Bugfix: sshd listens on IPv6 interface if enabled

Fixes dev-secGH-140

Author: artem-sidorenko

README.md

@@ -58,6 +58,8 @@ This cookbook provides secure ssh-client and ssh-server configurations. This coo
 * `['ssh-hardening']['ssh']['sftp']['group']` - `sftponly` to configure the `Match Group` option of SFTP to allow SFTP only for dedicated users
 * `['ssh-hardening']['ssh']['sftp']['chroot']` - `/home/%u` to configure the directory where the SFTP user should be chrooted
 
+Notice: Some of attribute defaults of this cookbook are set in the recipes. You will have to use a higher [attribute precedence](https://docs.chef.io/attributes.html#attribute-precedence) in order to override them.
+
 ## Usage
 
 Add the recipes to the run_list:

attributes/default.rb

@@ -58,7 +58,6 @@
 default['ssh-hardening']['ssh']['client']['cbc_required']  = false
 default['ssh-hardening']['ssh']['client']['weak_hmac']     = false
 default['ssh-hardening']['ssh']['client']['weak_kex']      = false
-
 default['ssh-hardening']['ssh']['client']['remote_hosts']  = []
 default['ssh-hardening']['ssh']['client']['password_authentication'] = false   # ssh
 # http://undeadly.org/cgi?action=article&sid=20160114142733
@@ -71,11 +70,9 @@
 default['ssh-hardening']['ssh']['server']['cbc_required']             = false
 default['ssh-hardening']['ssh']['server']['weak_hmac']                = false
 default['ssh-hardening']['ssh']['server']['weak_kex']                 = false
-default['ssh-hardening']['ssh']['server']['listen_to']                = ['0.0.0.0']
 default['ssh-hardening']['ssh']['server']['host_key_files']           = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']
 default['ssh-hardening']['ssh']['server']['client_alive_interval']    = 600     # 10min
 default['ssh-hardening']['ssh']['server']['client_alive_count']       = 3       # ~> 3 x interval
-
 default['ssh-hardening']['ssh']['server']['allow_root_with_key']      = false
 default['ssh-hardening']['ssh']['server']['allow_tcp_forwarding']     = false
 default['ssh-hardening']['ssh']['server']['allow_agent_forwarding']   = false

recipes/server.rb

@@ -19,6 +19,17 @@
 # limitations under the License.
 #
 
+# default attributes
+# We can not set this kind of defaults in the attribute files
+# as we react on value of other attributes
+# https://github.com/dev-sec/chef-ssh-hardening/issues/140#issuecomment-267779720
+node.default['ssh-hardening']['ssh']['listen_to'] =
+  if node['ssh-hardening']['network']['ipv6']['enable']
+    ['0.0.0.0', '::']
+  else
+    ['0.0.0.0']
+  end
+
 # installs package name
 package 'openssh-server' do
   package_name node['ssh-hardening']['sshserver']['package']

spec/recipes/server_spec.rb

@@ -374,4 +374,31 @@
         with_content(/^ChrootDirectory test_home_dir$/)
     end
   end
+
+  context 'with disabled IPv6' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['ssh-hardening']['network']['ipv6']['enable'] = false
+      end.converge(described_recipe)
+    end
+
+    it 'sets proper IPv4 ListenAdress' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content(/ListenAddress 0.0.0.0/)
+    end
+  end
+
+  context 'with enabled IPv6' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['ssh-hardening']['network']['ipv6']['enable'] = true
+      end.converge(described_recipe)
+    end
+
+    it 'sets proper IPv4 and IPv6 ListenAdress' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content(/ListenAddress 0.0.0.0/).
+        with_content(/ListenAddress ::/)
+    end
+  end
 end