Merge pull request #221 from artem-forks/match-groups
Support of custom match configuration blocks
chris-rock authored Jul 17, 2019
2 parents c5d1b50 + e289780 commit 8151e35
Showing 5 changed files with 61 additions and 2 deletions.
4 changes: 2 additions & 2 deletions .rubocop.yml
Expand Up @@ -4,7 +4,7 @@ AllCops:
Exclude:
- vendor/**/*
- test/**/*
TargetRubyVersion: 2.1 # we need this because of chef 12.5.1 support
TargetRubyVersion: 2.4
Metrics/AbcSize:
Max: 29
Metrics/CyclomaticComplexity:
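Review bot: dropping the `# we need this because of chef 12.5.1 support` comment while raising TargetRubyVersion from 2.1 to 2.4 silently ends support for Chef 12.5.1 (which embeds Ruby 2.1), and neither the commit message nor the README says so. State the new minimum in the cookbook metadata and changelog. This matters for the feature itself: the README example for `match_blocks` uses `<<~` heredocs, which only parse on Ruby 2.3 or later, and attribute files are evaluated by the Ruby embedded in chef-client on the node, so a wrapper cookbook copying that example will fail to compile on older Chef releases.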
Expand Down Expand Up @@ -35,4 +35,4 @@ Metrics/BlockLength:
Exclude:
- 'spec/**/*'
Style/FrozenStringLiteralComment:
Enabled: false
Enabled: false
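Review bot: this hunk only adds the missing newline at end of file; it is harmless, but it is unrelated to the match-block feature and would be cleaner as its own commit.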
19 changes: 19 additions & 0 deletions README.md
Expand Up @@ -79,6 +79,7 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress']
* `['ssh-hardening']['ssh']['server']['sftp']['password_authentication']` - `false`. Set to `true` if password authentication should be enabled
* `['ssh-hardening']['ssh']['server']['authorized_keys_path']` - `nil`. If not nil, full path to an authorized keys folder is expected
* `['ssh-hardening']['ssh']['server']['extras']` - `{}`. Add extra configuration options, see [below](#extra-configuration-options) for details
* `['ssh-hardening']['ssh']['server']['match_blocks']` - `{}`. Match configuration block, see [below](#match-configuration-options-for-sshd) for details

## Usage

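Review bot: "Match configuration block" under-describes the attribute; it is a hash whose keys are the `Match` criteria (for example `User root`) and whose values are the directives to apply inside that block, inserted into sshd_config verbatim. Suggest: `['ssh-hardening']['ssh']['server']['match_blocks']` - `{}`. Hash of Match criteria to the sshd directives that apply inside that block, appended at the end of sshd_config. The entry should also carry a warning: directives inside a Match block take precedence over the global values this cookbook sets, so this attribute is a way to relax the hardening for matched users, groups or addresses and deserves the same review as the global settings.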
Expand Down Expand Up @@ -145,6 +146,24 @@ default['ssh-hardening']['ssh']['client']['extras'].tap do |extra|
end
```

## Match Configuration Options for sshd
Match blocks have to be placed by the end of sshd_config. This can be achieved by using the `match_blocks` attribute tree:

```
default['ssh-hardening']['ssh']['server']['match_blocks'].tap do |match|
match['User root'] = <<~ROOT
AuthorizedKeysFile .ssh/authorized_keys
ROOT
match['User git'] = <<~GIT
Banner none
AuthorizedKeysCommand /bin/false
AuthorizedKeysFile .ssh/authorized_keys
GSSAPIAuthentication no
PasswordAuthentication no
GIT
end
```

## Local Testing

Please install [chef-dk](https://downloads.chef.io/chefdk), [VirtualBox](https://www.virtualbox.org/) or VMware Workstation and [Vagrant](https://www.vagrantup.com/).
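Review bot: "have to be placed by the end of sshd_config" should read "at the end", and the reason belongs in the text: sshd treats every directive after a `Match` line as part of that block until the next `Match` or end of file, so anything rendered after the blocks would silently become conditional. Two more caveats the section should state: only the keywords listed in sshd_config(5) as allowed in a Match block may appear in the value (for example `Port` or `ListenAddress` are rejected and sshd will not start), and when several blocks match a connection sshd applies only the first instance of each keyword, so the order of overlapping keys in the hash matters. The `User git` example itself is risky as written: `AuthorizedKeysCommand /bin/false` without an `AuthorizedKeysCommandUser` makes sshd refuse to start unless the cookbook sets that user elsewhere, so either add `AuthorizedKeysCommandUser nobody` to the example or drop the `AuthorizedKeysCommand` line. Tagging the fence as ```ruby would also give the example syntax highlighting.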
3 changes: 3 additions & 0 deletions attributes/default.rb
Expand Up @@ -113,6 +113,9 @@
# extra server configuration options
server['extras'] = {}

# server match configuration block
server['match_blocks'] = {}

# sshd sftp options
server['sftp']['enable'] = false
server['sftp']['log_level'] = 'VERBOSE'
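Review bot: the comment should be plural and describe the shape of the value, e.g. `# sshd Match blocks: { 'Match criteria' => "directive lines" }, appended at the end of sshd_config`. Because this is a hash attribute, Chef deep-merges it across precedence levels by key, so a wrapper that sets `override[...]['match_blocks'] = {}` does not remove a block defined at a lower precedence; it has to override the specific key. A one-line comment pointing that out will save users a surprise.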
29 changes: 29 additions & 0 deletions spec/recipes/server_spec.rb
Expand Up @@ -501,6 +501,35 @@
end
end

describe 'match configuration blocks' do
context 'without custom extra config value' do
cached(:chef_run) do
ChefSpec::SoloRunner.new.converge(described_recipe)
end

it 'does not have any match config blocks' do
expect(chef_run).to render_file('/etc/ssh/sshd_config')
expect(chef_run).not_to render_file('/etc/ssh/sshd_config').
with_content(/^# Match Configuration Blocks/)
end
end

context 'with custom match config block value' do
cached(:chef_run) do
ChefSpec::SoloRunner.new do |node|
node.normal['ssh-hardening']['ssh']['server']['match_blocks']['User root'] = <<~ROOT
AuthorizedKeysFile .ssh/authorized_keys
ROOT
end.converge(described_recipe)
end

it 'uses the match config blocks' do
expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/^# Match Configuration Blocks/)
expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/^Match User root/)
end
end
end

it 'disables the challenge response authentication' do
expect(chef_run).to render_file('/etc/ssh/sshd_config').
with_content(/ChallengeResponseAuthentication no/)
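Review bot: the context description `'without custom extra config value'` is copied from the extras spec and should read `'without custom match config block value'`. The positive test is also weaker than the feature needs: it checks for the marker comment and the `Match User root` line but never verifies that the directive was rendered inside the block or that the blocks end up last in the file, which is the property the README relies on. Suggest asserting the body together with its indent, e.g. `with_content(/^Match User root\n\s+AuthorizedKeysFile \.ssh\/authorized_keys$/)`, and adding a second key to the hash to exercise rendering of consecutive blocks.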
8 changes: 8 additions & 0 deletions templates/default/opensshd.conf.erb
Expand Up @@ -245,3 +245,11 @@ X11Forwarding no
#PermitRootLogin no
#X11Forwarding no
<% end %>

<%- unless @node['ssh-hardening']['ssh']['server']['match_blocks'].empty? %>
# Match Configuration Blocks
<%- @node['ssh-hardening']['ssh']['server']['match_blocks'].each do |key, value| %>
Match <%= key %>
<%= value.split("\n").join("\n ") %>
<% end -%>
<% end -%>
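Review bot: `key` and `value` are interpolated without any validation, so a blank key renders a bare `Match` line, and an invalid directive in the value renders unchanged; sshd rejects both at startup, and if the template notifies a service restart that is a remote lockout. Suggest raising in the recipe when a key is blank and, unless the template resource already does so, adding `verify 'sshd -t -f %{path}'` to it so a broken rendering never replaces the live config. Two smaller points: `.split("\n").join("\n ")` indents with a single space and the loop emits no blank line between consecutive blocks, so two spaces and a blank line after each `<% end -%>` would keep the file readable; and since the blocks are only correct as the last thing in the file, a comment such as `# must remain the last section: every directive after a Match belongs to it` above the `unless` will stop a later change from appending something below them.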
