Why not wrap openssh cookbook #89
I like what you're trying to do here, but I've a couple of questions with regard to the approach.
As it stands this cookbook is incompatible with the openssh-cookbook as it tries to change the same files.
It would seem sensible to me for this to be a wrapper around openssh-cookbook which sets sensible, secure defaults.
Edit to add: I'd be happy to file a PR with this re-worked as a wrapper, if you're open to the idea.
I was going to suggest the same thing after I made a proof of concept. I have actually had to override the current template to change some options that are hard-coded in the existing template.
I like the way the opscode cookbook handles the config files and it should give us all the flexibility to set our hardening options.
Back when we started this, we took an in-depth look into the openssh cookbook, but finally decided to go with a standalone implementation. Some reasons are:
We are currently reconsidering the base cookbook for ssh-hardening, i.e. make this into an overlay module like the rest. We will have another look at the openssh cookbook and others; let's see if pull-requests get us to where we need it to be. If all fails, we will split out a proper template for ssh.
I have been thinking this for a while and thought I'd open an issue but see one has already been open for a while.
Currently I have both openssh and this cookbook managing config, which isn't great.
Are you open to accepting a PR these days to wrap openssh where possible? I think it would be helpful for many who are already using it and want the hardening without any additional hassle.