Merge branch 'hostkey_type' into 'master'

Hostkey type This is the pull request associated with: https://labs.riseup.net/code/issues/8285 See merge request !6
2015-04-17 18:43:16 +00:00 · 2015-04-17 18:43:16 +00:00 · d4923b2c3a
commit d4923b2c3a
parent 953ad0f777 5c9ce49321
12 changed files with 41 additions and 21 deletions
--- a/lib/facter/ssh_version.rb
+++ b/lib/facter/ssh_version.rb
@ -0,0 +1,5 @@
+Facter.add("ssh_version") do
+  setcode do
+    ssh_version = Facter::Util::Resolution.exec('ssh -V 2>&1 1>/dev/null').chomp.split(' ')[0].split('_')[1]
+  end
+end
--- a/lib/puppet/parser/functions/ssh_keygen.rb
+++ b/lib/puppet/parser/functions/ssh_keygen.rb
@ -27,3 +27,4 @@ Puppet::Parser::Functions::newfunction(:ssh_keygen, :type => :rvalue, :doc =>
    end
    [File.read(private_key_path),File.read(public_key_path)]
 end
+
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -49,6 +49,10 @@ class sshd(
  $shorewall_source = 'net',
  $sshkey_ipaddress = $::ipaddress,
  $manage_client = true,
+  $hostkey_type = versioncmp($::ssh_version, '6.5') ? {
+    /(^1|0)/ => [ 'rsa', 'ed25519' ],
+    /-1/    => [ 'rsa', 'dsa' ]
+  }
 ) {

  validate_bool($manage_shorewall)
--- a/templates/sshd_config/CentOS_7.erb
+++ b/templates/sshd_config/CentOS_7.erb
@ -35,9 +35,9 @@ ListenAddress <%= address %>
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>

 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@ -20,6 +20,10 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_dsa_key
 #Privilege Separation is turned on for security
--- a/templates/sshd_config/Debian_jessie.erb
+++ b/templates/sshd_config/Debian_jessie.erb
@ -22,10 +22,9 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes

--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@ -22,10 +22,9 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes

--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@ -22,8 +22,10 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes

--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@ -22,8 +22,9 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes

--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@ -40,8 +40,9 @@ Protocol 2
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>

 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
--- a/templates/sshd_config/Ubuntu.erb
+++ b/templates/sshd_config/Ubuntu.erb
@ -22,8 +22,10 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes

--- a/templates/sshd_config/Ubuntu_lucid.erb
+++ b/templates/sshd_config/Ubuntu_lucid.erb
@ -20,8 +20,10 @@ ListenAddress <%= address %>
 <% end -%>
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes