Authorized keys custom path #172

Merged
merged 7 commits into dev-sec:master from lubomir-kacalek:master on Apr 18, 2017

4 participants
@lubomir-kacalek
Contributor

lubomir-kacalek commented Mar 30, 2017

Hi,
this proposed change allows configuring a custom authorized keys file path for an SSH server.
Thanks.
Lubomir Kacalek

@coveralls

coveralls Mar 30, 2017

Coverage remained the same at 100.0% when pulling 73e8996 on lubomir-kacalek:master into d4dc236 on dev-sec:master.

@artem-sidorenko

@lubomir-kacalek hey Lubos :) Thanks for the PR!

  • Could you please add the tests for this option? (see GH-155 as example)

  • Could you please add the documentation to the README.md?

templates/default/opensshd.conf.erb
@@ -96,6 +96,11 @@ MaxStartups 10:30:100
# Enable public key authentication
PubkeyAuthentication yes
+<% if @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] != nil %>
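Review bot: the `!= nil` on the `+<% if ... %>` line is redundant and at the same time not strict enough. In Ruby `nil` is already falsy, so `<% if @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %>` reads the same; but an empty string passes either form and would render an `AuthorizedKeysFile` directive with no path, which sshd rejects when it parses the config. Guarding on a non-empty value (for example `<% unless @node['ssh-hardening']['ssh']['server']['authorized_keys_path'].to_s.empty? %>`) covers both cases. The hunk header announces five added lines but only the opening `<% if %>` is visible here, so the directive line and the closing `<% end %>` should be checked in the full diff.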

@artem-sidorenko

artem-sidorenko Mar 30, 2017

Member

you do not need != nil here

@artem-sidorenko

artem-sidorenko Apr 7, 2017

Member

@lubomir-kacalek I would like to release the next minor version after #173 is merged, do you think you will be able to update this PR in the next days, so we can include it in the release?

@artem-sidorenko

artem-sidorenko Apr 7, 2017

Member

@lubomir-kacalek as discussed, the tests might look like this (in the spec/recipes/server_spec.rb)

describe 'customized AuthorizedKeysFile option' do
  context 'without customized AuthorizedKeysFile' do
    # Default attributes: the attribute is nil, so the template guard skips the directive
    cached(:chef_run) do
      ChefSpec::ServerRunner.new.converge(described_recipe)
    end

    it 'does not have AuthorizedKeysFile configured' do
      expect(chef_run).not_to render_file('/etc/ssh/sshd_config').
        with_content(/^AuthorizedKeysFile/)
    end
  end

  context 'with customized AuthorizedKeysFile' do
    cached(:chef_run) do
      ChefSpec::ServerRunner.new do |node|
        node.normal['ssh-hardening']['ssh']['server']['authorized_keys_path'] = '/some/authorizedkeysfile'
      end.converge(described_recipe)
    end

    it 'has AuthorizedKeysFile configured' do
      # %r{} avoids escaping the slashes of the path inside the regex
      expect(chef_run).to render_file('/etc/ssh/sshd_config').
        with_content(%r{^AuthorizedKeysFile /some/authorizedkeysfile})
    end
  end
end
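To show what the template guard and the spec above actually exercise, here is an added example (not code from the ssh-hardening cookbook) that renders a constructed fragment modelled on the visible hunk line for a nil, a set and an empty attribute value; the `AuthorizedKeysFile` line, the `<% end %>` and the `FakeNode` stand-in for the Chef node are assumptions.

```ruby
require 'erb'

# Constructed fragment modelled on the one visible hunk line of
# templates/default/opensshd.conf.erb; the AuthorizedKeysFile line and the
# closing <% end %> are assumed, since the page shows only the opening <% if %>.
SSHD_FRAGMENT = <<~'ERB'
  # Enable public key authentication
  PubkeyAuthentication yes
  <% if @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %>
  AuthorizedKeysFile <%= @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %>
  <% end %>
ERB

# Hypothetical stand-in for the Chef node the template reads through @node.
class FakeNode
  def initialize(path)
    @attrs = { 'ssh-hardening' => { 'ssh' => { 'server' => { 'authorized_keys_path' => path } } } }
  end

  def [](key)
    @attrs[key]
  end
end

# Render the fragment with the node exposed as @node, as the hunk expects.
def render_sshd_fragment(authorized_keys_path)
  ctx = Object.new
  ctx.instance_variable_set(:@node, FakeNode.new(authorized_keys_path))
  ERB.new(SSHD_FRAGMENT, trim_mode: '<>').result(ctx.instance_eval { binding })
end

# The rendered AuthorizedKeysFile directive for a given attribute value, or nil
# when the <% if %> guard suppressed it.
def authorized_keys_line(authorized_keys_path)
  render_sshd_fragment(authorized_keys_path).lines.map(&:strip)
    .find { |line| line.start_with?('AuthorizedKeysFile') }
end

if __FILE__ == $PROGRAM_NAME
  # nil is skipped; a path is rendered; an empty string is truthy in Ruby and
  # yields a bare "AuthorizedKeysFile" with no path, which sshd rejects.
  [nil, '/some/authorizedkeysfile', ''].each do |value|
    puts "#{value.inspect} => #{authorized_keys_line(value).inspect}"
  end
end
```

The empty-string case is the one the spec above does not cover: the guard lets it through, so a `to_s.empty?` check in the template (or a spec for that value) is what closes the gap.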
@artem-sidorenko

artem-sidorenko Apr 7, 2017

Member

@lubomir-kacalek it's also possible to have it a bit simpler:

with_content('AuthorizedKeysFile /some/authorizedkeysfile')

instead of

with_content(%r{^AuthorizedKeysFile /some/authorizedkeysfile})

and

with_content('AuthorizedKeysFile')

instead of

with_content(/^AuthorizedKeysFile/)
@atomic111

atomic111 Apr 7, 2017

Member

@lubomir-kacalek can you please sign your PR?

@artem-sidorenko

artem-sidorenko Apr 7, 2017

Member

@lubomir-kacalek @atomic111 means to use the sign-off, e.g. git commit -s (see the man page for details)

Test and readme added
Signed-off-by: Lubomir Kacalek <lubomir@lkit.cz>
@lubomir-kacalek

lubomir-kacalek Apr 13, 2017

Contributor

Hi @artem-sidorenko,
the required changes have been pushed to my fork. Thank you in advance for your support with the testing part :-)

@atomic111 : New commit has been signed off as well.

Best regards,

   Lubos
@artem-sidorenko

artem-sidorenko Apr 14, 2017

Member

@lubomir-kacalek It looks better, I resolved the conflicts with master

Can you please make the rubocop happy? There are some offenses

@artem-sidorenko

artem-sidorenko Apr 14, 2017

Member

@atomic111 any remarks to this PR?

I would like to merge it when rubocop is made happy and release the 2.1 of ssh-hardening

lubomir-kacalek added some commits Apr 18, 2017

attributes white spaces fix
Signed-off-by: lubomir-kacalek <lubomir@lkit.cz>
server_spec.rb formatting fix
Signed-off-by: lubomir-kacalek <lubomir@lkit.cz>
server_spec.rb formatting fix
Signed-off-by: lubomir-kacalek <lubomir@lkit.cz>
@coveralls

coveralls Apr 18, 2017

Coverage remained the same at 100.0% when pulling 71b4f50 on lubomir-kacalek:master into eaf6c11 on dev-sec:master.

@artem-sidorenko artem-sidorenko merged commit 2e89e52 into dev-sec:master Apr 18, 2017

2 checks passed

continuous-integration/travis-ci/pr: The Travis CI build passed
coverage/coveralls: Coverage remained the same at 100.0%
@artem-sidorenko

artem-sidorenko Apr 18, 2017

Member

@lubomir-kacalek thank you!

2.1 will be released today/tomorrow
