Merge pull request #172 from lubomir-kacalek/master

Authorized keys custom path
dev-sec · Apr 18, 2017 · 2e89e52 · 2e89e52
2 parents eaf6c11 + 71b4f50
commit 2e89e52
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -76,10 +76,9 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress']
 * `['ssh-hardening']['ssh']['server']['sftp']['enable']` - `false`. Set to `true` to enable the SFTP feature of OpenSSH daemon
 * `['ssh-hardening']['ssh']['server']['sftp']['group']` - `sftponly`. Sets the `Match Group` option of SFTP to allow SFTP only for dedicated users
 * `['ssh-hardening']['ssh']['server']['sftp']['chroot']` - `/home/%u`. Sets the directory where the SFTP user should be chrooted
-
+* `['ssh-hardening']['ssh']['server']['authorized_keys_path']` - `nil`. If not nil, full path to an authorized keys folder is expected
 * `['ssh-hardening']['ssh']['server']['extras']` - `{}`. Add extra configuration options, see [below](#extra-configuration-options) for details
 
-
 ## Usage
 
 Add the recipes to the run_list:

diff --git a/attributes/default.rb b/attributes/default.rb
@@ -105,6 +105,7 @@
   server['password_authentication']  = false
   server['log_level']                = 'verbose'
   server['accept_env']               = ['LANG', 'LC_*', 'LANGUAGE']
+  server['authorized_keys_path']     = nil     # if not nil, full path to an authorized keys folder is expected
 
   # extra server configuration options
   server['extras']                   = {}

diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb
@@ -663,4 +663,30 @@
         with_content(/AcceptEnv some environment variables/)
     end
   end
+
+  describe 'customized AuthorizedKeysFile option' do
+    context 'without customized AuthorizedKeysFile' do
+      cached(:chef_run) do
+        ChefSpec::ServerRunner.new.converge(described_recipe)
+      end
+
+      it 'does not have AuthorizedKeysFile configured' do
+        expect(chef_run).not_to render_file('/etc/ssh/sshd_config').
+          with_content('AuthorizedKeysFile')
+      end
+    end
+
+    context 'with customized AuthorizedKeysFile' do
+      cached(:chef_run) do
+        ChefSpec::ServerRunner.new do |node|
+          node.normal['ssh-hardening']['ssh']['server']['authorized_keys_path'] = '/some/authorizedkeysfile'
+        end.converge(described_recipe)
+      end
+
+      it 'has AuthorizedKeysFile configured' do
+        expect(chef_run).to render_file('/etc/ssh/sshd_config').
+          with_content('AuthorizedKeysFile /some/authorizedkeysfile')
+      end
+    end
+  end
 end
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
@@ -96,6 +96,11 @@ MaxStartups 10:30:100
 # Enable public key authentication
 PubkeyAuthentication yes
 
+<% if @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %>
+# Customized authorized keys path
+AuthorizedKeysFile <%= @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %>
+<% end %>
+
 # Never use host-based authentication. It can be exploited.
 IgnoreRhosts yes
 IgnoreUserKnownHosts yes