Add the variable AllowAgentForwarding to be set, with the default of 'no', only the...
authorMicah Anderson <micah@riseup.net>
Fri, 26 Sep 2008 20:57:59 +0000 (16:57 -0400)
committerMicah Anderson <micah@riseup.net>
Fri, 26 Sep 2008 20:57:59 +0000 (16:57 -0400)
template was adjusted for this, as my knowledge of the other operating systems is not good enough
to determine the appropriate setting there

manifests/init.pp
templates/sshd_config/Debian_normal.erb

index 95682fd553b6332077389bf79b2f79e3262c919f..4e796f342b3bfee10100bed809df5513866256cf 100644 (file)
@@ -43,6 +43,9 @@
 #                               Valid Values: yes or no
 #                               Default: no
 #
+# sshd_agent_forwarding:       If you want to allow ssh-agent forwarding
+#                              Valid Values: yes or no
+#                              Default: no
 
 class sshd {
     include sshd::client 
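Review bot: The added comment promises `Default: no`, but the file list and commit message suggest only templates/sshd_config/Debian_normal.erb reads `sshd_agent_forwarding`. If so, hosts rendered from any other template ignore the variable and fall back to sshd's built-in default, which permits agent forwarding. The comment should state that scope, for example `#                              Default: no (Debian template only; ignored by the other templates)`. A closing `#` line after the entry would also match the parameter blocks above it.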
@@ -81,6 +84,10 @@ class sshd::base {
         '' => 'no',
         default => $sshd_x11_forwarding
     }
+    $real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
+       '' => 'no',
+       default => $sshd_agent_forwarding
+    }
 
     file { 'sshd_config':
         path => '/etc/ssh/sshd_config',
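Review bot: The new selector passes any non-empty value through unchanged, so `'Yes'`, `'true'` or a typo reaches the template as-is. The Debian template in this commit then treats everything except the exact string `yes` as `no`, which fails closed but silently. A comment above the selector would make this explicit, e.g. `# anything other than the literal 'yes' is rendered as "AllowAgentForwarding no"`. The two added selector arms are also indented one column less than the `sshd_x11_forwarding` arms just above. The `sshd::base` class body begins and continues outside this hunk.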
index 70c1a3455903b0c2e218fb2ff6a7f8ec18270651..989fa62371d258706f22ccd0025b23626c78ee42 100644 (file)
@@ -94,9 +94,15 @@ UsePAM no
 
 HostbasedUsesNameFromPacketOnly yes
 AllowTcpForwarding yes
+<%- if real_sshd_agent_forwarding.to_s == 'yes' then %>
+AllowAgentForwarding yes
+<%- else %>
+AllowAgentForwarding no
+<%- end %>
 
 ChallengeResponseAuthentication no
 
 <%- unless real_sshd_allowed_users.to_s.empty? then %>
 AllowUsers <%= real_sshd_allowed_users %>
 <%- end %>
+
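Review bot: The template now always emits an `AllowAgentForwarding` line, and as far as I know that keyword only exists from OpenSSH 5.1 onward. An older sshd treats it as a bad configuration option and refuses to start, which on a remotely managed host means losing SSH access at the next restart. The block should be guarded by the installed sshd version, or the rendered file should be checked with `sshd -t` before the service is reloaded. Note also that `AllowTcpForwarding yes` stays hard-coded on the context line above, and sshd_config(5) says disabling agent forwarding does not improve security for users who keep shell access. The five added lines could be written as one: `AllowAgentForwarding <%= real_sshd_agent_forwarding.to_s == 'yes' ? 'yes' : 'no' %>`.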