Skip to content

Commit

Permalink
Merge pull request #172 from lubomir-kacalek/master
Browse files Browse the repository at this point in the history
Authorized keys custom path
  • Loading branch information
artem-sidorenko authored Apr 18, 2017
2 parents eaf6c11 + 71b4f50 commit 2e89e52
Show file tree
Hide file tree
Showing 4 changed files with 33 additions and 2 deletions.
3 changes: 1 addition & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -76,10 +76,9 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress']
* `['ssh-hardening']['ssh']['server']['sftp']['enable']` - `false`. Set to `true` to enable the SFTP feature of OpenSSH daemon
* `['ssh-hardening']['ssh']['server']['sftp']['group']` - `sftponly`. Sets the `Match Group` option of SFTP to allow SFTP only for dedicated users
* `['ssh-hardening']['ssh']['server']['sftp']['chroot']` - `/home/%u`. Sets the directory where the SFTP user should be chrooted

* `['ssh-hardening']['ssh']['server']['authorized_keys_path']` - `nil`. If not nil, full path to an authorized keys folder is expected
* `['ssh-hardening']['ssh']['server']['extras']` - `{}`. Add extra configuration options, see [below](#extra-configuration-options) for details


## Usage

Add the recipes to the run_list:
Expand Down
1 change: 1 addition & 0 deletions attributes/default.rb
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,7 @@
server['password_authentication'] = false
server['log_level'] = 'verbose'
server['accept_env'] = ['LANG', 'LC_*', 'LANGUAGE']
server['authorized_keys_path'] = nil # if not nil, full path to an authorized keys folder is expected

# extra server configuration options
server['extras'] = {}
Expand Down
26 changes: 26 additions & 0 deletions spec/recipes/server_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -663,4 +663,30 @@
with_content(/AcceptEnv some environment variables/)
end
end

describe 'customized AuthorizedKeysFile option' do
context 'without customized AuthorizedKeysFile' do
cached(:chef_run) do
ChefSpec::ServerRunner.new.converge(described_recipe)
end

it 'does not have AuthorizedKeysFile configured' do
expect(chef_run).not_to render_file('/etc/ssh/sshd_config').
with_content('AuthorizedKeysFile')
end
end

context 'with customized AuthorizedKeysFile' do
cached(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh']['server']['authorized_keys_path'] = '/some/authorizedkeysfile'
end.converge(described_recipe)
end

it 'has AuthorizedKeysFile configured' do
expect(chef_run).to render_file('/etc/ssh/sshd_config').
with_content('AuthorizedKeysFile /some/authorizedkeysfile')
end
end
end
end
5 changes: 5 additions & 0 deletions templates/default/opensshd.conf.erb
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,11 @@ MaxStartups 10:30:100
# Enable public key authentication
PubkeyAuthentication yes

<% if @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %>
# Customized authorized keys path
AuthorizedKeysFile <%= @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %>
<% end %>

# Never use host-based authentication. It can be exploited.
IgnoreRhosts yes
IgnoreUserKnownHosts yes
Expand Down

0 comments on commit 2e89e52

Please sign in to comment.