Make UseDNS configurable #80

Merged
merged 1 commit into from
Apr 27, 2015

aried3r
Contributor

@aried3r aried3r commented Apr 27, 2015

Fixes #79.

@arlimus
Member

arlimus commented Apr 27, 2015

@aried3r Awesome, thank you for adding this!

I'll merge it, though the default value will probably change. OpenSSH changed the UseDNS defaults on release 6.8. We will have another look at the security implications as well.

arlimus added a commit that referenced this pull request Apr 27, 2015
@arlimus arlimus merged commit 1d90833 into dev-sec:master Apr 27, 2015
@arlimus
Member

arlimus commented Apr 27, 2015

For reference: http://www.openssh.com/txt/release-6.8

@aried3r
Contributor Author

aried3r commented Apr 27, 2015

I guess I could do the same as AllowUsers does, either setting whatever the user supplied, or adding the commented out directive (#UseDNS yes). See here, that way if the user does not override this setting, the default OpenSSH behaviour will be used (afaik).

Also, I only added local rspec tests, they did not seem to be run when using `kitchen test default-ubuntu-1204`. Should I add them to the shared spec repo or how exactly do you guys maintain these?

@aried3r aried3r deleted the ar/use_dns branch April 27, 2015 12:23
@arlimus
Member

arlimus commented Apr 27, 2015

@aried3r Thanks for adding the rspecs :) You're right, they don't run with `kitchen test`; we typically run them via `rake spec`. Kitchen carries our shared tests, which are serverspecs found here: https://github.com/hardening-io/tests-ssh-hardening . They are only extended with security-based settings.

Let's see if the defaults for UseDNS have security implications. If not, I'd prefer the solution of only setting it, if the user assigns a value. With the cookbook supporting more options, I think it's best to use this style of configuration.

@chris-rock
Member

If you use `bundle exec thor kitchen:fetch-remote-tests` you will fetch the tests into the tests folder. More information is available here: https://github.com/hardening-io/chef-ssh-hardening#local-testing.

`kitchen test` only runs the integration tests (also triggered by our jenkins environment)
`rake spec` will run the chef-spec (and called for each travis trigger)

@aried3r
Contributor Author

aried3r commented Apr 27, 2015

> `rake spec` will run the chef-spec (and called for each travis trigger)

On that note, I did not see a test run for my PR, are they not triggered by default?

@chris-rock
Member

Yes, we recently moved to a new github organization (last week). Something was broken with the Travis access rights. Right after your PR, I already fixed the travis connection. It should work with the next PR. I keep an eye on it.

@chris-rock
Member

@aried3r please add AllowUsers. We could extend it to support three states e.g.

```ruby
default['ssh']['use_dns'] = nil   # -> commented out '#UseDNS yes'
default['ssh']['use_dns'] = 'yes' # -> 'UseDNS yes'
default['ssh']['use_dns'] = 'no'  # -> 'UseDNS no'
```
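
The three-state mapping proposed above, as an added Ruby example that is not part of the thread or the cookbook's code: `use_dns_directive`, `render_fragment` and `effective_use_dns` are hypothetical names, and the sshd_config fragment is constructed. It also shows why the `nil` state behaves differently across OpenSSH versions, since release 6.8 changed the built-in UseDNS default from yes to no.

```ruby
require 'erb'

# Hypothetical helper: map the three attribute states to the sshd_config line.
def use_dns_directive(value)
  case value
  when nil   then '#UseDNS yes' # commented out: sshd's built-in default applies
  when 'yes' then 'UseDNS yes'
  when 'no'  then 'UseDNS no'
  else
    # Fail at converge time instead of writing an unexpected value to the file.
    raise ArgumentError, "use_dns must be nil, 'yes' or 'no', got #{value.inspect}"
  end
end

# Constructed template fragment (Chef templates are ERB).
TEMPLATE = ERB.new(<<~CONF)
  # constructed sshd_config fragment
  Protocol 2
  <%= use_dns_directive(use_dns) %>
CONF

def render_fragment(use_dns)
  TEMPLATE.result_with_hash(use_dns: use_dns)
end

# Setting sshd ends up with for a rendered config. The first active UseDNS
# line wins; with none present the built-in default applies, which OpenSSH
# 6.8 changed from yes to no.
def effective_use_dns(config_text, openssh_version)
  line = config_text.lines.map(&:strip).find { |l| l =~ /\AUseDNS\s+(yes|no)\z/i }
  return line.split.last.downcase if line

  newer = (openssh_version.split('.').map(&:to_i) <=> [6, 8]) >= 0
  newer ? 'no' : 'yes'
end

if __FILE__ == $PROGRAM_NAME
  [nil, 'yes', 'no'].each do |state|
    %w[6.6 6.8].each do |version|
      effective = effective_use_dns(render_fragment(state), version)
      puts "use_dns=#{state.inspect} OpenSSH #{version}: #{effective}"
    end
  end
end
```

Only the `nil` state gives a different effective value on 6.6 and 6.8, so audit checks should compare the effective setting rather than the file contents alone.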

Successfully merging this pull request may close these issues.

UseDNS no
3 participants