
Why not wrap openssh cookbook #89

Open
itwasntandy opened this issue Apr 29, 2015 · 10 comments

Comments

@itwasntandy

commented Apr 29, 2015

Hi,

I like what you're trying to do here, but I've a couple of questions with regard to the approach.

As it stands this cookbook is incompatible with the openssh-cookbook as it tries to change the same files.
( https://github.com/opscode-cookbooks/openssh )

It would seem sensible to me for this to be a wrapper around openssh-cookbook which sets sensible, secure defaults.
Did you consider this as an option? If so, why did you not go this way?

Edit to add: I'd be happy to file a PR with this re-worked as a wrapper, if you're open to the idea.

thanks

Andrew

@Rockstar04

Member

commented Apr 29, 2015

I was going to suggest the same thing after I made a proof of concept. I have actually had to override the current template to change some options that are hard-coded in the existing template.

I like the way the opscode cookbook handles the config files and it should give us all the flexibility to set our hardening options.

@arlimus

Member

commented Apr 30, 2015

@itwasntandy and @Rockstar04 Thanks for bringing up this question. As you may have recognized, the ssh module is the only chef module that is not implemented as an overlay module.

Back when we started this, we took an in-depth look into the openssh cookbook, but finally decided to go with a standalone implementation. Some reasons are:

  • no clear separation between client and server
  • tied-in iptables configuration (although in a different recipe)
  • tests in kitchen were limited

We are currently reconsidering the base cookbook for ssh-hardening, i.e., making this into an overlay module like the rest. We will have another look at the openssh cookbook and others; let's see if pull requests get us to where we need it to be. If all fails, we will split out a proper template for ssh.

@chris-rock

Member

commented Apr 30, 2015

I agree that our ssh and sshd templates are not as flexible as they should be ;-)

@arlimus

Member

commented May 8, 2015

We have talked to Chef and will try to update the chef ssh cookbook. If all goes well, we can use it as the new base cookbook and use the same overlay style we have in place for e.g. mysql.

@artem-sidorenko added this to the v2.0.0 milestone Nov 8, 2016
@artem-sidorenko

Member

commented Dec 17, 2016

I had a look at the README of the current state of the openssh cookbook. It looks like you can set all options of the ssh client/server, so it looks feasible to give it a try. @arlimus @chris-rock @atomic111 opinions?

@chris-rock

Member

commented Dec 22, 2016

@artem-sidorenko Sounds like a good plan. Should we plan this for version 3?

@shoekstra


commented Feb 16, 2018

Hi,

I have been thinking about this for a while and thought I'd open an issue, but I see one has already been open for a while.

Currently I have both openssh and this cookbook managing config, which isn't great.

Are you open to accepting a PR these days to wrap openssh where possible? I think it would be helpful for many who are already using it and want the hardening without any additional hassle.

Stephen

@chris-rock @artem-sidorenko @atomic111

@artem-sidorenko

Member

commented Feb 16, 2018

@shoekstra definitely! This would be a great contribution!

@bobchaos


commented Nov 21, 2018

You should consider releasing sample roles/policies as opposed to a wrapper cookbook. Just my 2 cents.

@artem-sidorenko

Member

commented Nov 21, 2018

@bobchaos can you elaborate a bit? The idea isn't completely clear to me.

7 participants