Feature #9672

Updated by James Turnbull over 1 year ago

The following patches allow Puppet to properly identify ECDSA keys used by SSH. These are now enabled by default in OpenBSD. I'd like to see these put into Puppet. See ticket #4488 as well.

<pre>
--- lib/puppet/type/ssh_authorized_key.rb.orig Sat Aug 6 14:18:42 2011
+++ lib/puppet/type/ssh_authorized_key.rb Thu Sep 22 16:22:13 2011
@@ -23,11 +23,10 @@ module Puppet
newproperty(:type) do
desc "The encryption type used: ssh-dss or ssh-rsa."

- newvalue("ssh-dss")
- newvalue("ssh-rsa")
-
- aliasvalue(:dsa, "ssh-dss")
- aliasvalue(:rsa, "ssh-rsa")
+ newvalues :'ssh-dss', :'ssh-rsa', :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521'
+
+ aliasvalue(:dsa, :'ssh-dss')
+ aliasvalue(:rsa, :'ssh-rsa')
end

newproperty(:key) do
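Review bot: The `desc` on the `type` property still reads "The encryption type used: ssh-dss or ssh-rsa." although the `newvalues` line directly below it now also accepts the three `ecdsa-sha2-nistp*` types, so the generated type reference will understate what this property validates. Update it to `desc "The encryption type used: ssh-dss, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 or ecdsa-sha2-nistp521."`. The same five-name list is repeated by hand in the `:match` regex of lib/puppet/provider/ssh_authorized_key/parsed.rb; a single frozen constant shared by the type and the provider would keep the two allowlists from drifting, since a type accepted here but missing from the provider regex would be written to authorized_keys and then fall through to the `text_line :unrecognised` rule on the next read.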

--- spec/unit/type/ssh_authorized_key_spec.rb.orig Sat Aug 6 14:19:01 2011
+++ spec/unit/type/ssh_authorized_key_spec.rb Thu Sep 22 16:23:15 2011
@@ -70,23 +70,11 @@ describe ssh_authorized_key do

describe "for type" do

-
- it "should support ssh-dss" do
- proc { @class.new(:name => "whev", :type => "ssh-dss", :user => "nobody") }.should_not raise_error
- end
-
- it "should support ssh-rsa" do
- proc { @class.new(:name => "whev", :type => "ssh-rsa", :user => "nobody") }.should_not raise_error
- end
-
- it "should support :dsa" do
- proc { @class.new(:name => "whev", :type => :dsa, :user => "nobody") }.should_not raise_error
- end
-
- it "should support :rsa" do
- proc { @class.new(:name => "whev", :type => :rsa, :user => "nobody") }.should_not raise_error
- end
-
+ [:'ssh-dss', :'ssh-rsa', :rsa, :dsa, :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521'].each do |keytype|
+ it "should support #{keytype}" do
+ proc { @class.new(:name => "whev", :type => keytype, :user => "nobody") }.should_not raise_error
+ end
+ end
it "should alias :rsa to :ssh-rsa" do
key = @class.new(:name => "whev", :type => :rsa, :user => "nobody")
key.should(:type).should == :'ssh-rsa'
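Review bot: The new `each` loop at the top of this hunk only asserts that each listed type constructs without error; nothing in the visible hunk checks that a type outside the list is rejected, which is the property that makes `newvalues` act as an allowlist. Unless a negative case exists elsewhere in the `describe "for type"` block, add one after the loop: `it "should reject an unsupported type" do` / `proc { @class.new(:name => "whev", :type => :'ssh-unknown', :user => "nobody") }.should raise_error` / `end`. A blank line between the loop's closing `end` and the following `it "should alias :rsa to :ssh-rsa"` example would also keep the examples visually separated, matching the spacing the removed examples had. The `describe` block continues outside the hunk.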

--- lib/puppet/provider/ssh_authorized_key/parsed.rb.orig Sat Aug 6 14:18:42 2011
+++ lib/puppet/provider/ssh_authorized_key/parsed.rb Fri Sep 23 09:30:15 2011
@@ -17,7 +17,11 @@ require 'puppet/provider/parsedfile'
:fields => %w{options type key name},
:optional => %w{options},
:rts => /^\s+/,
- :match => /^(?:(.+) )?(ssh-dss|ssh-rsa) ([^ ]+) ?(.*)$/,
+ # The name field is not optional here. Lines without a name
+ # will be matched by the "text_line :unrecognised" rule instead.
+ # (Do not change the (.+) at the end to (.*), or make the preceding
+ # space optional.)
+ :match => /^(?:(.+) )?(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ([^ ]+) (.+)$/,
:post_parse => proc { |h|
h[:name] = "" if h[:name] == :absent
h[:options] ||= [:absent]
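Review bot: The tightened `:match` regex at the end of this hunk now requires a trailing name field, so an authorized_keys line of the form `<type> <key>` with no comment no longer matches the `key` record and, as the added comment says, is picked up by the `text_line :unrecognised` rule instead. That is a behaviour change the comment should state outright: such a line is preserved verbatim but is invisible to the `ssh_authorized_key` resource, and if purging of unmanaged keys acts only on parsed `key` records (I infer that from the provider structure; confirm), a key without a comment would survive a purge. Suggest appending `# Consequence: a key line with no comment is kept as opaque text and is neither managed nor purged by Puppet.` to the comment block above `:match`.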
@@ -33,6 +37,8 @@ require 'puppet/provider/parsedfile'
:optional => %w{options},
:rts => /^\s+/,
:match => /^(?:(.+) )?(\d+) (\d+) (\d+)(?: (.+))?$/
+
+ text_line :unrecognised, :match => //

def dir_perm
0700
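Review bot: `text_line :unrecognised, :match => //` matches every line, so its effect depends entirely on being declared after the `key` record; if record types are tried in definition order (which I infer from the parsedfile DSL — confirm), moving it earlier would shadow every key. A one-line comment would protect the next editor from that: `# Must stay last: the empty regex matches every line, catching only what the key record rejected.`. The catch-all also makes malformed key lines fail silently; if `text_line` accepts a `:post_parse` hook, a debug-level log there would leave a trace for anyone auditing why a key in the file was not managed.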
</pre>

