178 changes: 84 additions & 94 deletions default/serverspec/ssh_spec.rb
Expand Up @@ -47,7 +47,7 @@
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^ListenAddress*/) }
its(:content) { should match(/^ListenAddress .*/) }
end

describe file('/etc/ssh/sshd_config') do
Expand All @@ -71,15 +71,89 @@
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^Ciphers (aes128-ctr,aes256-ctr,aes192-ctr)|(aes128-ctr,aes256-ctr,aes192-ctr,aes128-cbc,aes256-cbc,aes192-cbc)$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^(MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160)|(MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1)|(MACs hmac-ripemd160$)/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^KexAlgorithms (diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1)|(diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1)$/) }
its(:content) do

# define a set of default ciphers
ciphers53 = 'aes256-ctr,aes192-ctr,aes128-ctr'
ciphers66 = 'chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
ciphers = ciphers53

# adjust ciphers based on OS + release
case os[:family]
when 'Ubuntu'
case os[:release]
when '12.04'
ciphers = ciphers53
when '14.04'
ciphers = ciphers66
end
when 'RedHat'
case os[:release]
when '6.4', '6.5'
ciphers = ciphers53
end
end

should match(/^Ciphers #{ciphers}$/)
end
end

describe file('/etc/ssh/sshd_config') do
its(:content) do

# define a set of default MACs
macs66 = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160'
macs59 = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
macs53 = 'hmac-ripemd160,hmac-sha1'
macs = macs59

# adjust MACs based on OS + release
case os[:family]
when 'Ubuntu'
case os[:release]
when '12.04'
macs = macs59
when '14.04'
macs = macs66
end
when 'RedHat'
case os[:release]
when '6.4', '6.5'
macs = macs53
end
end

should match(/^MACs #{macs}$/)
end
end

describe file('/etc/ssh/sshd_config') do
its(:content) do

# define a set of default KEXs
kex66 = 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
kex59 = 'diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
kex = kex59

# adjust KEXs based on OS + release
case os[:family]
when 'Ubuntu'
case os[:release]
when '12.04'
kex = kex59
when '14.04'
kex = kex66
end
when 'RedHat'
case os[:release]
when '6.4', '6.5'
should_not match(/^KexAlgorithms/)
kex = nil
end
end

should match(/^KexAlgorithms #{kex}$/) unless kex.nil?
end
end

describe file('/etc/ssh/sshd_config') do
Expand Down Expand Up @@ -166,10 +240,6 @@
its(:content) { should match(/^KerberosTicketCleanup yes$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#KerberosGetAFSToken no$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^GSSAPIAuthentication no$/) }
end
Expand All @@ -178,22 +248,6 @@
its(:content) { should match(/^GSSAPICleanupCredentials yes$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#DenyUsers \*$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#AllowUsers user1$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#DenyGroups \*$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#AllowGroups group1$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^TCPKeepAlive no$/) }
end
Expand Down Expand Up @@ -238,62 +292,6 @@
its(:content) { should match(/^PrintLastLog no$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(%r(^#Banner /etc/ssh/banner\.txt$)) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#UseDNS yes$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(%r(^#PidFile /var/run/sshd\.pid$)) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#MaxStartups 10$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#ChrootDirectory none$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(%r(^#ChrootDirectory /home/\%u$)) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#Subsystem sftp internal-sftp -l VERBOSE$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#Match Group sftponly$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#ForceCommand internal-sftp -l VERBOSE$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(%r(^#ChrootDirectory /sftpchroot/home/\%u$)) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#AllowTcpForwarding no$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#PasswordAuthentication no$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#PermitRootLogin no$/) }
end

describe file('/etc/ssh/sshd_config') do
its(:content) { should match(/^#X11Forwarding no$/) }
end

end

describe 'check ssh_config' do
Expand Down Expand Up @@ -382,12 +380,4 @@
its(:content) { should match(/^Compression yes$/) }
end

describe file('/etc/ssh/ssh_config') do
its(:content) { should match(/^#EscapeChar ~$/) }
end

describe file('/etc/ssh/ssh_config') do
its(:content) { should match(/^#VisualHostKey yes$/) }
end

end
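Review bot: The three new `should match(/^Ciphers #{ciphers}$/)`, `/^MACs #{macs}$/` and `/^KexAlgorithms #{kex}$/` assertions interpolate the algorithm lists into a regex unescaped, so the `.` in `@openssh.com` and `@libssh.org` matches any character and the check is looser than the exact-list intent; use `should match(/^Ciphers #{Regexp.escape(ciphers)}$/)` and the same for the MACs and KexAlgorithms lines. Note also that the `case os[:release]` branches fall through to the 5.3/5.9-era defaults for any release not listed (for example a newer Ubuntu or RedHat), which presumably means a host running a newer OpenSSH would be held to the weaker `aes*-ctr`-only / `hmac-sha1`-free-but-`sha1`-KEX baseline rather than the chacha20/curve25519 set — worth a comment such as `# unlisted releases fall back to the OpenSSH 5.x baseline; add new releases explicitly` so the fallback is a conscious choice. The RedHat 6.4/6.5 MAC list still accepts `hmac-sha1` and all non-6.6 KEX lists still accept `diffie-hellman-group14-sha1`/`group-exchange-sha1`; if that is a platform limitation rather than policy, a one-line comment saying so would save the next reader from "fixing" it. The enclosing `describe` group for `/etc/ssh/sshd_config` begins above the first hunk.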