Merge pull request #82 from aried3r/ar/update_readme

arlimus · arlimus · commit ae0cd6662dc2 · 2015-04-27T15:35:08.000+02:00
Update README and use OpenSSH defaults for UseDNS
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ This cookbook provides secure ssh-client and ssh-server configurations.
 
 * `['network']['ipv6']['enable']` - true if IPv6 is needed
 * `['ssh'][{'client', 'server'}]['cbc_required']` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
-* `['ssh'][{'client', 'server'}]['weak_hmac']` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. 
+* `['ssh'][{'client', 'server'}]['weak_hmac']` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
 * `['ssh'][{'client', 'server'}]['weak_kex']` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
 * `['ssh']['allow_root_with_key']` - `false` to disable root login altogether. Set to `true` to allow root to login via key-based mechanism.
 * `['ssh']['ports']` - ports to which ssh-server should listen to and ssh-client should connect to
@@ -29,6 +29,11 @@ This cookbook provides secure ssh-client and ssh-server configurations.
 * `['ssh']['use_pam']` - `false` to disable pam authentication
 * `['ssh']['print_motd']` - `false` to disable printing of the MOTD
 * `['ssh']['print_last_log']` - `false` to disable display of last login information
+* `default['ssh']['deny_users']` - `[]` to configure `DenyUsers`, if specified login is disallowed for user names that match one of the patterns.
+* `default['ssh']['allow_users']` - `[]` to configure `AllowUsers`, if specified, login is allowed only for user names that match one of the patterns.
+* `default['ssh']['deny_groups']` - `[]` to configure `DenyGroups`, if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
+* `default['ssh']['allow_groups']` - `[]` to configure `AllowGroups`, if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
+* `default['ssh']['use_dns']` - `nil` to configure if sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.
 
 ## Data Bags
 
@@ -40,7 +45,7 @@ This cookbook used to handle authorized keys for the root user, but that support
 
 Have users in your `data_bag/users/` directory. This cookbook looks for users inside this folder with a `ssh_rootkey`.
 
-Example: 
+Example:
 
 First you have to find out the ssh-key of the user you want to allow. A typical example for this is
 
@@ -66,7 +71,7 @@ You can then access
 ## Usage
 
 Add the recipes to the run_list:
-    
+
     "recipe[ssh]"
 
 This will install ssh-server and ssh-client. You can alternatively choose only one via:
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -65,6 +65,7 @@
 default['ssh']['allow_groups']            = []      # sshd
 default['ssh']['print_motd']              = false   # sshd
 default['ssh']['print_last_log']          = false   # sshd
-default['ssh']['use_dns']                 = true    # sshd
+# set this to nil to let us use the default OpenSSH in case it's not set by the user
+default['ssh']['use_dns']                 = nil     # sshd
 # set this to nil to let us detect the attribute based on the node platform
 default['ssh']['use_privilege_separation'] = nil
diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb
@@ -473,13 +473,13 @@
   end
 
   context 'without attribute use_dns' do
-    it 'sets UseDNS to the default' do
+    it 'leaves UseDNS commented' do
       expect(chef_run).to render_file('/etc/ssh/sshd_config')
-        .with_content(/UseDNS yes/)
+        .with_content(/#UseDNS no/)
     end
   end
 
-  context 'with attribute use_dns' do
+  context 'with attribute use_dns set to false' do
     cached(:chef_run) do
       ChefSpec::ServerRunner.new do |node|
         node.set['ssh']['use_dns'] = false
@@ -491,4 +491,17 @@
         .with_content(/UseDNS no/)
     end
   end
+
+  context 'with attribute use_dns set to true' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.set['ssh']['use_dns'] = true
+      end.converge(described_recipe)
+    end
+
+    it 'sets UseDNS correctly' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config')
+        .with_content(/UseDNS yes/)
+    end
+  end
 end
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
@@ -185,7 +185,12 @@ X11UseLocalhost yes
 PrintMotd <%= ((@node['ssh']['print_motd']) ? 'yes' : 'no' ) %>
 PrintLastLog <%= ((@node['ssh']['print_last_log']) ? 'yes' : 'no' ) %>
 #Banner /etc/ssh/banner.txt
+<% if @node['ssh']['use_dns'].nil? %>
+# Since OpenSSH 6.8, this value defaults to 'no'
+#UseDNS no
+<% else %>
 UseDNS <%= ((@node['ssh']['use_dns']) ? 'yes' : 'no' ) %>
+<% end %>
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
 #ChrootDirectory none
