From 73e8996fad744849997f5122da30947f11ff10a8 Mon Sep 17 00:00:00 2001
From: Lubomir Kacalek
Date: Thu, 30 Mar 2017 14:52:34 +0200
Subject: [PATCH 1/6] Authorized keys custom path
---
attributes/default.rb | 1 +
templates/default/opensshd.conf.erb | 5 +++++
2 files changed, 6 insertions(+)
diff --git a/attributes/default.rb b/attributes/default.rb
index 8ce83b2..2ee0f5a 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -99,6 +99,7 @@ default['ssh-hardening']['ssh']['server']['password_authentication'] = false default['ssh-hardening']['ssh']['server']['log_level'] = 'verbose' default['ssh-hardening']['ssh']['server']['accept_env'] = ['LANG', 'LC_*', 'LANGUAGE'] +default['ssh-hardening']['ssh']['server']['authorized_keys_path'] = nil # if not nil, full path to an authorized keys folder is expected # sshd sftp options default['ssh-hardening']['ssh']['server']['sftp']['enable'] = false
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
index b6c35f5..94ebdd0 100644
--- a/templates/default/opensshd.conf.erb
+++ b/templates/default/opensshd.conf.erb
@@ -96,6 +96,11 @@ MaxStartups 10:30:100 # Enable public key authentication PubkeyAuthentication yes +<% if @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] != nil %> +# Customized authorized keys path +AuthorizedKeysFile <%= @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %> +<% end %> + # Never use host-based authentication. It can be exploited. IgnoreRhosts yes IgnoreUserKnownHosts yes
From 7e9ca30391d0971af26278521e8b5da48d3356bf Mon Sep 17 00:00:00 2001
From: Lubomir Kacalek
Date: Thu, 13 Apr 2017 16:05:07 +0200
Subject: [PATCH 2/6] Test and readme added
Signed-off-by: Lubomir Kacalek
---
README.md | 2 +-
spec/recipes/server_spec.rb | 28 +++++++++++++++++++++++++++-
templates/default/opensshd.conf.erb | 2 +-
3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 1517f20..eb90d48 100644
--- a/README.md
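Review bot: The trailing comment on the added `authorized_keys_path` line describes the value as a "full path to an authorized keys folder", but the template hunk in this same patch renders it verbatim as sshd's `AuthorizedKeysFile`, which names one or more files, not a directory. OpenSSH accepts several whitespace-separated paths there, expands the `%h`, `%u` and `%%` tokens, and resolves relative paths under the user's home, so an operator following the comment literally would point sshd at a directory and key-based login would stop working. Suggest `# if set, rendered verbatim as sshd's AuthorizedKeysFile: one or more space-separated file paths (%h, %u, %% tokens allowed; relative paths resolve under the user's home)`. If the intended use is the hardening pattern of moving keys out of user homes (e.g. a root-owned `/etc/ssh/authorized_keys/%u`), the comment should also state that the target must not be user-writable, otherwise this attribute quietly undoes that control.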
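Review bot: When the attribute is unset the new `<% if %>` block emits nothing, so sshd falls back to its compiled-in `AuthorizedKeysFile` default, which on stock OpenSSH is `.ssh/authorized_keys .ssh/authorized_keys2`; the rest of this template pins every option explicitly, and leaving the legacy `authorized_keys2` fallback enabled by omission is the one place where a hardened host's key lookup now depends on the build rather than the cookbook. If existing nodes can tolerate the change, render a fixed value in an `else` branch, e.g. `AuthorizedKeysFile .ssh/authorized_keys`; otherwise at least extend the comment above the directive to say that the compiled-in default (including `authorized_keys2`) applies when the attribute is nil.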
+++ b/README.md
@@ -75,7 +75,7 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress'] * `['ssh-hardening']['ssh']['server']['sftp']['enable']` - `false`. Set to `true` to enable the SFTP feature of OpenSSH daemon * `['ssh-hardening']['ssh']['server']['sftp']['group']` - `sftponly`. Sets the `Match Group` option of SFTP to allow SFTP only for dedicated users * `['ssh-hardening']['ssh']['server']['sftp']['chroot']` - `/home/%u`. Sets the directory where the SFTP user should be chrooted - +* `['ssh-hardening']['ssh']['server']['authorized_keys_path']` - `nil`. If not nil, full path to an authorized keys folder is expected ## Usage
diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb
index 151dff4..3e9799b 100644
--- a/spec/recipes/server_spec.rb
+++ b/spec/recipes/server_spec.rb
@@ -636,4 +636,30 @@ with_content(/AcceptEnv some environment variables/) end end -end + + describe 'customized AuthorizedKeysFile option' do + context 'without customized AuthorizedKeysFile' do + cached(:chef_run) do + ChefSpec::ServerRunner.new.converge(described_recipe) + end + + it 'does not have AuthorizedKeysFile configured' do + expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). + with_content('AuthorizedKeysFile') + end + end + + context 'with customized AuthorizedKeysFile' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.normal['ssh-hardening']['ssh']['server']['authorized_keys_path'] = '/some/authorizedkeysfile' + end.converge(described_recipe) + end + + it 'has AuthorizedKeysFile configured' do + expect(chef_run).to render_file('/etc/ssh/sshd_config'). + with_content('AuthorizedKeysFile /some/authorizedkeysfile') + end + end + end +end \ No newline at end of file
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
index 94ebdd0..87f97c6 100644
--- a/templates/default/opensshd.conf.erb
+++ b/templates/default/opensshd.conf.erb
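Review bot: The new examples cover only `nil` and one literal path, so an empty or whitespace-only `authorized_keys_path` is untested even though the template hunk later in this patch moves to a plain truthiness check, and `''` is truthy in Ruby; that combination renders a bare `AuthorizedKeysFile` directive with no argument, which sshd refuses to start on. Add a third context that sets the attribute to `''` and asserts `expect(chef_run).not_to render_file('/etc/ssh/sshd_config').with_content('AuthorizedKeysFile')`, so whichever guard the template ends up with is pinned by the spec. The hunk also drops the trailing newline on the final `end` (`\ No newline at end of file`), which the later formatting patches in this series then spend several commits untangling; keep the file newline-terminated here.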
@@ -96,7 +96,7 @@ MaxStartups 10:30:100 # Enable public key authentication PubkeyAuthentication yes -<% if @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] != nil %> +<% if @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %> # Customized authorized keys path AuthorizedKeysFile <%= @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %> <% end %>
From 14e256c67d2b726f3a03c1472ed23547f4e364c9 Mon Sep 17 00:00:00 2001
From: lubomir-kacalek
Date: Tue, 18 Apr 2017 10:00:19 +0200
Subject: [PATCH 3/6] server_spec.rb based on the RuboCop findings
---
spec/recipes/server_spec.rb | 37 +++++++++++++++++++------------------
1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb
index cd352db..3271f4c 100644
--- a/spec/recipes/server_spec.rb
+++ b/spec/recipes/server_spec.rb
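Review bot: Replacing `!= nil` with a truthiness test still lets an empty string through, because `''` is truthy in Ruby; an operator who sets `authorized_keys_path = ''` to "unset" it gets `AuthorizedKeysFile ` rendered with no argument, and sshd refuses to start on a directive without a value, which can cost SSH access on the next converge if the service is restarted. Guard on content rather than presence: `<% unless @node['ssh-hardening']['ssh']['server']['authorized_keys_path'].to_s.strip.empty? %>`. The value is also interpolated unescaped into sshd_config, which is acceptable for an operator-controlled node attribute but worth stating in the comment above the directive so nobody later feeds it from external input.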
@@ -664,29 +664,30 @@ end end - describe 'customized AuthorizedKeysFile option' do +describe 'customized AuthorizedKeysFile option' do context 'without customized AuthorizedKeysFile' do - cached(:chef_run) do - ChefSpec::ServerRunner.new.converge(described_recipe) - end + cached(:chef_run) do + ChefSpec::ServerRunner.new.converge(described_recipe) + end - it 'does not have AuthorizedKeysFile configured' do - expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). - with_content('AuthorizedKeysFile') - end + it 'does not have AuthorizedKeysFile configured' do + expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). + with_content('AuthorizedKeysFile') + end end context 'with customized AuthorizedKeysFile' do - cached(:chef_run) do - ChefSpec::ServerRunner.new do |node| - node.normal['ssh-hardening']['ssh']['server']['authorized_keys_path'] = '/some/authorizedkeysfile' - end.converge(described_recipe) - end + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.normal['ssh-hardening']['ssh']['server']['authorized_keys_path'] = '/some/authorizedkeysfile' + end.converge(described_recipe) + end - it 'has AuthorizedKeysFile configured' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content('AuthorizedKeysFile /some/authorizedkeysfile') - end + it 'has AuthorizedKeysFile configured' do + expect(chef_run).to render_file('/etc/ssh/sshd_config'). + with_content('AuthorizedKeysFile /some/authorizedkeysfile') end end -end \ No newline at end of file +end + +end
From 6614cb1507ff46b494c99482840beb372facac45 Mon Sep 17 00:00:00 2001
From: lubomir-kacalek
Date: Tue, 18 Apr 2017 10:39:06 +0200
Subject: [PATCH 4/6] attributes white spaces fix
Signed-off-by: lubomir-kacalek
---
attributes/default.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index 55e2bdb..ad31668 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -106,7 +106,7 @@ server['log_level'] = 'verbose' server['accept_env'] = ['LANG', 'LC_*', 'LANGUAGE'] server['authorized_keys_path'] = nil # if not nil, full path to an authorized keys folder is expected - + # extra server configuration options server['extras'] = {}
From b9945a8cde24e2137dd391b1201256a10b15463d Mon Sep 17 00:00:00 2001
From: lubomir-kacalek
Date: Tue, 18 Apr 2017 10:56:50 +0200
Subject: [PATCH 5/6] server_spec.rb formating fix
Signed-off-by: lubomir-kacalek
---
spec/recipes/server_spec.rb | 41 ++++++++++++++++++++---------------------
1 file changed, 20 insertions(+), 21 deletions(-)
diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb
index 3271f4c..b9729bd 100644
--- a/spec/recipes/server_spec.rb
+++ b/spec/recipes/server_spec.rb
@@ -664,30 +664,29 @@ end end -describe 'customized AuthorizedKeysFile option' do - context 'without customized AuthorizedKeysFile' do - cached(:chef_run) do - ChefSpec::ServerRunner.new.converge(described_recipe) - end + describe 'customized AuthorizedKeysFile option' do + context 'without customized AuthorizedKeysFile' do + cached(:chef_run) do + ChefSpec::ServerRunner.new.converge(described_recipe) + end - it 'does not have AuthorizedKeysFile configured' do - expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). - with_content('AuthorizedKeysFile') - end - end + it 'does not have AuthorizedKeysFile configured' do + expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). + with_content('AuthorizedKeysFile') + end + end - context 'with customized AuthorizedKeysFile' do - cached(:chef_run) do - ChefSpec::ServerRunner.new do |node| - node.normal['ssh-hardening']['ssh']['server']['authorized_keys_path'] = '/some/authorizedkeysfile' - end.converge(described_recipe) - end + context 'with customized AuthorizedKeysFile' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.normal['ssh-hardening']['ssh']['server']['authorized_keys_path'] = '/some/authorizedkeysfile' + end.converge(described_recipe) + end - it 'has AuthorizedKeysFile configured' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content('AuthorizedKeysFile /some/authorizedkeysfile') + it 'has AuthorizedKeysFile configured' do + expect(chef_run).to render_file('/etc/ssh/sshd_config'). + with_content('AuthorizedKeysFile /some/authorizedkeysfile') + end end end end - -end
From 71b4f504f7e8126d0f2a73ea9e937781c28640bb Mon Sep 17 00:00:00 2001
From: lubomir-kacalek
Date: Tue, 18 Apr 2017 11:55:40 +0200
Subject: [PATCH 6/6] server_spec.rb formating fix
Signed-off-by: lubomir-kacalek
---
spec/recipes/server_spec.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb
index b9729bd..ae003e2 100644
--- a/spec/recipes/server_spec.rb
+++ b/spec/recipes/server_spec.rb
@@ -673,8 +673,8 @@ it 'does not have AuthorizedKeysFile configured' do expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). with_content('AuthorizedKeysFile') - end end + end context 'with customized AuthorizedKeysFile' do cached(:chef_run) do