Bugfix: sshd listens on IPv6 interface if enabled

Fixes GH-140

README.md

@@ -40,7 +40,7 @@ Below you can find the attribute documentation and their default values.
 * `['ssh-hardening']['ssh']['client']['remote_hosts']` - `[]` - one or more hosts, to which ssh-client can connect to.
 * `['ssh-hardening']['ssh']['client']['password_authentication']` - `false`. Set to `true` if password authentication should be enabled.
 * `['ssh-hardening']['ssh']['client']['roaming']` - `false`. Set to `true` if experimental client roaming should be enabled. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
-* `['ssh-hardening']['ssh']['server']['listen_to']` - one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
+* `['ssh-hardening']['ssh']['server']['listen_to']` - one or more ip addresses, to which ssh-server should listen to. Default is to listen on all interfaces. It should be configured for security reasons!
 * `['ssh-hardening']['ssh']['server']['allow_root_with_key']` - `false` to disable root login altogether. Set to `true` to allow root to login via key-based mechanism
 * `['ssh-hardening']['ssh']['server']['allow_tcp_forwarding']` - `false`. Set to `true` to allow TCP Forwarding
 * `['ssh-hardening']['ssh']['server']['allow_agent_forwarding']` - `false`. Set to `true` to allow Agent Forwarding
@@ -65,6 +65,8 @@ Below you can find the attribute documentation and their default values.
 * `['ssh-hardening']['ssh']['server']['sftp']['group']` - `sftponly`. Sets the `Match Group` option of SFTP to allow SFTP only for dedicated users
 * `['ssh-hardening']['ssh']['server']['sftp']['chroot']` - `/home/%u`. Sets the directory where the SFTP user should be chrooted
 
+Notice: Some of attribute defaults of this cookbook are set in the recipes. Its a good idea to use a higher [attribute precedence](https://docs.chef.io/attributes.html#attribute-precedence) level for attribute overriding. Otherwise you might get unexpected results.
+
 ## Usage
 
 Add the recipes to the run_list:

attributes/default.rb

@@ -58,7 +58,6 @@
 default['ssh-hardening']['ssh']['client']['cbc_required']  = false
 default['ssh-hardening']['ssh']['client']['weak_hmac']     = false
 default['ssh-hardening']['ssh']['client']['weak_kex']      = false
-
 default['ssh-hardening']['ssh']['client']['remote_hosts']  = []
 default['ssh-hardening']['ssh']['client']['password_authentication'] = false   # ssh
 # http://undeadly.org/cgi?action=article&sid=20160114142733
@@ -71,11 +70,9 @@
 default['ssh-hardening']['ssh']['server']['cbc_required']             = false
 default['ssh-hardening']['ssh']['server']['weak_hmac']                = false
 default['ssh-hardening']['ssh']['server']['weak_kex']                 = false
-default['ssh-hardening']['ssh']['server']['listen_to']                = ['0.0.0.0']
 default['ssh-hardening']['ssh']['server']['host_key_files']           = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']
 default['ssh-hardening']['ssh']['server']['client_alive_interval']    = 600     # 10min
 default['ssh-hardening']['ssh']['server']['client_alive_count']       = 3       # ~> 3 x interval
-
 default['ssh-hardening']['ssh']['server']['allow_root_with_key']      = false
 default['ssh-hardening']['ssh']['server']['allow_tcp_forwarding']     = false
 default['ssh-hardening']['ssh']['server']['allow_agent_forwarding']   = false

recipes/server.rb

@@ -19,6 +19,17 @@
 # limitations under the License.
 #
 
+# default attributes
+# We can not set this kind of defaults in the attribute files
+# as we react on value of other attributes
+# https://github.com/dev-sec/chef-ssh-hardening/issues/140#issuecomment-267779720
+node.default['ssh-hardening']['ssh']['server']['listen_to'] =
+  if node['ssh-hardening']['network']['ipv6']['enable']
+    ['0.0.0.0', '::']
+  else
+    ['0.0.0.0']
+  end
+
 # installs package name
 package 'openssh-server' do
   package_name node['ssh-hardening']['sshserver']['package']

spec/recipes/server_spec.rb

@@ -410,4 +410,31 @@
         with_content(/^ChrootDirectory test_home_dir$/)
     end
   end
+
+  context 'with disabled IPv6' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['ssh-hardening']['network']['ipv6']['enable'] = false
+      end.converge(described_recipe)
+    end
+
+    it 'sets proper IPv4 ListenAdress' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content(/ListenAddress 0.0.0.0/)
+    end
+  end
+
+  context 'with enabled IPv6' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['ssh-hardening']['network']['ipv6']['enable'] = true
+      end.converge(described_recipe)
+    end
+
+    it 'sets proper IPv4 and IPv6 ListenAdress' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content(/ListenAddress 0.0.0.0/).
+        with_content(/ListenAddress ::/)
+    end
+  end
 end