From 7d57530f0c6e86867d5c3bf0e160bd9dc19f2093 Mon Sep 17 00:00:00 2001 From: Francisco <50325976+FcoCalero@users.noreply.github.com> Date: Tue, 7 Oct 2025 17:25:56 +0200 Subject: [PATCH] Handle multiple include globs for SLES 15 --- CHANGELOG.md | 7 +++ README.md | 4 ++ data/os/SLES/15.yaml | 76 ++++++----------------- manifests/init.pp | 32 ++++++---- manifests/server.pp | 34 ++++++---- metadata.json | 9 +++ spec/classes/server_params_spec.rb | 2 +- spec/fixtures/testing/SLES-15_ssh_config | 12 ++++ spec/fixtures/testing/SLES-15_sshd_config | 17 +++++ templates/ssh_config.erb | 4 +- templates/sshd_config.erb | 4 +- 11 files changed, 117 insertions(+), 84 deletions(-) create mode 100644 spec/fixtures/testing/SLES-15_ssh_config create mode 100644 spec/fixtures/testing/SLES-15_sshd_config diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c643ad4..65f7845f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org). +## [Unreleased] + +### Added + +- Align the SLES 15 SSH defaults and fixtures with the vendor-provided configuration templates. +- Document SLES 10–15 among the supported platforms. + ## [v5.1.1](https://github.com/ghoneycutt/puppet-module-ssh/tree/v5.1.1) (2024-12-30) [Full Changelog](https://github.com/ghoneycutt/puppet-module-ssh/compare/v5.1.0...v5.1.1) diff --git a/README.md b/README.md index a11314cb..efe8f51c 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,10 @@ known to work on many, many platforms since its creation in 2010. * EL 7 * EL 8 * EL 9 + * SLES 10 + * SLES 11 + * SLES 12 + * SLES 15 * Ubuntu 18.04 LTS * Ubuntu 20.04 LTS * Ubuntu 22.04 LTS diff --git a/data/os/SLES/15.yaml b/data/os/SLES/15.yaml index f9076d36..47da4812 100644 --- a/data/os/SLES/15.yaml +++ b/data/os/SLES/15.yaml 
@@ -1,72 +1,32 @@ --- # (Suse) SLES 15 defaults in alphabetical order per class ssh::forward_x11_trusted: 'yes' -ssh::gss_api_authentication: 'yes' -ssh::hash_known_hosts: 'no' ssh::host: '*' +ssh::include: + - '/etc/ssh/ssh_config.d/*.conf' + - '/usr/etc/ssh/ssh_config.d/*.conf' ssh::packages: - 'openssh' +# SLES 15 groups the locale SendEnv directives across three lines. ssh::send_env: - - 'LANG' - - 'LANGUAGE' - - 'LC_ADDRESS' - - 'LC_ALL' - - 'LC_COLLATE' - - 'LC_CTYPE' - - 'LC_IDENTIFICATION' - - 'LC_MEASUREMENT' - - 'LC_MESSAGES' - - 'LC_MONETARY' - - 'LC_NAME' - - 'LC_NUMERIC' - - 'LC_PAPER' - - 'LC_TELEPHONE' - - 'LC_TIME' + - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' + - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' + - 'LC_IDENTIFICATION LC_ALL' +# SLES 15 groups the locale AcceptEnv directives across the same three lines. ssh::server::accept_env: - - 'LANG' - - 'LC_ADDRESS' - - 'LC_ALL' - - 'LC_COLLATE' - - 'LC_CTYPE' - - 'LC_IDENTIFICATION' - - 'LC_MEASUREMENT' - - 'LC_MESSAGES' - - 'LC_MONETARY' - - 'LC_NAME' - - 'LC_NUMERIC' - - 'LC_PAPER' - - 'LC_TELEPHONE' - - 'LC_TIME' + - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' + - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' + - 'LC_IDENTIFICATION LC_ALL' -ssh::server::address_family: 'any' -ssh::server::allow_tcp_forwarding: 'yes' -ssh::server::banner: 'none' -ssh::server::kbd_interactive_authentication: 'yes' -ssh::server::client_alive_count_max: 3 -ssh::server::client_alive_interval: 0 -ssh::server::gss_api_authentication: 'yes' -ssh::server::gss_api_cleanup_credentials: 'yes' -ssh::server::hostbased_authentication: 'no' -ssh::server::host_key: - - '/etc/ssh/ssh_host_rsa_key' -ssh::server::ignore_rhosts: 'yes' -ssh::server::ignore_user_known_hosts: 'no' -ssh::server::login_grace_time: 120 -#ssh::server::packages: -# - 'openssh' -ssh::server::password_authentication: 'yes' +ssh::server::authorized_keys_file: + - 
'.ssh/authorized_keys' +ssh::server::client_alive_interval: 180 +ssh::server::include: + - '/etc/ssh/sshd_config.d/*.conf' + - '/usr/etc/ssh/sshd_config.d/*.conf' ssh::server::permit_root_login: 'yes' -ssh::server::permit_tunnel: 'no' -ssh::server::port: - - 22 -ssh::server::print_motd: 'yes' -ssh::server::pubkey_authentication: 'yes' +ssh::server::print_motd: 'no' ssh::server::subsystem: 'sftp /usr/lib/ssh/sftp-server' -ssh::server::syslog_facility: 'AUTH' -ssh::server::tcp_keep_alive: 'yes' -ssh::server::use_dns: 'yes' ssh::server::use_pam: 'yes' ssh::server::x11_forwarding: 'yes' -ssh::server::x11_use_localhost: 'yes' -ssh::server::xauth_location: '/usr/bin/xauth' diff --git a/manifests/init.pp b/manifests/init.pp index f4d19301..57de6009 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -622,17 +622,27 @@ } if $include { - $include_dir = dirname($include) - file { 'ssh_config_include_dir': - ensure => 'directory', - path => $include_dir, - owner => $include_dir_owner, - group => $include_dir_group, - mode => $include_dir_mode, - purge => $include_dir_purge, - recurse => $include_dir_purge, - force => $include_dir_purge, - require => $packages_require, + case $include { + String: { + $include_dir = dirname($include) + file { 'ssh_config_include_dir': + ensure => 'directory', + path => $include_dir, + owner => $include_dir_owner, + group => $include_dir_group, + mode => $include_dir_mode, + purge => $include_dir_purge, + recurse => $include_dir_purge, + force => $include_dir_purge, + require => $packages_require, + } + } + Array: { + $include_dir = undef + } + default: { + $include_dir = undef + } } } else { $include_dir = undef diff --git a/manifests/server.pp b/manifests/server.pp index fdf1d233..826cf35c 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
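Review bot: `ssh::server::permit_root_login: 'yes'` stays in the SLES 15 defaults while the explicit pins for `hostbased_authentication: 'no'`, `ignore_rhosts: 'yes'`, `permit_tunnel: 'no'` and `password_authentication` are removed. Those settings are no longer rendered, so their effective values come from the OpenSSH built-in defaults or from whatever the two included drop-in directories contain. If the intent is only to mirror the vendor file, a comment above the key would make that explicit, for example `# Mirrors the vendor sshd_config; override ssh::server::permit_root_login in Hiera where root login should be restricted.` The `send_env` and `accept_env` entries now hold several space-separated names per array element, which presumably relies on the templates emitting each element verbatim and on the parameter types not validating individual names; that is not visible in this hunk and is worth confirming.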
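Review bot: In the new `Array:` branch of manifests/init.pp, `$include_dir` is set to `undef` and no `file` resource is declared, so `include_dir_owner`, `include_dir_group`, `include_dir_mode` and `include_dir_purge` are silently ignored whenever `include` is a list; the matching hunk in manifests/server.pp does the same. For sshd in particular this leaves the drop-in directories, whose contents the daemon reads, outside Puppet's ownership, mode and purge control. A short comment in the branch would document this, e.g. `# Multiple globs: directories are left unmanaged; include_dir_* parameters do not apply.`, and the identical `Array:` and `default:` branches can be merged. The `$include` parameter declaration is outside the hunk (as is the end of the `if $include` block) and the patch shows no other hunk in either manifest, so confirm the data type accepts an array, for example `Optional[Variant[String[1], Array[String[1]]]]`; otherwise the new SLES 15 data would fail at catalog compilation.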
@@ -621,18 +621,28 @@ } if $include { - $include_dir = dirname($include) - file { 'sshd_config_include_dir': - ensure => 'directory', - path => $include_dir, - owner => $include_dir_owner, - group => $include_dir_group, - mode => $include_dir_mode, - purge => $include_dir_purge, - recurse => $include_dir_purge, - force => $include_dir_purge, - require => $packages_require, - notify => $notify_service, + case $include { + String: { + $include_dir = dirname($include) + file { 'sshd_config_include_dir': + ensure => 'directory', + path => $include_dir, + owner => $include_dir_owner, + group => $include_dir_group, + mode => $include_dir_mode, + purge => $include_dir_purge, + recurse => $include_dir_purge, + force => $include_dir_purge, + require => $packages_require, + notify => $notify_service, + } + } + Array: { + $include_dir = undef + } + default: { + $include_dir = undef + } } } else { $include_dir = undef diff --git a/metadata.json b/metadata.json index 79623ff3..0670d8bf 100644 --- a/metadata.json +++ b/metadata.json @@ -69,6 +69,15 @@ "9" ] }, + { + "operatingsystem": "SLES", + "operatingsystemrelease": [ + "10", + "11", + "12", + "15" + ] + }, { "operatingsystem": "Scientific", "operatingsystemrelease": [ diff --git a/spec/classes/server_params_spec.rb b/spec/classes/server_params_spec.rb index 29e6beb8..e7850386 100644 --- a/spec/classes/server_params_spec.rb +++ b/spec/classes/server_params_spec.rb @@ -135,7 +135,7 @@ end ['SLED', 'SLES'].each do |name| - ['10', '11', '12'].each do |major| + ['10', '11', '12', '15'].each do |major| context "on #{name} #{major} with i386 architecture path for sftp subsystem is /usr/lib/ssh/sftp-server" do let(:facts) do { diff --git a/spec/fixtures/testing/SLES-15_ssh_config b/spec/fixtures/testing/SLES-15_ssh_config new file mode 100644 index 00000000..8a7b5d85 --- /dev/null +++ b/spec/fixtures/testing/SLES-15_ssh_config 
@@ -0,0 +1,12 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT +# +# See https://man.openbsd.org/ssh_config for more info + +Host * + ForwardX11Trusted yes + Include /etc/ssh/ssh_config.d/*.conf + Include /usr/etc/ssh/ssh_config.d/*.conf + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL diff --git a/spec/fixtures/testing/SLES-15_sshd_config b/spec/fixtures/testing/SLES-15_sshd_config new file mode 100644 index 00000000..33732867 --- /dev/null +++ b/spec/fixtures/testing/SLES-15_sshd_config @@ -0,0 +1,17 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT +# +# See https://man.openbsd.org/sshd_config for more info + +Include /etc/ssh/sshd_config.d/*.conf +Include /usr/etc/ssh/sshd_config.d/*.conf +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL +AuthorizedKeysFile .ssh/authorized_keys +ClientAliveInterval 180 +PermitRootLogin yes +PrintMotd no +Subsystem sftp /usr/lib/ssh/sftp-server +UsePAM yes +X11Forwarding yes diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index 8f6f6086..df225990 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -146,7 +146,9 @@ Host <%= @host %> IgnoreUnknown <%= @ignore_unknown.join(',') %> <% end -%> <% if @include != nil -%> - Include <%= @include %> +<% Array(@include).each do |v| -%> + Include <%= v %> +<% end -%> <% end -%> <% if @ip_qos != nil -%> IPQoS <%= @ip_qos %> diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 52b3a710..9238217f 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb 
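Review bot: The outer `<% if @include != nil -%>` guard in templates/ssh_config.erb is redundant around the new loop, because `Array(nil)` is an empty array and the loop then emits nothing; the same holds for the matching hunk in templates/sshd_config.erb. Dropping the guard, or writing it as `<% unless @include.nil? -%>`, would be more idiomatic Ruby. The surrounding `Host` block starts and ends outside the hunk.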
@@ -4,7 +4,9 @@ # See https://man.openbsd.org/sshd_config for more info <% if @include != nil -%> -Include <%= @include %> +<% Array(@include).each do |v| -%> +Include <%= v %> +<% end -%> <% end -%> <% if @accept_env != nil -%> <% @accept_env.each do |v| -%>
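Review bot: Nothing in the template records that the order of the `Include` lines is a precedence order. They are emitted at the top of sshd_config in array order, and sshd keeps the first value it obtains for each keyword, so files matched by an earlier glob win over later globs and over every directive rendered below them. An ERB comment above the loop would capture this, e.g. `<%# Include order is precedence order: sshd keeps the first value obtained for each keyword. -%>`. With the SLES 15 data in this patch, a file under `/etc/ssh/sshd_config.d/` can therefore override the Puppet-rendered `PermitRootLogin` and the other settings in this file. The template continues past the end of the hunk.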