diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb
index ae7bfb0..116a43a 100644
--- a/default/serverspec/ssh_spec.rb
+++ b/default/serverspec/ssh_spec.rb
@@ -47,7 +47,7 @@
  end
 
  describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^ListenAddress*/) }
+ its(:content) { should match(/^ListenAddress .*/) }
  end
 
  describe file('/etc/ssh/sshd_config') do
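Review bot: The replacement pattern `/^ListenAddress .*/` still only asserts that a ListenAddress line exists; the trailing `.*` matches anything, including an empty value, so the test cannot fail on a mis-set bind address. If the intent is only presence, `/^ListenAddress \S+$/` at least requires a value; if the spec is meant to pin the listening interface, the expected address should appear in the pattern with a `$` anchor. The `^`/`$` line anchors are appropriate here because the subject is the whole multi-line file content.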
@@ -71,15 +71,89 @@
  end
 
  describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^Ciphers (aes128-ctr,aes256-ctr,aes192-ctr)|(aes128-ctr,aes256-ctr,aes192-ctr,aes128-cbc,aes256-cbc,aes192-cbc)$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^(MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160)|(MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1)|(MACs hmac-ripemd160$)/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^KexAlgorithms (diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1)|(diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1)$/) }
+ its(:content) do
+
+ # define a set of default ciphers
+ ciphers53 = 'aes256-ctr,aes192-ctr,aes128-ctr'
+ ciphers66 = 'chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
+ ciphers = ciphers53
+
+ # adjust ciphers based on OS + release
+ case os[:family]
+ when 'Ubuntu'
+ case os[:release]
+ when '12.04'
+ ciphers = ciphers53
+ when '14.04'
+ ciphers = ciphers66
+ end
+ when 'RedHat'
+ case os[:release]
+ when '6.4', '6.5'
+ ciphers = ciphers53
+ end
+ end
+
+ should match(/^Ciphers #{ciphers}$/)
+ end
+ end
+
+ describe file('/etc/ssh/sshd_config') do
+ its(:content) do
+
+ # define a set of default MACs
+ macs66 = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160'
+ macs59 = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+ macs53 = 'hmac-ripemd160,hmac-sha1'
+ macs = macs59
+
+ # adjust MACs based on OS + release
+ case os[:family]
+ when 'Ubuntu'
+ case os[:release]
+ when '12.04'
+ macs = macs59
+ when '14.04'
+ macs = macs66
+ end
+ when 'RedHat'
+ case os[:release]
+ when '6.4', '6.5'
+ macs = macs53
+ end
+ end
+
+ should match(/^MACs #{macs}$/)
+ end
+ end
+
+ describe file('/etc/ssh/sshd_config') do
+ its(:content) do
+
+ # define a set of default KEXs
+ kex66 = 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
+ kex59 = 'diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
+ kex = kex59
+
+ # adjust KEXs based on OS + release
+ case os[:family]
+ when 'Ubuntu'
+ case os[:release]
+ when '12.04'
+ kex = kex59
+ when '14.04'
+ kex = kex66
+ end
+ when 'RedHat'
+ case os[:release]
+ when '6.4', '6.5'
+ should_not match(/^KexAlgorithms/)
+ kex = nil
+ end
+ end
+
+ should match(/^KexAlgorithms #{kex}$/) unless kex.nil?
+ end
  end
 
  describe file('/etc/ssh/sshd_config') do
@@ -166,10 +240,6 @@
  its(:content) { should match(/^KerberosTicketCleanup yes$/) }
  end
 
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#KerberosGetAFSToken no$/) }
- end
-
  describe file('/etc/ssh/sshd_config') do
  its(:content) { should match(/^GSSAPIAuthentication no$/) }
  end
@@ -178,22 +248,6 @@
  its(:content) { should match(/^GSSAPICleanupCredentials yes$/) }
  end
 
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#DenyUsers \*$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#AllowUsers user1$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#DenyGroups \*$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#AllowGroups group1$/) }
- end
-
  describe file('/etc/ssh/sshd_config') do
  its(:content) { should match(/^TCPKeepAlive no$/) }
  end
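Review bot: The algorithm lists are interpolated into the matchers unescaped, so in `should match(/^Ciphers #{ciphers}$/)` the `.` in `chacha20-poly1305@openssh.com` (and `libssh.org` in the KexAlgorithms matcher) is a regex wildcard rather than a literal; wrap each with `Regexp.escape`, e.g. `should match(/^Ciphers #{Regexp.escape(ciphers)}$/)`, and likewise for the MACs and KexAlgorithms matchers in the same hunk. A second concern is that an OS family or release absent from the `case` silently falls through to the pre-set default (`ciphers53`, `macs59`, `kex59`), so an unexpected platform is checked against the oldest expectations instead of failing; an `else` branch that raises or fails the example would make that visible. The three `its(:content) do` blocks repeat the same family/release selection and would read better as one small helper returning the expected string per setting. The enclosing `describe` block for sshd_config starts before this hunk.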
@@ -238,62 +292,6 @@
  its(:content) { should match(/^PrintLastLog no$/) }
  end
 
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(%r(^#Banner /etc/ssh/banner\.txt$)) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#UseDNS yes$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(%r(^#PidFile /var/run/sshd\.pid$)) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#MaxStartups 10$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#ChrootDirectory none$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(%r(^#ChrootDirectory /home/\%u$)) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#Subsystem sftp internal-sftp -l VERBOSE$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#Match Group sftponly$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#ForceCommand internal-sftp -l VERBOSE$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(%r(^#ChrootDirectory /sftpchroot/home/\%u$)) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#AllowTcpForwarding no$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#PasswordAuthentication no$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#PermitRootLogin no$/) }
- end
-
- describe file('/etc/ssh/sshd_config') do
- its(:content) { should match(/^#X11Forwarding no$/) }
- end
-
  end
 
  describe 'check ssh_config' do
@@ -382,12 +380,4 @@
  its(:content) { should match(/^Compression yes$/) }
  end
 
- describe file('/etc/ssh/ssh_config') do
- its(:content) { should match(/^#EscapeChar ~$/) }
- end
-
- describe file('/etc/ssh/ssh_config') do
- its(:content) { should match(/^#VisualHostKey yes$/) }
- end
-
  end