test(inspec): add tests based on existing Serverspec tests (#168)

* ci(kitchen): use `openssh.config` as `state_top`
* Semi-automated using myii/ssf-formula#33
* test(pillar): remove deprecated option and disabled method
* https://travis-ci.org/myii/openssh-formula/jobs/585340845#L1811-L1813:
* test(pillar): use same SSH options as used by Travis
* Using existing options locks out after `kitchen converge` (before `verify`)
* https://travis-ci.org/myii/openssh-formula/jobs/585356835#L2957-L2965:
* test(inspec): add tests based on existing Serverspec tests
* Follows on from #166

kitchen.yml

@@ -154,7 +154,7 @@ suites:
       state_top:
         base:
           '*':
-            - openssh
+            - openssh.config
       pillars:
         top.sls:
           base:

pillar.example

@@ -14,7 +14,6 @@ sshd_config:
     - /etc/ssh/ssh_host_dsa_key
     - /etc/ssh/ssh_host_ecdsa_key
     - /etc/ssh/ssh_host_ed25519_key
-  UsePrivilegeSeparation: 'sandbox'
   SyslogFacility: AUTH
   LogLevel: INFO
   ClientAliveInterval: 0
@@ -32,7 +31,7 @@ sshd_config:
   HostbasedAuthentication: 'no'
   PermitEmptyPasswords: 'no'
   ChallengeResponseAuthentication: 'no'
-  AuthenticationMethods: 'publickey,keyboard-interactive'
+  AuthenticationMethods: 'publickey'
   AuthorizedKeysFile: '%h/.ssh/authorized_keys'
   X11Forwarding: 'no'
   X11DisplayOffset: 10

test/integration/default/controls/config_spec.rb

@@ -0,0 +1,33 @@
+# Overide by Platform
+root_group = 'root'
+if platform[:family] == 'freebsd'
+  root_group = 'wheel'
+end
+
+control 'openssh configuration' do
+  title 'should match desired lines'
+
+  describe file('/etc/ssh/sshd_config') do
+    it { should be_file }
+    its('mode') { should cmp '0644' }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into root_group }
+    its('content') { should include 'ChallengeResponseAuthentication no' }
+    its('content') { should include 'X11Forwarding yes' }
+    its('content') { should include 'PrintMotd no' }
+    its('content') { should include 'AcceptEnv LANG LC_*' }
+    its('content') { should include 'Subsystem sftp /usr/lib/openssh/sftp-server' }
+    its('content') { should include 'UsePAM yes' }
+  end
+
+  describe file('/etc/ssh/ssh_config') do
+    it { should be_file }
+    its('mode') { should cmp '0644' }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into root_group }
+    its('content') { should include 'Host *' }
+    its('content') { should include '    GSSAPIAuthentication yes' }
+    its('content') { should include '    HashKnownHosts yes' }
+    its('content') { should include '    SendEnv LANG LC_*' }
+  end
+end

test/integration/default/controls/packages_spec.rb

@@ -0,0 +1,13 @@
+# Overide by Platform
+package_name = 'openssh-server'
+if platform[:family] == 'suse'
+  package_name = 'openssh'
+end
+
+control 'openssh package' do
+  title 'should be installed'
+
+  describe package(package_name) do
+    it { should be_installed }
+  end
+end

test/integration/default/controls/services_spec.rb

@@ -0,0 +1,15 @@
+# Overide by Platform
+service_name = 'sshd'
+if platform[:family] == 'debian'
+  service_name = 'ssh'
+end
+
+control 'openssh service' do
+  impact 0.5
+  title 'should be running and enabled'
+
+  describe service(service_name) do
+    it { should be_enabled }
+    it { should be_running }
+  end
+end

