Za-su-z][0-9A-Za-z]*|)|Acce([0-9A-Za-oq-z][0-9A-Za-z]*|)|Acc([0-9A-Za-df-z][0-9A-Za-z]*|)|Allow(Group((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|Grou([0-9A-Za-oq-z][0-9A-Za-z]*|)|Gro([0-9A-Za-tv-z][0-9A-Za-z]*|)|Gr([0-9A-Za-np-z][0-9A-Za-z]*|)|User((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|Use([0-9A-Za-qs-z][0-9A-Za-z]*|)|Us([0-9A-Za-df-z][0-9A-Za-z]*|)|U([0-9A-Za-rt-z][0-9A-Za-z]*|)|G([0-9A-Za-qs-z][0-9A-Za-z]*|)|[0-9A-FH-TV-Za-z][0-9A-Za-z]*|)|Allo([0-9A-Za-vx-z][0-9A-Za-z]*|)|All([0-9A-Za-np-z][0-9A-Za-z]*|)|Al([0-9A-Za-km-z][0-9A-Za-z]*|)|Ac([0-9A-Zabd-z][0-9A-Za-z]*|)|DenyGroup((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|DenyGrou([0-9A-Za-oq-z][0-9A-Za-z]*|)|DenyGro([0-9A-Za-tv-z][0-9A-Za-z]*|)|DenyGr([0-9A-Za-np-z][0-9A-Za-z]*|)|DenyUser((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|DenyUse([0-9A-Za-qs-z][0-9A-Za-z]*|)|DenyUs([0-9A-Za-df-z][0-9A-Za-z]*|)|DenyU([0-9A-Za-rt-z][0-9A-Za-z]*|)|DenyG([0-9A-Za-qs-z][0-9A-Za-z]*|)|Deny([0-9A-FH-TV-Za-z][0-9A-Za-z]*|)|Den([0-9A-Za-xz][0-9A-Za-z]*|)|De([0-9A-Za-mo-z][0-9A-Za-z]*|)|MAC((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|Matc((h[0-9A-Za-z]|[0-9A-Za-gi-z])[0-9A-Za-z]*|)|Mat([0-9A-Zabd-z][0-9A-Za-z]*|)|Ma([0-9A-Za-su-z][0-9A-Za-z]*|)|MA([0-9ABD-Za-z][0-9A-Za-z]*|)|Subsyste((m[0-9A-Za-z]|[0-9A-Za-ln-z])[0-9A-Za-z]*|)|Subsyst([0-9A-Za-df-z][0-9A-Za-z]*|)|Subsys([0-9A-Za-su-z][0-9A-Za-z]*|)|Subsy([0-9A-Za-rt-z][0-9A-Za-z]*|)|Subs([0-9A-Za-xz][0-9A-Za-z]*|)|Sub([0-9A-Za-rt-z][0-9A-Za-z]*|)|Su([0-9A-Zac-z][0-9A-Za-z]*|)|(S[0-9A-Za-tv-z]|M[0-9B-Zb-z]|D[0-9A-Za-df-z]|A[0-9A-Zabd-km-z]|[0-9BCE-LN-RT-Za-z][0-9A-Za-z])[0-9A-Za-z]*|S|M|D|A|[0-9BCE-LN-RT-Za-z]/
 = /[^\001-\004\t\n ]+([\t ]+[^\001-\004\t\n ]+)*/ })*{ /Match/ }*
  with tree
    { "#comment" = "this is a test" } { "Protocol" = "2" } { "Ciphers" }
Error: /Stage[main]/Main/Sshd_config[Ciphers]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.
Debug: Finishing transaction 35328780
Debug: Storing state
Debug: Stored state in 0.09 seconds
Notice: Finished catalog run in 0.23 seconds
### SNIP ###
[root@centos7 ~]# rpm -qa | grep -i augeas
augeas-libs-1.1.0-17.el7.x86_64
ruby-augeas-0.5.0-1.el7.x86_64
[root@centos7 ~]# 

I think this was fixed in a later version of augeas-libs, but contrary to the documentation, augeas lenses doesn't appear in the epel repo for either CentOS 6 or CentOS 7, which means we're stuck using versions from the base repo.

I think this bug is related to #11 - which was sadly marked as wontfix... the easiest way to fix this is to bundle an updated sshd lens with this module. Or, stop treating Ciphers and KexAlgorithms as arrays if doing so isn't supported by the lens. Or encourage puppetlabs to host updated augeas RPMs for EL 6 & 7.

Cannot use group with spaces in Match statement

Hello,

I haven't been able to make the following snippet work:

sshd_config { "Match Group Domain users AllowUsers *":
  ensure    => 'present',
  condition => {"Group" => "Domain users"},
  key       => 'AllowUsers',
  value     => '*',
}

If added manually to sshd_config it works (with double quotes) so I guess it's a bug here!

Regards, Adam.

AcceptEnv does not properly use array

I want to add a variable for AcceptEnv but I have run into a problem. I collected all of the existing AcceptEnv settings in the existing sshd_config file. I set up the following resource in a manifest with the one I wanted to add at the end:

sshd_config { 'AcceptEnv':
    ensure => present,
    value  => ["LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_COLLATE", "LC_MONETARY", "LC_MESSAGES", "LC_PAPER", "LC_NAME", "LC_ADDRESS",   "LC_TELEPHONE", "LC_MEASUREMENT", "LC_IDENTIFICATION", "LC_ALL", "LANGUAGE XMODIFIERS", "DUO_PASSCODE"],
    notify => Service['sshd'],
}

When running that with puppet agent I get the following:

Notice: /Stage[main]/Reshpc_argon::Frontend/Sshd_config[AcceptEnv]/value: value changed ['LANG', 'LC_CTYPE', 'LC_NUMERIC', 'LC_TIME', 'LC_COLLATE', 'LC_MONETARY', 'LC_MESSAGES', 'LC_PAPER', 'LC_NAME', 'LC_ADDRESS', 'LC_TELEPHONE', 'LC_MEASUREMENT', 'LC_IDENTIFICATION', 'LC_ALL', 'LANGUAGE', 'XMODIFIERS'] to 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS DUO_PASSCODE'
Error: /Stage[main]/Reshpc_argon::Frontend/Sshd_config[AcceptEnv]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

It appears that the values from the file are being recognized properly but the text of what will replace the content does not look like it is getting passed as an array.

Problem with sshd_config and MACs/Ciphers

I'm having some trouble with the following settings in my manifest:

  sshd_config { 'Ciphers':
    ensure => present,
    value => [ 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'arcfour', ],
  }
  sshd_config { 'MACs':
    ensure => present,
    value => [ 'hmac-sha1', 'hmac-ripemd160', ],
  }

They work fine on Ubuntu 14.04 (augeas 1.2.0, ruby-augeas 0.5.0), but on Ubuntu 12.04 (augeas 0.10.0, ruby-augeas 0.3.0) I get an error with Ciphers:

debug: Puppet::Type::Sshd_config::ProviderAugeas: Warning: Augeas >= 1.0.0 is required for case-insensitive support in sshd_config resources
debug: Puppet::Type::Sshd_config::ProviderAugeas: Warning: Augeas >= 1.0.0 is required for case-insensitive support in sshd_config resources
debug: Puppet::Type::Sshd_config::ProviderAugeas: Save failure details:
/augeas/files/etc/ssh/sshd_config/error/path = /files/etc/ssh/sshd_config
/augeas/files/etc/ssh/sshd_config/error/lens = /usr/share/augeas/lenses/dist/sshd.aug:123.12-125.36:
/augeas/files/etc/ssh/sshd_config/error/message = Failed to match
    ({ /#comment/ = /[^\001-\004\t\n ][^\001-\004\n]*[^\001-\004\t\n ]|[^\001-\004\t\n ]/ } | { } | { /AcceptEnv/ } | { /AllowGroups/ } | { /AllowUsers/ } | { /DenyGroups/ } | { /Subsystem/ } | { /DenyUsers/ } | { /MACs/ } | { /AcceptEn((v[0-9A-Za-z]|[0-9A-Za-uw-z])[0-9A-Za-z]*|)|AcceptE([0-9A-Za-mo-z][0-9A-Za-z]*|)|Accept([0-9A-DF-Za-z][0-9A-Za-z]*|)|Accep([0-9A-Za-su-z][0-9A-Za-z]*|)|Acce([0-9A-Za-oq-z][0-9A-Za-z]*|)|Acc([0-9A-Za-df-z][0-9A-Za-z]*|)|Allow(Group((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|Grou([0-9A-Za-oq-z][0-9A-Za-z]*|)|Gro([0-9A-Za-tv-z][0-9A-Za-z]*|)|Gr([0-9A-Za-np-z][0-9A-Za-z]*|)|User((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|Use([0-9A-Za-qs-z][0-9A-Za-z]*|)|Us([0-9A-Za-df-z][0-9A-Za-z]*|)|U([0-9A-Za-rt-z][0-9A-Za-z]*|)|G([0-9A-Za-qs-z][0-9A-Za-z]*|)|[0-9A-FH-TV-Za-z][0-9A-Za-z]*|)|Allo([0-9A-Za-vx-z][0-9A-Za-z]*|)|All([0-9A-Za-np-z][0-9A-Za-z]*|)|Al([0-9A-Za-km-z][0-9A-Za-z]*|)|Ac([0-9A-Zabd-z][0-9A-Za-z]*|)|DenyGroup((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|DenyGrou([0-9A-Za-oq-z][0-9A-Za-z]*|)|DenyGro([0-9A-Za-tv-z][0-9A-Za-z]*|)|DenyGr([0-9A-Za-np-z][0-9A-Za-z]*|)|DenyUser((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|DenyUse([0-9A-Za-qs-z][0-9A-Za-z]*|)|DenyUs([0-9A-Za-df-z][0-9A-Za-z]*|)|DenyU([0-9A-Za-rt-z][0-9A-Za-z]*|)|DenyG([0-9A-Za-qs-z][0-9A-Za-z]*|)|Deny([0-9A-FH-TV-Za-z][0-9A-Za-z]*|)|Den([0-9A-Za-xz][0-9A-Za-z]*|)|De([0-9A-Za-mo-z][0-9A-Za-z]*|)|MAC((s[0-9A-Za-z]|[0-9A-Za-rt-z])[0-9A-Za-z]*|)|Matc((h[0-9A-Za-z]|[0-9A-Za-gi-z])[0-9A-Za-z]*|)|Mat([0-9A-Zabd-z][0-9A-Za-z]*|)|Ma([0-9A-Za-su-z][0-9A-Za-z]*|)|MA([0-9ABD-Za-z][0-9A-Za-z]*|)|Subsyste((m[0-9A-Za-z]|[0-9A-Za-ln-z])[0-9A-Za-z]*|)|Subsyst([0-9A-Za-df-z][0-9A-Za-z]*|)|Subsys([0-9A-Za-su-z][0-9A-Za-z]*|)|Subsy([0-9A-Za-rt-z][0-9A-Za-z]*|)|Subs([0-9A-Za-xz][0-9A-Za-z]*|)|Sub([0-9A-Za-rt-z][0-9A-Za-z]*|)|Su([0-9A-Zac-z][0-9A-Za-z]*|)|(S[0-9A-Za-tv-z]|M[0-9B-Zb-z]|D[0-9A-Z
a-df-z]|A[0-9A-Zabd-km-z]|[0-9BCE-LN-RT-Za-z][0-9A-Za-z])[0-9A-Za-z]*|S|M|D|A|[0-9BCE-LN-RT-Za-z]/ = /[^\001-\004\t\n ]+([\t ]+[^\001-\004\t\n ]+)*/ })*{ /Match/ }*
  with tree
    { "#comment" = "Package generated configuration file" } { "#comment" = "See the sshd_config(5) manpage for details" } {  } { "#comment" = "What ports, IPs and protocols we listen for" } { "Port" = "722" } { "#comment" = "Use these options to restrict which interfaces/protocols sshd will bind to" } { "#comment" = "ListenAddress ::" } { "#comment" = "ListenAddress 0.0.0.0" } { "Protocol" = "2" } { "#comment" = "HostKeys for protocol version 2" } { "HostKey" = "/etc/ssh/ssh_host_rsa_key" } { "HostKey" = "/etc/ssh/ssh_host_dsa_key" } { "HostKey" = "/etc/ssh/ssh_host_ecdsa_key" } { "#comment" = "Privilege Separation is turned on for security" } { "UsePrivilegeSeparation" = "yes" } {  } { "#comment" = "Lifetime and size of ephemeral version 1 server key" } { "KeyRegenerationInterval" = "3600" } { "ServerKeyBits" = "768" } {  } { "#comment" = "Logging" } { "SyslogFacility" = "AUTH" } { "LogLevel" = "INFO" } {  } { "#comment" = "Authentication:" } { "LoginGraceTime" = "120" } { "PermitRootLogin" = "without-password" } { "StrictModes" = "yes" } {  } { "RSAAuthentication" = "yes" } { "PubkeyAuthentication" = "yes" } { "#comment" = "AuthorizedKeysFile  %h/.ssh/authorized_keys" } {  } { "#comment" = "Don't read the user's ~/.rhosts and ~/.shosts files" } { "IgnoreRhosts" = "yes" } { "#comment" = "For this to work you will also need host keys in /etc/ssh_known_hosts" } { "RhostsRSAAuthentication" = "no" } { "#comment" = "similar for protocol version 2" } { "HostbasedAuthentication" = "no" } { "#comment" = "Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication" } { "#comment" = "IgnoreUserKnownHosts yes" } {  } { "#comment" = "To enable empty passwords, change to yes (NOT RECOMMENDED)" } { "PermitEmptyPasswords" = "no" } {  } { "#comment" = "Change to yes to enable challenge-response passwords (beware issues with" } { "#comment" = "some PAM modules and threads)" } { "ChallengeResponseAuthentication" = "no" } {  } { "#comment" = "Change to no to disable 
tunnelled clear text passwords" } { "#comment" = "PasswordAuthentication yes" } {  } { "#comment" = "Kerberos options" } { "#comment" = "KerberosAuthentication no" } { "#comment" = "KerberosGetAFSToken no" } { "#comment" = "KerberosOrLocalPasswd yes" } { "#comment" = "KerberosTicketCleanup yes" } {  } { "#comment" = "GSSAPI options" } { "#comment" = "GSSAPIAuthentication no" } { "#comment" = "GSSAPICleanupCredentials yes" } {  } { "X11Forwarding" = "yes" } { "X11DisplayOffset" = "10" } { "PrintMotd" = "no" } { "PrintLastLog" = "yes" } { "TCPKeepAlive" = "yes" } { "#comment" = "UseLogin no" } {  } { "#comment" = "MaxStartups 10:30:60" } { "#comment" = "Banner /etc/issue.net" } {  } { "#comment" = "Allow client to pass locale environment variables" } { "AcceptEnv" } {  } { "Subsystem" } {  } { "#comment" = "Set this to 'yes' to enable PAM authentication, account processing," } { "#comment" = "and session processing. If this is enabled, PAM authentication will" } { "#comment" = "be allowed through the ChallengeResponseAuthentication and" } { "#comment" = "PasswordAuthentication.  Depending on your PAM configuration," } { "#comment" = "PAM authentication via ChallengeResponseAuthentication may bypass" } { "#comment" = "the setting of "PermitRootLogin without-password"." } { "#comment" = "If you just want the PAM account and session checks to run without" } { "#comment" = "PAM authentication, then enable this but set PasswordAuthentication" } { "#comment" = "and ChallengeResponseAuthentication to 'no'." } { "UsePAM" = "yes" } { "MACs" } { "Ciphers" }

Looking at that output I noticed it's using the /usr/share/augeas/lenses/dist/sshd.aug lens, and that looks like it doesn't know Ciphers is a list item in the older augeas.

Although the documentation for this module suggests it should work, I'm guessing it's not supported on the older augeas? Or is there a workaround I can try?

And finally, on RHEL (augeas 1.0.0, ruby-augeas 0.4.1) neither Ciphers nor MACs appear to work, but that doesn't affect me as much.

HostKeyAlgorithms and KexAlgorithms not supported in ssh_config

These two settings are handled wrongly in current release.

In lib/puppet/provider/ssh_config/augeas.rb, change to the following:

  def self.set_value(aug, base, path, label, value)
    if label =~ /Ciphers|SendEnv|MACs|(HostKey|Kex)Algorithms|GlobalKnownHostsFile/i
      aug.rm("#{path}/*")

the new piece being (HostKey|Kex)Algorithms added to the label regex.

How to handle parameters like HostKey and Port

sshd_config allows multiple instances of HostKey, Port, ListenAddress...
How can I use the module to ensure only the configured values are present?

for example,
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

But not any other, like version 1, for example
HostKey /etc/ssh/ssh_host_key

Thanks
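An added example in Ruby, not part of the module or of either issue, that serves both the ssh_config regex issue above and this HostKey question: it parses the global section of an sshd_config text, treats the comma-separated list directives and the repeatable directives differently, and reports which values are missing or unexpected against a desired set. The names parse_global, drift, LIST_DIRECTIVES and the sample config are this example's own, and the sample is constructed.

```ruby
# Added example, not the module's code: audit an sshd_config text for drift
# from a desired set of values in two directive families.
#   * list directives (Ciphers, MACs, KexAlgorithms, HostKeyAlgorithms): one
#     line with a comma-separated list; this is the family the provider regex
#     in the ssh_config issue selects so the list is replaced, not appended to
#   * repeatable directives (HostKey, Port, ListenAddress): several lines;
#     "only configured values present" means the set of lines must equal the
#     desired set, so a leftover legacy HostKey is reported as unexpected
LIST_DIRECTIVES = /\A(Ciphers|MACs|(HostKey|Kex)Algorithms)\z/i

# Constructed sample; mirrors the shapes discussed in the issues above.
SAMPLE_SSHD_CONFIG = <<~CFG
  Port 22
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_dsa_key
  HostKey /etc/ssh/ssh_host_key
  Ciphers aes256-ctr,aes128-ctr
  Match User git    # trailing comment, as the GitLab installer writes it
    AuthorizedKeysCommandUser git
  Match all
CFG

# Parse the global section into { lowercased name => [values] }.
# Parsing stops at the first Match line: settings inside Match blocks are
# conditional and must be audited per block, not as global values.
def parse_global(text)
  out = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip   # drop comments, incl. trailing ones
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    break if key.casecmp('Match').zero?
    next if value.nil?
    values = key.match?(LIST_DIRECTIVES) ? value.split(',') : [value]
    out[key.downcase].concat(values.map(&:strip))
  end
  out
end

# Compare the desired values of one directive with what the file holds.
# Returns { missing: [...], unexpected: [...] }; both empty means compliant.
def drift(parsed, name, desired)
  actual = parsed.fetch(name.downcase, [])
  { missing: desired - actual, unexpected: actual - desired }
end

if $PROGRAM_NAME == __FILE__
  parsed = parse_global(SAMPLE_SSHD_CONFIG)
  p drift(parsed, 'HostKey', %w[/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_dsa_key])
end
```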

Sshd.lns fails to parse Match block

While trying to apply the following code

  sshd_config { 'PermitRootLogin':
    value  => 'no',
  }

I receive the following error message:

Error: /Stage[main]/Ssh/Sshd_config[PermitRootLogin]: Could not evaluate: Augeas didn't load /etc/ssh/sshd_config with Sshd.lns from /opt/puppetlabs/puppet/cache/lib/augeas/lenses: Get did not match entire input (line:148, character:0)

Line 148 starts the Match block added by the GitLab installer:

Match User git    # Apply the AuthorizedKeysCommands to the git user only
  AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
  AuthorizedKeysCommandUser git
Match all    # End match, settings apply to all users again

Match LocalPort : Augeas didn't load input

Hello,

I have an sshd config that fits my needs and works properly. I am trying to puppetize it.
I get an error on my sshd_config evaluation:

Error: /Stage[main]/Profiles::Base::Linux::Ssh/Sshd_config[LogLevel]: Could not evaluate: Augeas didn't load /etc/ssh/sshd_config with Sshd.lns from /var/opt/lib/pe-puppet/lib/augeas/lenses: Get did not match entire input (line:135, character:0)

Line 135 is the Match block:

Match LocalPort 6875
   AllowUsers localise
   PermitRootLogin no
   PasswordAuthentication no
   PubkeyAuthentication yes

Is 'Match LocalPort' supported?
I don't really know augeas, but is there anything I can do to help get this working?

Thanks !
Mélanie.
