Make UseDNS configurable #80

Merged
arlimus merged 1 commit into dev-sec:master from aried3r:ar/use_dns Apr 27, 2015

Contributor

aried3r commented Apr 27, 2015

Fixes #79.

Member

arlimus commented Apr 27, 2015

@aried3r Awesome, thank you for adding this!

I'll merge it, though the default value will probably change. OpenSSH changed the UseDNS defaults on release 6.8. We will have another look at the security implications as well.

arlimus added a commit that referenced this pull request Apr 27, 2015

arlimus merged commit 1d90833 into dev-sec:master Apr 27, 2015

Contributor

aried3r commented Apr 27, 2015

I guess I could do the same as AllowUsers does, either setting whatever the user supplied, or adding the commented out directive (#UseDNS yes). See here, that way if the user does not override this setting, the default OpenSSH behaviour will be used (afaik).

Also, I only added local rspec tests, they did not seem to be run when using `kitchen test default-ubuntu-1204`, should I add them to the shared spec repo or how exactly do you guys maintain these?

aried3r deleted the aried3r:ar/use_dns branch Apr 27, 2015

Member

arlimus commented Apr 27, 2015

@aried3r Thanks for adding the rspecs :) You're right, they don't run with kitchen test; we typically run them via rake spec. Kitchen carries our shared tests, which are serverspecs found here: https://github.com/hardening-io/tests-ssh-hardening . They are only extended with security-based settings.

Let's see if the defaults for UseDNS have security implications. If not, I'd prefer the solution of only setting it, if the user assigns a value. With the cookbook supporting more options, I think it's best to use this style of configuration.

Member

chris-rock commented Apr 27, 2015

If you use bundle exec thor kitchen:fetch-remote-tests you will fetch the tests into the tests folder. More information is available here: https://github.com/hardening-io/chef-ssh-hardening#local-testing.

kitchen test only runs the integration tests (also triggered by our jenkins environment)
rake spec will run the chef-spec (and called for each travis trigger)

Contributor

aried3r commented Apr 27, 2015

> rake spec will run the chef-spec (and called for each travis trigger)

On that note, I did not see a test run for my PR, are they not triggered by default?

Member

chris-rock commented Apr 27, 2015

Yes, we recently moved to a new github organization (last week). Something was broken with the Travis access rights. Right after your PR, I already fixed the travis connection. It should work with the next PR. I keep an eye on it.

Member

chris-rock commented Apr 27, 2015

@aried3r please add AllowUsers. We could extend it to support three states e.g.

```
default['ssh']['use_dns'] = nil -> commented out '#UseDNS yes'
default['ssh']['use_dns'] = 'yes' -> 'UseDNS yes'
default['ssh']['use_dns'] = 'no' -> 'UseDNS no'
```
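
The three states proposed in the comment above, sketched in Ruby as an added example (not code from this PR or the cookbook). The names `render_use_dns`, `explicit_use_dns` and `sample_config` and the template string are hypothetical; the sketch assumes the attribute is interpolated into `sshd_config` through an ERB template, as Chef templates do, and it rejects any value outside the three states so that a stray string cannot carry extra directives into the file.

```ruby
require 'erb'

# Hypothetical one-line template fragment; the cookbook's real template may differ.
USE_DNS_LINE = ERB.new(%q(<%= use_dns.nil? ? '#UseDNS yes' : 'UseDNS ' + use_dns %>))

# The only attribute values the three-state proposal allows.
ALLOWED_USE_DNS = [nil, 'yes', 'no'].freeze

# Render the UseDNS line for one attribute value.
# nil   -> commented-out directive, so sshd's built-in default applies
# 'yes' -> 'UseDNS yes'
# 'no'  -> 'UseDNS no'
# Anything else (booleans, strings with embedded newlines, ...) is refused
# before it reaches the template.
def render_use_dns(value)
  unless ALLOWED_USE_DNS.include?(value)
    raise ArgumentError, "use_dns must be nil, 'yes' or 'no', got #{value.inspect}"
  end
  USE_DNS_LINE.result_with_hash(use_dns: value)
end

# Constructed sample: a minimal sshd_config around the rendered line.
def sample_config(value)
  "Port 22\nProtocol 2\n#{render_use_dns(value)}\nPermitRootLogin no\n"
end

# Return the explicitly configured UseDNS value, or nil when only the
# commented-out line (or no line at all) is present. Keywords in sshd_config
# are case-insensitive and the first value obtained for a keyword is the one
# used, so the scan stops at the first match.
def explicit_use_dns(config_text)
  config_text.each_line do |line|
    m = line.match(/\A\s*UseDNS\s+(\S+)/i)
    return m[1] if m
  end
  nil
end
```

A spec for the recipe can assert on `explicit_use_dns` of the rendered file: `nil` means the result depends on the installed OpenSSH version's default, which is the case the maintainers wanted to review.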