test/salt/pillar/default.sls

@@ -1,203 +1,35 @@
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 ---
+# yamllint disable rule:line-length
+# Using a stripped down version of both `sshd_config` and `ssh_config` here
+# The values introduced by the initial commit are taken from the Travis
+# instances themselves
+# Care must be taken when modifying this, not to lock out Travis before the
+# `kitchen verify` stage takes place, resulting in:
+# ```
+# $$$$$$ [SSH] connection failed, terminating (#<Net::SSH::AuthenticationFailed: Authentication failed for user kitchen@localhost>)
+# >>>>>> ------Exception-------
+# >>>>>> Class: Kitchen::ActionFailed
+# >>>>>> Message: 1 actions failed.
+# >>>>>>     Failed to complete #verify action: [Transport error, can't connect to 'ssh' backend: SSH session could not be established] on ...
+# ```
+# yamllint enable rule:line-length
+
 sshd_config:
-  # This keyword is totally optional
-  ConfigBanner: |
-    # Alternative banner for the config file
-    # (Indented) hash signs lose their special meaning here
-    # and the lines will be written as-is.
-  Port: 22
-  Protocol: 2
-  HostKey:
-    - /etc/ssh/ssh_host_rsa_key
-    - /etc/ssh/ssh_host_dsa_key
-    - /etc/ssh/ssh_host_ecdsa_key
-    - /etc/ssh/ssh_host_ed25519_key
-  UsePrivilegeSeparation: 'sandbox'
-  SyslogFacility: AUTH
-  LogLevel: INFO
-  ClientAliveInterval: 0
-  ClientAliveCountMax: 3
-  LoginGraceTime: 120
-  PermitRootLogin: 'yes'
-  PasswordAuthentication: 'no'
-  StrictModes: 'yes'
-  MaxAuthTries: 6
-  MaxSessions: 10
-  PubkeyAuthentication: 'yes'
-  AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
-  AuthorizedKeysCommandUser: 'nobody'
-  IgnoreRhosts: 'yes'
-  HostbasedAuthentication: 'no'
-  PermitEmptyPasswords: 'no'
   ChallengeResponseAuthentication: 'no'
-  AuthenticationMethods: 'publickey,keyboard-interactive'
-  AuthorizedKeysFile: '%h/.ssh/authorized_keys'
-  X11Forwarding: 'no'
-  X11DisplayOffset: 10
-  PrintMotd: 'yes'
-  PrintLastLog: 'yes'
-  TCPKeepAlive: 'yes'
+  X11Forwarding: 'yes'
+  PrintMotd: 'no'
   AcceptEnv: "LANG LC_*"
   Subsystem: "sftp /usr/lib/openssh/sftp-server"
   UsePAM: 'yes'
-  UseDNS: 'yes'
-  # set as string
-  AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
-  # # or set as list
-  # AllowUsers:
-  #   - vader@10.0.0.1
-  #   - maul@evil.com
-  #   - sidious
-  #   - luke
-  # # set as string
-  # DenyUsers: 'yoda chewbaca@112.10.21.1'
-  # or set as list
-  DenyUsers:
-    - yoda
-    - chewbaca@112.10.21.1
-  # # set as string
-  # AllowGroups: 'wheel staff imperial'
-  # or set as list
-  AllowGroups:
-    - wheel
-    - staff
-    - imperial
-  # set as string
-  DenyGroups: 'rebel'
-  # # or set as list
-  # DenyGroups:
-  #   - rebel
-  #   - badcompany
-  matches:
-    sftp_chroot:
-      type:
-        Group: sftpusers
-      options:
-        ChrootDirectory: /sftp-chroot/%u
-        X11Forwarding: 'no'
-        AllowTcpForwarding: 'no'
-        ForceCommand: internal-sftp
-    # Supports complex compound matches in Match criteria. For example, be able
-    # to match against multiple Users for a given Match, or be able to match
-    # against address ranges. Or Groups. Or any combination thereof.
-    #
-    # Support for matching users can take one of several different appearances
-    # in pillar data:
-    match_1:
-      type:
-        User: one_user
-      options:
-        ChrootDirectory: /ex/%u
-    match_2:
-      type:
-        User:
-          - jim
-          - bob
-          - sally
-      options:
-        ChrootDirectory: /ex/%u
-    # Note the syntax of match_3. By using empty dicts for each user, we can
-    # leverage Salt's pillar mergine. If we use simple lists, we cannot do
-    # this; Salt can't merge simple lists, because it doesn't know what order
-    # they ought to be in.
-    match_3:
-      type:
-        User:
-          jim: ~
-          bob: ~
-          sally: ~
-      options:
-        ChrootDirectory: /ex/%u
-
-  # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
-  # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
-  # The configuration given in the example below is based on:
-  # https://stribika.github.io/2015/01/04/secure-secure-shell.html
-  # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
-  # yamllint disable rule:line-length
-  # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
-  # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
-  # yamllint enable rule:line-length
-  KexAlgorithms:
-    - 'curve25519-sha256@libssh.org'
-    - 'diffie-hellman-group-exchange-sha256'
-  Ciphers:
-    - 'chacha20-poly1305@openssh.com'
-    - 'aes256-gcm@openssh.com'
-    - 'aes128-gcm@openssh.com'
-    - 'aes256-ctr'
-    - 'aes192-ctr'
-    - 'aes128-ctr'
-  MACs:
-    - 'hmac-sha2-512-etm@openssh.com'
-    - 'hmac-sha2-256-etm@openssh.com'
-    - 'umac-128-etm@openssh.com'
-    - 'hmac-sha2-512'
-    - 'hmac-sha2-256'
-    - 'umac-128@openssh.com'
 
-# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
-# pillar will overwrite the defaults of your distribution's SSH client. This
-# will also force the default configuration for all the SSH clients on the
-# machine. This can break SSH connections with servers using older versions of
-# openssh. Please make sure you understand the implication of different settings
 ssh_config:
   Hosts:
     '*':
-      StrictHostKeyChecking: 'no'
-      ForwardAgent: 'no'
-      ForwardX11: 'no'
-      RhostsRSAAuthentication: 'no'
-      RSAAuthentication: 'yes'
-      PasswordAuthentication: 'yes'
-      HostbasedAuthentication: 'no'
-      GSSAPIAuthentication: 'no'
-      GSSAPIDelegateCredentials: 'no'
-      BatchMode: 'yes'
-      CheckHostIP: 'yes'
-      AddressFamily: 'any'
-      ConnectTimeout: 0
-      IdentityFile: '~/.ssh/id_rsa'
-      Port: 22
-      Protocol: 2
-      Cipher: '3des'
-      Tunnel: 'no'
-      TunnelDevice: 'any:any'
-      PermitLocalCommand: 'no'
-      VisualHostKey: 'no'
-      # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
-      # WARNING! Please make sure you understand the implications of the below
-      # settings. The examples provided below might break your connection to older /
-      # legacy openssh servers.
-      # The configuration given in the example below is based on:
-      # https://stribika.github.io/2015/01/04/secure-secure-shell.html
-      # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
-      # yamllint disable rule:line-length
-      # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
-      # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
-      # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
-      # yamllint enable rule:line-length
-      KexAlgorithms:
-        - 'curve25519-sha256@libssh.org'
-        - 'diffie-hellman-group-exchange-sha256'
-        - 'diffie-hellman-group-exchange-sha1'
-        - 'diffie-hellman-group14-sha1'
-      Ciphers:
-        - 'chacha20-poly1305@openssh.com'
-        - 'aes256-gcm@openssh.com'
-        - 'aes128-gcm@openssh.com'
-        - 'aes256-ctr'
-        - 'aes192-ctr'
-        - 'aes128-ctr'
-      MACs:
-        - 'hmac-sha2-512-etm@openssh.com'
-        - 'hmac-sha2-256-etm@openssh.com'
-        - 'umac-128-etm@openssh.com'
-        - 'hmac-sha2-512'
-        - 'hmac-sha2-256'
-        - 'umac-128@openssh.com'
+      GSSAPIAuthentication: 'yes'
+      HashKnownHosts: 'yes'
+      SendEnv: 'LANG LC_*'
 
 
 openssh: