100644 60 lines (53 sloc) 2.119 kb
1ecb504 @benhoskings Added 'system' dep, depending on 'secured ssh'.
benhoskings authored
```ruby
def ssh_conf_path file
  # Debian/Ubuntu keep ssh_config and sshd_config under /etc/ssh; OS X keeps them in /etc.
  "/etc#{'/ssh' if Babushka::Base.host.linux?}/#{file}_config"
end

dep 'hostname', :for => :linux do
  met? {
    # /etc/hostname is read with its trailing newline; strip it before comparing
    # against the live hostname, otherwise the dep is never considered met.
    stored_hostname = '/etc/hostname'.p.read.to_s.chomp
    !stored_hostname.blank? && hostname == stored_hostname
  }
  meet {
    # The :hostname var is interpolated unquoted into shell commands and into a
    # sed replacement; only a plain hostname (letters, digits, '-' and '.') is safe here.
    sudo "echo #{var :hostname, :default => shell('hostname')} > /etc/hostname"
    sudo "sed -ri 's/^127\\.0\\.0\\.1.*$/127.0.0.1 #{var :hostname} localhost.localdomain localhost/' /etc/hosts"
    # Set the running hostname directly rather than relying on /etc/init.d/hostname.sh.
    sudo "hostname #{var :hostname}"
  }
end

dep 'secured ssh logins' do
  requires 'sshd.managed', 'sed.managed'
  met? {
    # Probe sshd as a user that can't exist: the "Permission denied (...)" banner
    # lists the auth methods the server still offers. PasswordAuthentication=no on
    # the client side stops ssh from prompting (-o NumberOfPasswordPrompts=0 would do too).
    output = failable_shell('ssh -o StrictHostKeyChecking=no -o PasswordAuthentication=no nonexistentuser@localhost').stderr
    if output.downcase['connection refused']
      log_ok "sshd doesn't seem to be running."
    elsif (auth_methods = output.scan(/Permission denied \((.*)\)\./).join.split(/[^a-z-]+/)).empty?
      log_error "sshd returned unexpected output."
    else
      # Met only when publickey is the sole method left; anything else (password,
      # keyboard-interactive) means password guessing is still possible.
      returning auth_methods == %w[publickey] do |result|
        log_verbose "sshd #{'only ' if result}accepts #{auth_methods.to_list} logins.", :as => (result ? :ok : :error)
      end
    end
  }
  meet {
    # Stock sshd_config ships these as commented-out defaults ("#PasswordAuthentication yes");
    # a yes->no swap on a commented line leaves the default in force, which is why met?
    # checks the live daemon after the restart instead of trusting the edit.
    change_with_sed 'PasswordAuthentication', 'yes', 'no', ssh_conf_path(:sshd)
    change_with_sed 'ChallengeResponseAuthentication', 'yes', 'no', ssh_conf_path(:sshd)
  }
  after { sudo "/etc/init.d/ssh restart" }
end

dep 'lax host key checking' do
  requires 'sed.managed'
  # Disables client-side host key verification system-wide: convenient for throwaway
  # hosts, but it removes the only defence ssh has against a man-in-the-middle.
  met? { grep(/^StrictHostKeyChecking[ \t]+no/, ssh_conf_path(:ssh)) }
  meet { change_with_sed 'StrictHostKeyChecking', 'yes', 'no', ssh_conf_path(:ssh) }
end

dep 'admins can sudo' do
  requires 'admin group'
  met? { !sudo('cat /etc/sudoers').split("\n").grep(/^%admin/).empty? }
  # Appends straight to /etc/sudoers; a syntax error there locks everyone out of sudo,
  # so verify the result with `visudo -c` before relying on it.
  meet { append_to_file '%admin ALL=(ALL) ALL', '/etc/sudoers', :sudo => true }
end

dep 'admin group' do
  met? { grep(/^admin:/, '/etc/group') }
  meet { sudo 'groupadd admin' }
end

dep 'tmp cleaning grace period', :for => :ubuntu do
  # TMPTIME=0 wipes /tmp on every boot; 30 keeps files for 30 days before cleaning.
  met? { !grep(/^[^#]*TMPTIME=0/, "/etc/default/rcS") }
  meet { change_line "TMPTIME=0", "TMPTIME=30", "/etc/default/rcS" }
end
```
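The 'secured ssh logins' dep above checks the login policy from the wire (parsing the "Permission denied (...)" banner) and changes it with a sed swap that misses commented-out defaults. The following is an added example, not code from the babushka deps file or from benhoskings: it factors both checks into plain functions that run against constructed input, so they can be exercised without a live sshd. The function names (`ssh_offered_auth_methods`, `password_logins_disabled?`, `effective_sshd_option`, `set_sshd_option`) and the sample stderr and sshd_config strings are assumptions made for the example; the config follows the Debian layout, where the first uncommented occurrence of a directive in the global section wins and anything after a `Match` line is conditional.

```ruby
# Added example, not part of the original deps file. Sample inputs below are constructed.

# Auth methods sshd offered, parsed from the stderr of a failed probe.
# Returns :refused when nothing is listening, nil when the output is not the
# expected "Permission denied (...)" banner, else a sorted Array of method names.
def ssh_offered_auth_methods(stderr)
  return :refused if stderr.downcase.include?('connection refused')
  m = stderr.match(/Permission denied \(([a-z0-9,-]+)\)\./i)
  return nil unless m
  m[1].downcase.split(',').map(&:strip).reject(&:empty?).sort
end

# True only when publickey is the sole method left (what the dep's met? requires).
def password_logins_disabled?(stderr)
  methods = ssh_offered_auth_methods(stderr)
  methods.is_a?(Array) && methods == ['publickey']
end

# Effective value of a directive in sshd_config text. sshd uses the first
# uncommented occurrence; commented lines only document defaults, and the
# global section ends at the first "Match" line.
def effective_sshd_option(config, name)
  config.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    break if stripped =~ /\AMatch\s/i
    key, value = stripped.split(/\s+/, 2)
    return value if key.casecmp(name) == 0 && value
  end
  nil
end

# Rewrite config so NAME is set to VALUE in the global section: replace the first
# uncommented setting if present, otherwise append one before any Match block.
# Unlike a sed yes->no swap, this also covers a directive that exists only as a
# commented-out default ("#PasswordAuthentication yes"). Idempotent.
def set_sshd_option(config, name, value)
  lines = config.lines.map(&:chomp)
  global_end = lines.index { |l| l.strip =~ /\AMatch\s/i } || lines.size
  idx = lines[0...global_end].index { |l|
    s = l.strip
    !s.start_with?('#') && s.split(/\s+/, 2).first.to_s.casecmp(name) == 0
  }
  if idx
    lines[idx] = "#{name} #{value}"
  else
    lines.insert(global_end, "#{name} #{value}")
  end
  lines.join("\n") + "\n"
end

# Constructed sample output from three probe outcomes.
SAMPLE_DENIED    = "nonexistentuser@localhost: Permission denied (publickey,password).\n"
SAMPLE_KEYS_ONLY = "nonexistentuser@localhost: Permission denied (publickey).\n"
SAMPLE_REFUSED   = "ssh: connect to host localhost port 22: Connection refused\n"

# Constructed Debian-style sshd_config: password auth is only present commented out,
# so its default (yes) is still in force despite the line "looking" configured.
SAMPLE_CONFIG = <<CONF
# Debian-style defaults, commented out
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
CONF

if __FILE__ == $0
  puts "offered: #{ssh_offered_auth_methods(SAMPLE_DENIED).inspect}"
  puts "PasswordAuthentication effective: #{effective_sshd_option(SAMPLE_CONFIG, 'PasswordAuthentication').inspect}"
  puts set_sshd_option(SAMPLE_CONFIG, 'PasswordAuthentication', 'no')
end
```

Running the file prints the parsed methods, shows that `PasswordAuthentication` has no effective value in the sample (the commented line is ignored, and a sed swap of that line would change nothing), and prints the config with `PasswordAuthentication no` inserted in the global section; a second `set_sshd_option` call returns the same text.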