Commit 011001fb authored by Christopher Huhn's avatar Christopher Huhn

Merge branch '29-handle-etc-ssh-ssh_known_hosts'

parents b500f0e0 9fd25c05
......@@ -78,6 +78,12 @@ platforms:
provision: true
vagrantfiles:
- vagrant.rb
provisioner:
client_rb:
# Chef 15 no longer collects passwd information by default
# cf. https://stackoverflow.com/a/70749387/9793012
'ohai.optional_plugins = ':
- :Passwd
suites:
- name: sys_accounts
......@@ -269,6 +275,15 @@ suites:
root:
'*':
AddKeysToAgent: ask
known_hosts:
git.gsi.de:
ssh-rsa: AAAAB3NzaC1yc2EAAAADAQABAAABAQCeDOfPabxvYr+HNlBfE4plYktECkYIDRE3ggxjPOSGIH1SEMp+eMvbm46/aGXRBtEcHDXNju+CS2P+RjiNVV7UWzbkrsi3uyjDoDwMRlJyhvPR79fS4nsxI04ztk0GrYYZRGoDj9LcVdXWHYN/Ru70K2U+G2bQ8l2otMYVKdnsIssd1MOBpISy7fursYmC31U/Bpn19nfn0sRpdL8WNrjmJukFTzaSAJQIzciF/uTkAw5qmmJXRsl7aXyk5S690SQx8Wj1Jk8+AM508zdeD/M6vnWXDQQWZPYi1IcB+GA+7mQr9ijo3qJ9dIT54iZUAWmZU1KGYh5PBD93OnuiFh3P
ecdsa-sha2-nistp256: AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHXJoiDuGO3tveTCbbQONo9mBCXohPlziqGJAMvW8BY/WRMTW+C4Thoc2L69JZtV/FHF7fGpJ/g81Ljrxm4Huk8=
ssh-ed25519: AAAAC3NzaC1lZDI1NTE5AAAAINftkQCmVICGs0rdcZ13OQhdaQMjrYhsFF1ACtNwMseR
github.com:
ecdsa-sha2-nistp256: AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
ssh-ed25519: AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
ssh-rsa: AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
ssh_config:
- '*.example.org':
SendEnv: TGIF
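Review bot: the host keys for git.gsi.de and github.com are pasted verbatim into the fixture with nothing recording where or when they were obtained; add a comment with the scan date and the out-of-band source the fingerprints were checked against (the provider's published fingerprints, not just `ssh-keyscan` output), because these entries become authoritative for the converged instance and the spec at the bottom of this MR pins on the exact `github.com ssh-rsa ... ==` line. Without that provenance nobody can tell a rotated key from a wrong one when the test starts failing.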
......
......@@ -2,6 +2,11 @@
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [1.65.0] - 2022-04-29
### Added
- [`sys::ssh`] [Manage `/etc/ssh/ssh_known_hosts`](https://git.gsi.de/chef/cookbooks/sys/-/merge_requests/44)
## [1.64.3] - 2022-04-27
### Added
......
Configures the SSH daemon and deploys a public keys an configurations for a given user account.
# `sys::ssh`
Globally configures the SSH daemon and client and deploys public keys and configs for given user accounts.
`attributes/ssh.rb`
`recipes/ssh.rb`
......@@ -8,8 +10,9 @@ Configures the SSH daemon and deploys a public keys an configurations for a give
## Global Daemon Configuration
Configure the SSH daemon using attributes in `node.sys.sshd.config` (read the `sshd_config` manual for a list of all available configuration key-value pairs). Note that when the daemon configuration is empty the original `/etc/ssh/sshd_config` file wont be modified.
Configure the SSH daemon using attributes in `node['sys']['sshd']['config']`
(read the `sshd_config` manual for a list of all available configuration key-value pairs).
The original `/etc/ssh/sshd_config` file will be left untouched if `node['sys']['sshd']['config']` is empty.
"sys" => {
"sshd" => {
......@@ -23,7 +26,11 @@ Configure the SSH daemon using attributes in `node.sys.sshd.config` (read the `s
## User Configuration
All hashes in `node.sys.ssh.config[account]` (where account is an existing user) represent an SSH configuration (read the `ssh_config` manual for a list of all available configuration options). The user specific configuration is written to `$HOME/.ssh/config`. A key defines the `Host` keywords restriction pattern, and the value contains a list of configuration key-value pairs stored in a hash:
All hashes in `node['sys']['ssh']['config'][account]` (where account is an existing user) represent an SSH configuration
(read the `ssh_config` manual for a list of all available configuration options).
The user specific configuration is written to `$HOME/.ssh/config`.
A key defines the `Host` keywords restriction pattern, and the
value contains a list of configuration key-value pairs stored in a hash:
"sys" => {
"ssh" => {
......@@ -46,7 +53,7 @@ All hashes in `node.sys.ssh.config[account]` (where account is an existing user)
}
}
The example above writes configuration files for the users `devops` and `noops` into their home-directories.
The example above writes configuration files for the users `devops` and `noops` into their `~/.ssh/config`.
Alternatively use the resource `sys_ssh_config`:
......@@ -64,10 +71,11 @@ Alternatively use the resource `sys_ssh_config`:
## User Authorized Keys
All hashes in `node.sys.ssh.authorize[account]` (where account is an existing user) have the following attributes:
All hashes in `node['sys']['ssh']['authorize'][account]` (where account is an existing user)
have the following attributes:
* `keys` (required) contains at least one SSH public key per user account.
* `managed` (default false) overwrites existing keys deviating form the given list `keys` when true.
* `managed` (default `false`) set to true to delete existing keys not on the given list `keys`.
For example:
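Review bot: in the new `managed` line, `true` should be in backticks for consistency with `false`, and "not on the given list `keys`" reads more naturally as "not in the `keys` list".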
......@@ -98,3 +106,29 @@ Alternatively use the resource `sys_ssh_authorize` like:
managed true
end
## Known Hosts
`sys::ssh` can manage the system-wide `/etc/ssh/ssh_known_hosts`.
This is controlled via `node['sys']['ssh']['known_hosts']`.
The attribute format is a hash with the hostnames or IPs pointing to
a hash of keytypes as keys and the base64-encoded keys as velues.
The keytypes and keys can be acquired with `ssh-keyscan`.
The format and options of the `known_hosts` file is explained in the [`sshd` man page](https://manpages.debian.org/openssh-server/sshd.8.en.html#SSH_KNOWN_HOSTS_FILE_FORMAT).
Example:
```ruby
sys: {
ssh: {
known_hosts: {
'login.example.com': {
'ssh-rsa': 'AAAA…==',
'ssh-ed25519': 'AAAA…'
},
'gitlab.com': {
}
}
}
}
```
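Review bot: typo in the new text, "velues" should be "values", and "The format and options of the `known_hosts` file is explained" should be "are explained". On substance, the sentence recommending `ssh-keyscan` should add that the scanned fingerprints must be compared with values published out of band, since keyscan only records whatever key the network returned at that moment. The README should also say that the template replaces `/etc/ssh/ssh_known_hosts` wholesale (hand-added entries are lost), and the `'gitlab.com': {}` entry in the example renders nothing, so either drop it or give it a key; a comma-separated host list such as `'login.example.com,192.0.2.10'` works as a hash key because the template copies it verbatim, which is worth stating.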
......@@ -16,4 +16,4 @@ supports 'debian'
depends 'line', '< 1.0'
depends 'chef-vault'
version '1.64.3'
version '1.65.0'
......@@ -2,7 +2,14 @@
# Cookbook Name:: sys
# Recipe:: ssh
#
# Copyright 2012, Victor Penso
# Copyright 2012-2022 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
# Dennis Klein <d.klein@gsi.de>
# Matthias Pausch <m.pausch@gsi.de>
# Victor Penso <v.penso@gsi.de>
# Thomas Roth <t.roth@gsi.de>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
......@@ -71,3 +78,13 @@ unless node['sys']['ssh']['config'].empty?
end
end
end
if node['sys']['ssh']['known_hosts']
template '/etc/ssh/ssh_known_hosts' do
source 'etc_ssh_known_hosts.erb'
mode 0o0644
variables(
hosts: node['sys']['ssh']['known_hosts']
)
end
end
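Review bot: `if node['sys']['ssh']['known_hosts']` is true for an empty hash, so if the attribute defaults to `{}` (attributes/ssh.rb is not in this diff) the recipe overwrites an existing `/etc/ssh/ssh_known_hosts` with a header-only file; mirror the `unless node['sys']['ssh']['config'].empty?` guard in the context above, e.g. `unless node['sys']['ssh']['known_hosts'].nil? || node['sys']['ssh']['known_hosts'].empty?`. Also set `owner 'root'` and `group 'root'` explicitly rather than relying on defaults; `0644` itself is correct, since the client needs to read the file as an unprivileged user.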
<%= template_header %>
<%- @hosts.each do |host, pairs| -%>
<%- pairs.each do |algo, key| -%>
<%= host %> <%= algo %> <%= key %>
<%- end -%>
<%- end -%>
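Review bot: the template interpolates `host`, `algo` and `key` with no validation, and this file is trusted by every ssh client on the node, so a value that contains whitespace or a newline silently produces extra or malformed entries. Suggest the recipe raises before rendering when any of the three matches `/\s/`, and that `algo` is checked against the key types `sshd(8)` accepts. Note also that the hash format cannot express `@cert-authority` or `@revoked` markers or hashed hostnames; that limitation belongs in the README.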
......@@ -87,3 +87,19 @@ describe file('/root/.ssh/config') do
should match(/^Host \*\n\s*AddKeysToAgent ask$/m)
end
end
# test /etc/ssh/ssh_known_hosts
describe file('/etc/ssh/ssh_known_hosts') do
it { should exist }
it { should be_mode('644') }
its(:content) do
should match(/^github.com ssh-rsa AAAA\S+==$/)
end
end
describe command 'ssh -o BatchMode=yes -v git@git.gsi.de' do
its(:exit_status) { should eq 255 } # permission denied
its(:stdout) { should be_empty }
its(:stderr) { should include "debug1: Host 'git.gsi.de' is known and matches the ECDSA host key." }
its(:stderr) { should match %r{^debug1: Found key in /etc/ssh/ssh_known_hosts:\d+} }
end
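Review bot: the assertion on "matches the ECDSA host key" depends on the client's HostKeyAlgorithms preference and thus on the OpenSSH version in the image, since both an ecdsa and an ed25519 key are deployed for git.gsi.de; match `matches the \w+ host key` instead so the spec survives a platform bump. The `ssh -v git@git.gsi.de` check also needs outbound network access during `kitchen verify`, which should be documented or guarded, and the unescaped `.` in `^github.com ssh-rsa` should be `github\.com`.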