diff --git a/.rubocop.yml b/.rubocop.yml index 4911a975..0486bca0 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -2,6 +2,7 @@ AllCops: Excludes: - vendor/** - metadata.rb + - test/integration/** AlignParameters: Enabled: false diff --git a/attributes/default.rb b/attributes/default.rb index 2354ed7f..77e90db2 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -19,31 +19,30 @@ # Define the client package name case platform -when "redhat", "centos", "fedora", "amazon", "oracle", "scientific" - default['sslclient']['package'] = "openssh-clients" -when "debian", "ubuntu" - default['sslclient']['package'] = "openssh-client" -when "arch" - default['sslclient']['package'] = "openssh" +when 'redhat', 'centos', 'fedora', 'amazon', 'oracle', 'scientific' + default['sslclient']['package'] = 'openssh-clients' +when 'debian', 'ubuntu' + default['sslclient']['package'] = 'openssh-client' +when 'arch' + default['sslclient']['package'] = 'openssh' else - default['sslclient']['package'] = "openssh-client" + default['sslclient']['package'] = 'openssh-client' end # Define the server package name -default['sslserver']['package'] = "openssh-server" +default['sslserver']['package'] = 'openssh-server' - -default['config_disclaimer'] = "**Note:** This file was automatically created by Pinerolo configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead." +default['config_disclaimer'] = '**Note:** This file was automatically created by Pinerolo configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.' 
default['network']['ipv6']['enable'] = false # sshd + ssh default['ssh']['cbc_required'] = false # sshd + ssh default['ssh']['weak_hmac'] = false # sshd + ssh default['ssh']['weak_kex'] = false # sshd + ssh -default['ssh']['ports'] = [ 22 ] # sshd + ssh -default['ssh']['listen_to'] = ["0.0.0.0"] # sshd -default['ssh']['host_key_files'] = ["/etc/ssh/ssh_host_rsa_key","/etc/ssh/ssh_host_dsa_key","/etc/ssh/ssh_host_ecdsa_key"] # sshd +default['ssh']['ports'] = [22] # sshd + ssh +default['ssh']['listen_to'] = ['0.0.0.0'] # sshd +default['ssh']['host_key_files'] = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key'] # sshd default['ssh']['client_alive_interval'] = 600 # sshd, 10min default['ssh']['client_alive_count'] = 3 # sshd, ~> 3 x interval -default['ssh']['remote_hosts'] = [ ] # ssh +default['ssh']['remote_hosts'] = [] # ssh default['ssh']['allow_root_with_key'] = false # sshd default['ssh']['allow_tcp_forwarding'] = false # sshd -default['ssh']['allow_agent_forwarding'] = false # sshd \ No newline at end of file +default['ssh']['allow_agent_forwarding'] = false # sshd diff --git a/recipes/client.rb b/recipes/client.rb index c0c551ff..b5a9c4a1 100644 --- a/recipes/client.rb +++ b/recipes/client.rb @@ -18,20 +18,20 @@ # limitations under the License. # -package "openssh-client" do +package 'openssh-client' do package_name node['sslclient']['package'] end -directory "/etc/ssh" do +directory '/etc/ssh' do mode 0555 - owner "root" - group "root" + owner 'root' + group 'root' action :create end -template "/etc/ssh/ssh_config" do - source "openssh.conf.erb" +template '/etc/ssh/ssh_config' do + source 'openssh.conf.erb' mode 0444 - owner "root" - group "root" + owner 'root' + group 'root' end diff --git a/recipes/default.rb b/recipes/default.rb index 2e06a20b..c52116c5 100644 --- a/recipes/default.rb +++ b/recipes/default.rb 
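Review bot: The reformatted `host_key_files` default on the new side still lists `/etc/ssh/ssh_host_dsa_key`, carried over unchanged from the old side. DSA host keys are limited to 1024 bits by the algorithm's specification and OpenSSH 7.0 and later no longer offer `ssh-dss` by default, so if the sshd template emits one `HostKey` line per entry (I cannot see the template from this hunk) that entry is at best a weak key and at worst a "Could not load host key" warning on hosts without one. Either drop the DSA path from the default or document why it stays, e.g. `# DSA is 1024-bit only and disabled in OpenSSH >= 7.0; kept for old clients — TODO confirm still needed`, so the next person reformatting this line does not assume it was deliberate.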
@@ -18,5 +18,5 @@ # limitations under the License. # -include_recipe "ssh-hardening::server" -include_recipe "ssh-hardening::client" +include_recipe 'ssh-hardening::server' +include_recipe 'ssh-hardening::client' diff --git a/recipes/server.rb b/recipes/server.rb index 8835082a..5c97f42f 100644 --- a/recipes/server.rb +++ b/recipes/server.rb 
@@ -18,53 +18,53 @@ # limitations under the License. # -package "openssh-server" do +package 'openssh-server' do package_name node['sslserver']['package'] end -directory "/etc/ssh" do +directory '/etc/ssh' do mode 0555 - owner "root" - group "root" + owner 'root' + group 'root' action :create end -template "/etc/ssh/sshd_config" do - source "opensshd.conf.erb" +template '/etc/ssh/sshd_config' do + source 'opensshd.conf.erb' mode 0400 - owner "root" - group "root" + owner 'root' + group 'root' end -def get_key_from field - search("users","#{field}:*").map do |v| # ~FC003 ignore footcritic violation +def get_key_from(field) + search('users', "#{field}:*").map do |v| # ~FC003 ignore footcritic violation Chef::Log.info "ssh_server: installing ssh-keys for root access of user #{v['id']}" v[field] end.flatten end keys = get_key_from('ssh_rootkey') + get_key_from('ssh_rootkeys') -Chef::Log.info "ssh_server: not setting up any ssh keys" if keys.empty? +Chef::Log.info 'ssh_server: not setting up any ssh keys' if keys.empty? -directory "/root/.ssh" do +directory '/root/.ssh' do mode 0500 - owner "root" - group "root" + owner 'root' + group 'root' action :create end -template "/root/.ssh/authorized_keys" do - source "authorized_keys.erb" +template '/root/.ssh/authorized_keys' do + source 'authorized_keys.erb' mode 0400 - owner "root" - group "root" + owner 'root' + group 'root' variables( :keys => keys ) - only_if{ not keys.empty? } + only_if { !keys.empty? } end -execute "unlock root account if it is locked" do +execute 'unlock root account if it is locked' do command "sed 's/^root:\!/root:*/' /etc/shadow -i" - only_if{ node['ssh']['allow_root_with_key'] } + only_if { node['ssh']['allow_root_with_key'] } end
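Review bot: The `execute 'unlock root account if it is locked'` resource closing the hunk is guarded only by `node['ssh']['allow_root_with_key']`, so whenever that attribute is true the `sed -i` rewrite of `/etc/shadow` runs and reports as updated on every converge, and nothing in this recipe re-locks root if the attribute is later set back to false. Add a second guard that checks the actual account state so the edit is idempotent, `only_if "grep -q '^root:!' /etc/shadow"`, and put a comment above the resource noting that the unlock is one-way and must be reverted by hand. Separately, `get_key_from` writes whatever `ssh_rootkey`/`ssh_rootkeys` values the `users` search returns straight into `/root/.ssh/authorized_keys` without any format check, and that template is installed even when `allow_root_with_key` is false; presumably the sshd template's `PermitRootLogin` is what actually gates access, but that is outside this hunk, so a comment on the template resource saying so would help.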