set KbdInteractiveAuthentication on newer SSH versions

saz · saz · commit 345e303fb6b2 · 2025-10-30T14:01:59.000+01:00
diff --git a/README.md b/README.md
@@ -1,15 +1,9 @@
 # Puppet SSH
 
-[![Puppet Forge modules by saz](https://img.shields.io/puppetforge/mc/saz.svg)](https://forge.puppetlabs.com/saz)
-[![Puppet Forge](http://img.shields.io/puppetforge/v/saz/ssh.svg)](https://forge.puppetlabs.com/saz/ssh)
-[![Puppet Forge downloads](https://img.shields.io/puppetforge/dt/saz/ssh.svg)](https://forge.puppetlabs.com/saz/ssh)
-[![Puppet Forge score](https://img.shields.io/puppetforge/f/saz/ssh.svg)](https://forge.puppetlabs.com/saz/ssh)
-[![Build Status](https://github.com/saz/puppet-ssh/workflows/CI/badge.svg)](https://github.com/saz/puppet-ssh/actions?query=workflow%3ACI)
-
 Manage SSH client and server via Puppet.
-Source: https://github.com/saz/puppet-ssh
 
 ## Requirements
+
 * Exported resources for host keys management
 * puppetlabs/stdlib
 * puppetlabs/concat
@@ -31,6 +25,7 @@ options => {
 This is working for both, client and server.
 
 ### Both client, server and per user client configuration
+
 Host keys will be collected and distributed unless
  `storeconfigs_enabled` is `false`.
 
@@ -71,6 +66,7 @@ class { 'ssh':
 ```
 
 ### Hiera example
+
 ```yaml
 ssh::storeconfigs_enabled: true
 
@@ -106,6 +102,7 @@ ssh::users_client_options:
 ```
 
 ### Client only
+
 Collected host keys from servers will be written to `known_hosts` unless
  `storeconfigs_enabled` is `false`
 
@@ -189,6 +186,7 @@ SSH configuration file will be `/var/lib/bob/.ssh/config`.
 ```
 
 ### Server only
+
 Host keys will be collected for client distribution unless
  `storeconfigs_enabled` is `false`
 
@@ -226,7 +224,6 @@ class { 'ssh::server':
 }
 ```
 
-
 ## Default options
 
 ### Client
@@ -251,6 +248,7 @@ class { 'ssh::server':
 ```
 
 ## Overwriting default options
+
 Default options will be merged with options passed in.
 If an option is set both as default and via options parameter, the latter
 will win.
@@ -305,6 +303,7 @@ PasswordAuthentication no
 ```
 
 ## Defining host keys for server
+
 You can define host keys your server will use
 
 ```puppet
@@ -327,7 +326,6 @@ ssh::server::host_key {'ssh_host_rsa_key':
 Both of these definitions will create ```/etc/ssh/ssh_host_rsa_key``` and
 ```/etc/ssh/ssh_host_rsa_key.pub``` and restart sshd daemon.
 
-
 ## Adding custom match blocks
 
 ```puppet
diff --git a/data/AIX.yaml b/data/AIX.yaml
@@ -8,9 +8,8 @@ ssh::server::service_name: 'sshd'
 ssh::sftp_server_path: '/usr/sbin/sftp-server'
 ssh::server::host_priv_key_group: 0
 ssh::server::default_options:
-  AcceptEnv: 'LANG LC_*'
-  ChallengeResponseAuthentication: 'no'
+  X11Forwarding: 'yes'
   PrintMotd: 'no'
+  AcceptEnv: 'LANG LC_*'
   Subsystem: "sftp %{lookup('ssh::sftp_server_path')}"
   UsePAM: 'no'
-  X11Forwarding: 'yes'
diff --git a/data/OpenBSD.yaml b/data/OpenBSD.yaml
@@ -7,7 +7,6 @@ ssh::server::service_name: 'sshd'
 ssh::sftp_server_path: '/usr/libexec/sftp-server'
 ssh::server::host_priv_key_group: 0
 ssh::server::default_options:
-  ChallengeResponseAuthentication: 'no'
   X11Forwarding: 'yes'
   PrintMotd: 'no'
   AcceptEnv: 'LANG LC_*'
diff --git a/data/Solaris.yaml b/data/Solaris.yaml
@@ -6,12 +6,11 @@ ssh::server::service_name: 'svc:/network/ssh:default'
 ssh::sftp_server_path: 'internal-sftp'
 
 ssh::server::default_options:
-  ChallengeResponseAuthentication: 'no'
   X11Forwarding: 'yes'
   PrintMotd: 'no'
   Subsystem: "sftp %{lookup('ssh::sftp_server_path')}"
   HostKey:
     - "%{lookup('ssh::server::sshd_dir')}/ssh_host_rsa_key"
     - "%{lookup('ssh::server::sshd_dir')}/ssh_host_dsa_key"
-  
+
 ssh::client::default_options: {}
diff --git a/data/common.yaml b/data/common.yaml
@@ -29,7 +29,6 @@ ssh::server::issue_net              : '/etc/issue.net'
 ssh::knownhosts::collect_enabled    : true
 
 ssh::server::default_options:
-  ChallengeResponseAuthentication: 'no'
   X11Forwarding: 'yes'
   PrintMotd: 'no'
   AcceptEnv: 'LANG LC_*'
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -101,7 +101,12 @@
   if $use_augeas {
     $merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::server::sshd_config })
   } else {
-    $merged_options = deep_merge($default_options, $options)
+    if 'ssh_server_version_release' in $facts and $facts['ssh_server_version_release'] and versioncmp($facts['ssh_server_version_release'], '8.6') >= 0 {
+      $default_options_real = $default_options + { 'KbdInteractiveAuthentication' => 'no' }
+    } else {
+      $default_options_real = $default_options + { 'ChallengeResponseAuthentication' => 'no' }
+    }
+    $merged_options = deep_merge($default_options_real, $options)
   }
 
   contain ssh::server::install
diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb
@@ -7,6 +7,18 @@
     context "on #{os}" do
       let(:facts) { os_facts }
 
+      case os_facts[:os]['name']
+      when 'Debian'
+        if os_facts[:os]['release']['major'] == '12'
+          context 'with ssh_server_version_release set to 10.0' do
+            let(:facts) { os_facts.merge(ssh_server_version_release: '10.0') }
+
+            sshd_config = "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nKbdInteractiveAuthentication no\nPrintMotd no\nSubsystem sftp /usr/lib/openssh/sftp-server\nUsePAM yes\nX11Forwarding yes\n"
+            it { is_expected.to contain_concat__fragment('global config').with_content(sshd_config) }
+          end
+        end
+      end
+
       svc_name = case os_facts[:os]['family']
                  when 'Debian'
                    'ssh'
