Merge pull request dev-sec#52 from bkw/deprecateRootKeys
Deprecate managing authorized_keys for root via data bag
chris-rock committed Oct 14, 2014
2 parents 2f9e415 + 5bf84a9 commit 574f997
Showing 5 changed files with 40 additions and 23 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -8,6 +8,8 @@

* new attributes node['ssh']['client']['weak_kex'] and node['ssh']['server']['weak_kex'] replace node['ssh']['weak_kex'], which has been deprecated.

* deprecated: Manging authorized_keys for root via attributes `ssh_rootkey` and `ssh_rootkeys` in the `users` data bag has been deprecated and emits a waning when used. Support will be removed in 2.x.

## 1.0.1

* feature: cipher, macs and key exchange algorithms are now correctly detected on
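Review bot: the new changelog entry on the deprecated line has two typos: `Manging` should be `Managing` and `emits a waning` should be `emits a warning`. Since this is the line users will grep for when the `:warn` log appears during a converge, it is worth fixing before the release is tagged.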
6 changes: 5 additions & 1 deletion README.md
Expand Up @@ -29,7 +29,11 @@ This cookbook provides secure ssh-client and ssh-server configurations.

## Data Bags

This cookbook handles authorized keys for the root user. Use other cookbooks to set up your users.
**DEPRECATION WARNING**: Support for managing authorized_keys for the root account will be removed from this cookbook in the next major release. Please use alternative cookbooks for that.

This cookbook used to handle authorized keys for the root user, but that support will be removed in the next major release. Use other cookbooks to set up your users.

### Old behaviour:

Have users in your `data_bag/users/` directory. This cookbook looks for users inside this folder with a `ssh_rootkey`.
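Review bot: the deprecation warning tells readers to use alternative cookbooks but not how they will notice the deprecated path is still in use; add one sentence here stating that the server recipe now logs a `deprecated-databag` warning at converge whenever a `users` item carries `ssh_rootkey` or `ssh_rootkeys`, so the README and the runtime warning point at each other. The `### Old behaviour:` heading also reads oddly for behaviour that stays active until 2.x; `### Current (deprecated) behaviour:` would be more accurate.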

16 changes: 4 additions & 12 deletions TUTORIAL.md
Expand Up @@ -31,21 +31,13 @@
git clone https://github.com/edelight/chef-solo-search
cd ..

7. Add a public key to the root user `data_bags/users/root.json`
7. Create `solo.rb`

{
"id" : "root",
"ssh_rootkeys" : "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TCCCCCCjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qPasgCgzUFtdOKLv6IedplqoPasdasd0aYet2PkEDo3MlTBckFXPITAMzF8dJSICCCCFo9D8HfdOV0IAdx4O7dETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIUc9c9WhQ== vagrant insecure public key"
}

8. Create `solo.rb`

This file is used to specify the configuration details for chef-solo. So create a `solo.rb` that include the `cookbook_path` and the `data_bags`.
This file is used to specify the configuration details for chef-solo. So create a `solo.rb` that includes the `cookbook_path`.

cookbook_path "cookbooks"
data_bag_path "data_bags

9. Create `solo.json`
8. Create `solo.json`

Chef-solo does not interact with the Chef Server. Consequently, node-specific attributes must be located in a JSON file on the target system. Create the following `solo.json`.

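Review bot: dropping the root key data bag and `data_bag_path` from `solo.rb` is consistent with the deprecation, but step 6 above still clones `chef-solo-search`, which this tutorial only needed so that the recipe's `search('users', ...)` works under chef-solo; check whether that step should go as well, or say why it stays. Also visible in the removed lines: the old `data_bag_path "data_bags` was missing its closing quote, so the tutorial's `solo.rb` would not have loaded as written; the removal fixes that by accident, which is fine, but worth a mention in the commit message.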
Expand All @@ -60,7 +52,7 @@
]
}

10. Run chef-solo
9. Run chef-solo

chef-solo -c solo.rb -j solo.json

29 changes: 19 additions & 10 deletions recipes/server.rb
Expand Up @@ -97,6 +97,7 @@
notifies :restart, 'service[sshd]'
end

# authorized_key management will be deprecated in the next major release:
def get_key_from(field)
return [] unless Chef::DataBag.list.key?('users')
search('users', "#{field}:*").map do |v| # ~FC003 ignore footcritic violation
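Review bot: the new comment says authorized_key management "will be deprecated in the next major release", but the CHANGELOG in this same commit says it is deprecated now and removed in 2.x; "is deprecated and will be removed in the next major release" matches both the changelog and the warning the recipe emits below.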
Expand All @@ -106,7 +107,6 @@ def get_key_from(field)
end

keys = get_key_from('ssh_rootkey') + get_key_from('ssh_rootkeys')
Chef::Log.info 'ssh_server: not setting up any ssh keys' if keys.empty?

directory '/root/.ssh' do
mode '0500'
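Review bot: removing the `Chef::Log.info 'ssh_server: not setting up any ssh keys' if keys.empty?` line leaves the no-keys case silent; with the template now skipped entirely in that case, an info message was the only trace in the run log that root's `authorized_keys` was deliberately left untouched, and the `'without users data bag'` spec only asserts what is absent. Consider keeping it.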
Expand All @@ -115,15 +115,24 @@ def get_key_from(field)
action :create
end

template '/root/.ssh/authorized_keys' do
source 'authorized_keys.erb'
mode '0400'
owner 'root'
group 'root'
variables(
keys: keys
)
only_if { !keys.empty? }
unless keys.empty?
log 'deprecated-databag' do
message 'Use of deprecated key ssh_rootkey(s) found in users data bag. ' \
'Managing authorized_keys from users data bag will be removed ' \
'from the ssh-hardening cookbook in the next major release. ' \
'Please transition to alternative approaches.'
level :warn
end

template '/root/.ssh/authorized_keys' do
source 'authorized_keys.erb'
mode '0400'
owner 'root'
group 'root'
variables(
keys: keys
)
end
end

execute 'unlock root account if it is locked' do
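Review bot: the `log` resource with `level :warn` fires on every converge where keys are found, which is the right place for it, but the message does not say which `users` item carried `ssh_rootkey` or `ssh_rootkeys`, and "alternative approaches" gives the operator nothing concrete to migrate to; include the offending item ids in the message (they are in the `search` results `get_key_from` already iterates) and name a replacement. Behaviourally, moving from `only_if { !keys.empty? }` on the template to wrapping both resources in `unless keys.empty?` is equivalent, since `keys` is computed at compile time, so the template is written under exactly the same conditions as before.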
10 changes: 10 additions & 0 deletions spec/recipes/server_spec.rb
Expand Up @@ -366,6 +366,12 @@
.with_content(/^key2-user3$/)
.with_content(/^key1-user4$/)
end

it 'warns about deprecation of data bag use' do
expect(chef_run).to write_log('deprecated-databag')
.with(message: /deprecated/)
.with(level: :warn)
end
end

context 'without users data bag' do
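Review bot: `.with(message: /deprecated/)` would match almost any deprecation text the cookbook might log in future; tightening it to something like `/ssh_rootkey/` ties the spec to this particular warning so an unrelated deprecation log cannot keep it green.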
Expand All @@ -380,5 +386,9 @@
it 'does not touch authorized_keys by root' do
expect(chef_run).to_not create_template('/root/.ssh/authorized_keys')
end

it 'does not warn about deprecation of data bag use' do
expect(chef_run).not_to write_log('deprecated-databag')
end
end
end
