

Change subject: Add SSH module
......................................................................

Add SSH module

Change-Id: I86aef1df923a8d31825abe180c2e2e069506927f
---
A puppet/modules/ssh/.DS_Store
A puppet/modules/ssh/.travis.yml
A puppet/modules/ssh/Gemfile
A puppet/modules/ssh/LICENSE
A puppet/modules/ssh/Modulefile
A puppet/modules/ssh/README.md
A puppet/modules/ssh/Rakefile
A puppet/modules/ssh/manifests/client.pp
A puppet/modules/ssh/manifests/init.pp
A puppet/modules/ssh/manifests/params.pp
A puppet/modules/ssh/manifests/server.pp
A puppet/modules/ssh/manifests/user.pp
A puppet/modules/ssh/metadata.json
A puppet/modules/ssh/spec/.DS_Store
A puppet/modules/ssh/spec/classes/server_spec.rb
A puppet/modules/ssh/spec/spec.opts
A puppet/modules/ssh/spec/spec_helper.rb
A puppet/modules/ssh/templates/sshd_config.erb
A puppet/modules/ssh/tests/client.pp
A puppet/modules/ssh/tests/server.pp
A puppet/modules/ssh/tests/user.pp
M puppet/site.pp
22 files changed, 385 insertions(+), 0 deletions(-)



diff --git a/puppet/modules/ssh/.DS_Store b/puppet/modules/ssh/.DS_Store
new file mode 100644
index 0000000..a26e364
--- /dev/null
+++ b/puppet/modules/ssh/.DS_Store
Binary files differ
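Review bot: `.DS_Store` is a macOS Finder artefact with no module content and should not be committed; it only leaks the committer's local directory layout into the repository. Drop both `puppet/modules/ssh/.DS_Store` and `puppet/modules/ssh/spec/.DS_Store` from this change and add a `.DS_Store` entry to the repository's `.gitignore` so they do not come back with the next vendoring.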
diff --git a/puppet/modules/ssh/.travis.yml b/puppet/modules/ssh/.travis.yml
new file mode 100644
index 0000000..0983017
--- /dev/null
+++ b/puppet/modules/ssh/.travis.yml
@@ -0,0 +1,31 @@
+language: ruby
+install: sudo ln -s $TRAVIS_BUILD_DIR `dirname $TRAVIS_BUILD_DIR`/ssh
+script:
+  - "bundle install && bundle exec rake lint spec SPEC_OPTS='--format 
documentation' "
+  - "puppet apply --modulepath=`dirname $TRAVIS_BUILD_DIR` --noop 
tests/client.pp"
+  - "puppet apply --modulepath=`dirname $TRAVIS_BUILD_DIR` --noop 
tests/server.pp"
+rvm:
+  - 1.8.7
+  - 1.9.3
+  - ruby-head
+branches:
+  only:
+   - master
+env:
+  - PUPPET_GEM_VERSION="~> 2.6"
+  - PUPPET_GEM_VERSION="~> 2.7"
+  - PUPPET_GEM_VERSION="~> 3.0"
+  - PUPPET_GEM_VERSION="~> 3.1"
+  - PUPPET_GEM_VERSION="~> 3.2"
+matrix:
+  allow_failures:
+    - rvm: ruby-head
+  exclude:
+    - rvm: 1.9.3
+      env: PUPPET_GEM_VERSION="~> 2.7"
+    - rvm: ruby-head
+      env: PUPPET_GEM_VERSION="~> 2.7"
+    - rvm: 1.9.3
+      env: PUPPET_GEM_VERSION="~> 2.6"
+    - rvm: ruby-head
+      env: PUPPET_GEM_VERSION="~> 2.6"
diff --git a/puppet/modules/ssh/Gemfile b/puppet/modules/ssh/Gemfile
new file mode 100644
index 0000000..22c401e
--- /dev/null
+++ b/puppet/modules/ssh/Gemfile
@@ -0,0 +1,17 @@
+source 'https://rubygems.org'
+
+group :development, :test do
+  gem 'rake'
+  gem 'puppetlabs_spec_helper', :require => false
+  gem 'rspec-system-puppet', '~>2.0'
+  gem 'puppet-lint', '~> 0.3.2'
+end
+
+if puppetversion = ENV['PUPPET_GEM_VERSION']
+  gem 'puppet', puppetversion, :require => false
+else
+  gem 'puppet', :require => false
+end
+
+
+# vim:ft=ruby
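Review bot: Every gem here floats: `rake`, `puppetlabs_spec_helper` and the fallback `gem 'puppet', :require => false` branch carry no version bound and no `Gemfile.lock` is committed, so each CI run resolves whatever rubygems.org serves that day. That is tolerable for a disposable Travis job, but if anyone is expected to run `bundle exec rake` locally against this vendored copy, at least bound `puppet` (for example `gem 'puppet', '~> 2.7', :require => false`) and commit a lockfile so the toolchain is reproducible and a compromised or broken upstream release cannot silently enter a developer's machine.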
diff --git a/puppet/modules/ssh/LICENSE b/puppet/modules/ssh/LICENSE
new file mode 100644
index 0000000..4f6b477
--- /dev/null
+++ b/puppet/modules/ssh/LICENSE
@@ -0,0 +1,19 @@
+Copyright (C) 2011 by Eivind Uggedal <[email protected]>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/puppet/modules/ssh/Modulefile b/puppet/modules/ssh/Modulefile
new file mode 100644
index 0000000..64a2e14
--- /dev/null
+++ b/puppet/modules/ssh/Modulefile
@@ -0,0 +1,13 @@
+name 'attachmentgenie-ssh'
+version '1.2.1'
+
+author 'Eivind Uggedal <[email protected]>'
+license 'MIT License'
+project_page 'https://github.com/attachmentgenie/puppet-module-ssh'
+source 'git://github.com/attachmentgenie/puppet-module-ssh.git'
+summary 'Puppet ssh Module'
+description 'Module for configuring ssh.
+
+Tested on Debian GNU/Linux 6.0 Squeeze and Ubuntu 10.4 LTS and 12.04 LTS with
+Puppet 2.6 and 2.7. Patches for other operating systems are welcome.'
+dependency 'puppetlabs/stdlib', '>=2.2.1'
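Review bot: `source 'git://github.com/attachmentgenie/puppet-module-ssh.git'` points at the unauthenticated git:// transport, which provides neither origin nor integrity checks; prefer `source 'https://github.com/attachmentgenie/puppet-module-ssh.git'` (the `source` field in metadata.json has the same value). This change vendors upstream 1.2.1 without a Puppetfile or any record of the upstream commit, so it would also help to note the upstream commit hash in the commit message, which is what lets later upstream security fixes be diffed against the copy that was taken.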
diff --git a/puppet/modules/ssh/README.md b/puppet/modules/ssh/README.md
new file mode 100644
index 0000000..b8e8e5b
--- /dev/null
+++ b/puppet/modules/ssh/README.md
@@ -0,0 +1,50 @@
+[![Build 
Status](https://secure.travis-ci.org/attachmentgenie/puppet-module-ssh.png)](http://travis-ci.org/attachmentgenie/puppet-module-ssh)
+
+Puppet SSH Module
+=================
+
+Module for configuring ssh.
+
+Tested on Debian GNU/Linux 6.0 Squeeze and Ubuntu 10.4 LTS and 12.04 LTS with
+Puppet 2.6 and 2.7. Patches for other operating systems are welcome.
+
+Usage
+-----
+
+The `ssh::client` class installs the ssh client:
+
+    include ssh::client
+
+The `ssh::server` class installs and configures the sshd:
+
+    include ssh::server
+
+You can specify the port the sshd should listen to by including the class
+with this special syntax:
+
+    class { "ssh::server":
+      port => 20009,
+    }
+
+You can also restrict access for only certain users:
+
+    class { "ssh::server":
+      allowed_users => ["uggedal", "manager"],
+    }
+
+And you can permit root logins (not recommended):
+    
+    class { "ssh::server":
+      permit_root_login => 'yes',
+    }
+    
+To permit root logins could be a serious security issue. In most cases you 
should
+use something like ```sudo``` instead.
+
+You can use `ssh::user` to add an authorized ssh key to an existing user
+for effortless authentication with ssh:
+
+    ssh::user { "uggedal":
+      key => "a8a7dgf7ad8j13g",
+      comment => "uggedal.com",
+    }
diff --git a/puppet/modules/ssh/Rakefile b/puppet/modules/ssh/Rakefile
new file mode 100644
index 0000000..b9c5473
--- /dev/null
+++ b/puppet/modules/ssh/Rakefile
@@ -0,0 +1,15 @@
+require 'rubygems'
+require 'bundler/setup'
+
+Bundler.require :default
+
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'rspec-system/rake_task'
+require 'puppet-lint/tasks/puppet-lint'
+
+PuppetLint.configuration.send("disable_80chars")
+PuppetLint.configuration.ignore_paths = ["pkg/**/*.pp"]
+
+task :test => [:spec, :lint]
+
+task :default => :test
diff --git a/puppet/modules/ssh/manifests/client.pp 
b/puppet/modules/ssh/manifests/client.pp
new file mode 100644
index 0000000..3f7f047
--- /dev/null
+++ b/puppet/modules/ssh/manifests/client.pp
@@ -0,0 +1,5 @@
+class ssh::client inherits ssh::params {
+  package { 'openssh-client':
+    ensure => present,
+  }
+}
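Review bot: The package name `openssh-client` is Debian-specific, yet `ssh::params` (which this class inherits) accepts the RedHat family, where the client package is `openssh-clients`; on such a host the failure surfaces at package install instead of at the unsupported-OS check in params. Either move the package name into `ssh::params` next to `$service_name` and use `package { $ssh::params::client_package: ... }` here, or narrow the `fail` in params to Debian only so the supported set is honest.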
diff --git a/puppet/modules/ssh/manifests/init.pp 
b/puppet/modules/ssh/manifests/init.pp
new file mode 100644
index 0000000..d29b1a6
--- /dev/null
+++ b/puppet/modules/ssh/manifests/init.pp
@@ -0,0 +1 @@
+# Required by Puppet for loading the module
diff --git a/puppet/modules/ssh/manifests/params.pp 
b/puppet/modules/ssh/manifests/params.pp
new file mode 100644
index 0000000..7e058d6
--- /dev/null
+++ b/puppet/modules/ssh/manifests/params.pp
@@ -0,0 +1,28 @@
+class ssh::params {
+  case $::osfamily {
+    'Debian': {
+      $service_name = 'ssh'
+    }
+    'RedHat': {
+      $service_name = 'sshd'
+    }
+    default: {
+      fail("Unsupported osfamily $::osfamily, currently only supports Debian 
and RedHat")
+    }
+  }
+  case $::operatingsystem {
+    'Debian': {
+      case $::operatingsystemrelease {
+        /^7.*$/ : {
+          
$host_keys=['/etc/ssh/ssh_host_rsa_key','/etc/ssh/ssh_host_dsa_key','/etc/ssh/ssh_host_ecdsa_key']
+        }
+        default : {
+          $host_keys=['/etc/ssh/ssh_host_rsa_key','/etc/ssh/ssh_host_dsa_key']
+        }
+      }
+    }
+    default : {
+      $host_keys=['/etc/ssh/ssh_host_rsa_key','/etc/ssh/ssh_host_dsa_key']
+    }
+  }
+}
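Review bot: `$host_keys` lists `/etc/ssh/ssh_host_dsa_key` on every branch, and the template turns each entry into a `HostKey` line, so the server always offers a DSA host key, which OpenSSH caps at 1024 bits; consider dropping it from the defaults (`$host_keys=['/etc/ssh/ssh_host_rsa_key','/etc/ssh/ssh_host_ecdsa_key']` on Debian 7, RSA only elsewhere) and rely on the `$host_keys` parameter of `ssh::server` for sites that still need it. Separately, the release match `/^7.*$/` matches any release string that begins with 7, not just the 7.x series; `/^7\./` is the intended test.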
diff --git a/puppet/modules/ssh/manifests/server.pp 
b/puppet/modules/ssh/manifests/server.pp
new file mode 100644
index 0000000..55bf963
--- /dev/null
+++ b/puppet/modules/ssh/manifests/server.pp
@@ -0,0 +1,34 @@
+class ssh::server(
+  $port='22',
+  $allowed_users=[],
+  $x11_forwarding='no',
+  $password_authentication='no',
+  $subsystem_sftp='/usr/lib/openssh/sftp-server',
+  $permit_root_login='no',
+  $host_keys=$ssh::params::host_keys,
+) inherits ssh::params {
+  package { 'openssh-server':
+    ensure => present,
+  }
+
+  file { '/etc/ssh/sshd_config':
+    content => template('ssh/sshd_config.erb'),
+    require => Package['openssh-server'],
+    owner => root,
+    group => root,
+    mode  => '0644'
+  }
+
+  service { 'ssh':
+    ensure    => running,
+    name      => $ssh::params::service_name,
+    enable    => true,
+    hasstatus => true,
+    subscribe => [Package['openssh-server'], File['/etc/ssh/sshd_config']],
+    require   => File['/etc/ssh/sshd_config'],
+  }
+
+  if $permit_root_login == 'true' {
+    notify { "You permit root login: use it with caution.": }
+  }
+}
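Review bot: The root-login warning never fires for the documented value: the README enables it with `permit_root_login => 'yes'` and the template writes the raw string, but the guard is `if $permit_root_login == 'true'`. More importantly, none of `$port`, `$permit_root_login`, `$password_authentication`, `$x11_forwarding` or `$subsystem_sftp` is validated before being written into sshd_config, so a typo such as `'Yes'` makes sshd reject the file at the restart this class triggers (whether the old daemon survives depends on the distribution's init script), and a value carrying a newline would land in the file as an extra directive. stdlib is already a declared dependency, so add `validate_re($permit_root_login, '^(yes|no|without-password|forced-commands-only)$')` and `validate_re($password_authentication, '^(yes|no)$')` ahead of the file resource, and change the guard to `if $permit_root_login != 'no'`. Where Puppet 3.5 or later is available, `validate_cmd => '/usr/sbin/sshd -t -f %'` on the file resource catches the remaining syntax errors before the service is restarted.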
diff --git a/puppet/modules/ssh/manifests/user.pp 
b/puppet/modules/ssh/manifests/user.pp
new file mode 100644
index 0000000..4116d8c
--- /dev/null
+++ b/puppet/modules/ssh/manifests/user.pp
@@ -0,0 +1,16 @@
+define ssh::user($key, $ensure=present,$comment='') {
+
+  if $ensure == present {
+    File["/home/$name"] -> Ssh_authorized_key["${name}@${comment}"]
+  } else {
+    Ssh_authorized_key["${name}@${comment}"] -> User[$name]
+    Ssh_authorized_key["${name}@${comment}"] -> Group[$name]
+  }
+
+  ssh_authorized_key { "${name}@${comment}":
+    ensure => $ensure,
+    key    => $key,
+    user   => $name,
+    type   => 'ssh-rsa',
+  }
+}
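Review bot: `type => 'ssh-rsa'` is hard-coded, so any non-RSA key (ecdsa, for example) is written to authorized_keys with the wrong type and silently fails to authenticate; expose it as a parameter with the same default, `define ssh::user($key, $ensure=present, $comment='', $type='ssh-rsa')`, and pass `type => $type`. The ordering edges `File["/home/$name"]`, `User[$name]` and `Group[$name]` reference resources this define never declares, so a catalog that uses `ssh::user` without also declaring them fails with a missing-dependency error and the home directory is assumed to live under `/home`; that contract should at least be stated in a header comment, e.g. `# Requires File["/home/<name>"] (and User/Group on removal) to be declared by the caller.`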
diff --git a/puppet/modules/ssh/metadata.json b/puppet/modules/ssh/metadata.json
new file mode 100644
index 0000000..d714696
--- /dev/null
+++ b/puppet/modules/ssh/metadata.json
@@ -0,0 +1,18 @@
+{
+  "name": "attachmentgenie-ssh",
+  "version": "1.2.1",
+  "summary": "Puppet ssh Module",
+  "author": "Eivind Uggedal \[email protected]\u003e",
+  "description": "Module for configuring ssh.\n\nTested on Debian GNU/Linux 
6.0 Squeeze and Ubuntu 10.4 LTS and 12.04 LTS with\nPuppet 2.6 and 2.7. Patches 
for other operating systems are welcome.",
+  "dependencies": [
+    {
+      "name": "puppetlabs/stdlib",
+      "version_requirement": "\u003e\u003d2.2.1"
+    }
+  ],
+  "types": [],
+  "checksums": {},
+  "source": "git://github.com/attachmentgenie/puppet-module-ssh.git",
+  "project_page": "https://github.com/attachmentgenie/puppet-module-ssh";,
+  "license": "MIT License"
+}
\ No newline at end of file
diff --git a/puppet/modules/ssh/spec/.DS_Store 
b/puppet/modules/ssh/spec/.DS_Store
new file mode 100644
index 0000000..745f9a3
--- /dev/null
+++ b/puppet/modules/ssh/spec/.DS_Store
Binary files differ
diff --git a/puppet/modules/ssh/spec/classes/server_spec.rb 
b/puppet/modules/ssh/spec/classes/server_spec.rb
new file mode 100644
index 0000000..8af5b06
--- /dev/null
+++ b/puppet/modules/ssh/spec/classes/server_spec.rb
@@ -0,0 +1,37 @@
+require 'spec_helper'
+
+describe 'ssh::server', :type => :class do
+#  let(:title) { 'postfix::relay' }
+  context 'Debian OS 7' do
+    let(:facts) { {:operatingsystem => 'Debian', :osfamily => 'Debian', 
:operatingsystemrelease => '7.1'} }
+  it { should contain_package('openssh-server') }
+  it do 
+   should contain_file('/etc/ssh/sshd_config').with({
+     'owner'  => 'root',
+     'group'  => 'root',
+     'mode'   => '0644',
+   })
+  end
+  it do 
+   should 
contain_file('/etc/ssh/sshd_config').with_content(/\/etc\/ssh\/ssh_host_dsa_key/)
+   should 
contain_file('/etc/ssh/sshd_config').with_content(/\/etc\/ssh\/ssh_host_ecdsa_key/)
+  end
+  end
+
+  context 'Debian OS 6' do
+    let(:facts) { {:operatingsystem => 'Debian', :osfamily => 'Debian', 
:operatingsystemrelease => '6.0'} }
+  it do 
+   should contain_file('/etc/ssh/sshd_config').with({
+     'owner'  => 'root',
+     'group'  => 'root',
+     'mode'   => '0644',
+   })
+  end
+
+    it do 
+      should 
contain_file('/etc/ssh/sshd_config').with_content(/\/etc\/ssh\/ssh_host_dsa_key/)
+      should_not 
contain_file('/etc/ssh/sshd_config').with_content(/\/etc\/ssh\/ssh_host_ecdsa_key/)
+    end
+  end
+end
+
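Review bot: The spec pins ownership, mode and which HostKey lines appear, but not the security-relevant defaults the template is supposed to enforce: nothing asserts `PermitRootLogin no`, `PasswordAuthentication no` or `X11Forwarding no`, so a regression in the `ssh::server` defaults or in the template would pass CI. Add to the Debian 7 context `should contain_file('/etc/ssh/sshd_config').with_content(/^PermitRootLogin no$/)` and `.with_content(/^PasswordAuthentication no$/)`, plus a context with `:params => { :permit_root_login => 'yes' }` that expects the `notify` resource. The commented-out `let(:title) { 'postfix::relay' }` is copied from another module and should be deleted.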
diff --git a/puppet/modules/ssh/spec/spec.opts 
b/puppet/modules/ssh/spec/spec.opts
new file mode 100644
index 0000000..cc0ba5b
--- /dev/null
+++ b/puppet/modules/ssh/spec/spec.opts
@@ -0,0 +1,6 @@
+--format
+s
+--colour
+--loadby
+mtime
+--backtrace
diff --git a/puppet/modules/ssh/spec/spec_helper.rb 
b/puppet/modules/ssh/spec/spec_helper.rb
new file mode 100644
index 0000000..563700b
--- /dev/null
+++ b/puppet/modules/ssh/spec/spec_helper.rb
@@ -0,0 +1,10 @@
+require 'rubygems'
+require 'puppetlabs_spec_helper/module_spec_helper'
+require 'rspec-puppet'
+
+RSpec.configure do |c|
+  c.module_path = File.expand_path(File.join(__FILE__, '../../../'))
+  puts 'module_path:'+c.module_path
+  c.manifest_dir = File.expand_path(File.join(__FILE__, '..', 
'fixtures/manifests'))
+  puts 'manifest_dir:'+c.manifest_dir
+end
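Review bot: The two `puts` calls are leftover debugging output that prints on every spec run; drop them rather than ship them in the helper. The path arithmetic `File.join(__FILE__, '../../../')` resolves from `spec/spec_helper.rb` up to `puppet/modules`, which is what lets `ssh::server` autoload, but that is not obvious from the expression; a one-line comment such as `# module_path must be puppet/modules so that ssh::* classes autoload` would save the next reader working it out.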
diff --git a/puppet/modules/ssh/templates/sshd_config.erb 
b/puppet/modules/ssh/templates/sshd_config.erb
new file mode 100644
index 0000000..2ba2c51
--- /dev/null
+++ b/puppet/modules/ssh/templates/sshd_config.erb
@@ -0,0 +1,82 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port <%= @port %>
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+<% @host_keys.each do |key| -%>
+HostKey <%= key %>
+<% end -%>
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin <%= @permit_root_login %>
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile    %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication <%= @password_authentication %>
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding <%= @x11_forwarding %>
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+#Subsystem sftp /usr/lib/openssh/sftp-server
+Subsystem sftp <%= @subsystem_sftp %>
+UsePAM yes
+
+<% if @allowed_users.any? %>
+AllowUsers <%= @allowed_users.join(" ") %>
+<% end %>
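Review bot: The header `# Package generated configuration file` is wrong for a file Puppet now owns and restarts sshd on; replace it with `# Managed by Puppet (ssh::server) - local edits will be overwritten` so an operator does not hand-edit it and lose the change on the next run. `KeyRegenerationInterval`, `ServerKeyBits` and `RSAAuthentication` apply only to protocol 1, which the `Protocol 2` line disables, so they are dead directives worth dropping. For audit purposes `LogLevel VERBOSE` rather than `INFO` makes sshd log the fingerprint of the key that authenticated each session, which is what incident responders need to tell the keys installed by `ssh::user` apart. The `AllowUsers` block is only emitted when the list is non-empty, so the default is no user restriction at all; a comment above the `<% if @allowed_users.any? %>` line saying so would make that default explicit.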
diff --git a/puppet/modules/ssh/tests/client.pp 
b/puppet/modules/ssh/tests/client.pp
new file mode 100644
index 0000000..a75fa0a
--- /dev/null
+++ b/puppet/modules/ssh/tests/client.pp
@@ -0,0 +1 @@
+class { 'ssh::client': }
\ No newline at end of file
diff --git a/puppet/modules/ssh/tests/server.pp 
b/puppet/modules/ssh/tests/server.pp
new file mode 100644
index 0000000..87d5732
--- /dev/null
+++ b/puppet/modules/ssh/tests/server.pp
@@ -0,0 +1 @@
+class {'ssh::server': }
diff --git a/puppet/modules/ssh/tests/user.pp b/puppet/modules/ssh/tests/user.pp
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/modules/ssh/tests/user.pp
diff --git a/puppet/site.pp b/puppet/site.pp
index c6d57ff..5bbd6d6 100644
--- a/puppet/site.pp
+++ b/puppet/site.pp
@@ -12,6 +12,7 @@
   include sudo
   include memcached
   include mariadb
+  include ssh
 
   package { 'elasticsearch':
     provider => dpkg,
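Review bot: `include ssh` cannot be resolved: `manifests/init.pp` in this change contains only a comment and defines no `class ssh`, so the autoloader will fail the catalog with a "Could not find class ssh" error on the node this site.pp applies to. The classes the module actually provides are `ssh::client` and `ssh::server`; presumably `include ssh::server`, or a `class { 'ssh::server': allowed_users => [...] }` declaration, is what was intended, and that declaration is also where the server gets locked down to the intended logins. The enclosing block of site.pp starts before this hunk.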


Gerrit-MessageType: newchange
Gerrit-Change-Id: I86aef1df923a8d31825abe180c2e2e069506927f
Gerrit-PatchSet: 1
Gerrit-Project: translatewiki
Gerrit-Branch: master
Gerrit-Owner: Siebrand <[email protected]>
