diff --git a/CHANGELOG.md b/CHANGELOG.md index 84dba9cc..ec351b73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ * new attributes node['ssh']['client']['weak_kex'] and node['ssh']['server']['weak_kex'] replace node['ssh']['weak_kex'], which has been deprecated. +* deprecated: Manging authorized_keys for root via attributes `ssh_rootkey` and `ssh_rootkeys` in the `users` data bag has been deprecated and emits a waning when used. Support will be removed in 2.x. + ## 1.0.1 * feature: cipher, macs and key exchange algorithms are now correctly detected on diff --git a/README.md b/README.md index 39b90980..b67791cf 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,11 @@ This cookbook provides secure ssh-client and ssh-server configurations. ## Data Bags -This cookbook handles authorized keys for the root user. Use other cookbooks to set up your users. +**DEPRECATION WARNING**: Support for managing authorized_keys for the root account will be removed from this cookbook in the next major release. Please use alternative cookbooks for that. + +This cookbook used to handle authorized keys for the root user, but that support will be removed in the next major release. Use other cookbooks to set up your users. + +### Old behaviour: Have users in your `data_bag/users/` directory. This cookbook looks for users inside this folder with a `ssh_rootkey`. diff --git a/TUTORIAL.md b/TUTORIAL.md index cf7d6c66..b353249b 100644 --- a/TUTORIAL.md +++ b/TUTORIAL.md 
@@ -31,21 +31,13 @@ git clone https://github.com/edelight/chef-solo-search cd .. -7. Add a public key to the root user `data_bags/users/root.json` +7. Create `solo.rb` - { - "id" : "root", - "ssh_rootkeys" : "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TCCCCCCjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qPasgCgzUFtdOKLv6IedplqoPasdasd0aYet2PkEDo3MlTBckFXPITAMzF8dJSICCCCFo9D8HfdOV0IAdx4O7dETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIUc9c9WhQ== vagrant insecure public key" - } - -8. Create `solo.rb` - - This file is used to specify the configuration details for chef-solo. So create a `solo.rb` that include the `cookbook_path` and the `data_bags`. + This file is used to specify the configuration details for chef-solo. So create a `solo.rb` that includes the `cookbook_path`. cookbook_path "cookbooks" - data_bag_path "data_bags -9. Create `solo.json` +8. Create `solo.json` Chef-solo does not interact with the Chef Server. Consequently, node-specific attributes must be located in a JSON file on the target system. Create the following `solo.json`. @@ -60,7 +52,7 @@ ] } -10. Run chef-solo +9. Run chef-solo chef-solo -c solo.rb -j solo.json diff --git a/recipes/server.rb b/recipes/server.rb index a7f8dd7f..c59b4388 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -97,6 +97,7 @@ notifies :restart, 'service[sshd]' end +# authorized_key management will be deprecated in the next major release: def get_key_from(field) return [] unless Chef::DataBag.list.key?('users') search('users', "#{field}:*").map do |v| # ~FC003 ignore footcritic violation @@ -106,7 +107,6 @@ def get_key_from(field) end keys = get_key_from('ssh_rootkey') + get_key_from('ssh_rootkeys') -Chef::Log.info 'ssh_server: not setting up any ssh keys' if keys.empty? directory '/root/.ssh' do mode '0500' 
@@ -115,15 +115,24 @@ def get_key_from(field) action :create end -template '/root/.ssh/authorized_keys' do - source 'authorized_keys.erb' - mode '0400' - owner 'root' - group 'root' - variables( - keys: keys - ) - only_if { !keys.empty? } +unless keys.empty? + log 'deprecated-databag' do + message 'Use of deprecated key ssh_rootkey(s) found in users data bag. ' \ + 'Managing authorized_keys from users data bag will be removed ' \ + 'from the ssh-hardening cookbook in the next major release. ' \ + 'Please transition to alternative approaches.' + level :warn + end + + template '/root/.ssh/authorized_keys' do + source 'authorized_keys.erb' + mode '0400' + owner 'root' + group 'root' + variables( + keys: keys + ) + end end execute 'unlock root account if it is locked' do diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb index 8a2c2388..22376c35 100644 --- a/spec/recipes/server_spec.rb +++ b/spec/recipes/server_spec.rb @@ -366,6 +366,12 @@ .with_content(/^key2-user3$/) .with_content(/^key1-user4$/) end + + it 'warns about deprecation of data bag use' do + expect(chef_run).to write_log('deprecated-databag') + .with(message: /deprecated/) + .with(level: :warn) + end end context 'without users data bag' do @@ -380,5 +386,9 @@ it 'does not touch authorized_keys by root' do expect(chef_run).to_not create_template('/root/.ssh/authorized_keys') end + + it 'does not warn about deprecation of data bag use' do + expect(chef_run).not_to write_log('deprecated-databag') + end end end
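Review bot: The new CHANGELOG entry has two typos that will ship in the release notes: "Manging" should be "Managing" and "emits a waning" should be "emits a warning". It also says "Support will be removed in 2.x" while the README and the recipe comment say "the next major release"; pick one phrasing (2.x is the more precise one) and use it in all three places so users searching for the deprecation find a consistent statement.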
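Review bot: In the README hunk the bold "DEPRECATION WARNING" paragraph and the sentence that follows it ("This cookbook used to handle authorized keys for the root user, but that support will be removed in the next major release") say the same thing twice; keep the warning and reduce the second paragraph to the migration advice. "Please use alternative cookbooks for that" names no alternative, so a user cannot act on it; either name a cookbook the project recommends or state plainly that the users data bag should be managed by whatever user-management cookbook the site already uses. The new heading "### Old behaviour:" should drop the trailing colon to match the other headings in the file. One caveat the README should also state, since it follows from the recipe change below: once a user removes `ssh_rootkey`/`ssh_rootkeys` from the data bag, `keys` is empty and the recipe no longer manages `/root/.ssh/authorized_keys`, but nothing removes the file this cookbook previously wrote, so the old root keys stay valid until the operator cleans them up or another cookbook takes the file over.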
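Review bot: The TUTORIAL hunk removes the `data_bags/users/root.json` step and the `data_bag_path` line from `solo.rb`, but the unchanged context still has the reader run `git clone https://github.com/edelight/chef-solo-search`, which the tutorial only needed so that `search('users', ...)` works under chef-solo. With no data bag left in the walkthrough that step is dead weight; either drop the clone as well or keep a minimal data bag step so the tutorial exercises the (still supported, now warning) code path. Note in passing that the removed line `data_bag_path "data_bags` was missing its closing quote, so removing it also fixes a broken `solo.rb` snippet.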
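Review bot: The comment added above `get_key_from` in `recipes/server.rb` reads "authorized_key management will be deprecated in the next major release", but this very change deprecates it now and the log message says it "will be removed" in the next major release; reword the comment to "deprecated; will be removed in the next major release" so the code does not contradict its own warning. The same hunk deletes `Chef::Log.info 'ssh_server: not setting up any ssh keys' if keys.empty?`, which was the only signal in the converge output that the recipe found no root keys; if that is intentional, say so in the CHANGELOG, otherwise keep the info line, since a silent no-op is harder to debug than a logged one.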
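Review bot: Replacing `only_if { !keys.empty? }` with a compile-time `unless keys.empty?` around both resources is behaviour-preserving here, because `keys` is already computed at compile time from `get_key_from`, but the `log 'deprecated-databag'` resource inside it will emit its `:warn` on every converge for as long as a data bag entry exists, which on a fleet that has not migrated yet means one warning per node per run. That is acceptable for a deprecation, but the message should tell the operator what to change ("remove ssh_rootkey/ssh_rootkeys from the users data bag after moving the keys to ...") rather than only "Please transition to alternative approaches". Also note that `directory '/root/.ssh'` (mode 0500) is still created unconditionally outside the `unless`, so a node with no keys now gets the directory but no file and no message; that is pre-existing, but worth a comment now that the block around it has changed.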
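Review bot: The spec hunks cover the two ends (data bag with keys warns, no data bag does not warn) but not the middle case the recipe distinguishes: a `users` data bag that exists but contains no `ssh_rootkey`/`ssh_rootkeys` items, where `keys` is empty and `write_log('deprecated-databag')` must not fire either. If that context does not already exist in `server_spec.rb`, add it next to the "without users data bag" context, since it is the state every node passes through during migration. The matcher chain `.with(message: /deprecated/).with(level: :warn)` is correct for ChefSpec's `write_log`, and `/deprecated/` matches the message's "Use of deprecated key ..." prefix.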